Single Sign-On in cart

Last updated: 13-Oct-2021

Use the getSingleSignOnInCart method. Avangate attaches a unique token to links. The token identifies returning shoppers and supports the automatic extraction of payment data and billing information from the Avangate system. For example, you can generate single sign-on in cart links for existing customers logged into your website, based on their external or Avangate customer IDs.

How does this work?

When accessing the shopping cart using tokenized payment links:

  • Avangate automatically prefills the customer billing and delivery details associated with their Avangate customer accounts (linked based on their unique customer IDs).
  • Avangate presents shoppers with an optimized payment area featuring the credit / debit cards used for previous purchases / transactions in the Avangate system. Customers can select one of the payment methods, depending on the available card-on-file data.





Parameters, named as in the sample call on this page:

sessionID
Required (string)
Session identifier, the output of the Login method. Include the sessionID in all your requests. Avangate throws an exception if the values are incorrect. The sessionID expires in 10 minutes.

IdCustomer
Required (string)
Unique customer identifier. Can be either the ExternalCustomerReference you control or the system-generated AvangateCustomerReference.

CustomerType
Required (string)
Possible values:

  • ExternalCustomerReference
  • AvangateCustomerReference

Url
Required (string)
The shopping cart URL. Avangate redirects shoppers to this URL.
Possible values: any buy link you generate from the cPanel or using the API.
Note: For the time being, payment tokenization does not support Express Payments Checkout or the Avangate mobile shopping cart.

ValidityTime
Optional (int)
The time, in seconds, before the single sign-on URL expires. By default, the URL expires after 10 seconds.

ValidationIp
Optional (string)
The IP address of the shopper, necessary for security purposes. Can be an empty string, a valid IP, or null.


Single sign-on URL



The generated string is the tokenized, time-limited single sign-on URL pointing to the Avangate shopping cart.


Note: Each SSO link clears any previous cart sessions. Shoppers using multiple SSO links would purchase only a single product at a time.

If shoppers add multiple products to the cart via SSO buy links and then use a non-SSO link, they'll purchase all items in the same order.

When you use single sign-on in cart for customers without cards on file in the Avangate system, the generated tokenized link prefills the billing information, but the purchase process requires that shoppers provide payment information, such as a credit or debit card.



Important! You can use the value of the logintoken to retrieve customer information by SSO token.



<?php

$host   = ""; // API host (blank on this page)
$client = new SoapClient($host . "/soap/4.0/?wsdl", array(
    'location' => $host . "/soap/4.0/",
    "stream_context" => stream_context_create(array(
        'ssl' => array(
            // Keep certificate and host name verification on: the session ID
            // and the SSO link travel over this connection.
            'verify_peer' => true,
            'verify_peer_name' => true
        )
    ))
));

// HMAC-MD5 of $data under $key, hex encoded
// (same output as hash_hmac('md5', $data, $key)).
function hmac($key, $data)
{
    $b = 64; // byte length for md5
    if (strlen($key) > $b) {
        $key = pack("H*", md5($key));
    }
    $key    = str_pad($key, $b, chr(0x00));
    $ipad   = str_pad('', $b, chr(0x36));
    $opad   = str_pad('', $b, chr(0x5c));
    $k_ipad = $key ^ $ipad;
    $k_opad = $key ^ $opad;
    return md5($k_opad . pack("H*", md5($k_ipad . $data)));
}

$merchantCode = "YOUR_MERCHANT_CODE"; // your account's merchant code, available in the 'System settings' area of the cPanel
$key          = "YOUR_SECRET_KEY";    // your account's secret key, available in the 'System settings' area of the cPanel
$now          = gmdate('Y-m-d H:i:s'); // gmdate() returns UTC regardless of the default timezone

// Login hash: HMAC over the length-prefixed merchant code and timestamp.
$string = strlen($merchantCode) . $merchantCode . strlen($now) . $now;
$hash   = hmac($key, $string);

try {
    $sessionID = $client->login($merchantCode, $now, $hash);
} catch (SoapFault $e) {
    echo "Authentication: " . $e->getMessage();
    exit; // no session, nothing further to call
}

$IdCustomer   = '352365983';
$CustomerType = 'AvangateCustomerReference';
$Url          = '';   // buy link generated from the cPanel or the API
$ValidityTime = 50;   // seconds before the SSO URL expires
$ValidationIp = null; // shopper IP, empty string or null

try {
    $ssoLINK = $client->getSingleSignOnInCart($sessionID, $IdCustomer, $CustomerType, $Url, $ValidityTime, $ValidationIp);
} catch (SoapFault $e) {
    echo "ssoLINK: " . $e->getMessage();
    exit;
}

var_dump("ssoLINK", $ssoLINK);
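
An added example, not part of the original page and not Avangate's own code: argument checks a merchant backend could run before calling getSingleSignOnInCart, so that a link is only requested for a documented customer type, an HTTPS cart URL on an expected host, a short validity window and a well-formed shopper IP. The function name buildSsoArgs, the host allowlist and the 60-second cap are assumptions made for the illustration.

```php
<?php
// Local policy values (assumptions, not Avangate settings).
const ALLOWED_CART_HOSTS   = ['secure.example.com']; // placeholder cart host
const MAX_VALIDITY_SECONDS = 60;

// Returns the positional arguments for getSingleSignOnInCart, or throws.
function buildSsoArgs(string $sessionID, string $idCustomer, string $customerType,
                      string $url, int $validityTime, ?string $shopperIp): array
{
    if ($sessionID === '' || $idCustomer === '') {
        throw new InvalidArgumentException('sessionID and customer ID are required');
    }
    // Only the two customer types listed on the page are accepted.
    $types = ['ExternalCustomerReference', 'AvangateCustomerReference'];
    if (!in_array($customerType, $types, true)) {
        throw new InvalidArgumentException('unknown customer type');
    }
    // Shoppers are redirected to this URL with the token attached, so it
    // must be an HTTPS link on a host you expect.
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($parts['host'] ?? ''), ALLOWED_CART_HOSTS, true)) {
        throw new InvalidArgumentException('cart URL must be HTTPS on an allowed host');
    }
    // Keep the tokenized link short-lived.
    if ($validityTime < 1 || $validityTime > MAX_VALIDITY_SECONDS) {
        throw new InvalidArgumentException('validity time out of range');
    }
    // The page allows a valid IP, an empty string or null.
    if ($shopperIp !== null && $shopperIp !== ''
        && filter_var($shopperIp, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('shopper IP is not a valid address');
    }
    return [$sessionID, $idCustomer, $customerType, $url, $validityTime, $shopperIp];
}

// Constructed sample values; pass the result on with
// $client->getSingleSignOnInCart(...$args) once $client is logged in.
$args = buildSsoArgs('SESSION_ID_FROM_LOGIN', '352365983', 'AvangateCustomerReference',
    'https://secure.example.com/order/checkout.php?PRODS=1', 50, '203.0.113.7');
var_dump($args);
```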
