{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-apis/platform/iam/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Aritma ID","keywords":"documentation, api, portal, banking, payment, account information, aritma, psd2, open banking, reconciliation","description":"Developer documentation for Aritma's banking and financial APIs - payments, account information, webhooks, authentication and integrations.","meta":[{"name":"google-site-verification","content":"hplqlK_5O42BZjNnjtVQMEpxv9JkxcD1eH4J1T-NQmI"}],"llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"aritma-id","__idx":0},"children":["Aritma ID"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Users and clients authenticate via ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Aritma ID"]}," — Aritma's built-in identity system. A user subject is linked to an Aritma ID account by email address. 
When you invite a user, they create or connect an Aritma ID account as part of accepting the invitation."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Aritma ID is always available as a fallback, even when SSO is configured."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"sso-providers","__idx":1},"children":["SSO providers"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Organizations that manage their own identity infrastructure can configure an external ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["identity provider (IdP)"]}," so that users log in with their corporate credentials instead of a separate Aritma ID password."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Aritma IAM supports four SSO provider types:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Provider"},"children":["Provider"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Use case"},"children":["Use case"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Azure AD"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Microsoft Entra ID / Azure Active Directory"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Google"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Google Workspace 
accounts"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Signicat"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Strong authentication methods (BankID, MitID, Swedish BankID)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Custom OIDC"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Any standards-compliant OpenID Connect provider"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When a user logs in via an SSO provider, Aritma maps the incoming identity to a user subject in your tenant. The subject's permissions are the same regardless of how they authenticated."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"user-provisioning","__idx":2},"children":["User provisioning"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["There are three ways a user subject can be created in your tenant, and they are independent of each other:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Method"},"children":["Method"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"When the user is created"},"children":["When the user is 
created"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Requires"},"children":["Requires"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Invitation"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["After the user accepts the invite"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Nothing"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Auto-provisioning"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["On the user's first SSO login (Just-in-time)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An SSO provider with auto-provisioning enabled"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SCIM"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Before the user ever logs in"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A SCIM token and IdP provisioning configuration"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"auto-provisioning","__idx":3},"children":["Auto-provisioning"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["auto-provisioning"]}," is enabled on an SSO provider, Aritma creates a user subject the first time that user logs in through that provider. 
The subject is created just-in-time during the login flow — no invitation or pre-creation is needed."," ","Auto-provisioning is configured directly on the SSO provider."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"scim","__idx":4},"children":["SCIM"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SCIM"]}," (System for Cross-domain Identity Management) lets your IdP manage the full user lifecycle — independently of login events. With SCIM configured, your IdP can:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Create users when they are assigned to the application in the directory"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Update user attributes when they change"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Deprovision users when they are removed from the application or leave the organization"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Because SCIM creates users proactively, they exist in Aritma before their first login."," ","SCIM is configured by creating a SCIM token in Aritma and providing it to your IdP as the provisioning credential. In our SCIM implementation, each token is linked to a specific SSO provider so that provisioned users are associated with an SSO login method. This ensures that provisioned users can log in directly."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"domain-verification","__idx":5},"children":["Domain verification"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["By default, users must be invited via email before they can be created in your tenant. 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Domain verification"]}," lets you prove ownership of an email domain, after which you can create users on that domain directly — without the invitation flow."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Domain verification requires publishing a DNS TXT record. Once the domain status reaches ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Confirmed"]},", direct user creation is enabled for that domain."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"related","__idx":6},"children":["Related"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/sso/overview"},"children":["SSO Setup"]}," — configure SSO providers via the API"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/scim/overview"},"children":["SCIM Provisioning"]}," — configure SCIM tokens and provisioning"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/guides/domains"},"children":["Domains"]}," — verify domain ownership"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/concepts/subjects"},"children":["Subjects"]}," — how user subjects relate to identities"]}]}]},"headings":[{"value":"Aritma ID","id":"aritma-id","depth":2},{"value":"SSO providers","id":"sso-providers","depth":2},{"value":"User provisioning","id":"user-provisioning","depth":2},{"value":"Auto-provisioning","id":"auto-provisioning","depth":3},{"value":"SCIM","id":"scim","depth":3},{"value":"Domain 
verification","id":"domain-verification","depth":2},{"value":"Related","id":"related","depth":2}],"frontmatter":{"title":"Identity and SSO","seo":{"title":"Aritma ID"}},"lastModified":"2026-05-08T13:38:07.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/apis/platform/iam/concepts/identity-sso","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}