Description: This article applies to our Sell Side customers, explains Innovid's approach to single sign-on (SSO), and provides guidelines for setting up SSO for InnovidXP.

SSO is currently available to customers who typically have many users accessing the InnovidXP platform. If you are interested in SSO for your business, please contact your Sales representative or submit a request via InnovidXP support.


Single sign-on overview

Important: Our solution allows SSO as well as username and password authentication. We are unable to enforce authentication via single sign-on only.

What is single sign-on?

Single sign-on (SSO) allows users to authenticate with a single ID/username/email and password to any of several related, yet independent, software applications. 

Important: To use SSO, the user credentials must have the same domain as the existing email for the Innovid credentials.

The benefits of using single sign-on

Single sign-on simplifies the way in which users connect to applications, for example, the Innovid platform, and ensures consistent security and access policies. It provides a secure, approved method of authentication that works with a variety of authentication sources.

The user experience

Users who want to use InnovidXP can authenticate using their company credentials, or by using an Innovid password or social provider, as agreed with you. Once verified, users can access the platform in line with the roles and permissions they have been granted. First-time users are taken through an authorization workflow to ensure the correct roles and permissions are granted.

The Innovid single sign-on solution

Innovid utilizes a trusted, scalable single sign-on solution provided by Amazon AWS’s Cognito service. This approach provides us with a highly efficient, responsive, “always on”, and scalable authentication platform, which allows us to extend our enterprise-grade infrastructure.

The following flow diagram shows the single sign-on process (IdP = Identity Provider):

[Figure: Single sign-on process flow]

What is authorization?

Authorization is the process used to grant a verified user the correct access within InnovidXP.

How does Innovid implement authorization?

This flow will not apply to users who have already been authorized; those users will be able to authenticate and use the platform according to the access they have been granted.

All first-time users, including administrators, will go through an authorization “access request/approval” workflow.

The diagram and steps below outline the process and stages of the authorization workflow:

[Figure: Authorization workflow flow diagram]

Step-by-step process:
1. The user selects the Login with SSO Details button on the login page.
2. The login is authenticated via the SSO API.
3. The landing page is displayed with a welcome message and the user is sent a confirmation email while waiting for access to be granted.
4. Platform admin receives an email confirming that a new user has requested access and containing a link to the Manage Logins page in the InnovidXP platform.
5. The InnovidXP team receive an email confirming a new user has requested access.
6. Admin grants the user access and assigns roles and permissions.
7. Innovid will alert the Admin team if there seems to be a delay, and offer assistance if required.
8. Email is sent to the user which:
  • Confirms the account is set up
  • Lists the platforms they can access
  • Confirms user name (email address)
  • Provides a link to the product login
9. The new user can:
  • Access and use the InnovidXP platform according to roles and permissions
  • Log in with company details, without needing to remember an Innovid username and password

How to set up single sign-on (SSO)

Summary

To integrate with our single sign-on solution, you must complete the following steps:

  • Step 1: Set up OpenID Connect (OIDC)
  • Step 2: Set up Innovid access to your internal system
  • Step 3: Provide Innovid with the required information
  • Step 4: Agree and complete a test plan with Innovid

Important: Note that once you have set up OIDC, the remaining steps can take up to two to four weeks to complete.

OpenID Connect (OIDC) Overview

We currently support the following Identity Providers when using OpenID Connect: Google, Microsoft and Okta. To use a different Identity Provider, contact your Account Manager and we will review this and let you know if it's possible.

Step 1: Set up OpenID Connect

The following table outlines what is required to integrate using OIDC:

| Information Required | Provided By |
|---|---|
| Authorized redirect URLs/callback URL | Innovid |
| Email value (claim) | Partner |
| OIDC Discovery URL* | Partner |
| Client ID and Client Secret | Partner |
| Test account for integration | Partner |

*OIDC Discovery URL - also known as Server Metadata URL, e.g., https://accounts.google.com/.well-known/openid-configuration
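A pre-flight check a partner could run on the discovery document and test account before sending the details above. This is an added example, not Innovid's code: the function names are hypothetical, the sample document is constructed for a made-up IdP at idp.example.com, and the use of the authorization code flow is an assumption.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Metadata fields OpenID Connect Discovery 1.0 marks REQUIRED (token_endpoint
# is required unless only the implicit flow is used).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def is_https(url):
    parts = urlsplit(str(url))
    return parts.scheme == "https" and bool(parts.netloc)

def check_discovery(discovery_url, doc, email_claim="email"):
    """Return a list of problems found in an OIDC discovery document."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    if not is_https(discovery_url) or not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL must be https and end with " + WELL_KNOWN)
    # The issuer must equal the discovery URL minus the well-known suffix.
    if str(doc.get("issuer", "")).rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append("issuer does not match discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and not is_https(doc[key]):
            problems.append(f"{key} is not an https URL")
    # Assumption: the integration uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow ('code') not advertised")
    # The Discovery spec requires RS256 among the ID token signing algorithms.
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not listed for ID token signing")
    # claims_supported is optional metadata; only check it when present.
    claims = doc.get("claims_supported")
    if claims is not None and email_claim not in claims:
        problems.append(f"claim '{email_claim}' not in claims_supported")
    return problems

def same_email_domain(idp_email, existing_email):
    """Check the page's rule: SSO login and existing login share one domain."""
    a, b = (e.strip().lower().rpartition("@") for e in (idp_email, existing_email))
    return bool(a[1] and b[1] and a[2]) and a[2] == b[2]

# Constructed sample document for a hypothetical IdP (not real provider output).
SAMPLE_URL = "https://idp.example.com" + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": "https://idp.example.com", "jwks_uri": "https://idp.example.com/keys",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "response_types_supported": ["code"], "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "claims_supported": ["sub", "email", "email_verified"],
}
```

An empty list from `check_discovery` means the document passed every check; `same_email_domain` covers the domain requirement stated in the overview.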

Step 2: Set up Innovid access to your internal system

Set up Innovid as an allowed partner on your system. The process differs depending on which platform you are using, e.g., Azure.

Step 3: Provide Innovid with the required information

Send Innovid the required information for your integration, as listed above, for example, client-id. We use this information to define your authentication configuration.

Step 4: Agree and complete a test plan with Innovid

Set up a test user account on your system and send Innovid the details. Once you have provided the necessary information, Innovid will start integrating your single sign-on. Innovid will test the integration before going live.

