Set up SSO authentication with your identity provider (IdP)

The first stage is configuring the IdP side. 

Configuration procedures for the main IdPs

See the detailed procedures to configure SSO authentication in any of the following IdPs:

• JumpCloud
• Okta
• OneLogin
• Ping Identity

Configuration overview for other IdP platforms

Overview of the configuration process on other IdP platforms:

• An AppsFlyer app is created on the IdP platform, based on the SAML 2.0 protocol, and the AppsFlyer authentication certificate is implemented in the IdP platform
• Users are assigned to the new AppsFlyer app
• The IdP certificate or metadata is retrieved for use in AppsFlyer (in Step 2)

Configure the callback URL  

The default method for authenticating users entering AppsFlyer is from the IdP. This means users are directed to AppsFlyer from the IdP authentication plugin or webpage.

Use the following link to authenticate users from the IdP: https://hq1.appsflyer.com/auth/sso-callback/<Enter your AppsFlyer account ID here>

To get your account ID, contact your CSM.

After configuring the IdP platform, go back to AppsFlyer to complete the configuration. 

1. From the top-right of the menu bar, click your username (admin) > Security center.
2. Under Enhanced login security, select Configure login method.
3. From the Single sign-on (SSO) section, near Upload the IdP SSO certificate, click Add. 
   
4. Add the IdP SSO metadata in either of the following ways:
   • URL address: Paste the URL you copied from the IdP platform in Step 1
     
   • Upload file: Upload the file you downloaded from the IdP platform in Step 1
     

     

5. Click Import and then Save.
6. [Optional] Force SSO login: Checking this box makes sure users sign in via SSO and not with their username and password.
   Note:
   • Keeping Force SSO login selected is the recommended method for enforcing a more secure login. It means users trying to log in are authenticated by the IdP and can't log in just with their username and password.
   • The Force SSO login option becomes disabled after turning on and saving the Single sign-on toggle. This means, whether Force SSO login is selected or unselected, it can't be changed. See here how to revert this.
7. Turn on Single sign-on and click Save.

After completing the SSO configuration on both platforms—the IdP and AppsFlyer, check to make sure users can log in to AppsFlyer in either of the URL callback methods: your IdP or the service provider (AppsFlyer), but not both.

Test authentication via your IdP

If you've configured the authentication to log in via your IdP, check that users can enter AppsFlyer from the IdP plugin or webpage:

1. If you're signed in to AppsFlyer and the IdP, sign out from both.
2. Open a webpage in incognito mode.
3. Go to your IdP webpage. Since you're not signed in to the IdP, you'll go through an authentication process. Sign in with the relevant user.
4. Search for and select AppsFlyer. You're directed to the AppsFlyer homepage. This indicates the process was successful.

Test authentication via your service provider (AppsFlyer)

If you've configured the authentication flow to log in via your service provider (AppsFlyer), check that users can enter AppsFlyer using their email:

1. If you're signed in to AppsFlyer and the IdP, sign out from both.
2. Open a webpage in incognito mode.
3. Go to the AppsFlyer login page and click Login with SSO.
4. Enter the relevant email and click Continue. You're now directed to the IdP for authentication.
5. After IdP authentication, you're directed back to AppsFlyer as a logged-in user. This indicates the process was successful.

SSO is an authentication method that allows users to access multiple independent apps, systems, or platforms by logging in once via your identity provider (for example, Okta, Azure AD, or OneLogin). Adding AppsFlyer to your IdP lets your users sign into AppsFlyer directly from your IdP by a single sign-on (SSO) process. This lets your users sign in automatically with more secure authentication using only one set of credentials.

The AppsFlyer platform supports SSO verification using the SAML2.0 protocol. By implementing AppsFlyer's authentication certificate into your SAML 2.0 IdP, your IdP generates a token with authenticated user data. The same process is done from your IdP to AppsFlyer—their token is implemented in AppsFlyer.

AppsFlyer provides an encryption certificate to encrypt data and sign the SSO request. You can choose which certificate to use:

• Public encryption certificate: An AppsFlyer certificate (.crt document). You can obtain this certificate from the AppsFlyer metadata URL (see below).
• Signed encryption certificate: An AppsFlyer certificate signed by Amazon. To get this certificate, contact your CSM.

Obtaining the AppsFlyer certificate from the metadata URL

1. Open the AppsFlyer metadata URL and find use="signing" or use="encryption".
2. Copy the data from the X509Certificate element.
3. Paste it into a new text file.
4. Insert "-----BEGIN CERTIFICATE-----" to the beginning of the file.
5. Append "-----END CERTIFICATE-----" to the end of the file.
6. Save the text file with a .CRT extension.

• Prerequisite: Users must be set up in both systems (AppsFlyer and the IdP) using the same email
• Only an admin can activate or deactivate SSO
• If the feature is set to SSO-only mode, all users must log in using only SSO and specific users can’t be excluded
• It's not recommended to enable both SSO with another authentication method (such as username and password)

When deactivating SSO authentication, users will be able to log in using other methods, such as their AppsFlyer usernames and passwords and the 2FA method.

1. From the top-right of the menu bar, click your username (admin) > Security center.
2. Under Enhanced login security, select Configure login method.
3. From the Single sign-on (SSO) section, turn off the Single sign-on toggle.

Only one security login method can be used at a time, either SSO or 2FA.

• To activate the 2FA method when SSO is active: First deactivate SSO, then activate 2FA
• To activate the SSO method when 2FA is active: First deactivate 2FA, then activate SSO

Make sure all user emails are set up in both systems—in your IdP and in the AppsFlyer platform. If that isn't the reason, contact your CSM to find why and how to fix it. In the meantime, your CSM can temporarily disable the Force SSO login option so that users can log in using their email and password. 

A test environment isn’t required. Follow the steps in Step 3 to test the SSO login, either from the IdP or the service provider's side (AppsFlyer).

Before the certificate expires, AppsFlyer issues an announcement on the platform that a new certificate will be issued. Make sure to update the IdP with the new certificate, found in the AppsFlyer metadata URL.

Once the Force SSO login option is selected and the configuration is saved, this option becomes disabled. To revert and have Force SSO login enabled, you'll need to re-configure step 2 of the SSO process from the beginning.