Single sign-on (SSO) is a method of authentication that allows users to use one set of login credentials to access multiple applications. In Fintecture, SSO enables users to log in securely and efficiently without having to remember different usernames and passwords for each application.

Fintecture supports SSO using the Security Assertion Markup Language (SAML) protocol. When a user tries to access an application, Fintecture sends a SAML request to the Identity Provider (IDP) specified by the user. The IDP authenticates the user and sends a SAML response back to Fintecture, which then grants the user access to the application.

Keep in mind: Users can only log in with their username and password if they have not successfully logged in with SSO before. Once a user logs in with SSO, their username and password login is disabled for security purposes.

Depending on the SSO configuration, there are two possible scenarios:

• Single SSO company configuration: Access is managed through the client's IDP, so it will not be possible to access more than one company or change user roles from our platform. Everything must be done in the IDP, and we will reflect the changes based on the information received.
• Multiple SSO companies configuration: Access is managed through the client's IDP, but we allow administrators to add users to other companies within the same group and edit their roles from our platform.

In summary, our SSO solution provides a secure and efficient way for users to access our platform, and their level of access depends on their membership status and the customer IDP settings.

How to configure SSO with Fintecture

• Service Provider callbackUri: This is the Assertion Consumer Service (ACS) URL specified by SAML identity providers.
• Sandbox environment: https://fintecture-test.firebaseapp.com/__/auth/handler
• Production environment: https://fintecture.firebaseapp.com/__/auth/handler
• Service Provider EntityId: This is the name of the Fintecture console.
• Sandbox environment: fintecture-console-test
• Production environment: fintecture-console

To ensure seamless integration, it is mandatory to configure the User Identifier (SAML NameID) as the user's email address in your Identity Provider settings, as our system requires this information for proper functionality.

Here's what we need to configure SSO with Fintecture:

• Provider EntityID
• Provider SAML SSO URL
• The x.509 certificate used for token-signing on the provider (.pem format)
• (optional) The default role they want to have for their new users: (Please note that if the default_role is not provided, the role must be added in the mapped attributes from the IDP.)
• admin: Will be able to view payments, request payments, make refunds, create shops and applications, add bank accounts and manage users
• developer: Will be able to view payments, request payments, make refunds, create shops and applications
• operator: Will be able to view payments, request payments and make refunds
• sales: Will only have access to ‘Payments' and 'Create a payment’ pages.
• (optional) If you want a multi-companies SSO configuration.
• (optional) company_external_ids: If there will be multiple companies in the group linked to this SSO provider, and you want to use your own identifier to determine which company each user should belong to.

Attributes Mapping in Fintecture

Fintecture accepts the following information in the SAML token from the customer IDP:

• first_name: string
• last_name: string
• phone_number: string
• role: string, one of (admin, developer, operator, sales), mandatory if no DefaultRole is configured. The roles provide different levels of access to Fintecture's features and functionalities.
• admin: Will be able to view payments, request payments, make refunds, create shops and applications, add bank accounts and manage users
• developer: Will be able to view payments, request payments, make refunds, create shops and applications
• operator: Will be able to view payments, request payments, and make refunds
• sales: Will only have access to ‘Payments' and 'Create a payment’ pages
• Direct company provisioning, are optional and only valid in the case of an environment with multiple SSO companies. Through identifiers in the token provided by your IDP, you can automatically assign which company each user will be able to access. Only one identifier is accepted, if you want to allow access to more than one company, the user must be invited to the others.
• company_id: string, company Fintecture identifier for access provisioning.
• company_external_id: string, company Client identifier for access provisioning. If both company_id and company_external_id are provided, company_id will be prioritised. To use company_external_id, we should provide this company_external_id when linking an SSO provider to a company.

SSO in Fintecture provides users with a convenient and secure way to access multiple applications using a single set of login credentials. By following the steps outlined above, you can configure SSO with Fintecture and start using this powerful feature today.