Single Sign-On (SSO) is an authentication solution that enables you to log into your AdRoll account using an Identity Provider (e.g., Okta). SSO is set up to allow users to sign into multiple applications without the need to create credentials for each. SSO is typically found in enterprise environments where employees access numerous apps and services on a daily basis.
SSO can be set up with any identity provider that supports the SAML and SCIM standards. These standards are used to allow users to sign in and out of apps (SAML) and for provisioning of users (SCIM). Most Identity Providers support these standards, but if you’re unsure, please reach out to your identity provider.
Who can access
Single Sign-On (SSO) is included with all AdRoll paid packages:
Your Package | SSO |
---|---|
Advanced Package | Included |
Marketing and Ads Plus | Included |
Ads | Not Included |
Starter (Legacy) | Not Included |
Growth (Legacy) | Included |
Essential (Legacy) | Included |
Before you Start
- Ensure your Identity Provider uses SAML and SCIM.
- You will need to set up SAML before you can set up SCIM.
- Please reach out to your AdRoll Account Manager or the Customer Support team to complete the setup. You will need to provide them with the metadata.xml file used for SAML. See additional instructions below.
- You must be on an AdRoll paid package to set up SSO. Please see pricing for more details.
What is SAML?
SAML is a standard that enables employees of your organization to sign into multiple applications without needing to enter their credentials each time.
About our SAML implementation:
- We support SAML v2.
- Both Service Provider (SP) and Identity Provider (IdP) initiated login are supported.
- Just-in-time account provisioning is not supported. You should instead use SCIM to manage accounts. If you don’t configure SCIM, you must create accounts manually using the AdRoll dashboard.
Once SAML is configured, you can expect the following:
- You can initiate a login from your identity provider.
- You can initiate a login by entering your email address from the SSO sign-in page.
- You will no longer be able to sign in with your email address and password.
- You will no longer be prompted to use your second factor (TFA) when signing in.
- You will no longer be asked to verify your email when users are created using SCIM.
How to set up SAML
You will need to use the following information to configure your identity provider:
- Single Sign-On URL (ACS URL): https://app.adroll.com/account/saml/callback
- Recipient URL: https://app.adroll.com/account/saml/callback
- Destination URL: https://app.adroll.com/account/saml/callback
- Audience Restriction (Entity ID / Audience URI): https://app.adroll.com
- Name ID Format: EmailAddress
After configuring your identity provider, generate a metadata.xml file. Send this file to the AdRoll team. Once received, we will complete the configuration.
SCIM
SCIM is a standard that enables organizations to manage employee access to applications from a single place rather than within each application. It is used to manage the lifecycle of an account automatically.
About our SCIM implementation:
- You must set up SAML before you set up SCIM
- We support SCIM v2
- You must configure custom schema extensions to specify user permissions
Once SCIM is configured, you can expect the following:
- You can create AdRoll accounts from your identity provider.
- You can remove AdRoll accounts from your identity provider.
- You can update AdRoll accounts from your identity provider (e.g., email, name, permissions).
- Some identity providers do not update the account when you update a user's username (email address). Instead, they deactivate the AdRoll account of the previous email before creating a new account with the new email address.
- Some identity providers will attempt to find and reactivate a previous AdRoll account if the email address is reused.
Set up SCIM
You will need to use the following information to configure your identity provider:
- Base URL: https://app.adroll.com/api/v1/scim
- Authentication method: Bearer token
For your bearer token, you will need to generate a Personal Access Token (PAT) from your settings page. The PAT must be created with an administrator account for your AdRoll organization.
We support the following attributes. Any other attribute is ignored.
Attribute | Description |
---|---|
userName | The format must be Email |
name.givenName | |
name.familyName | |
active | |
urn:ietf:params:scim:schemas:nextroll:User.organizationRole | Either user or admin. An admin user will have full access to your organization. |
urn:ietf:params:scim:schemas:nextroll:User.advertisableEIDs | A comma-separated list of advertisable EIDs the user will have access to. You must specify this attribute if the user has the user role. If the user has the admin role, this field is ignored. They have access to all advertisables in your organization. |
urn:ietf:params:scim:schemas:nextroll:User.billingAllowed | True if the user should be able to manage the billing for your organization. If the user has the admin role, this field is ignored. They can manage billing in your organization. |
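The attribute rules above can be enforced before a user record reaches the SCIM endpoint. This Python sketch is an added example, not AdRoll code: it assumes the standard SCIM 2.0 JSON layout (RFC 7643), with `name.givenName` as spelled in the SCIM core schema and the extension attributes nested under the extension URN. The function names and the approved-admin list are hypothetical.

```python
import json
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
EXT = "urn:ietf:params:scim:schemas:nextroll:User"  # extension URN from the table
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def build_user(email, given, family, role, eids=(), billing=False, active=True):
    """Build a SCIM 2.0 User resource limited to the supported attributes."""
    if not EMAIL_RE.match(email):
        raise ValueError("userName must be an email address")
    if role not in ("user", "admin"):
        raise ValueError("organizationRole must be 'user' or 'admin'")
    ext = {"organizationRole": role}
    if role == "user":
        # Non-admin users need an explicit advertisable list.
        if not eids:
            raise ValueError("advertisableEIDs is required for the user role")
        ext["advertisableEIDs"] = ",".join(eids)
        ext["billingAllowed"] = bool(billing)
    # For admins both fields are ignored by the service, so they are omitted.
    return {
        "schemas": [CORE, EXT],
        "userName": email,
        "name": {"givenName": given, "familyName": family},
        "active": active,
        EXT: ext,
    }

def over_privileged(users, allowed_admins):
    """Return userNames granted admin that are not on the approved list."""
    return [u["userName"] for u in users
            if u[EXT]["organizationRole"] == "admin"
            and u["userName"] not in allowed_admins]

if __name__ == "__main__":
    # Constructed sample; the EID value is a placeholder.
    user = build_user("jane@example.com", "Jane", "Doe", "user", ["EID_PLACEHOLDER_1"])
    print(json.dumps(user, indent=2))
```

Because an admin has full access to the organization and its billing, running `over_privileged` over the records your identity provider is about to push flags any admin assignment that is not on your approved list.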
Troubleshooting
If you need help with SSO please reach out to AdRoll Customer Support and provide the metadata.xml file used for SAML.