Reach out to your IT Administrator
To set up SSO, you must work with your IT department and the RollWorks team to configure your organization.
Single Sign-On (SSO) enables you to log into RollWorks using your existing company Identity Provider (IdP), for example Okta. Enabling SSO means a streamlined login process for your team without multiple passwords. Your users can log in by clicking a button in your IdP or using the SSO button on the RollWorks sign-in page.
Who can access
Single Sign-On (SSO) is included with all RollWorks paid packages:
| Your Package | SSO |
|---|---|
| Account Based Advertising | Included |
| Account Based Marketing + Advertising | Included |
| Account Based Marketing | Included |
| Starter (Legacy) | Included |
| Standard (Legacy) | Included |
| Professional (Legacy) | Included |
| Ultimate (Legacy) | Included |
| Free Tier | Not Included |
Before you Start
- You can enable SSO any identity provider that supports the SAML and SCIM standards.
- You must set up SAML before you set up SCIM.
- You will need to work with RollWorks to complete the setup. Reach out to your Customer Success Manager and provide them with the metadata.xml file used for SAML created by your IT team.
- If your Identity Provider is Microsoft Entra ID (formerly Azure) please follow the configuration steps in this article instead.
SAML
SAML is a standard that enables employees of your organization to sign into multiple applications without needing to enter their credentials each time.
About our SAML implementation:
- We support SAML v2.
- Both Service Provider (SP) and Identity Provider (IdP) initiated login are supported.
- Just-in-time account provisioning is not supported. You should instead use SCIM to manage accounts. If you don’t configure SCIM, you must create accounts manually using the RollWorks dashboard.
Once SAML is configured, you can expect the following:
- You can initiate a login from your identity provider.
- You can initiate a login by entering your email address from the SSO sign-in page.
- You will no longer be able to sign with their email address and password.
- You will no longer be prompted to use your second factor when signing in (TFA).
- You will no longer be asked to verify your email when users are created using SCIM.
Set up SAML
You will need to use the following information to configure your identity provider:
- Single Sign-On URL (ACS URL): https://app.adroll.com/account/saml/callback
- Recipient URL: https://app.adroll.com/account/saml/callback
- Destination URL: https://app.adroll.com/account/saml/callback
- Audience Restriction (Entity ID / Audience URI): https://app.adroll.com
- Name ID Format: EmailAddress
After configuring your identity provider, generate a metadata.xml file. Send this file to the RollWorks team. Once received, we will complete the configuration.
SCIM
SCIM is a standard that enables organizations to manage employee access to applications from a single place rather than within each application. It is used to manage the lifecycle of an account automatically.
About our SCIM implementation:
- You must set up SAML before you set up SCIM
- We support SCIM v2
- You must configure custom schema extensions to specify user permissions
Once SCIM is configured, you can expect the following:
- You can create RollWorks accounts from your identity provider.
- You can remove RollWorks accounts from your identity provider.
- You can update RollWorks accounts from your identity provider (i.e., email, name, permissions, etc.)
- Some identity providers do not update the account when you update their username (email address). Instead, they deactivate the RollWorks account of the previous email before creating a new account with the new email address.
- Some identity providers will attempt to find and reactivate a previous RollWorks account if the email address is reused.
Set up SCIM
You will need to use the following information to configure your identity provider:
- Base URL: https://app.adroll.com/api/v1/scim
- Authentication method: Bearer token
For your bearer token, you will need to generate a Personal Access Token (PAT) from your settings page. The PAT must be created with an administrator account for your RollWorks organization.
We support the following attributes. Any other attribute is ignored.
| Attribute | Description |
|---|---|
| userName | The format must be Email |
|
name.giveName |
|
| name.familyName | |
| active | |
| urn:ietf:params:scim:schemas:nextroll:User.organizationRole | Either user or admin. An admin user will have full access to your organization. |
| urn:ietf:params:scim:schemas:nextroll:User.advertisableEIDs |
A comma-separated list of advertisable EIDs the user will have access to. You must specify this attribute if the user has the user role. If the user has the admin role, this field is ignored. They have access to all advertisables in your organization. |
| urn:ietf:params:scim:schemas:nextroll:User.billingAllowed |
True if the user should be able to manage the billing for your organization. If the user has the admin role, this field is ignored. They can manage billing in your organization. |
Troubleshooting
If you need help with SSO:
- Confirm with your IT department your IdP (Identity Provider) is integrated with RollWorks.
- Reach out to the RollWorks team and provide the metadata.xml file used for SAML.
Below are possible error scenarios why you may not be able to login via SSO:
- We can’t redirect to your IdP
- The RollWorks account has not been integrated with your IdP
- You have not yet created a RollWorks account
- You are redirected to your IdP
- Your IT team has not yet given you access to RollWorks via your IdP
SSO FAQs
Are users automatically added/removed to RollWorks?
Through SCIM configuration, new users can automatically get access when your IT team adds RollWorks to your identity provider, streamlining account management.
- SCIM configuration: If you configure the SSO integration through SCIM, new users that are created on your Identity Provider(i.e. Okta), will be automatically created as users in RollWorks, and vice-versa, if a user is removed/deactivated in your Identity Provider, the RollWorks user will be deactivated as well in the RollWorks app.
- SAML-only configuration: If you only configure the SSO integration through SAML, then users will not be created/removed automatically in RollWorks, and you will need to create user accounts manually in RollWorks.
What happens when a user leaves my company?
- SCIM configuration: Through SCIM configuration, when someone leaves their company, the integration of SSO ensures their account access is automatically revoked, in line with the company's identity management policies. This process helps maintain security by ensuring only current employees can access company resources.
- SAML-only configuration: If the customer only configures the SSO integration through SAML only, then users will not be created/removed automatically, and the customer will need to create user accounts manually in RollWorks.
Can I integration multiple Identity Providers with RollWorks?
We only support configuration with one identity provider at a time.
Can I login using my email and password credentials after configuring SSO?
Once SSO is configured between RollWorks and your IdP, your users will no longer sign in with their email address and password and no longer be asked for two-factor authentication.