Single Sign On (SSO) Integration

 Reach out to your IT Administrator

To set up SSO, you must work with your IT department and the RollWorks team to configure your organization.

Single Sign-On (SSO) enables you to log into RollWorks using your existing company Identity Provider (IdP), for example Okta. Enabling SSO means a streamlined login process for your team without multiple passwords. Your users can log in by clicking a button in your IdP or using the SSO button on the RollWorks sign-in page.

 

Who can access

Single Sign-On (SSO) is included with all RollWorks paid packages:

Your Package SSO
Standard Advertising Included
Advanced Advertising Included
ABM Included
ABM with Advanced Advertising Included
Starter (Legacy) Included
Standard (Legacy) Included
Professional (Legacy) Included
Ultimate (Legacy) Included
Free Tier Not Included

 

Before you Start

  • You can enable SSO any identity provider that supports the SAML and SCIM standards.
  • You must set up SAML before you set up SCIM.
  • You will need to work with RollWorks to complete the setup. Reach out to your Customer Success Manager and provide them with the metadata.xml file used for SAML created by your IT team.
  • If your Identity Provider is Microsoft Entra ID (formerly Azure) please follow the configuration steps in this article instead.

 

SAML

SAML is a standard that enables employees of your organization to sign into multiple applications without needing to enter their credentials each time.

About our SAML implementation:

  • We support SAML v2.
  • Both Service Provider (SP) and Identity Provider (IdP) initiated login are supported.
  • Just-in-time account provisioning is not supported. You should instead use SCIM to manage accounts. If you don’t configure SCIM, you must create accounts manually using the RollWorks dashboard.

Once SAML is configured, you can expect the following:

  • You can initiate a login from your identity provider.
  • You can initiate a login by entering your email address from the SSO sign-in page.
  • You will no longer be able to sign with their email address and password.
  • You will no longer be prompted to use your second factor when signing in (TFA).
  • You will no longer be asked to verify your email when users are created using SCIM.

 

Set up SAML

You will need to use the following information to configure your identity provider:

  • Single Sign-On URL (ACS URL): https://app.adroll.com/account/saml/callback
  • Recipient URL: https://app.adroll.com/account/saml/callback
  • Destination URL: https://app.adroll.com/account/saml/callback
  • Audience Restriction (Entity ID / Audience URI): https://app.adroll.com
  • Name ID Format: EmailAddress

After configuring your identity provider, generate a metadata.xml file. Send this file to the RollWorks team. Once received, we will complete the configuration.

 

SCIM

SCIM is a standard that enables organizations to manage employee access to applications from a single place rather than within each application. It is used to manage the lifecycle of an account automatically.

About our SCIM implementation:

  • You must set up SAML before you set up SCIM
  • We support SCIM v2
  • You must configure custom schema extensions to specify user permissions

Once SCIM is configured, you can expect the following:

  • You can create RollWorks accounts from your identity provider.
  • You can remove RollWorks accounts from your identity provider.
  • You can update RollWorks accounts from your identity provider (i.e., email, name, permissions, etc.)
  • Some identity providers do not update the account when you update their username (email address). Instead, they deactivate the RollWorks account of the previous email before creating a new account with the new email address.
  • Some identity providers will attempt to find and reactivate a previous RollWorks account if the email address is reused.

 

Set up SCIM

You will need to use the following information to configure your identity provider:

  • Base URL: https://app.adroll.com/api/v1/scim
  • Authentication method: Bearer token

For your bearer token, you will need to generate a Personal Access Token (PAT) from your settings page. The PAT must be created with an administrator account for your RollWorks organization.

We support the following attributes. Any other attribute is ignored.

Attribute Description
userName The format must be Email

name.giveName

 
name.familyName  
active  
urn:ietf:params:scim:schemas:nextroll:User.organizationRole Either user or admin. An admin user will have full access to your organization.
urn:ietf:params:scim:schemas:nextroll:User.advertisableEIDs

A comma-separated list of advertisable EIDs the user will have access to.

You must specify this attribute if the user has the user role.

If the user has the admin role, this field is ignored. They have access to all advertisables in your organization.

urn:ietf:params:scim:schemas:nextroll:User.billingAllowed

True if the user should be able to manage the billing for your organization.

If the user has the admin role, this field is ignored. They can manage billing in your organization.

 

Troubleshooting

If you need help with SSO:

  1. Confirm with your IT department your IdP (Identity Provider) is integrated with RollWorks.
  2. Reach out to the RollWorks team and provide the metadata.xml file used for SAML.

Below are possible error scenarios why you may not be able to login via SSO:

  • We can’t redirect to your IdP
    • The RollWorks account has not been integrated with your IdP
    • You have not yet created a RollWorks account
  • You are redirected to your IdP
    • Your IT team has not yet given you access to RollWorks via your IdP

adroll-sso-3-error (1).png

 

 

SSO FAQs

Are users automatically added/removed to RollWorks?

Through SCIM configuration, new users can automatically get access when your IT team adds RollWorks to your identity provider, streamlining account management.

  • SCIM configuration: If you configure the SSO integration through SCIM, new users that are created on your Identity Provider(i.e. Okta), will be automatically created as users in RollWorks, and vice-versa, if a user is removed/deactivated in your Identity Provider, the RollWorks user will be deactivated as well in the RollWorks app.
  • SAML-only configuration: If you only configure the SSO integration through SAML, then users will not be created/removed automatically in RollWorks, and you will need to create user accounts manually in RollWorks.

 

What happens when a user leaves my company?

  • SCIM configuration: Through SCIM configuration, when someone leaves their company, the integration of SSO ensures their account access is automatically revoked, in line with the company's identity management policies. This process helps maintain security by ensuring only current employees can access company resources.
  • SAML-only configuration: If the customer only configures the SSO integration through SAML only, then users will not be created/removed automatically, and the customer will need to create user accounts manually in RollWorks.

 

Can I integration multiple Identity Providers with RollWorks?

We only support configuration with one identity provider at a time.

 

Can I login using my email and password credentials after configuring SSO?

Once SSO is configured between RollWorks and your IdP, your users will no longer sign in with their email address and password and  no longer be asked for two-factor authentication.

Was this article helpful?
0 out of 0 found this helpful

Articles in this section

Chat with an agent
Mon - Fri 10am - 6pm EST
Send a support email
Mon - Fri 10am - 6pm EST