At a glance: By integrating AppsFlyer with your identity provider (IdP), AppsFlyer account users can log into AppsFlyer using single sign-on (SSO). Learn how to set up SSO authentication in AppsFlyer and your IdP platform.
Considerations
- Prerequisite: Users must be set up in both systems (AppsFlyer and the IdP) using the same email
- SSO configuration settings can only be managed and removed by an admin.
- When Force SSO is set, all users must log in through SSO, and individual users can't be excluded.
- 2FA isn't supported when using SSO.
- It's not recommended to enable both SSO with username and password
Access the SSO configuration page
- From the top bar, open the account menu (admin email address dropdown) > Security center.
- Under Enhanced login security, select Configure login method.
- From the Login security page, click Configure SSO.
Set up SSO
The SSO configuration is done on both the IdP platform and in AppsFlyer, as detailed in the steps below. The configuration status can either be Active when SSO is set up, or Not configured when no configuration was set or the configuration setup has been removed.
Note
- This guide includes detailed procedures for the IdPs below. A general setup overview is described for all other IdPs.
- JumpCloud
- Okta
- OneLogin
- Ping Identity
- For users with multiple accounts: When switching from an account that's configured to login via SSO to an account configured for login via Username and Password or Google login, you'll be required to log in using the account credentials or via the Google login process.
Step 1: Set up the IdP platform
See the detailed procedures for configuring SSO authentication in the following IdPs:
Setup overview for other IdP platforms
The process for configuring other IdP platforms is outlined below:
- Create an AppsFlyer app on the IdP platform using the SAML 2.0 protocol, and integrate the AppsFlyer authentication certificate within the IdP platform.
- Assign users to the newly created AppsFlyer app.
- Retrieve the IdP certificate or metadata to be used in AppsFlyer (as mentioned in Step 2: Set up AppsFlyer --> 5. Provide IdP metadata).
Note
- Important! When assigning users to the IdP, make sure you're using the same user email as in AppsFlyer so that each user on both platforms has the same email.
- The AppsFlyer metadata contains:
- Encryption and signing certificates
- Entity ID
- Callback URL
Step 2: Set up AppsFlyer
The following flow takes you through the steps to set up SSO authentication in AppsFlyer after you've configured it on the IdP platform.
See how to access the SSO configuration setup page.
1. Select authentication starting point
- Select from where users enter AppsFlyer. This also defines the authentication process.
- Click Next.
Identity provider (IdP)
Users log in through the IdP authentication plugin or webpage and are then directed to AppsFlyer after authentication.
Note
By selecting this option, users can log in through both the IdP and the service provider (AppsFlyer).
Service provider (AppsFlyer)
Users enter AppsFlyer via the AppsFlyer SSO login page by clicking Login with SSO and entering their email address. They are then directed to the IdP for authentication and redirected to the AppsFlyer homepage.
Note
By selecting this option, users can log in only via the service provider (AppsFlyer) and not directly from the IdP.
2. Set login method
- Select how users can log in to AppsFlyer:
- Force SSO [Recommended]: This method enforces a more secure login.
- SSO or Username & password: Users can choose to log in either via SSO or with their username and password
- Click Next.
3. Select certificate type
AppsFlyer offers two types of public encryption key certificates to encrypt data and sign the SSO request:
- AppsFlyer-signed certificate: An AppsFlyer certificate created from the AppsFlyer metadata URL.
- CA-signed certificate: An AppsFlyer certificate signed by Amazon.
To perform this step:
- Select the certificate type and click Next.
Note
The certificate becomes activated only after both sides complete the mutual certificate implementation process: AppsFlyer incorporates the IdP SAML configuration, and the IdP integrates the latest AppsFlyer SSO metadata. This is done in the following steps below.
4. Obtain service provider (AppsFlyer) metadata
- Copy the latest AppsFlyer SSO metadata and implement it into your IdP SAML configuration.
- If you've selected the AppsFlyer-signed certificate: Copy any of the fields below.
- Metadata URL: For IdPs that support full metadata URLs, copy the URL and implement it in your IdP.
- Metadata components: For IdPs that don't support full metadata URLs, copy each of the components and implement them in the corresponding section in your IdP: Entity ID, Encryption key (downloadable), and Location URL.
- XML file: You have the option to download the AppsFlyer SSO metadata as an XML file.
- If you've selected the CA-signed certificate: Copy the Metadata components.
- If you've selected the AppsFlyer-signed certificate: Copy any of the fields below.
- Click Next.
5. Provide IdP metadata
Provide the IdP SSO metadata using the options below, then validate the metadata format.
- Select the preferred method for providing your IdP metadata:
- URL: Enter the IdP metadata URL.
- XML file: Upload the IdP metadata XML file.
- Click Validate. A confirmation message appears at the top of the page indicating the validation status.
- Click Activate. A confirmation message appears at the top of the page indicating the SSO authentication activation status.
Step 3: Test the SSO configuration
After completing the SSO configuration on both platforms—the IdP and AppsFlyer, check to make sure users can log in to AppsFlyer in either of the URL callback methods: your IdP or the service provider (AppsFlyer), but not both.
Test authentication via your IdP
If you've configured the authentication to log in via your IdP, check that users can enter AppsFlyer from the IdP plugin or webpage:
- If you're signed in to AppsFlyer and the IdP, sign out from both.
- Open a webpage in incognito mode.
- Go to your IdP webpage. Since you're not signed in to the IdP, you'll go through an authentication process. Sign in with the relevant user.
- Search for and select AppsFlyer. You're directed to the AppsFlyer homepage. This indicates the process was successful.
Test authentication via your service provider (AppsFlyer)
If you've configured the authentication flow to log in via your service provider (AppsFlyer), check that users can enter AppsFlyer using their email:
- If you're signed in to AppsFlyer and the IdP, sign out from both.
- Open a webpage in incognito mode.
- Go to the AppsFlyer login page and click Login with SSO.
- Enter the relevant email and click Continue. You're now directed to the IdP for authentication.
- After IdP authentication, you're directed back to AppsFlyer as a logged-in user. This indicates the process was successful.
Manage SSO configuration
Once you've set up the SSO configuration, you can edit the configuration or remove it.
See how to access the SSO configuration page.
Edit SSO
From this page you can edit any of the following options:
- Authentication starting point
- Login method
- Certificate type
- Service provider (AppsFlyer metadata) - details can be obtained
- Identity provider metadata
Important!
When changing either the certificate type or the authentication starting point, the AppsFlyer metadata changes. It is crucial to copy the most recent service provider (AppsFlyer) SSO metadata and implement it in your IdP SAML configuration immediately after saving your changes.
To edit the SSO configuration:
- Click the Edit icon from the right side of the SAML Single sign-on (SSO) section.
- Go to any of the sections are select your preferred option.
- Click Save changes. A confirmation message appears indicating the status of the changes.
Delete SSO configuration
To delete the SSO configuration:
- Click the Delete dustbin icon from the right side of the SAML Single sign-on (SSO) section.
- Go to any of the sections are select your preferred option.
- Click Save changes. A confirmation message appears indicating the status of the changes.
Note
When removing the SSO configuration, the IdP SSO metadata stored in AppsFlyer is deleted.