Using SSO verification

At a glance: Allow account users to log in to AppsFlyer with single sign-on (SSO) by integrating AppsFlyer with your SSO identity provider.

What is SSO?

Your identity and access management system—Okta, Azure AD, OneLogin, and so on—acts as your identity provider (IdP) and generates a token with authenticated user data.

The IdP gets 2 certificates—a self-signed AppsFlyer certificate used to encrypt data and a certificate for validating the request signature. To integrate AppsFlyer with your company’s IdP, SSO metadata is exchanged and the systems are updated.

Considerations

  • Users must be set up in both systems. AppsFlyer has to be able to identify user emails.
  • The solution handles service provider (SP)-initiated login. Users can’t log in by clicking an icon in their IdP.
  • If the feature is set to SSO-only mode, specific users can’t be excluded. All users must log in using only SSO.
  • Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate must be reuploaded.

Login settings

Only an admin can activate or deactivate SSO.

  • Login is done via the AppsFlyer interface.
  • The chosen setting applies to everyone — admins and all account users.
  • Account users at the time of activation will be permitted to log in and prompted to set up SSO at their next login.
  • If SSO is activated or deactivated, it applies to account users.

SSO and IdP SSO certificates

The AppsFlyer platform supports SSO verification that uses SAML2.0 technology.

To copy certificates and implement SSO:

  1. From the menu bar, access the user menu (email address drop-down).
  2. Select Security center.
  3. In the Enhanced login security section, click Configure login method to access the Login security page.
  4. In the Single sign-on (SSO) section, go to the Copy AppsFlyer certificate field.
  5. Click the Copy icon to get certificate content. 
  6. [Optional] Click View to open an AppsFlyer SSO certificate message with certificate details: Entity ID, Encryption key, and Location URL.
  7. Implement the copied certificate values in your SAML 2.0 IdP.
  8. Return to the Login security page > Import or upload IdP SSO certificate > Click Add.
  9. In the IdP SSO certificate message, choose 1 option then import/upload your SSO certificate:
    • Click Import from URL > Enter URL address > Click Import Save
      OR
    • Click Upload file (.xml file) > Click Upload Save

Login security page

Admin: To activate or deactivate SSO, access the user menu (email address drop-down) > Security center. In the Enhanced login security section, click Configure login method to access the Login security page.

In the Single sign-on (SSO) section there are 2 login modes:

  • SSO-only mode (with forced SSO login): Users must log in using SSO
  • Hybrid mode: Users can choose to log in with SSO or with their AppsFlyer username and password

Activate hybrid mode

In this mode, login is possible using either SSO or the user's AppsFlyer username and password.

To activate hybrid mode:

  1. Activate the SSO toggle.
  2. Read the notification. It indicates required IdP configurations: 
    • Users must be assigned to AppsFlyer
    • User emails must be identifiable by AppsFlyer
  3. Click Activate.

Activate SSO-only mode

In this mode, login is only possible using SSO and only via the AppsFlyer interface.

To activate SSO-only mode:

  1. Select the Force SSO login checkbox.
  2. Read the notification. It indicates required IdP configurations: 
    • Users must be assigned to AppsFlyer
    • User emails must be identifiable by AppsFlyer
  3. Click Enable.
  4. Activate the SSO toggle.
  5. Read the notification. It indicates required IdP configurations: 
    • Users must be assigned to AppsFlyer
    • User emails must be identifiable by AppsFlyer
  6. Click Activate.

Deactivate hybrid and SSO-only modes

Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate needs to be reuploaded.

  • To disable forced SSO login, it is NOT enough to unmark the checkbox.
  • It is necessary to deactivate the SSO toggle to disable Forced SSO login.

To deactivate both SSO modes and disable Forced SSO login:

  1. Deactivate the SSO toggle.
  2. Read the notification:
    • SSO login will be deactivated
    • IdP SSO metadata will be deleted
  3. Click Deactivate; this both deactivates SSO and disables forced SSO login.
  4. Users will now log in using their AppsFlyer usernames and passwords.

Delete IdP metadata

Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate must be reuploaded.

To delete: 

  1. Click the delete icon (trash can) beside the IdP SSO certificate file.
  2. Read the notification: SSO login will be deactivated and IdP SSO metadata deleted.
  3. Click Delete.
  4. If necessary, upload another IdP SSO certificate.

SSO and 2FA options

Only 1 security login option can be used at a time, SSO or 2FA.

  • If SSO is active, then deactivate SSO and activate 2FA
  • If 2FA is active, then deactivate 2FA and activate SSO

FAQ | Troubleshooting

Why can't some users connect using SSO?

Make sure all user emails are set up in both systems: in your IdP and in the AppsFlyer platform.

Why do I get a 503 message when I log in using my email address?

Make sure that your email is set up in both systems, IdP and AppsFlyer.

How do I test the SSO login?

Activate the SSO login in hybrid mode. While testing, users can log in using their AppsFlyer username and password.

Do I need a test environment to test setup before pushing to production?

A test environment isn’t required:

  • Hybrid mode lets you test the setup without interfering with the existing workflow.
  • While testing, users can log in using their AppsFlyer username and password.

Test as follows:

  1. Activate the SSO login in hybrid mode using either production or testing metadata.
  2. Test the login.

Do I need to update the validUntil field in the metadata?

The field includes the following: 

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-11-12T09:32:23.418436776Z" entityID="https://hq1.appsflyer.com">

The date is automatically updated—extended by 7 days—every time the metadata document is used.
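To check a metadata file before loading it into an IdP or uploading it here, the following added example (not AppsFlyer code) reads the entityID, validUntil, and the signing and encryption certificates from a SAML 2.0 metadata document. The sample document is constructed around the EntityDescriptor line quoted above, the certificate values are placeholders, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: only the EntityDescriptor attributes come from the page.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2020-11-12T09:32:23.418436776Z" entityID="https://hq1.appsflyer.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER-SIGNING</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER-ENCRYPTION</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""

def parse_valid_until(value):
    """Parse an xs:dateTime whose fraction may have nanosecond precision."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)", value)
    if not m:
        raise ValueError(f"unparseable validUntil: {value!r}")
    base, frac, tz = m.groups()
    micro = (frac or "0")[:6].ljust(6, "0")  # datetime stores microseconds only
    tz = "+0000" if tz == "Z" else tz.replace(":", "")
    return datetime.strptime(f"{base}.{micro}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z")

def inspect_metadata(xml_text, now=None):
    """Return entityID, validUntil, expiry status and certificate uses."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    now = now or datetime.now(timezone.utc)
    raw = root.get("validUntil")
    valid_until = parse_valid_until(raw) if raw else None
    uses = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        cert = kd.find(f".//{{{DS}}}X509Certificate")
        if cert is not None and (cert.text or "").strip():
            uses.append(kd.get("use", "signing+encryption"))  # no 'use' means both
    return {
        "entity_id": root.get("entityID"),
        "valid_until": valid_until,
        "expired": valid_until is not None and valid_until <= now,
        "key_uses": sorted(uses),
    }
```

Calling inspect_metadata(SAMPLE) with the current time reports the sample as expired, because its validUntil is the 2020 timestamp quoted above.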

How is the AppsFlyer certificate renewed?

Before the certificate expires:

  • AppsFlyer will issue an announcement that a new certificate will be issued.
  • You must then update the IdP with the new certificate.