At a glance: Allow account team members to log into AppsFlyer with single sign-on (SSO) by integrating AppsFlyer with your SSO identity provider.
What is SSO?
Your identity and access management system—Okta, Azure AD, OneLogin, and so on—acts as your identity provider (IdP) and generates a token with authenticated user data.
The IdP gets 2 certificates—a self-signed AppsFlyer certificate used to encrypt data and a certificate for validating the request signature. To integrate AppsFlyer with your company’s IdP, SSO metadata is exchanged and the systems are updated.
Considerations
- Users must be set up in both systems. AppsFlyer has to be able to identify user emails
- The solution handles service provider (SP)-initiated login. Users can’t log in by clicking an icon in their IdP
- If the feature is set to SSO-only mode, specific users can’t be excluded. All users must log in using only SSO
- Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate needs to be reuploaded
Login settings
Only the account admin can activate/deactivate SSO.
- Login is done via the AppsFlyer interface
- The chosen setting applies to everyone—account admin and all team members
- Team members, in the account at the time of activation, are not affected; they will set up SSO at their next login
- If SSO is activated/deactivated, it applies to all team members in the account
SSO and IdP SSO certificates
The AppsFlyer platform supports SSO verification that uses SAML2.0 technology.
To copy certificates and implement SSO:
- Go to your email drop-down menu > Login security page.
- Go to the Copy AppsFlyer certificate field.
- Click the Copy icon to get certificate content.
- [Optional] Click View to open an AppsFlyer SSO certificate message with certificate details: Entity ID, Encryption key, and Location URL.
- Implement the copied certificate values in your SAML 2.0 IdP.
- Return to the Login security page > Import or upload IdP SSO certificate > Click Add.
- In the IdP SSO certificate message, choose 1 option then import/upload your SSO certificate:
- Click Import from URL > Enter URL address > Click Import > Save
OR - Click Upload file (.xml file) > Click Upload > Save
- Click Import from URL > Enter URL address > Click Import > Save
Login security page
Admin: To activate/deactivate SSO, go to your email dropdown menu > Login security page. There are 2 login modes:
- SSO-only mode (with Force SSO login): Users must log in using SSO
- Hybrid mode: Users can choose to log in with SSO or with their AppsFlyer username and password
Activate hybrid mode
In this mode, login is possible using either SSO-only or with your AppsFlyer username and password.
To activate hybrid mode:
- Activate the SSO toggle.
- Read the notification. It indicates required IdP configurations:
- Users must be assigned to AppsFlyer
- User emails must be identifiable by AppsFlyer
- Click Activate.
Activate SSO-only mode
In this mode, login is only possible using SSO and only via the AppsFlyer interface.
To activate SSO-only mode:
- Enable the Force SSO login checkbox.
- Read the notification. It indicates required IdP configurations:
- Users must be assigned to AppsFlyer.
- User emails must be identifiable by AppsFlyer.
- Click Enable.
- Activate the SSO toggle.
- Read the notification. It indicates required IdP configurations:
- Users must be assigned to AppsFlyer.
- User emails must be identifiable by AppsFlyer.
- Click Activate.
Deactivate hybrid and SSO-only modes
Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate needs to be reuploaded.
- To disable Force SSO login, it is NOT enough to unmark the checkbox
- It is necessary to deactivate the SSO toggle to disable Force SSO login
To deactivate both SSO modes and disable Force SSO login:
- Deactivate the SSO toggle.
- Read the notification:
- SSO login will be deactivated
- IdP SSO metadata will be deleted
- Click Deactivate; this both deactivates SSO and disables Force SSO login.
- Now, log in using your AppsFlyer username and password.
Delete IdP metadata
Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate must be reuploaded.
To delete:
- Click the delete icon (trash can) beside the IdP SSO certificate file.
- Read the notification: SSO login will be deactivated and IdP SSO metadata deleted.
- Click Delete.
- If necessary, upload another IdP SSO certificate.
SSO and 2FA options
Only 1 security login option can be used at a time, SSO or 2FA.
- If SSO is active, then deactivate SSO and activate 2FA
- If 2FA is active, then deactivate 2FA and activate SSO
FAQ | Troubleshooting
Why can't some team members connect using SSO?
Make sure all user emails are set up in both systems—in your IDP and in the AppsFlyer platform.
Why do I get a 503 message when I log in using my email address?
Make sure that your email is set up in both systems, IdP and AppsFlyer.
How do I test the SSO login?
Activate the SSO login in hybrid mode. While testing, users can log in using their AppsFlyer username and password.
Do I need a test env to test setup before pushing to production?
A test environment isn’t required.
- Hybrid mode lets you test the setup without interfering with the existing workflow
- While testing, users can log in using their AppsFlyer username and password
Test as follows:
- Activate the SSO login in hybrid mode using either production or testing metadata.
- Test the login.
Do I need to update the validUntil field in the metadata?
The field includes the following:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-11-12T09:32:23.418436776Z" entityID="https://hq1.appsflyer.com">
The date is automatically updated—extended by 7 days—every time the metadata document is used.
How is the AppsFlyer certificate renewed?
Before the certificate expires:
- AppsFlyer will issue an announcement that a new certificate will be issued
- You must then update the IdP with the new certificate