Reach out to your IT Administrator
To set up SSO, you must work with your IT department and the RollWorks team to configure your organization.
Single Sign-On (SSO) enables you to log into RollWorks using Microsoft Entra ID (formerly known as Azure Active Directory). Enabling SSO means a streamlined login process for your team without multiple passwords. Your users can log in by clicking a button in your IdP or using the SSO button on the RollWorks sign-in page.
Who can access
Single Sign-On (SSO) is included with all RollWorks paid packages:
Your Package | SSO |
---|---|
Account Based Advertising | Included |
Account Based Marketing + Advertising | Included |
Account Based Marketing | Included |
Starter (Legacy) | Included |
Standard (Legacy) | Included |
Professional (Legacy) | Included |
Ultimate (Legacy) | Included |
Free Tier | Not Included |
Before you Start
- You can enable SSO with any identity provider that supports the SAML and SCIM standards, including Microsoft Entra ID.
- You must set up SAML before you set up SCIM.
- You will need to work with RollWorks to complete the setup. Reach out to your Customer Success Manager and provide them with the SAML metadata.xml file created by your IT team.
SAML Standard
SAML is a standard that enables employees of your organization to sign into multiple applications without needing to enter their credentials each time.
About our SAML implementation:
- We support SAML v2.
- Both Service Provider (SP) and Identity Provider (IdP) initiated login are supported.
- Just-in-time account provisioning is not supported. You should instead use SCIM to manage accounts. If you don’t configure SCIM, you must create accounts manually using the RollWorks dashboard.
Once SAML is configured, you can expect the following:
- You can initiate a login from your identity provider.
- You can initiate a login by entering your email address from the SSO sign-in page.
- You will no longer be able to sign in with your email address and password.
- You will no longer be prompted for your second factor (TFA) when signing in.
- You will no longer be asked to verify your email when users are created using SCIM.
SAML Configuration For Microsoft Entra ID
Step 1: Create an Enterprise Application
- In Microsoft Entra ID, navigate to Identity > Applications > Enterprise Applications
- Select New application > Create your own application
- On the Create your own application side drawer, name the application RollWorks
- Select Integrate any other application you don't find in the gallery (Non-gallery)
- Click Create to finalize creating the application
Step 2: Assign Users and Groups
- In your RollWorks application created above, navigate to Users and groups
- Select Add user/group
- On the Add Assignment pane, select all users or groups that should have access to the application. See "Assign a user account to an enterprise application" in Microsoft's help resources.
Step 3: Set up Single Sign-On with SAML
- In your RollWorks application created earlier, navigate to Manage > Single sign-on
- Within the Basic SAML Configuration card, click Edit
- Fill in the following field values:
Field | Value |
---|---|
Identifier (Entity ID) | https://app.adroll.com |
Reply URL (Assertion Consumer Service URL) | https://app.adroll.com/account/saml/callback |
Sign on URL (Optional) | https://app.adroll.com/profile/saml?product=b2b |
- Click Save and return to the Single sign-on page
- Within the Attributes & Claims card, click Edit
- Click Unique User Identifier (Name ID) to manage the claim
- Select the following field values:
Field | Value |
---|---|
Name identifier format | Email Address |
Source | Attribute |
Source attribute | user.mail |
- Click Save
- Return to the Single Sign-On page under Manage
- Within the SAML Certificates card, download the Federation Metadata XML
- Send this file to the RollWorks team. Once received, we will complete the configuration.
SCIM Standard
SCIM is a standard that enables organizations to manage employee access to applications from a single place rather than within each application. It is used to manage the lifecycle of an account automatically.
About our SCIM implementation:
- You must set up SAML before you set up SCIM
- We support SCIM v2
- You must configure custom schema extensions to specify user permissions
Once SCIM is configured, you can expect the following:
- You can create RollWorks accounts from your identity provider.
- You can remove RollWorks accounts from your identity provider.
- You can update RollWorks accounts from your identity provider (e.g., email, name, permissions).
- Some identity providers do not update the account when you update their username (email address). Instead, they deactivate the RollWorks account of the previous email before creating a new account with the new email address.
- Some identity providers will attempt to find and reactivate a previous RollWorks account if the email address is reused.
SCIM Configuration For Microsoft Entra ID
You will need to use the following information to configure your identity provider:
- Base URL: https://app.adroll.com/api/v1/scim
- Authentication method: Bearer token
For your bearer token, you will need to generate a Personal Access Token (PAT) from your settings page. The PAT must be created with an administrator account for your RollWorks organization.
We support the following attributes. Any other attribute is ignored.
Attribute | Description |
---|---|
userName | The format must be Email |
name.givenName | |
name.familyName | |
active | |
urn:ietf:params:scim:schemas:nextroll:User.organizationRole | Either user or admin. An admin user will have full access to your organization. |
urn:ietf:params:scim:schemas:nextroll:User.advertisableEIDs | A comma-separated list of advertisable EIDs the user will have access to. You must specify this attribute if the user has the user role. If the user has the admin role, this field is ignored. They have access to all advertisables in your organization. |
urn:ietf:params:scim:schemas:nextroll:User.billingAllowed | True if the user should be able to manage the billing for your organization. If the user has the admin role, this field is ignored. They can manage billing in your organization. |
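The attribute rules in the table above, applied as a pre-flight check on a SCIM v2 User payload before it is mapped in your identity provider. This is an added example, not RollWorks code: the function name, the sample values, the JSON layout of the extension (RFC 7643 convention) and the boolean type of billingAllowed are assumptions.

```python
import re

# CORE is the standard SCIM v2 User schema URN (RFC 7643);
# EXT is the extension URN from the attribute table above.
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
EXT = "urn:ietf:params:scim:schemas:nextroll:User"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_scim_user(email, given, family, role, eids=(), billing=None, active=True):
    """Return (payload, warnings); raise ValueError if the table's rules are broken."""
    errors, warnings = [], []
    eids = [e.strip() for e in eids if e and e.strip()]
    if not EMAIL_RE.match(email):
        errors.append("userName must be an email address")
    if role not in ("user", "admin"):
        errors.append("organizationRole must be 'user' or 'admin'")
    if role == "user" and not eids:
        errors.append("advertisableEIDs is required for the user role")
    if errors:
        raise ValueError("; ".join(errors))

    ext = {"organizationRole": role}
    if role == "admin":
        # Scoping fields are ignored for admins, so flag mappings that imply otherwise.
        if eids:
            warnings.append("advertisableEIDs ignored: admin can access all advertisables")
        if billing is False:
            warnings.append("billingAllowed ignored: admin can manage billing")
    else:
        ext["advertisableEIDs"] = ",".join(eids)  # comma-separated, per the table
        ext["billingAllowed"] = bool(billing)     # assumed to be a JSON boolean

    payload = {
        "schemas": [CORE, EXT],
        "userName": email,
        "name": {"givenName": given, "familyName": family},  # RFC 7643 attribute names
        "active": bool(active),
        EXT: ext,
    }
    return payload, warnings


if __name__ == "__main__":
    import json
    # Constructed sample values; EID_A and EID_B are placeholders, not real EIDs.
    user, notes = build_scim_user("ana@example.com", "Ana", "Diaz", "user", ["EID_A", "EID_B"])
    print(json.dumps(user, indent=2), notes)
```

A non-empty warnings list on an admin mapping means someone expected a restriction that the admin role does not honor, which is worth reviewing before the account is provisioned.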
Troubleshooting
If you need help with SSO:
- Confirm with your IT department that Microsoft Entra ID is integrated with RollWorks.
- Confirm they have followed the instructions to configure SAML.
- Reach out to the RollWorks team and provide the metadata.xml file used for SAML.
Below are possible reasons why you may not be able to log in via SSO:
- We can’t redirect to your IdP
  - The RollWorks account has not been integrated with your IdP
  - You have not yet created a RollWorks account
- You are redirected to your IdP
  - Your IT team has not yet given you access to RollWorks via your IdP
SSO FAQs
Are users automatically added/removed to RollWorks?
Through SCIM configuration, new users can automatically get access when your IT team adds RollWorks to your identity provider, streamlining account management.
- SCIM configuration: If you configure the SSO integration through SCIM, new users created in your Identity Provider will automatically be created as users in RollWorks. Likewise, if a user is removed or deactivated in your Identity Provider, the RollWorks user will be deactivated in the RollWorks app.
- SAML-only configuration: If you only configure the SSO integration through SAML, then users will not be created/removed automatically in RollWorks, and you will need to create user accounts manually in RollWorks.
What happens when a user leaves my company?
- SCIM configuration: With SCIM configured, when someone leaves your company, their account access is automatically revoked, in line with your company's identity management policies. This process helps maintain security by ensuring only current employees can access company resources.
- SAML-only configuration: If you configure the SSO integration through SAML only, users will not be created/removed automatically, and you will need to create user accounts manually in RollWorks.
Can I integrate multiple Identity Providers with RollWorks?
We only support configuration with one identity provider at a time.
Can I log in using my email and password credentials after configuring SSO?
Once SSO is configured between RollWorks and Microsoft Entra ID, your users will no longer sign in with their email address and password and will no longer be asked for two-factor authentication.