Using SSO verification

At a glance: AppsFlyer single sign-on (SSO)—an authentication scheme—lets you log in with a single ID and password to any of several related, yet independent, software systems. Log in once, then access other services without re-entering authentication factors.

What is SSO?

Your identity and access management system—Okta, Azure AD, OneLogin, and so on—acts as your identity provider (IdP) and generates a token with authenticated user data.

The IdP gets 2 certificates—a self-signed AppsFlyer certificate used to encrypt data and a certificate for validating the request signature. To integrate AppsFlyer with your company’s IdP, SSO metadata is exchanged and the systems are updated.

Considerations

  • Users must be set up in both systems. AppsFlyer has to be able to identify user emails. 
  • The solution handles service provider (SP)-initiated login. Users can’t log in by clicking an icon in their IdP.
  • If the feature is set to SSO-only mode, specific users can’t be excluded. All users must log in using only SSO.
  • Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate needs to be reuploaded.

Login settings

Only the account admin can activate/deactivate SSO.

  • Login is done via the AppsFlyer interface.
  • The chosen setting applies to everyone—account admin and all team members.
  • Team members who are in the account at the time of activation are not affected; they will set up SSO at their next login.
  • If SSO is activated/deactivated, it applies to all team members in the account.

SSO and IdP SSO certificates

The AppsFlyer platform supports SSO verification that uses SAML2.0 technology.

To copy certificates and implement SSO:

  1. Go to your email drop-down menu > Login security page.
  2. Go to the Copy AppsFlyer certificate field > Click the Copy icon to get certificate content. 
  3. [Optional] Click View to open an AppsFlyer SSO certificate message with certificate details: Entity ID, Encryption key, and Location URL.
  4. Implement the copied certificate values in your SAML 2.0 IdP.
  5. Return to the Login security page > Upload IdP SSO certificate > Click Add.
  6. In the IdP SSO certificate message, choose 1 option then upload your SSO certificate:
    • Click Upload file (.xml file) > Click Upload > Save

Login security page

Admin: To activate/deactivate SSO, go to your email drop-down menu > Login security page. There are 2 login modes:

  • SSO-only mode (with Force SSO login): Users must log in using SSO.
  • Hybrid mode: Users can choose to log in with SSO or with their AppsFlyer username and password.

Activate hybrid mode

In this mode, login is possible using either SSO or your AppsFlyer username and password.

To activate hybrid mode:

  1. Activate the SSO toggle.
  2. Read the notification. It indicates required IdP configurations: 
    • Users must be assigned to AppsFlyer.
    • User emails must be identifiable by AppsFlyer.
  3. Click Activate.

Activate SSO-only mode

In this mode, login is only possible using SSO and only via the AppsFlyer interface.

To activate SSO-only mode:

  1. Enable the Force SSO login checkbox.
  2. Read the notification. It indicates required IdP configurations: 
    • Users must be assigned to AppsFlyer.
    • User emails must be identifiable by AppsFlyer.
  3. Click Enable.
  4. Activate the SSO toggle.
  5. Read the notification. It indicates required IdP configurations: 
    • Users must be assigned to AppsFlyer.
    • User emails must be identifiable by AppsFlyer.
  6. Click Activate.

Deactivate hybrid and SSO-only modes

Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate needs to be reuploaded.

  • To disable Force SSO login, it is NOT enough to unmark the checkbox. 
  • It is necessary to deactivate the SSO toggle to disable Force SSO login.

To deactivate both SSO modes and disable Force SSO login:

  1. Deactivate the SSO toggle.
  2. Read the notification:
    • SSO login will be deactivated.
    • IdP SSO metadata will be deleted.
  3. Click Deactivate; this both deactivates SSO and disables Force SSO login.
  4. Now, log in using your AppsFlyer username and password.

Delete IdP metadata

Every time the mode is changed—from hybrid to SSO-only OR SSO-only to hybrid—the IdP SSO certificate must be reuploaded.

To delete: 

  1. Click the delete icon (trash can) beside the IdP SSO certificate file.
  2. Read the notification: SSO login will be deactivated and IdP SSO metadata deleted.
  3. Click Delete.
  4. If necessary, upload another IdP SSO certificate.

SSO and 2FA options

Only 1 security login option can be used at a time, SSO or 2FA.

  • If SSO is active, then deactivate SSO and activate 2FA.
  • If 2FA is active, then deactivate 2FA and activate SSO.

FAQ | Troubleshooting

Why can't some team members connect using SSO?

Make sure all user emails are set up in both systems: in your IdP and in the AppsFlyer platform.

Why do I get a 503 message when I log in using my email address?

Make sure that your email is set up in both systems, IdP and AppsFlyer.

How do I test the SSO login?

Activate the SSO login in hybrid mode. While testing, users can log in using their AppsFlyer username and password.

Do I need a test environment to test the setup before pushing to production?

A test environment isn’t required.

  • Hybrid mode lets you test the setup without interfering with the existing workflow.
  • While testing, users can log in using their AppsFlyer username and password.

Test as follows:

  1. Activate the SSO login in hybrid mode using either production or testing metadata.
  2. Test the login.

Do I need to update the validUntil field in the metadata?

The field includes the following: 

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-11-12T09:32:23.418436776Z" entityID="https://hq1.appsflyer.com">

The date is automatically updated—extended by 7 days—every time the metadata document is used.
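
A pre-import check an IdP administrator could run on a saved copy of the service provider metadata, given here as an added example rather than AppsFlyer code: it confirms the entityID, parses the nanosecond-precision validUntil value shown above, and checks that keys for both signing and encryption are present. The function names are hypothetical, and the SPSSODescriptor/KeyDescriptor children in the sample follow the standard SAML 2.0 metadata layout with placeholder certificate text; only the root element's attributes come from this page.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Constructed sample: root attributes are from the page; children are placeholders.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    validUntil="2020-11-12T09:32:23.418436776Z" entityID="https://hq1.appsflyer.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""

def parse_valid_until(value):
    """Parse a UTC xs:dateTime, truncating nanoseconds to microseconds."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unsupported validUntil format: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def check_metadata(xml_text, expected_entity_id, now):
    """Return a list of problems found in SP metadata (empty list if none)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"unexpected root element {root.tag}"]
    problems = []
    if root.get("entityID") != expected_entity_id:
        problems.append(f"entityID is {root.get('entityID')!r}")
    valid_until = root.get("validUntil")
    if valid_until and parse_valid_until(valid_until) <= now:
        problems.append(f"metadata expired at {valid_until}")
    uses = {kd.get("use") for kd in root.iter(f"{{{MD}}}KeyDescriptor")}
    for needed in ("signing", "encryption"):
        # A KeyDescriptor with no use attribute serves both purposes.
        if needed not in uses and None not in uses:
            problems.append(f"no {needed} key in metadata")
    return problems

if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, "https://hq1.appsflyer.com",
                         datetime.now(timezone.utc)))
```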

How is the AppsFlyer certificate renewed?

Before the certificate expires:

  • AppsFlyer will issue an announcement that a new certificate will be issued.
  • You must then update the IdP with the new certificate.