Set up SSO authentication with your identity provider (IdP)

At a glance: By integrating AppsFlyer with your identity provider (IdP), AppsFlyer account users can log into AppsFlyer using single sign-on (SSO). Learn about SSO authentication, how to set up SSO with your IdP, and find answers to FAQs.

Set up SSO with your IdP

The configuration process, using the SAML2.0 protocol, is done in three stages. Step 1 includes detailed procedures for the following IdPs:

  • JumpCloud
  • Okta
  • OneLogin
  • Ping Identity

Step 1: Configure the IdP platform

The first stage is configuring the IdP side. 

Configuration procedures for the main IdPs

See the detailed procedures to configure SSO authentication in any of the following IdPs:

Configuration overview for other IdP platforms

Overview of the configuration process on other IdP platforms:

  • An AppsFlyer app is created on the IdP platform, based on the SAML 2.0 protocol, and the AppsFlyer authentication certificate is implemented in the IdP platform
  • Users are assigned to the new AppsFlyer app
  • The IdP certificate or metadata is retrieved for use in AppsFlyer (in Step 2)

 Note

  • When assigning users to the IdP, make sure you're using the same user email as in AppsFlyer so that each user on both platforms has the same email.
  • The AppsFlyer metadata contains:
    • Encryption and signing certificates
    • Entity ID
    • Callback URL

Configure the callback URL  

The default method for authenticating users entering AppsFlyer is from the IdP. This means users are directed to AppsFlyer from the IdP authentication plugin or webpage.

Use the following link to authenticate users from the IdP: https://hq1.appsflyer.com/auth/sso-callback/<Enter your AppsFlyer account ID here>

To get your account ID, contact your CSM.

 Note

Users can also enter AppsFlyer via the AppsFlyer SSO login page by clicking Login with SSO and entering their email address. They will get directed to the IdP for authentication and then redirected to the AppsFlyer homepage. 

AppsFlyer_login_page.png

Step 2: Complete the configuration at AppsFlyer

After configuring the IdP platform, go back to AppsFlyer to complete the configuration. 

  1. From the top-right of the menu bar, click your username (admin) > Security center.
  2. Under Enhanced login security, select Configure login method.
  3. From the Single sign-on (SSO) section, near Upload the IdP SSO certificate, click Add
  4. Add the IdP SSO metadata in either of the following ways:
    • URL address: Paste the URL you copied from the IdP platform in Step 1
    • Upload file: Upload the file you downloaded from the IdP platform in Step 1

      IdP_SSO_certificate__1_.png

  5. Click Import and then Save.
  6. [Optional] Force SSO login: Checking this box makes sure users sign in via SSO and not with their username and password.
    Note:
    • Keeping Force SSO login selected is the recommended method for enforcing a more secure login. It means users trying to log in are authenticated by the IdP and can't log in just with their username and password.
    • The Force SSO login option becomes disabled after turning on and saving the Single sign-on toggle. This means, whether Force SSO login is selected or unselected, it can't be changed. See here how to revert this.
  7. Turn on Single sign-on and click Save.
idp

Step 3: Test the SSO process

After completing the SSO configuration on both platforms—the IdP and AppsFlyer, check to make sure users can log in to AppsFlyer in either of the URL callback methods: your IdP or the service provider (AppsFlyer), but not both.

Test authentication via your IdP

If you've configured the authentication to log in via your IdP, check that users can enter AppsFlyer from the IdP plugin or webpage:

  1. If you're signed in to AppsFlyer and the IdP, sign out from both.
  2. Open a webpage in incognito mode.
  3. Go to your IdP webpage. Since you're not signed in to the IdP, you'll go through an authentication process. Sign in with the relevant user.
  4. Search for and select AppsFlyer. You're directed to the AppsFlyer homepage. This indicates the process was successful.

