SAML Single Sign-On 

Security Assertion Markup Language (SAML) is an XML-based framework for enabling authentication through a third party identity provider or in-house single sign-on application.

SAML comes in handy for organizations which use multiple applications or services and need a single source to manage member activity. Instead of creating multiple credentials for different applications, with SAML you can create one set of credentials per member and allow them to access multiple applications.

Note

This feature is available only on Scale and Enterprise plans. To learn more, visit our plans and pricing page.

SAML offers the ability to:

  • Manage a password policy across multiple applications
  • Access multiple applications securely
  • Reduce the risk of lost or forgotten passwords

Note

  • Enabling SAML will require all users to sign in only via SAML.
  • Okta, OneLogin and Azure AD are the supported IdPs. If you are using a different IdP, please raise a request to Chargebee Support.
  • Only one IdP can be configured per Chargebee site.
  • Chargebee supports SAML 2.0.
  • Enabling SAML will disable two-factor authentication (2FA) in Chargebee. This is to remove redundancy as the IdP will have the option to enable 2FA.
  • The team member's email address must be present in both Chargebee and the IdP.

Terminology 

Team Member: Team Member is an employee of the organization, say, Acme Inc, and is an authorized user of Acme Inc's Chargebee User Interface.

Authentication: The verification mechanism that certifies an individual is the actual person they claim to be.

IdP: Identity Provider (IdP) is the platform or application that provides authentication for the member.

SP: Service Provider (SP) is the application that needs authentication for allowing access to the member. For the entirety of this doc, Chargebee is the Service Provider.

Login URL: This URL will take you to the IdP's login page asking for your credentials. Login URL is provided by your IdP and must be added in Chargebee while integrating.

X.509 Certificate: Chargebee accepts only an X.509 certificate to validate the authenticity of an IdP.

Login Options 

You can log in to Chargebee using one of the ways listed below:

Sign in via IdP

  1. Log into your IdP.
  2. Select Chargebee from the list of applications.
  3. You will be taken to the Chargebee Dashboard.

Sign in via Chargebee

  1. On the login page, click Sign in with Single Sign-On.
  2. Enter the Chargebee site's URL in the text box provided and click Sign in.
  3. You will be taken to your IdP's login screen. Enter your credentials and click Sign In.

Login using Chargebee URL

  1. Enter the Chargebee site URL.
  2. You will be redirected to your IdP's login window asking for credentials.
  3. Fill in the details and log in.

Okta as IdP 

You can add the Chargebee app in Okta using the steps below:

  1. Log in to your Okta account and search for "Chargebee" under Add applications.
  2. Enter your Chargebee site name in the Subdomain field and click Done.
  3. Click View Setup Instructions under the Sign On tab to get the
    • Login URL
    • SAML Certificate

These are required and need to be pasted in your Chargebee User Interface while enabling SAML.

OneLogin as IdP 

You can add the Chargebee app in OneLogin using the steps below:

  1. Log in to your OneLogin account and search for "Chargebee" under Add Apps. Click Save after selecting the Chargebee app.
  2. Enter your Chargebee site name in the Chargebee subdomain field under the Configuration tab and click Save.
  3. Go to the SSO tab and get the
    • SAML 2.0 Endpoint (Login URL)
    • X.509 Certificate (SAML certificate)

These are required and need to be pasted in your Chargebee User Interface while enabling SAML.

Azure AD as IdP 

You can add the Chargebee app in Microsoft's Azure Active Directory using the steps below:

  1. Sign in to your Microsoft Azure site (through portal.azure.com).

  2. Go to Azure Active Directory > Enterprise applications > New application > Non-gallery application and add an application named "Chargebee".

  3. Now, go to the newly created Chargebee application, select Single sign-on in the left pane, and select SAML.

  4. Click edit against the Basic SAML Configuration section and enter

    • https://acme.chargebee.com - for the Identifier (Entity ID) field
    • https://app.chargebee.com/saml/acme/acs - for the Reply URL field. Replace acme with your Chargebee site name.

  5. Scroll down to the Setup Chargebee section. Copy the Login URL and paste it in the field provided in Chargebee's SAML Configuration page.

  6. In the SAML Signing Certificate section, open the URL given against App Federation Metadata URL and copy the content between the start and end tags of <X509Certificate>. Paste it in Chargebee's SAML Certificate field.
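
The extraction in step 6, as an added example (not Chargebee's or Microsoft's code): SAML metadata can contain more than one X509Certificate element, so this sketch selects only the IdP signing certificates, checks that the value is valid base64, and returns fingerprints to compare with what the IdP shows for its signing certificate before pasting. The sample metadata, the `idp.example.invalid` entity ID and the function name `signing_certificates` are constructed for illustration.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for a DER certificate (not a real one).
SAMPLE_CERT_B64 = base64.b64encode(bytes(range(256)) * 3).decode()

# Constructed sample; real metadata comes from the App Federation Metadata URL.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {SAMPLE_CERT_B64[:512]}
        {SAMPLE_CERT_B64[512:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>AAAA</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certificates(metadata_xml):
    """Return one dict per distinct IdP signing certificate in the metadata."""
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("DTDs are not expected in SAML metadata")
    root = ET.fromstring(metadata_xml)
    seen, found = set(), []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' = any purpose
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())    # drop line breaks and indent
            der = base64.b64decode(b64, validate=True)  # raises on non-base64 junk
            sha256 = hashlib.sha256(der).hexdigest()
            if sha256 in seen:
                continue
            seen.add(sha256)
            pem = "\n".join(["-----BEGIN CERTIFICATE-----", *textwrap.wrap(b64, 64),
                             "-----END CERTIFICATE-----"])
            found.append({"base64": b64, "pem": pem, "sha256": sha256,
                          "sha1": hashlib.sha1(der).hexdigest()})
    return found
```

If the function returns more than one entry, the IdP is publishing several signing certificates (for example during a rollover), and the one to paste is the certificate the IdP marks as active.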

Configure SAML in Chargebee 

  1. Log in to Chargebee and navigate to Settings > Security > Single Sign-on > Setup.
  2. Select SAML and click Confirm.
  3. Paste the Login URL and the X.509 Certificate retrieved from the IdP.

Disable SAML 

To disable SAML, go to Settings > Security and click Disable.
When you disable SAML in Chargebee, your team members will be notified that SAML has been disabled and they should sign in using custom credentials or Google SSO.

Email Notifications 

Your team members will receive a system-generated email during the following events:

  • When admin enables SAML for the organization's Chargebee site
  • When a new team member is added to the organization's Chargebee site
  • When SAML is disabled

FAQ 

1) What would happen if the team member's email is in the Chargebee site and not in the IdP?

An error would occur when the team member enters the Chargebee site name and clicks Sign In. The admin needs to add the team member's credentials in the IdP to resolve this error.

2) What happens if you try to log in via Single Sign-On when it is not enabled on your Chargebee site?

Chargebee will show the prompt "Single Sign-On is not enabled for this domain". SAML must be enabled to proceed; take a look at the steps to enable SAML.

3) How will team members with access to multiple Chargebee sites access Chargebee?

Team members with access to multiple Chargebee sites can easily switch between sites using the option beside the Chargebee site name in the left pane.

However, if team members try to switch to a Chargebee site which does not have SAML enabled, they will be shown Chargebee's login screen. They can sign in using their custom credentials or via Google SSO.

4) How to generate a password when the team members don't have a password?

You can create a password by clicking the Forgot Password option on the login page and proceeding from there.
