Single Sign-On (SSO) Integration for Microsoft Entra ID

 Reach out to your IT Administrator

To set up SSO, you must work with your IT department and the RollWorks team to configure your organization.

Single Sign-On (SSO) enables you to log into RollWorks using Microsoft Entra ID (formerly known as Azure Active Directory). Enabling SSO means a streamlined login process for your team without multiple passwords. Your users can log in by clicking a button in your IdP or using the SSO button on the RollWorks sign-in page.

Who can access

Single Sign-On (SSO) is included with all RollWorks paid packages:

| Your Package | SSO |
| --- | --- |
| Account Based Advertising | Included |
| Account Based Marketing + Advertising | Included |
| Account Based Marketing | Included |
| Starter (Legacy) | Included |
| Standard (Legacy) | Included |
| Professional (Legacy) | Included |
| Ultimate (Legacy) | Included |
| Free Tier | Not Included |

 

Before you Start

  • You can enable SSO with any identity provider that supports the SAML and SCIM standards, including Microsoft Entra ID.
  • You must set up SAML before you set up SCIM.
  • You will need to work with RollWorks to complete the setup. Reach out to your Customer Success Manager and provide them with the metadata.xml file used for SAML created by your IT team.

 

SAML Standard

SAML is a standard that enables employees of your organization to sign into multiple applications without needing to enter their credentials each time.

About our SAML implementation:

  • We support SAML v2.
  • Both Service Provider (SP) and Identity Provider (IdP) initiated login are supported.
  • Just-in-time account provisioning is not supported. You should instead use SCIM to manage accounts. If you don’t configure SCIM, you must create accounts manually using the RollWorks dashboard.

Once SAML is configured, you can expect the following:

  • You can initiate a login from your identity provider.
  • You can initiate a login by entering your email address from the SSO sign-in page.
  • You will no longer be able to sign in with your email address and password.
  • You will no longer be prompted to use your second factor (TFA) when signing in.
  • Users created using SCIM will no longer be asked to verify their email.

 

SAML Configuration For Microsoft Entra ID

Step 1: Create an Enterprise Application

  • In Microsoft Entra ID, navigate to Identity > Applications > Enterprise Applications


  1. Select New application > Create your own application
  2. On the Create your own application side drawer, name the application RollWorks
  3. Select Integrate any other application you don't find in the gallery (Non-gallery)
  4. Click Create to finalize creating the application


 

Step 2: Assign User and Groups

  1. In your RollWorks application created above, navigate to Users and groups
  2. Select Add user/group
  3. On the Add Assignment pane, select all users or groups that should have access to the application. See assign a user account to an enterprise application on Microsoft’s help resource.


Step 3: Set up Single Sign-On with SAML

  • In your RollWorks application created earlier, navigate to Manage > Single sign-on
  • Within the Basic SAML Configuration card, click Edit
  • Fill in the following field values:

| Field | Value |
| --- | --- |
| Identifier (Entity ID) | https://app.adroll.com |
| Reply URL (Assertion Consumer Service URL) | https://app.adroll.com/account/saml/callback |
| Sign on URL (Optional) | https://app.adroll.com/profile/saml?product=b2b |

  • Click Save and return to the Single sign-on page


  • Within the Attributes & Claims card, click Edit
  • Click Unique User Identifier (Name ID) to manage the claim
  • Select the following field values:

| Field | Value |
| --- | --- |
| Name identifier format | Email Address |
| Source | Attribute |
| Source attribute | user.mail |

  • Click Save


 

  • Return to the Single Sign-On page under Manage
  • Within the SAML Certificates card, download the Federation Metadata XML
  • Send this file to the RollWorks team. Once received, we will complete the configuration.
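
When testing the setup, a decoded assertion captured from your own tenant can be compared against the Step 3 values. The following is an added example, not part of the RollWorks documentation: the function name and the sample assertion are constructed for illustration, and it checks field values only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values from the Basic SAML Configuration and Attributes & Claims tables.
EXPECTED_AUDIENCE = "https://app.adroll.com"
EXPECTED_RECIPIENT = "https://app.adroll.com/account/saml/callback"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: an unsigned, trimmed assertion for a hypothetical user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://app.adroll.com/account/saml/callback"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://app.adroll.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of mismatches between an assertion and the Step 3 settings."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty (check the user.mail attribute)")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID format is not Email Address")
        if "@" not in name_id.text:
            problems.append("NameID value is not an email address")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("Audience does not match the Identifier (Entity ID)")
    recipients = [d.get("Recipient") for d in root.findall(".//saml:SubjectConfirmationData", NS)]
    if EXPECTED_RECIPIENT not in recipients:
        problems.append("Recipient does not match the Reply URL")
    return problems
```

An empty list means the assertion carries the Entity ID, Reply URL and Name ID settings from Step 3.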

 

 

SCIM Standard

SCIM is a standard that enables organizations to manage employee access to applications from a single place rather than within each application. It is used to manage the lifecycle of an account automatically.

About our SCIM implementation:

  • You must set up SAML before you set up SCIM
  • We support SCIM v2
  • You must configure custom schema extensions to specify user permissions

Once SCIM is configured, you can expect the following:

  • You can create RollWorks accounts from your identity provider.
  • You can remove RollWorks accounts from your identity provider.
  • You can update RollWorks accounts from your identity provider (e.g., email, name, permissions).
  • Some identity providers do not update the account when you update a user's username (email address). Instead, they deactivate the RollWorks account of the previous email before creating a new account with the new email address.
  • Some identity providers will attempt to find and reactivate a previous RollWorks account if the email address is reused.

 

SCIM Configuration For Microsoft Entra ID

You will need to use the following information to configure your identity provider:

  • Base URL: https://app.adroll.com/api/v1/scim
  • Authentication method: Bearer token

For your bearer token, you will need to generate a Personal Access Token (PAT) from your settings page. The PAT must be created with an administrator account for your RollWorks organization.

We support the following attributes. Any other attribute is ignored.

| Attribute | Description |
| --- | --- |
| userName | The format must be Email. |
| name.givenName | |
| name.familyName | |
| active | |
| urn:ietf:params:scim:schemas:nextroll:User.organizationRole | Either user or admin. An admin user will have full access to your organization. |
| urn:ietf:params:scim:schemas:nextroll:User.advertisableEIDs | A comma-separated list of advertisable EIDs the user will have access to. You must specify this attribute if the user has the user role. If the user has the admin role, this field is ignored. They have access to all advertisables in your organization. |
| urn:ietf:params:scim:schemas:nextroll:User.billingAllowed | True if the user should be able to manage the billing for your organization. If the user has the admin role, this field is ignored. They can manage billing in your organization. |
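
The attribute rules above can be checked before provisioning, so that a record with a missing scope or an unintended admin role is caught early. This is an added example, not RollWorks code: the function names and sample records are hypothetical, and nesting the custom attributes under the extension URN key is an assumption based on the SCIM 2.0 extension convention.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
EXT = "urn:ietf:params:scim:schemas:nextroll:User"  # extension URN from the table above


def problems(rec):
    """List rule violations for one planned user record (a plain dict)."""
    found = []
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", rec.get("userName", "")):
        found.append("userName must be an email address")
    role = rec.get("organizationRole")
    if role not in ("user", "admin"):
        found.append("organizationRole must be 'user' or 'admin'")
    if role == "user" and not rec.get("advertisableEIDs"):
        found.append("advertisableEIDs is required for the user role")
    return found


def to_scim(rec):
    """Build the SCIM 2.0 User body; refuses records that break the rules."""
    found = problems(rec)
    if found:
        raise ValueError("; ".join(found))
    ext = {"organizationRole": rec["organizationRole"]}
    if rec["organizationRole"] == "user":
        # Only sent for the user role: both fields are ignored for admins.
        ext["advertisableEIDs"] = ",".join(rec["advertisableEIDs"])
        ext["billingAllowed"] = bool(rec.get("billingAllowed", False))
    return {
        "schemas": [CORE, EXT],
        "userName": rec["userName"],
        "name": {"givenName": rec["givenName"], "familyName": rec["familyName"]},
        "active": rec.get("active", True),
        EXT: ext,  # assumed placement: custom attributes under the extension URN
    }


# Constructed sample records (hypothetical users, placeholder EIDs).
ANALYST = {"userName": "alice@example.com", "givenName": "Alice", "familyName": "Ng",
           "organizationRole": "user", "advertisableEIDs": ["EID_PLACEHOLDER_1", "EID_PLACEHOLDER_2"]}
ADMIN = {"userName": "bob@example.com", "givenName": "Bob", "familyName": "Ray",
         "organizationRole": "admin", "advertisableEIDs": ["EID_PLACEHOLDER_1"]}
NO_SCOPE = {"userName": "carol@example.com", "givenName": "Carol", "familyName": "Li",
            "organizationRole": "user"}
```

For the admin record the body carries only organizationRole, which makes the full-access grant explicit when reviewing the mapping.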

 

Troubleshooting

If you need help with SSO:

  1. Confirm with your IT department that Microsoft Entra ID is integrated with RollWorks.
  2. Confirm they have followed the instructions to configure SAML
  3. Reach out to the RollWorks team and provide the metadata.xml file used for SAML

Below are possible reasons why you may not be able to log in via SSO:

  • We can’t redirect to your IdP
    • The RollWorks account has not been integrated with your IdP
    • You have not yet created a RollWorks account
  • You are redirected to your IdP
    • Your IT team has not yet given you access to RollWorks via your IdP


 

 

 

SSO FAQs

Are users automatically added/removed to RollWorks?

Through SCIM configuration, new users can automatically get access when your IT team adds RollWorks to your identity provider, streamlining account management.

  • SCIM configuration: If you configure the SSO integration through SCIM, new users created in your identity provider are automatically created as users in RollWorks. Likewise, if a user is removed or deactivated in your identity provider, the RollWorks user is deactivated in the RollWorks app as well.
  • SAML-only configuration: If you only configure the SSO integration through SAML, then users will not be created/removed automatically in RollWorks, and you will need to create user accounts manually in RollWorks.

 

What happens when a user leaves my company?

  • SCIM configuration: Through SCIM configuration, when someone leaves your company, the SSO integration ensures their account access is automatically revoked, in line with your company's identity management policies. This process helps maintain security by ensuring only current employees can access company resources.
  • SAML-only configuration: If you configure the SSO integration through SAML only, users will not be created or removed automatically, and you will need to create user accounts manually in RollWorks.

 

Can I integrate multiple Identity Providers with RollWorks?

We only support configuration with one identity provider at a time.

 

Can I log in using my email and password credentials after configuring SSO?

Once SSO is configured between RollWorks and Microsoft Entra ID, your users will no longer sign in with their email address and password and no longer be asked for two-factor authentication.
