Single Sign-On (SSO)
Overview
Single Sign-On (SSO) authentication allows users to access multiple applications through an Identity Provider (IdP) using a single set of login credentials. Using SSO improves the security of your account and makes it easier for your users to log in.
We have documented the SSO setup process for the most common IdPs: Okta, Entra ID, and OneLogin. Our SSO solution supports any IdP that offers the OpenID Connect (OIDC) or Security Assertion Markup Language (SAML) 2.0 protocols.
It's your responsibility to secure your IdP and implement necessary security measures. We're not responsible for losses if your IdP is compromised or unauthorised parties access your GoCardless account through your IdP while SSO is enabled.
Features and limitations
Features
We support these SSO features:
- Configure and test your SSO configuration from the GoCardless dashboard.
- Enforce SSO for all your users: to get the full security benefits you can enforce SSO so that it is the only way your users can sign in (signing in with a password and GoCardless 2-factor authentication will be disabled).
- Service Provider-initiated SSO: Initiate SSO login directly from the GoCardless login page.
- Multi-account support: for users of our multi-account feature, configure SSO once at the parent account level and it will apply to all accounts in the account group.
Limitations
We do not support these SSO features:
- Automated just-in-time account creation upon first SSO sign in: new users will need to be invited manually from the GoCardless dashboard.
- System for Cross-domain Identity Management (SCIM): a protocol that automates the exchange of user identity information and lifecycle processes between the IdP and service provider (e.g. GoCardless).
- IdP-initiated SSO: Authenticate directly from an IdP’s website or browser extension. This means you will not be able to log into the GoCardless dashboard from a bookmark/tile in your IdP dashboard or similar, only from the GoCardless login screen.
If your organisation has multiple GoCardless accounts
Important: If your organisation has multiple GoCardless accounts but you don’t have the multi-account feature enabled, you must set that up first in order to start using SSO.
The multi-account feature enables you to manage your account structures by linking multiple GoCardless accounts in a parent-child structure.
If you have the multi-account feature enabled, you configure and enforce SSO once on the parent account and the configuration and enforcement will automatically apply to all accounts in the account group.
In addition to ensuring all users on the parent account are provisioned through the IdP, please ensure all users on child accounts have also been provisioned before enforcing SSO.
Set up SSO
Entra ID
These are the steps to set up SSO with Microsoft Entra ID. You must have Admin access to your GoCardless account in order to configure, enable and enforce SSO.
Using OIDC
Start SSO setup
- Log in to the GoCardless dashboard as an Admin user.
- In the top right click Settings > Account settings.
- In the section Single Sign-On (SSO) click Set up SSO.
- A new tab will open where you can configure SSO in an Auth0-hosted journey. Click to proceed.
- Select your IdP and click Next.
Create application
Follow the instructions in the configuration journey.
Configure connection
Follow the instructions in the configuration journey.
Claims mapping
- Navigate back to your application, and then on the left-hand tab, select Manage > Token configuration, and click Add optional claim.
- Select token type ID and the claims “email”, “family_name” and “given_name”.
- Click Add. You may be prompted to enable a feature; we recommend that you do.
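The three optional claims above are what the connection needs from the ID token. The following added check (not GoCardless or Auth0 code) decodes an ID token payload and lists which of those claims are still missing, so you can confirm the Entra ID token configuration before running Test Connection. The sample tokens are constructed and unsigned; signature, issuer and expiry validation is performed by Auth0 during login, not here.

```python
import base64
import json

# Claims the GoCardless connection expects in the ID token (from the setup steps).
REQUIRED_CLAIMS = ("email", "given_name", "family_name")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload of a compact JWT. No signature check: this only
    inspects which claims the IdP emits; Auth0 verifies the token itself."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(id_token: str) -> list:
    """List required claims that are absent or empty in the ID token."""
    claims = id_token_claims(id_token)
    return [name for name in REQUIRED_CLAIMS if not claims.get(name)]


def _make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT (empty signature) for offline testing."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample: optional claims not yet added, only default claims present.
TOKEN_BEFORE = _make_unsigned_token({
    "iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "aud": "CLIENT-ID-PLACEHOLDER", "sub": "user-object-id", "name": "Ada Lovelace",
})
# Constructed sample after adding email, given_name and family_name.
TOKEN_AFTER = _make_unsigned_token({
    "iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "aud": "CLIENT-ID-PLACEHOLDER", "sub": "user-object-id",
    "email": "ada@example.com", "given_name": "Ada", "family_name": "Lovelace",
})

if __name__ == "__main__":
    print("before:", missing_claims(TOKEN_BEFORE))  # ['email', 'given_name', 'family_name']
    print("after:", missing_claims(TOKEN_AFTER))    # []
```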
Assign access
- Under Manage > App roles, click How do I assign App roles.
- Click the hyperlink on Assign app roles with 'User' allowed member types in Enterprise applications or in Microsoft Graph APIs.
- Select Assign users and groups > Add user/group, and add the user(s) or group.
Test your configuration
Skip ahead to the Test your configuration steps below.
Using SAML
Start SSO setup
- Log in to the GoCardless dashboard as an Admin user.
- In the top right click Settings > Account settings.
- In the section Single Sign-On (SSO) click Set up SSO.
- A new tab will open where you can configure SSO in an Auth0-hosted journey. Click to proceed.
- Select Custom SAML and click Next.
Create Application
This is where to get the “Single Sign-On URL” and “Service Provider Entity ID” values you need to set in Entra ID.
Set up SAML application in Entra ID
Configure connection
This is where to set the Metadata URL that you got in the previous step.
Attribute mapping
Create the necessary claims (in Entra ID, check the box for Expose claim in JWT tokens in addition to SAML tokens).
Test your configuration
- Use the Test Connection button in the configuration journey to review the attributes that are being passed.
- If everything looks good, click Enable Connection and proceed.
- SSO is now enabled and, if the configuration is all working correctly, you and your users can use it to log in. Next you will try logging in with SSO to check it is working as expected.
- Sign out of the GoCardless dashboard.
- Sign back in using the Sign in with SSO button on the login page.
- If successful, move to the next step.
- If unsuccessful, you can log in as usual with your password while you troubleshoot your configuration.
Complete setup
If you are satisfied that SSO is working as expected, you can enforce SSO for your users. Enforcing SSO makes it the required method of authentication for all users on your GoCardless account. This means they will no longer be able to log in using their password or two-factor authentication.
- You can enforce SSO from your SSO settings in the dashboard. If you enforce SSO, your users will be sent an email to inform them that they must log in with SSO going forward and can no longer use password or two-factor authentication.
- Some users are likely to miss this email. To prevent confusion or disruption, please inform your users about this change so that they are aware of it.
Okta
These are the steps to set up SSO with Okta. You must have Admin access to your GoCardless account in order to configure, enable and enforce SSO.
Using OIDC
Start SSO setup
- Log in to the GoCardless dashboard as an Admin user.
- In the top right click Settings > Account settings.
- In the section Single Sign-On (SSO) click Set up SSO.
- A new tab will open where you can configure SSO in an Auth0-hosted journey. Click to proceed.
- Select your IdP and click Next.
Create application
Follow the instructions in the configuration journey. In the Assignments section untick Enable immediate access with Federation Broker Mode.
Configure connection
Follow the instructions in the configuration journey.
Assign access
Follow the instructions in the configuration journey.
Test your configuration
Skip ahead to the Test your configuration steps below.
Using SAML
Start SSO setup
- Log in to the GoCardless dashboard as an Admin user.
- In the top right click Settings > Account settings.
- In the section Single Sign-On (SSO) click Set up SSO.
- A new tab will open where you can configure SSO in an Auth0-hosted journey. Click to proceed.
- Select Custom SAML and click Next.
Create application
This is where to get the “Single Sign-On URL” and “Service Provider Entity ID” values you need to set in Okta.
Set up SAML application in Okta
- Open Okta in a new tab and create a SAML app integration.
- Enter the app name, icon, etc.
- SAML configuration:
- The values for the “Single sign-on URL” and “Audience URI (SP Entity ID)” fields are provided in the GoCardless SSO configuration journey.
- Add the following attribute statements when setting up SAML for the application in Okta:
- given_name → user.firstName
- family_name → user.lastName
- email → user.email
- Complete the feedback question.
- The application settings page in Okta, once setup is finished, shows the Metadata URL that Auth0 needs.
Configure connection
This is where to set the Metadata URL that you got in the previous step.
Attribute mapping
This has already been done as part of the steps to set up the SAML application in Okta.
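The Audience URI and the three attribute statements configured above are what the assertion must carry. The following added check (not GoCardless, Auth0 or Okta code) parses a SAML assertion and reports an Audience mismatch or a missing attribute statement, which is useful when Test Connection shows an attribute you did not expect. The assertion below is constructed with placeholder values and no signature; it checks the mapping only, as Auth0 verifies the assertion signature during login.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute statement names the Okta app must emit (from the setup steps).
REQUIRED_ATTRIBUTES = ("given_name", "family_name", "email")

# Constructed sample assertion with the three attribute statements mapped.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1">
  <saml:Issuer>http://www.okta.com/ISSUER-PLACEHOLDER</saml:Issuer>
  <saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>SP-ENTITY-ID-PLACEHOLDER</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="family_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its first value."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        out[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return out


def check_mapping(assertion_xml: str, sp_entity_id: str) -> list:
    """Return a list of problems; an empty list means the mapping matches."""
    root = ET.fromstring(assertion_xml)
    problems = []
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience URI mismatch: got {audiences}, expected {sp_entity_id!r}")
    attrs = assertion_attributes(assertion_xml)
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            problems.append(f"missing attribute statement: {name}")
    return problems


if __name__ == "__main__":
    print(check_mapping(SAMPLE_ASSERTION, "SP-ENTITY-ID-PLACEHOLDER"))  # []
```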
Test your configuration
- Use the Test Connection button in the configuration journey to review the attributes that are being passed.
- If everything looks good, click Enable Connection and proceed.
- SSO is now enabled and, if the configuration is all working correctly, you and your users can use it to log in. Next you will try logging in with SSO to check it is working as expected.
- Sign out of the GoCardless dashboard.
- Sign back in using the Sign in with SSO button on the login page.
- If successful, move to the next step.
- If unsuccessful, you can log in as usual with your password while you troubleshoot your configuration.
Complete setup
If you are satisfied that SSO is working as expected, you can enforce SSO for your users. Enforcing SSO makes it the required method of authentication for all users on your GoCardless account. This means they will no longer be able to log in using their password or two-factor authentication.
- You can enforce SSO from your SSO settings in the dashboard. If you enforce SSO, your users will be sent an email to inform them that they must log in with SSO going forward and can no longer use password or two-factor authentication.
- Some users are likely to miss this email. To prevent confusion or disruption, please inform your users about this change so that they are aware of it.
OneLogin
These are the steps to set up SSO with OneLogin. You must have Admin access to your GoCardless account in order to configure, enable and enforce SSO.
Using OIDC
Start SSO setup
- Log in to the GoCardless dashboard as an Admin user.
- In the top right click Settings > Account settings.
- In the section Single Sign-On (SSO) click Set up SSO.
- A new tab will open where you can configure SSO in an Auth0-hosted journey. Click to proceed.
- Select “Custom OIDC” and click Next.
Create application
1. In OneLogin, go to Applications -> Custom Connectors and then click the New Connector button.
2. Set the name of the new custom connector, change the Sign on method to “OpenID Connect”, and set the Redirect URI to the value of the Callback URL given by Auth0.
3. Save the new connector, then click the More Actions button to open a drop-down menu and click Add App to Connector.
4. Name the app, set any icons and description as desired, and click Save.
Configure connection
- Once the app has been saved in OneLogin, you should have a number of additional settings tabs available on the left hand side. If not, go to Applications -> Applications and select the newly created application.
- Go to the SSO tab of the application settings in OneLogin and copy the Client ID, Client Secret and the Well-known Configuration URL to the relevant places in the Auth0 settings.
- Change the Token Endpoint -> Authentication Method in OneLogin to “POST” and click Save.
- Click Next in Auth0.
Claims mapping
Nothing needs to be done to set up claims mapping: OneLogin returns the claims we require by default. Just click Next.
Assign access
1. Users can be assigned to an application in OneLogin from the user’s edit page. Go to Users -> Users and then click on the user to be edited.
2. Click the + button in the Applications area of the edit page on the right hand side. This opens a dialog for selecting the application to assign the user to. Select the application and click Continue.
3. Click Save.
Test your configuration
- Use the Test Connection button in the configuration journey to review the attributes that are being passed.
- If everything looks good, click Enable Connection and proceed.
- SSO is now enabled and, if the configuration is all working correctly, you and your users can use it to log in. Next you will try logging in with SSO to check it is working as expected.
- Sign out of the GoCardless dashboard.
- Sign back in using the Sign in with SSO button on the login page.
- If successful, move to the next step.
- If unsuccessful, you can log in as usual with your password while you troubleshoot your configuration.
Complete setup
If you are satisfied that SSO is working as expected, you can enforce SSO for your users. Enforcing SSO makes it the required method of authentication for all users on your GoCardless account. This means they will no longer be able to log in using their password or two-factor authentication.
- You can enforce SSO from your SSO settings in the dashboard. If you enforce SSO, your users will be sent an email to inform them that they must log in with SSO going forward and can no longer use password or two-factor authentication.
- Some users are likely to miss this email. To prevent confusion or disruption, please inform your users about this change so that they are aware of it.
FAQs
- How do I add new team members to my account?
- My SSO login isn’t working, how can I access my account?
- I'm getting an error message when trying to log in with SSO; what does it mean?
- Can I still use my password to log in once SSO is enforced?
- How do I set up 2-factor authentication with SSO?
- Can I switch my identity provider after setting up SSO?
- How do I connect a new partner app once SSO is enforced?
- Is there a direct link to the SSO sign in page?
How do I add new team members to my account?
Add them in the GoCardless dashboard following the usual steps, then give them access to GoCardless in your IdP.
My SSO login isn’t working, how can I access my account?
First, check whether SSO has been enforced on your account. If it has, you should have received an email from us to inform you. If it hasn’t, you should be able to log in with your password. If you are sure SSO is enforced:
- If you do have an Admin account, please complete this form to request alternative access
- If you do not have an Admin account, please contact your Admin(s) for assistance
I'm getting an error message when trying to log in with SSO; what does it mean?
It could be one of a few reasons:
- SSO has not been enabled or enforced on your account
- Your email address has not been granted access to GoCardless in your IdP
- There is a problem with your SSO configuration
If you are stuck:
- If you do have an Admin account, please complete this form to request alternative access
- If you do not have an Admin account, please contact your Admin(s) for assistance
Can I still use my password to log in once SSO is enforced?
No. Once SSO is enforced on your account, SSO will be the only way to log in. You will not be able to log in using a password or 2-factor authentication.
How do I set up 2-factor authentication with SSO?
When SSO is enforced, it is not possible to sign in using the GoCardless dashboard’s 2-factor authentication. We recommend that you set up 2-factor authentication through your IdP where it is available.
Can I switch my identity provider after setting up SSO?
Yes. Please turn off SSO enforcement in the GoCardless dashboard then click the Reset button to reset your configuration. After doing this you’ll be able to connect to a new IdP.
How do I connect a new partner app once SSO is enforced?
The authentication required in the OAuth journey to connect a partner app does not currently support SSO. If you want to connect a new partner app and you have SSO enforced, you need to turn off SSO enforcement, connect the partner app, then turn SSO enforcement back on.
Is there a direct link to the SSO sign in page?
Yes: https://manage.gocardless.com/sign-in?sso=true