Configuring an Azure Instance

Use the following settings when configuring PayNearMe on your Azure instance, which will use these settings to generate the SAML certificate for your site.

📘 Sandbox vs. Production

The settings below are for the sandbox environment. You will need to generate a new certificate for the production environment.

Basic SAML Configuration

| Setting | Value |
|---|---|
| Identifier (Entity ID) | https://pro.paynearme-sandbox.com/users/saml/metadata |
| Reply URL (Assertion Consumer Service URL) | https://pro.paynearme-sandbox.com/users/saml/auth |
| Sign On URL | Optional |
| Relay State | Optional |
| Logout URL | Optional |

Attributes and Claims

| Attribute | Source attribute / value |
|---|---|
| givenname | user.givenname |
| surname | user.surname |
| emailaddress | user.mail |
| name | user.userprincipalname |
| user_type | "bpo" |
| Unique User Identifier | user.userprincipalname |

Setting Up Enterprise Applications

Define two Entra ID enterprise applications, one each for sandbox and production environments. The following are instructions for setting up the sandbox enterprise application. Repeat these instructions for production.

  1. In the Entra ID Enterprise applications > All applications blade, click New application.

  2. Click on Create your own application in the new page.

  3. Enter PayNearMe Sandbox as the name of the new app, and select Integrate any other application you don’t find in the gallery (Non-gallery).

  4. Open the Manage > Single sign-on blade for the newly created application.

  5. Click edit in the Basic SAML Configuration box.

  6. Enter the provided instance ID value as the Identifier (Entity ID).

  7. Add https://pro.paynearme-sandbox.com/users/saml/auth as the Reply URL (Assertion Consumer Service URL).

  8. Click Save.

Configuring the SAML Claims Using Entra ID Security Groups

The user_type claim controls the application role assumed by the user in PayNearMe. The following instructions assume two application roles, agent and merchant, and one PayNearMe site, PayNearMe Sandbox.

  1. Define one Entra ID security group for each application role. Choose a prefix that identifies the site, and append the application role to it. For example, with the prefix PayNearMe-Sandbox-, the security groups are PayNearMe-Sandbox-agent and PayNearMe-Sandbox-merchant.

    1. Open the Entra ID Groups > All groups blade in the Azure Portal.

    2. Click New group.

    3. Fill in the group details, using the group name chosen above.

    4. Click Create.

    5. Repeat for all application roles.

  2. Assign the security groups to the corresponding enterprise application.

    1. Locate the enterprise application in the Enterprise applications blade.

    2. Click on the enterprise application name.

    3. Select the Manage > User and groups section.

    4. Click Add user/group and add all security groups created in step 1.

    5. All security groups created in step 1 should now be listed under Users and groups.

  3. Define the SAML claims.

    1. Locate the enterprise application in the Enterprise applications blade.

    2. Click on the enterprise application name.

    3. Select Single sign-on.

    4. Click Edit under Attributes & Claims section.

    5. Delete all additional claims by clicking the ... menu next to each default claim, selecting Delete and confirming.

    6. Add the following claims:

      | Name | Source | Value |
      |---|---|---|
      | urn:mace:dir:attribute-def:email | Attribute | user.mail |
      | first_name | Attribute | user.givenname |
      | last_name | Attribute | user.surname |
      | site | Attribute | "<provided site value>" |

    7. Click Add a group claim and enter the following values:

      | Field | Value |
      |---|---|
      | Which groups associated with the user should be returned in the claim | Groups assigned to the application |
      | Source attribute | Cloud-only group display names |
      | Filter groups | Checked |
      | Attribute to match | Display name |
      | Match with | Prefix |
      | String | PayNearMe-Sandbox |
      | Customize the name of the group claim | Checked |
      | Name | user_type |
      | Namespace | Leave empty |
      | Emit groups as role claim | Unchecked |
      | Apply regex replace to groups claim content | Checked |
      | Regex pattern | `^PayNearMe-Sandbox-(?'role'.*)$` |
      | Regex replacement pattern | `{role}` |
      | Expose claim in JWT tokens in addition to SAML tokens | Unchecked |

    8. Click Save.

    9. The Attributes & Claims list should now show the four attribute claims added in step 6 and the user_type group claim.

    10. Add users to the security groups as appropriate. Users will now be redirected and logged in to the PayNearMe site when accessing the enterprise application.

❗️ Users and Security Groups

A user should only be added to a single security group for each site. For example, if you have configured two sites, PayNearMe Sandbox and PayNearMe Production, a user can belong to PayNearMe-Sandbox-agent and PayNearMe-Production-merchant, but not to PayNearMe-Sandbox-agent and PayNearMe-Sandbox-merchant. In the latter scenario the resulting user_type claim for PayNearMe Sandbox will be malformed and the user won't be able to access the PayNearMe site.
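As an added example (not part of PayNearMe's or Microsoft's documentation), the following Python models the group-claim transformation configured above and checks a membership list against the one-group-per-site rule before users are added. The memberships are constructed sample data, the .NET named group `(?'role'.*)` is written in Python syntax as `(?P<role>.*)`, and the model assumes Entra ID emits one claim value per matching group, which is why two role groups for one site yield a multi-valued (malformed) user_type.

```python
import re
from collections import defaultdict

# Site prefix and regex follow the page's group-claim settings; Python uses
# (?P<role>...) where Entra ID's .NET regex uses (?'role'...).
GROUP_PREFIX = "PayNearMe-Sandbox"
ROLE_PATTERN = re.compile(r"^PayNearMe-Sandbox-(?P<role>.*)$")

def user_type_claim(assigned_groups):
    """Model the group claim: keep groups whose display name starts with the
    prefix ("Match with: Prefix"), then rewrite each to its captured role
    (replacement pattern {role}). Returns the list of claim values; PayNearMe
    expects exactly one."""
    values = []
    for name in assigned_groups:
        if not name.startswith(GROUP_PREFIX):
            continue
        m = ROLE_PATTERN.match(name)
        if m:
            values.append(m.group("role"))
    return values

def find_conflicts(memberships):
    """memberships: {user: [group display names]}. Return users holding more
    than one role group for the same site prefix. Assumes the page's naming
    scheme PayNearMe-<Site>-<role>."""
    conflicts = {}
    for user, groups in memberships.items():
        per_site = defaultdict(list)
        for g in groups:
            site, sep, role = g.rpartition("-")
            if sep and site.startswith("PayNearMe-"):
                per_site[site].append(role)
        bad = {site: roles for site, roles in per_site.items() if len(roles) > 1}
        if bad:
            conflicts[user] = bad
    return conflicts

# Constructed sample membership, not real directory data.
SAMPLE = {
    "alice@example.com": ["PayNearMe-Sandbox-agent", "PayNearMe-Production-merchant"],
    "bob@example.com": ["PayNearMe-Sandbox-agent", "PayNearMe-Sandbox-merchant"],
    "carol@example.com": ["Finance-Team", "PayNearMe-Sandbox-merchant"],
}

if __name__ == "__main__":
    for user, groups in SAMPLE.items():
        print(user, "->", user_type_claim(groups))
    print("conflicts:", find_conflicts(SAMPLE))
```

Running `find_conflicts` against an export of group memberships before assigning users flags exactly the case the callout warns about (bob above), while alice's Production group is ignored by the Sandbox prefix filter.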

Generating Connection Values

After generating and sending PayNearMe the SAML certificate for your site, we’ll use the certificate to generate the certificate fingerprints and login URL for your configuration.

| Parameter | Description | Example |
|---|---|---|
| Azure AD Identifier | The Azure Active Directory (tenant) identifier. | https://sts.windows.net/17c47e7e-2b45-48b1-a5ba-5df2bb60cce5/ |
| SP Entity ID | A URL where the service provider publishes public information about its SAML configuration. The metadata document published at this URL includes the service provider's public certificate, which can be used to verify the signature of authentication requests initiated from the service itself. The ID typically includes the business name, environment, and type of SSO configuration (BusinessName-Environment-ssoType). | toysrus-production-okta |
| Certificate Fingerprint | The identity provider (IdP) certificate fingerprint is exchanged out-of-band between the sender and the receiver and is configured on the receiving end. It uniquely identifies the certificate holding the public key that the sender uses to sign the SAML messages it sends. See the conversion steps below. | 4D:86:FC:B4:EB:F3:A4:99:CB:72:EC:0B:13:E6:C6:23:F2:2C:EB:9B:10:02:4A:B7:C3:62:29:B4:89:47:3C:58 |
| IdP Cert Fingerprint Algorithm | The SignatureMethod property specifies the algorithm used for signature generation and verification. It identifies all cryptographic functions involved in creating an XML digital signature, including hashing, public key algorithms, Message Authentication Codes (MACs), and padding. | http://www.w3.org/2001/04/xmldsig-more#rsa-sha1 or http://www.w3.org/2000/09/xmldsig#rsa-sha1* |
| Login URL | The identity provider portal URL where users sign on. | https://login.microsoft.com/17c47e7e-2b45-48b1-a5ba-5df2bb60cce5/saml2 |

*This algorithm has been deprecated and may not work.

In most cases a client will supply PayNearMe with an X.509 certificate inside a metadata file, which then needs to be converted into a thumbprint. For example:

<x509 Certificate>MIIC8DCCAdigAwIBA….r61ShvRg</x509 Certificate>

To convert the X.509 certificate to a thumbprint, complete the following steps:
  1. Navigate to https://www.samltool.com/format_x509cert.php.
  2. Paste the MIIC8DCCAdigAwIBA….r61ShvRg value into the X.509 certificate section and choose Format X.509 Certificate.
  3. Copy the output from the X.509 cert with the header section included (be sure to include the -----BEGIN…----- and -----END…----- lines).
  4. Go to the Calculate Fingerprint section and paste the information into the X.509 cert box.
  5. For Azure configurations, choose the sha1 hash algorithm.
  6. Once the tool calculates the thumbprint, copy the Fingerprint value.
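The thumbprint can also be computed locally rather than pasting the certificate into a web tool. The following is an added example (not PayNearMe's or Microsoft's code) that extracts the X509Certificate value from an IdP metadata fragment and hashes the decoded DER bytes, which is what a certificate fingerprint is; the metadata fragment is constructed and its base64 payload is just the bytes "hello" so the result can be checked by hand. A SHA-1 fingerprint has 20 colon-separated byte pairs and a SHA-256 fingerprint has 32, which tells you which algorithm produced a value you are given.

```python
import base64
import hashlib
import re

# Constructed metadata fragment, not a real certificate: the base64 payload decodes
# to the bytes "hello". A real X509Certificate value is the DER-encoded certificate,
# base64-encoded and usually wrapped across several lines.
SAMPLE_METADATA = """<md:KeyDescriptor use="signing">
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    aGVs
    bG8=
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</md:KeyDescriptor>"""

def extract_x509(metadata_xml):
    """Return the first X509Certificate element body (any namespace prefix)
    with all whitespace removed."""
    m = re.search(r"<(?:\w+:)?X509Certificate>(.*?)</(?:\w+:)?X509Certificate>",
                  metadata_xml, re.S)
    if not m:
        raise ValueError("no X509Certificate element found")
    return re.sub(r"\s+", "", m.group(1))

def fingerprint(b64_cert, algorithm="sha1"):
    """Hash the DER bytes of a base64 certificate and format the digest as
    colon-separated uppercase hex, the same form the samltool Calculate
    Fingerprint step produces. PEM BEGIN/END lines are stripped if present."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", b64_cert)
    der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

if __name__ == "__main__":
    cert = extract_x509(SAMPLE_METADATA)
    print("sha1  :", fingerprint(cert))
    print("sha256:", fingerprint(cert, "sha256"))
```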