Search

Enable SSO for your organisation

Airwallex offers Single Sign-On (SSO) as a login option to provide additional account security for your organisation. SSO allows company administrators to enforce the use of an Identity Provider (IdP) when users log in to Airwallex, so authentication is centrally controlled by your IT team and you no longer need to rely on individual passwords.

Who can configure this feature: Owners and Admin users. Learn more about User Roles.

Plan availability: Available on the Accelerate plan. In the US and Canada, available on both the Grow and Accelerate plans. Single Sign-On (SSO) is currently in beta and available on request. To enable this feature for your organisation, please contact your dedicated Airwallex account manager. Once access has been enabled, you can follow the steps below to complete the setup.

In this article we cover the end-to-end steps required to enable SSO login for your organisation, including:

  • Creating the Airwallex application in your IdP
  • Verifying ownership of your domain
  • Reviewing your existing users before activation
  • Troubleshooting common issues

Step 1: Create the Airwallex app in your IdP

Complete the following steps directly in your IdP. For detailed step-by-step instructions, refer to the dedicated guide: Set up SSO with Okta.

If your organisation uses a different identity provider, please reach out to your dedicated account manager to discuss integration.

Once you've completed those steps, return to Airwallex to continue the setup. 

Step 2: Configure the connection in Airwallex and test it

In Airwallex, navigate to Settings → Connections → Security → Select your IdP and click Set up.

Enter the connection details (such as the Issuer URL, Client ID, and Client secret) generated by your IdP. The exact fields depend on the provider.

Set up SSO.png
The following screenshot shows sample connection details required to enable SSO with Okta.

Once you have entered the configuration, click Test connection and continue. Airwallex will validate the connection end-to-end before allowing you to proceed. If the test fails, review the configuration in your IdP (most issues are caused by mismatched redirect URIs or missing user assignments) and try again.

Step 3: Verify your domain

Before you can enable SSO, you must verify ownership of at least one domain. Once verified, any user in your Airwallex organisation whose email address matches that domain becomes eligible to sign in via SSO.

To verify your domain:

  1. Enter the domain you want to verify and click Add domain.

    Adding domain.png
    Verification in progress.png
    Airwallex will generate a unique TXT record (verification key) for this domain.
  2. Sign in to your DNS provider, open the DNS records for your domain, and add a new TXT record provided by Airwallex. Save the record.

  3. Return to the Airwallex SSO configuration page and click Verify selected. Airwallex will perform a DNS lookup to confirm the TXT record is present. If successful, the domain status updates to Verified.

    Verification in progress.png
  4. Verification can take 24–48 hours to propagate, but you may proceed with configuration in the meantime. SSO will remain inactive for any domains still pending verification. Click Continue to move to the next step.

Important: Do not delete the TXT record from your DNS provider after verification. Airwallex periodically re-checks ownership, and removing the record may cause your organisation to lose SSO access.

A few additional things to keep in mind:

  • A domain can only be associated with one Airwallex organisation at a time. If you receive an error stating that the domain is already in use, please contact Airwallex support.
  • You can verify multiple domains for the same organisation if your users sign in with different email domains.

Step 4: Nominate a backup user for login

Before activating SSO, you must nominate at least one Owner or Admin to retain standard email and password login access. This ensures you always have a backup sign-in method should your IdP be unavailable.

Step 5: Review your users before enforcing SSO

Before you activate SSO, take a moment to review user access. SSO will only apply to users whose email address matches one of your verified domains. Any user with an email outside those domains will continue to sign in using their email and password — they will not be routed through SSO.

Use the Filters to identify users who can log in with a password by clicking Filters and applying a filter where the New login method value is Password. This is the right time to clean up your user list:

  • Offboard any user who should no longer have access to your Airwallex organisation. Remove them in Settings → User Management before activating SSO.
  • Review external collaborators and guests. If you work with contractors, auditors, or partners who use a personal email address or another company's domain, decide whether they should keep access. Once SSO is active, those users will fall outside your IdP's control.
  • Adopt a dedicated guest/external domain pattern where possible. Industry best practice for managing external collaborators is to bring them into your own IdP as guest identities so they authenticate through your IdP under a separate user pool, rather than logging in to Airwallex with a non-managed email and password. This keeps all access centrally governed and avoids "shadow" users that bypass your SSO controls.

Once you are satisfied with the user list, you can move on to activation.

Step 6: Activate SSO

On the final review screen, click Activate SSO, your SSO configuration is applied immediately. From that moment, any user with an email address matching one of your verified domains who visits your organisation's sign-in URL will be routed through the SSO flow.

Troubleshooting common issues

Domain verification

Q: Why is my domain verification failing, and what should I do to troubleshoot the issue?

If verification fails immediately, please wait 15–30 minutes and try again. This delay is normal: DNS changes can take up to 24 hours (sometimes longer) to propagate globally, and verification attempts may fail during this period even if the TXT record is correctly configured.

If verification is still unsuccessful after 24 hours, double-check that:

  • The TXT record was added to the correct domain.
  • The Name/Host and Value/Content exactly match what Airwallex provided (including any prefixes or trailing characters).
  • You have not added the record to a subdomain by mistake.

If the issue persists after confirming your records are correct, contact Airwallex support for further assistance.

Q: Can I configure multiple identity providers for a single organisation?

No. At this time, Airwallex supports a single IdP per organisation.

Managing your SSO setup

Q: What happens if I disable SSO and re-enable it later?

If you disable SSO, any domains you have already verified will remain verified, and you can re-enable SSO at any time without verifying the domain again. However, if you delete a verified domain from the SSO dashboard, you will need to add and verify that domain again before SSO can be activated for it.

Q: When I enable SSO, does it mean every user in my organisation must use SSO?

No. Enabling SSO only applies to users in your organisation whose email address matches one of your verified domains. Users with email addresses outside those domains can still authenticate with email and password — this allows you to support guest users or external collaborators if needed.

For better security and central control, we recommend reviewing your user list before activating SSO and either removing users who should no longer have access or onboarding external collaborators through your own IdP as guest identities. 

Related to

Was this article helpful?

1 out of 1 found this helpful

Have more questions? Submit a request