Test authentication via your service provider (AppsFlyer)

If you've configured the authentication flow to log in via your service provider (AppsFlyer), check that users can enter AppsFlyer using their email:

log_in_to_af_by_email2.png

  1. If you're signed in to AppsFlyer and the IdP, sign out from both.
  2. Open a webpage in incognito mode.
  3. Go to the AppsFlyer login page and click Login with SSO.
  4. Enter the relevant email and click Continue. You're now directed to the IdP for authentication.
  5. After IdP authentication, you're directed back to AppsFlyer as a logged-in user. This indicates the process was successful.

About SSO authentication

Learn about the process of logging into AppsFlyer via single sign-on (SSO) with your identity provider (IdP).

What is SSO authentication?

SSO is an authentication method that allows users to access multiple independent apps, systems, or platforms by logging in once via your identity provider (for example, Okta, Azure AD, or OneLogin). Adding AppsFlyer to your IdP lets your users sign into AppsFlyer directly from your IdP by a single sign-on (SSO) process. This lets your users sign in automatically with more secure authentication using only one set of credentials.

How does SSO authentication work?

The AppsFlyer platform supports SSO verification using the SAML2.0 protocol. By implementing AppsFlyer's authentication certificate into your SAML 2.0 IdP, your IdP generates a token with authenticated user data. The same process is done from your IdP to AppsFlyer—their token is implemented in AppsFlyer.

The authentication certificate

AppsFlyer provides an encryption certificate to encrypt data and sign the SSO request. You can choose which certificate to use:

  • Public encryption certificate: An AppsFlyer certificate (.crt document). You can obtain this certificate from the AppsFlyer metadata URL (see below).
  • Signed encryption certificate: An AppsFlyer certificate signed by Amazon. To get this certificate, contact your CSM.

Obtaining the AppsFlyer certificate from the metadata URL

  1. Open the AppsFlyer metadata URL and find use="signing" or use="encryption".
  2. Copy the data from the X509Certificate element.
  3. Paste it into a new text file.
  4. Insert "-----BEGIN CERTIFICATE-----" to the beginning of the file.
  5. Append "-----END CERTIFICATE-----" to the end of the file.
  6. Save the text file with a .CRT extension.

Considerations

  • Prerequisite: Users must be set up in both systems (AppsFlyer and the IdP) using the same email
  • Only an admin can activate or deactivate SSO
  • If the feature is set to SSO-only mode, all users must log in using only SSO and specific users can’t be excluded
  • It's not recommended to enable both SSO with another authentication method (such as username and password)

Deactivating SSO authentication

When deactivating SSO authentication, users will be able to log in using other methods, such as their AppsFlyer usernames and passwords and the 2FA method.

  1. From the top-right of the menu bar, click your username (admin) > Security center.
  2. Under Enhanced login security, select Configure login method.
  3. From the Single sign-on (SSO) section, turn off the Single sign-on toggle.

FAQ

Find answers to frequently asked questions about SSO login.

Can users log in using both SSO and 2FA methods?

Only one security login method can be used at a time, either SSO or 2FA.

  • To activate the 2FA method when SSO is active: First deactivate SSO, then activate 2FA
  • To activate the SSO method when 2FA is active: First deactivate 2FA, then activate SSO

Why can't some users connect using SSO?

Make sure all user emails are set up in both systems—in your IdP and in the AppsFlyer platform. If that isn't the reason, contact your CSM to find why and how to fix it. In the meantime, your CSM can temporarily disable the Force SSO login option so that users can log in using their email and password. 

Do I need a test environment to test setup before setting the configuration?

A test environment isn’t required. Follow the steps in Step 3 to test the SSO login, either from the IdP or the service provider's side (AppsFlyer).

What should I do before the AppsFlyer certificate expires?

Before the certificate expires, AppsFlyer issues an announcement on the platform that a new certificate will be issued. Make sure to update the IdP with the new certificate, found in the AppsFlyer metadata URL.

Force SSO login is disabled, how can I enable it?

Once the Force SSO login option is selected and the configuration is saved, this option becomes disabled. To revert and have Force SSO login enabled, you'll need to re-configure step 2 of the SSO process from the beginning.

 Note

Keeping Force SSO login selected is the recommended method for enforcing a more secure login. It means users trying to log in are authenticated by the IdP and can't log in with their username and password.