At a glance: Allow account team members to log into AppsFlyer with single sign-on (SSO) by integrating AppsFlyer with your SSO identity provider.
What is SSO?
Your identity and access management system—Okta, Azure AD, OneLogin, and so on—acts as your identity provider (IdP) and generates a token with authenticated user data.
The IdP gets 2 certificates—a self-signed AppsFlyer certificate used to encrypt data and a certificate for validating the request signature. To integrate AppsFlyer with your company’s IdP, SSO metadata is exchanged and the systems are updated.
Considerations
- Users must be set up in both systems. AppsFlyer has to be able to identify user emails.
- The solution handles service provider (SP)-initiated login only. Users can’t log in by clicking an icon in their IdP.
- If the feature is set to SSO-only mode, specific users can’t be excluded. All users must log in using only SSO.
- Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate needs to be reuploaded.
Login settings
Only the account admin can activate/deactivate SSO.
- Login is done via the AppsFlyer interface.
- The chosen setting applies to everyone—account admin and all team members.
- Team members already in the account at the time of activation are not affected; they will set up SSO at their next login.
- If SSO is activated/deactivated, it applies to all team members in the account.
SSO and IdP SSO certificates
The AppsFlyer platform supports SSO verification that uses SAML 2.0 technology.
To copy certificates and implement SSO:
- Go to your email drop-down menu > Login security page.
- Go to the Copy AppsFlyer certificate field > Click the Copy icon to get certificate content.
- [Optional] Click View to open an AppsFlyer SSO certificate message with certificate details: Entity ID, Encryption key, and Location URL.
- Implement the copied certificate values in your SAML 2.0 IdP.
- Return to the Login security page > Import or upload IdP SSO certificate > Click Add.
- In the IdP SSO certificate message, choose 1 option then import/upload your SSO certificate:
- Click Import from URL > Enter URL address > Click Import > Save
OR
- Click Upload file (.xml file) > Click Upload > Save
Login security page
Admin: To activate/deactivate SSO, go to your email drop-down menu > Login security page. There are 2 login modes:
- SSO-only mode (with Force SSO login): Users must log in using SSO.
- Hybrid mode: Users can choose to log in with SSO or with their AppsFlyer username and password.
Activate hybrid mode
In this mode, login is possible using either SSO or your AppsFlyer username and password.
To activate hybrid mode:
- Activate the SSO toggle.
- Read the notification. It indicates required IdP configurations:
- Users must be assigned to AppsFlyer.
- User emails must be identifiable by AppsFlyer.
- Click Activate.
Activate SSO-only mode
In this mode, login is only possible using SSO and only via the AppsFlyer interface.
To activate SSO-only mode:
- Enable the Force SSO login checkbox.
- Read the notification. It indicates required IdP configurations:
- Users must be assigned to AppsFlyer.
- User emails must be identifiable by AppsFlyer.
- Click Enable.
- Activate the SSO toggle.
- Read the notification. It indicates required IdP configurations:
- Users must be assigned to AppsFlyer.
- User emails must be identifiable by AppsFlyer.
- Click Activate.
Deactivate hybrid and SSO-only modes
Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate needs to be reuploaded.
- To disable Force SSO login, it is NOT enough to unmark the checkbox.
- It is necessary to deactivate the SSO toggle to disable Force SSO login.
To deactivate both SSO modes and disable Force SSO login:
- Deactivate the SSO toggle.
- Read the notification:
- SSO login will be deactivated.
- IdP SSO metadata will be deleted.
- Click Deactivate; this both deactivates SSO and disables Force SSO login.
- Now, log in using your AppsFlyer username and password.
Delete IdP metadata
Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate must be reuploaded.
To delete:
- Click the delete icon (trash can) beside the IdP SSO certificate file.
- Read the notification: SSO login will be deactivated and IdP SSO metadata deleted.
- Click Delete.
- If necessary, upload another IdP SSO certificate.
SSO and 2FA options
Only 1 security login option can be used at a time, SSO or 2FA.
- If SSO is active, then deactivate SSO and activate 2FA.
- If 2FA is active, then deactivate 2FA and activate SSO.
FAQ | Troubleshooting
Why can't some team members connect using SSO?
Make sure all user emails are set up in both systems—in your IdP and in the AppsFlyer platform.
Why do I get a 503 message when I log in using my email address?
Make sure that your email is set up in both systems, IdP and AppsFlyer.
How do I test the SSO login?
Activate the SSO login in hybrid mode. While testing, users can log in using their AppsFlyer username and password.
Do I need a test env to test setup before pushing to production?
A test environment isn’t required.
- Hybrid mode lets you test the setup without interfering with the existing workflow.
- While testing, users can log in using their AppsFlyer username and password.
Test as follows:
- Activate the SSO login in hybrid mode using either production or testing metadata.
- Test the login.
Do I need to update the validUntil field in the metadata?
The field includes the following:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-11-12T09:32:23.418436776Z" entityID="https://hq1.appsflyer.com">
The date is automatically updated—extended by 7 days—every time the metadata document is used.
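The following is an added example, not AppsFlyer code. It reads a saved copy of the SP metadata, parses the nanosecond-precision validUntil value shown above, and computes SHA-256 fingerprints of the signing and encryption certificates so they can be compared with what the IdP holds. The KeyDescriptor layout is assumed from the standard SAML 2.0 metadata schema, and the certificate bodies are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: only the EntityDescriptor attributes come from the page.
# The certificate bodies are placeholder bytes, not real X.509 certificates.
SIGN, ENC = (base64.b64encode(b).decode()
             for b in (b"constructed-signing", b"constructed-encryption"))
SAMPLE = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 validUntil="2020-11-12T09:32:23.418436776Z" entityID="https://hq1.appsflyer.com">
 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{SIGN}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{ENC}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
 </SPSSODescriptor>
</EntityDescriptor>"""

def parse_valid_until(value):
    """Parse a UTC xs:dateTime; fractions beyond microseconds are truncated."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unsupported validUntil: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base + timedelta(microseconds=int((m.group(2) or "0")[:6].ljust(6, "0")))

def inspect_metadata(xml_text, now, warn_within=timedelta(days=2)):
    """Return entityID, validUntil, freshness status and SHA-256 cert fingerprints."""
    # ElementTree is acceptable for a file you saved yourself; use a hardened
    # parser such as defusedxml for metadata fetched from an untrusted URL.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    valid_until = parse_valid_until(root.attrib["validUntil"])
    prints = {}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))
            # A KeyDescriptor without "use" applies to both signing and encryption.
            prints.setdefault(kd.get("use", "both"), []).append(hashlib.sha256(der).hexdigest())
    status = ("expired" if now >= valid_until
              else "expiring" if valid_until - now <= warn_within else "valid")
    return {"entity_id": root.get("entityID"), "valid_until": valid_until,
            "status": status, "fingerprints": prints}
```

The `warn_within` threshold of 2 days is an arbitrary choice for the example; set it to match how often your IdP refreshes the metadata.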
How is the AppsFlyer certificate renewed?
Before the certificate expires:
- AppsFlyer will issue an announcement that a new certificate will be issued.
- You must then update the IdP with the new certificate.