Single Sign-On (SSO) Integration for Microsoft Entra ID

 Reach out to your IT Administrator

To set up SSO, you must work with your IT department and the AdRoll team to configure your organization.

Single Sign-On (SSO) enables you to log into AdRoll using Microsoft Entra ID (formerly known as Azure Active Directory). Enabling SSO means a streamlined login process for your team without multiple passwords. Your users can log in by clicking a button in your IdP or using the SSO button on the AdRoll sign-in page.

 

Who can access

Single Sign-On (SSO) is included with all AdRoll paid packages:

SSO availability by package:

  • Advanced Package: Included
  • Marketing and Ads Plus: Included
  • Ads: Not Included
  • Starter (Legacy): Not Included
  • Growth (Legacy): Included
  • Essential (Legacy): Included

Before you Start

  • You can enable SSO with any identity provider that supports the SAML and SCIM standards, including Microsoft Entra ID.
  • You must set up SAML before you set up SCIM.
  • Please reach out to your AdRoll Account Manager or the Customer Support team to complete the setup. You will need to provide them with the metadata.xml file used for SAML.

SAML Standard

SAML is a standard that enables employees of your organization to sign into multiple applications without needing to enter their credentials each time.

About our SAML implementation:

  • We support SAML v2.
  • Both Service Provider (SP) and Identity Provider (IdP) initiated login are supported.
  • Just-in-time account provisioning is not supported. You should instead use SCIM to manage accounts. If you don’t configure SCIM, you must create accounts manually using the AdRoll dashboard.

Once SAML is configured, you can expect the following:

  • You can initiate a login from your identity provider.
  • You can initiate a login by entering your email address from the SSO sign-in page.
  • You will no longer be able to sign in with your email address and password.
  • You will no longer be prompted for your second factor (TFA) when signing in.
  • You will no longer be asked to verify your email when users are created using SCIM.

SAML Configuration For Microsoft Entra ID

Step 1: Create an Enterprise Application

  • In Microsoft Entra ID, navigate to Identity > Applications > Enterprise Applications


  1. Select New application > Create your own application
  2. On the Create your own application side drawer, name the application AdRoll
  3. Select Integrate any other application you don't find in the gallery (Non-gallery)
  4. Click Create to finalize creating the application


Step 2: Assign User and Groups

  1. In your AdRoll application created above, navigate to Users and groups
  2. Select Add user/group
  3. On the Add Assignment pane, select all users or groups that should have access to the application. See assign a user account to an enterprise application on Microsoft’s help resource.


Step 3: Set up Single Sign-On with SAML

  • In your AdRoll application created earlier, navigate to Manage > Single sign-on
  • Within the Basic SAML Configuration card, click Edit
  • Fill in the following field values:

    • Identifier (Entity ID): https://app.adroll.com
    • Reply URL (Assertion Consumer Service URL): https://app.adroll.com/account/saml/callback
    • Sign on URL (Optional): https://app.adroll.com/profile/saml

  • Click Save and return to the Single sign-on page


  • Within the Attributes & Claims card, click Edit
  • Click Unique User Identifier (Name ID) to manage the claim
  • Select the following field values:

    • Name identifier format: Email Address
    • Source: Attribute
    • Source attribute: user.mail

  • Click Save


  • Return to the Single Sign-On page under Manage
  • Within the SAML Certificates card, download the Federation Metadata XML
  • Send this file to the AdRoll team. Once received, we will complete the configuration.


SCIM Standard

SCIM is a standard that enables organizations to manage employee access to applications from a single place rather than within each application. It is used to manage the lifecycle of an account automatically.

About our SCIM implementation:

  • You must set up SAML before you set up SCIM
  • We support SCIM v2
  • You must configure custom schema extensions to specify user permissions

Once SCIM is configured, you can expect the following:

  • You can create AdRoll accounts from your identity provider.
  • You can remove AdRoll accounts from your identity provider.
  • You can update AdRoll accounts from your identity provider (i.e., email, name, permissions, etc.)
  • Some identity providers do not update the account when you update their username (email address). Instead, they deactivate the AdRoll account of the previous email before creating a new account with the new email address.
  • Some identity providers will attempt to find and reactivate a previous AdRoll account if the email address is reused.

SCIM Configuration For Microsoft Entra ID

You will need to use the following information to configure your identity provider:

  • Base URL: https://app.adroll.com/api/v1/scim
  • Authentication method: Bearer token

For your bearer token, you will need to generate a Personal Access Token (PAT) from your settings page. The PAT must be created with an administrator account for your AdRoll organization.

We support the following attributes. Any other attribute is ignored.

  • userName
    • The format must be Email.
  • name.givenName
  • name.familyName
  • active
  • urn:ietf:params:scim:schemas:nextroll:User.organizationRole
    • Either user or admin. An admin user will have full access to your organization.
  • urn:ietf:params:scim:schemas:nextroll:User.advertisableEIDs
    • A comma-separated list of advertisable EIDs the user will have access to.
    • You must specify this attribute if the user has the user role.
    • If the user has the admin role, this field is ignored. They have access to all advertisables in your organization.
  • urn:ietf:params:scim:schemas:nextroll:User.billingAllowed
    • True if the user should be able to manage the billing for your organization.
    • If the user has the admin role, this field is ignored. They can manage billing in your organization.
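
The attribute rules above can be checked before a provisioning mapping goes live. The Python below is an added example, not AdRoll or Microsoft code; it assumes the extension attributes are nested under the schema URN as RFC 7643 describes, and the function name and sample users are constructed for illustration.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
# Extension URN from the attribute list above. Nesting the extension attributes
# under this key follows RFC 7643 and is an assumption about the payload shape.
EXT = "urn:ietf:params:scim:schemas:nextroll:User"
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample resources; the EIDs are placeholders, not real values.
SCOPED = {
    "schemas": [CORE, EXT],
    "userName": "analyst@example.com",
    "active": True,
    EXT: {"organizationRole": "user", "billingAllowed": False,
          "advertisableEIDs": "EID_PLACEHOLDER_1,EID_PLACEHOLDER_2"},
}
OVERBROAD = {
    "schemas": [CORE, EXT],
    "userName": "contractor",
    "active": True,
    EXT: {"organizationRole": "admin", "advertisableEIDs": "EID_PLACEHOLDER_1"},
}


def review_user(resource):
    """Return (errors, warnings) for one SCIM User resource."""
    errors, warnings = [], []
    ext = resource.get(EXT, {})
    role = ext.get("organizationRole")
    if not EMAIL.match(resource.get("userName", "")):
        errors.append("userName must be an email address")
    if role not in ("user", "admin"):
        errors.append("organizationRole must be user or admin")
    elif role == "user":
        eids = [e for e in ext.get("advertisableEIDs", "").split(",") if e.strip()]
        if not eids:
            errors.append("advertisableEIDs is required for the user role")
    else:
        # admin: full organization access; the scoping attributes are ignored
        warnings.append("admin role grants full access to the organization")
        for name in ("advertisableEIDs", "billingAllowed"):
            if name in ext:
                warnings.append(name + " is ignored for the admin role")
    return errors, warnings


if __name__ == "__main__":
    for sample in (SCOPED, OVERBROAD):
        print(sample["userName"], review_user(sample))
```

Treating every admin assignment as a warning gives reviewers a short list of accounts that bypass the per-advertisable scoping.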

Troubleshooting

If you need help with SSO:

  1. Confirm with your IT department that Microsoft Entra ID is integrated with AdRoll.
  2. Confirm they have followed the instructions to configure SAML.
  3. Reach out to the AdRoll team and provide the metadata.xml file used for SAML.

Below are possible reasons why you may not be able to log in via SSO:

  • We can’t redirect to your IdP
    • The AdRoll account has not been integrated with your IdP
    • You have not yet created an AdRoll account
  • You are redirected to your IdP
    • Your IT team has not yet given you access to AdRoll via your IdP

SSO FAQs

Are users automatically added to or removed from AdRoll?

Through SCIM configuration, new users can automatically get access when your IT team adds AdRoll to your identity provider, streamlining account management.

  • SCIM configuration: If you configure the SSO integration through SCIM, new users created in your identity provider are automatically created as users in AdRoll. Conversely, if a user is removed or deactivated in your identity provider, the corresponding AdRoll user is deactivated as well.
  • SAML-only configuration: If you only configure the SSO integration through SAML, users will not be created or removed automatically in AdRoll, and you will need to create user accounts manually in AdRoll.

What happens when a user leaves my company?

  • SCIM configuration: With SCIM configured, when someone leaves your company, their account access is automatically revoked, in line with your company's identity management policies. This helps maintain security by ensuring only current employees can access company resources.
  • SAML-only configuration: If you only configure the SSO integration through SAML, users will not be created or removed automatically, and you will need to create user accounts manually in AdRoll.

Can I integrate multiple Identity Providers with AdRoll?

We only support configuration with one identity provider at a time.

Can I log in using my email and password credentials after configuring SSO?

Once SSO is configured between AdRoll and Microsoft Entra ID, your users will no longer sign in with their email address and password and no longer be asked for two-factor authentication.
