Using Single Sign-On with the Agent Interface
Overview
PayNearMe gives clients the ability to set up single sign-on (SSO) services in one of the following ways:
- Via Okta Integration
- Via Azure Integration
- Via API call to the /agent_sso endpoint.
Okta and Azure use the SAML protocol to give your agents access to the PayNearMe Agent Interface without the hassle of creating and maintaining a separate set of credentials. To set up an Okta or Azure SSO configuration, you’ll need to exchange some information with your PayNearMe Technical Account Manager (TAM) and then configure your SAML settings in your Okta instance.
The /agent_sso API enables agents authenticated by the client solution to access the PayNearMe Business Portal without having to submit a separate password. Clients also have the option to take the agent directly to the order, so that he or she can quickly make payments on behalf of the consumer without having to search for the correct account in the PayNearMe UI.
Defining Roles
To successfully map to a single sign-on protocol, you’ll need to define roles or a user_type for each user. Roles are a grouping of permissions that grant users with a specified user_type access to different functionality in the Business Portal. Roles can be made up of the following permissions, which your PayNearMe TAM will set up for your site.
Roles for API Method
For security, agents that access the Business Portal via the /agent_sso endpoint are limited to a subset of roles that are listed in the Using SSO with the API section.
Permission | Description |
---|---|
Admin | Provides access to the Admin tab where users can edit business details, view/add users, and review the site’s charge history. |
Create Customers/Accounts | Grants the ability to create customers and accounts. NOTE: Requires the View Customers/Accounts permission. |
Edit Customers/Accounts | Grants the ability to edit customer and account information such as name, email, and phone number (NOTE: This does not include the preferred phone number as only the consumer can edit this value.) |
View Customers/Accounts | Provides access to view customer and account information. |
View Payments | Provides access to view payment information. |
Configure | Grants access to the Configure tab where users can configure callback URLs, edit the site’s logo, etc. |
Communicate | Provides the user with the ability to send emails and texts to consumers. |
Agent Interface | Gives the user access to the Agent Interface where he/she can view customer and payment data. NOTE: All merchant users should have access to the Agent Interface. |
Developer | Provides access to the Developer tab where the user can access API documentation and the site’s API Keys. |
Manage Users | Provides access to the Admin tab where business portal users can be managed (create, edit, remove). |
Reports | Provides access to Reconciliation and Settlement reports in the Payments section. |
Agent Interface Electronic Payments | Grants the ability to process an electronic payment within the Agent Interface. |
Refund Electronic Payments | Grants the ability to initiate a partial or full refund for an electronic payment. |
Supervisor | Provides the ability to override merchant business rules. For example, if there is a minimum payment requirement set by a business rule, then a supervisor would be able to override this restriction and process the payment. |
View Disbursements | Provides access to the Disbursements section where disbursements can be viewed. It also enables merchants to view disbursements on the customer screen. |
Alternate Autopay Authorizations | Provides access to a different list of autopay authorization methods. |
Approve Disbursements | Provides access to the Disbursements section where disbursements can be approved. It also enables merchants to view and approve disbursements on the customer screen. |
Create Disbursements | Provides access to the Disbursements section where disbursements can be created. It also enables merchants to create disbursements on the customer screen. |
Schedule Autopay | Grants the ability to set a recurring autopay schedule in the Agent Interface. |
Cancel Autopay | Grants the ability to cancel a recurring autopay schedule. |
Waive Fees | Grants the ability to waive fees. |
Cancel Disbursements | Provides access to the Disbursements section where disbursements can be canceled. It also enables merchants to view and cancel disbursements on the customer screen. |
Beta Features | Provides access to various beta features. |
Sensitive Data | Grants the user access to view Personally Identifiable Information (PII). |
Manage Risk | Grants the user the ability to unblock ACH payment methods that were previously blocked because of returns. |
Adding Deep Links
Deep Links take users to a specified customer/account record or order without having to first search the Agent Interface. This saves time and provides your consumers with a better customer support experience. To enable deeplinking, PayNearMe uses a Service Provider Entity ID-initiated login flow to create the SAML assertion. This Entity ID must be unique in the PayNearMe system and will typically include the Site Name and environment type (e.g., alendingmerchant-DEV) followed by one of the following identifiers:
site_order_identifier
pnm_order_identifier
site_customer_identifier
Deep Link URLs use the following structure:
protocol://host/saml_login/sp_entity_id/(optional order identifier)
For example,
https://pro.paynearme-sandbox.com/saml_login/alendingmerchant-DEV/88234764711
For more information about deeplinking, contact your PayNearMe TAM.
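The following is an added example, not PayNearMe code. It shows one way a client system could build and check Deep Link URLs in the structure above, so that an identifier copied from a CRM record always stays a single path segment and the link always points at an expected host. The function names and the host allow-list are assumptions; the only host taken from this page is the sandbox one, and how PayNearMe treats percent-encoded characters in an identifier is not described here.

```python
from urllib.parse import quote, unquote, urlsplit

# Assumption: only the sandbox host shown on this page; add your production host.
ALLOWED_HOSTS = {"pro.paynearme-sandbox.com"}

def _segment(value, label):
    """Encode one value as exactly one URL path segment."""
    value = str(value).strip()
    if not value or value in (".", ".."):
        raise ValueError(f"{label} is empty or a dot segment")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError(f"{label} contains control characters")
    # '/', '?', '#' and '%' are escaped, so the value cannot add segments or a query.
    return quote(value, safe="-._~")

def build_deep_link(host, sp_entity_id, identifier=None):
    """Return https://host/saml_login/sp_entity_id[/identifier]."""
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} is not allow-listed")
    parts = ["saml_login", _segment(sp_entity_id, "sp_entity_id")]
    if identifier is not None:
        parts.append(_segment(identifier, "identifier"))
    return f"https://{host}/" + "/".join(parts)

def parse_deep_link(url):
    """Return (sp_entity_id, identifier or None); reject anything off-pattern."""
    u = urlsplit(url)
    if u.scheme != "https" or u.hostname not in ALLOWED_HOSTS or u.port is not None:
        raise ValueError("not an https link to an allow-listed host")
    if u.username or u.password or u.query or u.fragment:
        raise ValueError("unexpected userinfo, query or fragment")
    segs = u.path.split("/")[1:]
    if len(segs) not in (2, 3) or segs[0] != "saml_login" or "" in segs:
        raise ValueError("path is not /saml_login/sp_entity_id[/identifier]")
    values = [unquote(s) for s in segs[1:]]
    return values[0], (values[1] if len(values) == 2 else None)

if __name__ == "__main__":
    # Values from the example URL on this page.
    link = build_deep_link("pro.paynearme-sandbox.com", "alendingmerchant-DEV", 88234764711)
    print(link, parse_deep_link(link))
```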
Updated 8 months ago