Enterprise SSO for K-Series Back Office

What is SSO?

Single Sign-On (SSO) allows your employees to log in to K-Series Back Office using your company’s existing corporate login — the same one they already use for email, Teams, Slack, and other work tools. No more separate K-Series passwords.

We support any identity provider that complies with the OIDC (OpenID Connect) protocol, including:

Google Workspace
Okta
Microsoft Entra ID (Azure AD)

How it works

Accessing the K-Series Back Office is quick and secure using your company’s Single Sign-On (SSO). By routing authentication through your identity provider, you can log in instantly without needing a separate K-Series password.

Step 1

Navigate to Login:

Go to the K-Series Back Office login page.

Step 2

Select SSO:

Click the Log in with Enterprise SSO option.

Step 3

Enter Email:

Type in your company email address.

For example: name@yourcompany.com

Step 4

Authenticate:

You’ll be redirected to your company’s login portal (such as Okta or Entra ID) to complete your standard login and any MFA.

Step 5

Access Granted:

Once authenticated, you will automatically land back in the K-Series Back Office, fully logged in.

Require information to enable the Beta

To set up SSO for your organisation, please provide the details below for both your test and production environments. We will set up the test environment first to verify everything works. If all goes well, we will then proceed with production.

Business name: Your company/business name
Environment: Test or Production
Client ID: From your IdP’s OIDC app registration
Client Secret
Issuer URL: Your IdP’s OIDC issuer URL (e.g. https://login.microsoftonline.com/{tenant}/v2.0)
Email Domains: The domain(s) that should use SSO (e.g. yourcompany.com)

Setup process

Note: Users can log back in at any time with their username and password. If they cannot remember their password, they can easily reset it using the standard recovery flow.

You provide the details above for your test environment.
We configure the connection and verify the setup works.
You test by logging in with a test user to confirm the flow.
You provide the Production environment details.
We configure Production and flip the switch when you are ready.

Important notes

Back Office only

POS terminal login is unchanged.

Per email domain

Users with an email address on your configured domain (e.g. @yourcompany.com) must use SSO. Username/password sign-in will no longer work for them.

Users must be created first

An admin still needs to create the user in K-Series Back Office and assign roles and permissions. SSO does not auto-create users.

Contractors keep login details

Contractors with a different domain (e.g. @agency.com) continue to use username/password as normal.

Password reset emails are disabled

This applies to SSO users to prevent shadow credentials.

Opt-in and fully reversible

We can disable SSO at any time and switch back to username and password.

FAQs

What do I still manage after setup?

Creating users: Add users in K-Series Back Office as normal (email + role + location assignments).

Roles & permissions: Assigned in K-Series, not in your IdP.

Offboarding: Remove users in the Back Office to disable access. This will not happen automatically via SSO.

What if our IdP goes down?

Reach out to Support. We can help you get unblocked and, for example, temporarily disable SSO.

Can we have multiple domains?

Yes. Provide all domains that should use SSO.

What about users with emails on a non-SSO domain?

They continue using username/password as before. SSO enforcement is per email domain, not per business or location.

Do we need to share passwords with new employees?

No. They can click “SSO login” to access the K-Series Back Office.

What happens if we disable SSO later?

Users can log in again with their username and password. If they forgot the password, they can use the reset password flow.

lightspeedhq.com