Using Single Sign-On with the Agent Interface
Overview
PayNearMe gives clients the ability to set up single sign-on (SSO) services in one of the following ways:
- Via Okta Integration
- Via Azure Integration
- Via API call to the /agent_sso endpoint.
Okta and Azure use the SAML protocol to give your agents access to the PayNearMe Agent Interface without the hassle of creating and maintaining a separate set of credentials. To set up an Okta or Azure SSO configuration, you’ll need to exchange some information with your PayNearMe Technical Account Manager (TAM) and then configure your SAML settings in your Okta instance.
The /agent_sso API enables agents authenticated by the client solution to access the PayNearMe Business Portal without having to submit a separate password. Clients also have the option to take the agent directly to the order, so that he or she can quickly make payments on behalf of the consumer without having to search for the correct account in the PayNearMe UI.
Defining Roles
To successfully map to a single sign-on protocol, you’ll need to define roles or a user_type for each user. Roles are a grouping of permissions that grant users with a specified user_type access to different functionality in the Business Portal. Roles can be made up of the following permissions, which your PayNearMe TAM will set up for your site.
Roles for API Method
For security, agents that access the Business Portal via the /agent_sso endpoint are limited to a subset of roles that are listed in the Using SSO with the API section.
Permission | Description |
---|---|
Admin | Provides access to the Admin tab where users can edit business details, view/add users, and review the site’s charge history and invoices (if available). |
Create Customers/Accounts | Grants access to the Customers section and gives the user the ability to create customers and accounts. NOTE: Requires the View Customers/Accounts permission. |
Edit Customers/Accounts | Grants access to the Customers section and gives the user the ability to edit customer and account information such as name, email, and phone number. NOTE: This does not include the preferred phone number, as only the consumer can edit this value. |
View Customers/Accounts | Grants access to the Customers section where the user can view customer and account information. |
View Payments | Grants access to the Payments section where the user can view payment information. |
Configure | Grants access to the Configure tab where users can update merchant details (e.g., edit the merchant logo, configure callback URLs, etc.) and the Business Portal and Agent Interface features can be configured. |
Communicate | Gives users the ability to send emails and texts to consumers. |
Agent Interface | Gives the user access to the Agent Interface where he/she can view customer and payment data. NOTE: All merchant users should have access to the Agent Interface. |
Developer | Provides access to the Developer tab where the user can access API documentation, create and manage their API keys, review API call logs, and use the callback debugger. |
Manage Users | Provides access to the Admin tab where business portal users can be managed (i.e., created, edited, and/or removed). |
Reports | Provides access to Reconciliation and Settlement reports in the Payments section. |
Agent Interface Electronic Payments | Grants the ability to process an electronic payment (e.g., ACH, card, Apple Pay, and Google Pay) within the Agent Interface. NOTE: Requires the Agent Interface permission. |
Refund Electronic Payments | Grants the ability to initiate a partial or full refund for an electronic payment. |
Supervisor | Provides the ability to override merchant business rules. For example, if there is a minimum payment requirement set by a business rule, then a supervisor would be able to override this restriction and process the payment. NOTE: This permission only displays when Business Rules are enabled and active for a client site. |
Alternate Autopay Authorizations | Provides access to a different list of autopay authorization methods including a telephone recording, a signed authorization agreement, or a clicked-through web flow where the consumer agrees to scheduled payments. |
Schedule Autopay | Grants the ability for a user to set a recurring autopay schedule in the Agent Interface. |
Cancel Autopay | Grants the ability for a user to cancel a recurring autopay schedule in the Agent Interface. |
Waive Fees | Grants the ability to waive fees. NOTE: Requires an Agent Waived pricing plan. |
Dashboards | Provides access to the Insights Dashboards. |
View Disbursements | Provides access to the Disbursements section where users can view disbursement details. It also enables users to view disbursements from the Customer Details screen. |
Approve Disbursements | Provides access to the Disbursements section where users can approve disbursements. It also enables users to approve disbursements from the Customer Details screen. |
Create Disbursements | Provides access to the Disbursements section where users can create disbursements. It also enables users to create disbursements from the Customer Details screen. |
Cancel Disbursements | Provides access to the Disbursements section where users can cancel disbursements. It also enables users to cancel disbursements from the Customer Details screen. |
No Card Entry | Prevents users from adding debit or credit cards in the Business Portal/Agent Interface. |
No ACH Entry | Prevents users from adding bank accounts in the Business Portal/Agent Interface. |
Agent Cannot Edit | Prevents users from editing consumer information in the Agent Interface. |
Cannot Cancel Payments | Prevents users from canceling unprocessed payments in the Business Portal/Agent Interface. |
Chargeback Disputes | Grants access to the Disputes and Returns screen and gives users the ability to dispute chargebacks. |
Manage Risk | Grants the user the ability to unblock ACH payment methods that were previously blocked because of returns. |
Sensitive Data | Grants the user access to view Personally Identifiable Information (PII). |
Beta Features | Grants access to the Beta Features section where users can preview and test upcoming features for the Business Portal. |
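The prerequisites in the table's NOTE entries can be checked before role definitions are sent to your TAM. The following is an added example, not PayNearMe code: the user_type names and role contents are constructed, and the disbursement separation rule is an assumed local policy rather than a PayNearMe requirement.

```python
# Prerequisites stated in the permission table's NOTE entries.
REQUIRES = {
    "Create Customers/Accounts": {"View Customers/Accounts"},
    "Agent Interface Electronic Payments": {"Agent Interface"},
}
# The table notes that all merchant users should have this permission.
BASELINE = {"Agent Interface"}
# Assumed local policy (not a PayNearMe rule): no single role holds both sides.
SEPARATE = [("Create Disbursements", "Approve Disbursements")]


def lint_role(user_type, permissions):
    """Return findings for one role; an empty list means the role passes."""
    perms = set(permissions)
    findings = []
    for perm, needed in REQUIRES.items():
        if perm in perms:
            for missing in sorted(needed - perms):
                findings.append(f"{user_type}: '{perm}' requires '{missing}'")
    for missing in sorted(BASELINE - perms):
        findings.append(f"{user_type}: missing baseline permission '{missing}'")
    for first, second in SEPARATE:
        if first in perms and second in perms:
            findings.append(f"{user_type}: holds both '{first}' and '{second}'")
    return findings


def lint_all(roles):
    """Lint every role in a {user_type: [permissions]} mapping."""
    return [f for name, perms in roles.items() for f in lint_role(name, perms)]


# Constructed role definitions; the user_type names are hypothetical.
ROLES = {
    "collections_agent": ["Agent Interface", "View Customers/Accounts",
                          "Agent Interface Electronic Payments"],
    "onboarding": ["Create Customers/Accounts", "Agent Interface"],
    "payout_clerk": ["Agent Interface", "View Disbursements",
                     "Create Disbursements", "Approve Disbursements"],
    "reporting": ["Reports", "View Payments"],
}

if __name__ == "__main__":
    for finding in lint_all(ROLES):
        print(finding)
```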
Adding Deep Links
Deep Links take users to a specified customer/account record or order without having to first search the Agent Interface. This saves time and provides your consumers with a better customer support experience. To enable deeplinking, PayNearMe uses a Service Provider Entity ID-initiated login flow to create the SAML assertion. This Entity ID must be unique in the PayNearMe system and will typically include the Site Name and environment type (e.g., alendingmerchant-DEV) followed by one of the following identifiers:
- site_order_identifier
- pnm_order_identifier
- site_customer_identifier
Deep Link URLs use the following structure:
protocol://host/saml_login/sp_entity_id/(optional order identifier)
For example,
https://pro.paynearme-sandbox.com/saml_login/alendingmerchant-DEV/88234764711
For more information about deeplinking, contact your PayNearMe TAM.
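When deep links are generated from identifiers held in another system, each value should be encoded as a single path segment so it cannot change the URL's structure. The following is an added example, not PayNearMe code: the function names are hypothetical, and requiring https and a host allowlist are assumptions of this example.

```python
from urllib.parse import quote, unquote, urlsplit

PREFIX = "saml_login"


def _segment(value, label):
    """Percent-encode one path segment so it cannot add or climb path levels."""
    if not value or value in (".", ".."):
        raise ValueError(f"invalid {label}: {value!r}")
    return quote(value, safe="")


def build_deep_link(host, sp_entity_id, identifier=None):
    """Build https://host/saml_login/sp_entity_id[/identifier]."""
    if not host or any(c in host for c in "/@?#\\ "):
        raise ValueError(f"host must be a bare hostname: {host!r}")
    parts = [PREFIX, _segment(sp_entity_id, "sp_entity_id")]
    if identifier is not None:
        parts.append(_segment(str(identifier), "identifier"))
    return f"https://{host}/" + "/".join(parts)


def parse_deep_link(url, allowed_hosts):
    """Return (sp_entity_id, identifier or None); raise if the link is off-pattern."""
    u = urlsplit(url)
    if u.scheme != "https" or u.hostname not in allowed_hosts:
        raise ValueError("unexpected scheme or host")
    if u.query or u.fragment or u.username or u.port:
        raise ValueError("unexpected URL components")
    segs = u.path.split("/")[1:]
    if len(segs) not in (2, 3) or segs[0] != PREFIX or "" in segs:
        raise ValueError("path does not match /saml_login/sp_entity_id[/identifier]")
    decoded = [unquote(s) for s in segs[1:]]
    return decoded[0], (decoded[1] if len(decoded) == 2 else None)


if __name__ == "__main__":
    # Host, entity ID and order identifier are the ones in the page's example URL.
    print(build_deep_link("pro.paynearme-sandbox.com", "alendingmerchant-DEV", 88234764711))
```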