Grant access via Alternative methods

Explore alternative methods for granting Partners access to Klarna Portal when the recommended Deep Link + AP Button approach cannot be implemented due to technical or business constraints.

Overview

When the recommended Deep Link + AP Button approach cannot be implemented, Klarna supports two alternative methods:

Method	Description	When to use
User Access Management API	API-based access for creating and managing semi-permanent user accounts in Klarna Portal. Users receive invitation emails and set up their own passwords.	For Acquiring Partners without an admin portal or when Partners need to request access through a manual process.
Identity Provider (IdP) via SAML	Delegates authentication to your system using SAML v2.0 protocol. You become the Identity Provider, and Klarna acts as the Service Provider.	For Acquiring Partners with advanced technical capabilities to implement SAML IdP, providing seamless single sign-on experience.

These methods are alternatives to the recommended approach. They may require additional technical implementation or result in less seamless user experience. Discuss with your Klarna representative before choosing an alternative method.

Acquiring Partner as Identity Provider (IdP)

An Identity Provider (IdP) is a system that authenticates users and authorizes their access to applications and services. In this setup, you act as the IdP and Klarna acts as the Service Provider (SP).

Benefits of IdP integration

By leveraging SAML v2.0, this setup ensures:

Secure Authentication: User credentials remain securely managed by your IdP
Policy Enforcement: Enables your security policies such as MFA
Enhanced Efficiency and Compliance: Centralized user management
Seamless SSO: Partners authenticate once and access multiple services

Prerequisites

Before implementing IdP integration, ensure you have:

SAML 2.0 IdP infrastructure in place
Ability to generate and sign SAML assertions
Certificate management capabilities
User attribute mapping configuration

Implementation steps

Step 1: Share SAML configuration with Klarna

Provide Klarna with the required SAML configuration details:

IdP metadata XML or equivalent configuration
X.509 certificate for signing SAML assertions
IdP entity ID
Single Sign-On (SSO) endpoint URL
Single Logout (SLO) endpoint URL (if supported)

Klarna will complete the necessary configuration to accept SAML assertions from your IdP.

Step 2: Set up Klarna Portal as the Service Provider

Configure Klarna Portal to accept SAML assertions from your IdP
Enforce MFA during SAML authentication for enhanced security
Configure assertion consumer service (ACS) URL provided by Klarna
Set appropriate SAML binding (HTTP-POST recommended)

Step 3: Map user attributes

Define and map user attributes from your IdP to the corresponding Klarna Portal users. Required attributes include:

Attribute	Description	Required
`email`	User's email address (used as unique identifier)	Yes
`account_id`	Partner Account ID in Klarna (e.g., `krn:partner:global:account:test:MB6KIE1P`)	Yes
`roles`	Array of role identifiers (e.g., `merchant:admin`)	Yes
`given_name`	User's first name	Optional
`family_name`	User's last name	Optional

Step 4: Handle SAML authentication requests

When Partners attempt to access Klarna Portal:

Klarna sends a SAML authentication request to your IdP
Your IdP authenticates the user according to your policies
Your IdP generates a SAML assertion with user attributes
Your IdP signs the assertion and sends the SAML response to Klarna
Klarna validates the assertion and grants access

Step 5: Testing

Before going live, test the complete SAML flow:

Initiate authentication from Klarna Portal
Verify authentication redirects to your IdP
Complete authentication at your IdP
Verify successful redirect back to Klarna Portal
Confirm appropriate access based on roles

The SAML IdP solution requires coordination with Klarna for configuration. If you are interested in proceeding with this option for Partner Portal access, please reach out to your Klarna representative to discuss further.

User Access Management API

Klarna Portal accounts can be created via createUserAccess Klarna Icon endpoint.

When to use this method

Use the User Access Management API when:

You don't have a Partner-facing admin portal
Partners need to manually request access (e.g., via support ticket)
You want to manage Partner users programmatically
Long-term access without frequent re-authentication is preferred

How it works

User requests Access: Partners request access through your defined process (e.g., support ticket, self-service form)
Integration: Your system calls the User Access Management API to create access
Email invitation: Klarna sends an invitation email to the Partner
Partner activation: Partner follows the activation flow (accept T&Cs, set up password and 2FA)

Implementation steps

Important: This method requires JWT signing with a client certificate. If you haven't completed the JWT setup yet, follow the JWT signing setup.

Build and sign your JWT

After completing the JWT signing setup, create your JWT with the following structure:

Sample header

{
  "alg": "ES256",
  "typ": "JWT",
  "x5c": ["<your_cert_base64>"]
}

Sample payload

JSON

{
  "iss": "krn:partner:global:account:live:LYABCDEI",
  "jti": "a4728c02-9885-41bf-b539-251ffa7f7eaa",
  "sub": "portal.user@merchant.com",
  "iat": 1716768000,
  "exp": 1716892720,
  "account_id": "krn:partner:global:account:test:MB6KIE1P",
  "on_behalf_of": "krn:partner:global:account:test:MB6KIE1P",
  "roles": ["merchant:admin"],
  "expires_at": "2024-12-31",
  "inactivity_grace_period": "P30D"
}

Note: Unlike deep linking, the User Access Management API JWT does not require the amr field.

Optional JWT claims

In addition to the required claims shown above, you can include optional claims to control access duration:

Claim	Description	Format	Example
`expires_at`	The date when the user's access expires. Must be a future date.	YYYY-MM-DD	`2024-12-31`
`inactivity_grace_period`	How long the access remains valid after user inactivity. Must be between 1 day and 6 months.	ISO 8601 duration	`P30D` (30 days) or `P3M` (3 months)

See the full JWT parameter documentation here Klarna Icon .

Create user access

User access for Partners is created using a POST request to createUserAccess Klarna Icon endpoint.

Request payload:

{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.<....>SMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

On success, the endpoint responds with 201 Created and dispatches an invitation email to the specified address. If that address is already registered, no new email will be sent.

You can define the level of access granted to the user by setting the roles array in the JWT payload.

What happens next:

Klarna creates a Portal user for the supplied email (sub in JWT)
Klarna gives the user access to the specified account
Klarna sends an invitation email containing an activation link
User follows the activation flow:
1. Accept Terms & Conditions
2. Update their given name and family name
3. Set up password
4. Configure two-factor authentication (2FA)

Deleting user access

User access can be deleted at any time. Make a DELETE request to deleteUserAccess Klarna Icon endpoint, with optional query parameters:

Parameter	Description
`account_id`	The Partner Account ID of the access to delete
`on_behalf_of`	When specified, only the specific access with this `on_behalf_of` value will be deleted
`principal`	The ID or email of the user to delete the access from

Warning: If no parameters are supplied, all user access created by you will be deleted.

If both account_id and principal parameters are provided, they are combined to precisely target and delete the user's access to the specified Partner account.

When user access is revoked, the user's access to the Partner account will be removed within 5 minutes.