Description: This article explains Innovid's approach to single sign-on (SSO) and provides guidelines for setting up SSO for InnovidXP.
Note that SSO is currently available to both Buy and Sell Side customers. If you are interested in SSO for your business, please contact your Sales representative or submit a request via InnovidXP support.
Single sign-on overview
Important: Our solution allows SSO as well as username and password authentication. We are unable to enforce authentication via single sign-on only.
What is single sign-on?
Single sign-on (SSO) allows users to authenticate with a single ID/username/email and password to any of several related yet independent software applications.
Important: To use SSO, the user credentials must have the same domain as the existing email for the Innovid credentials.
The benefits of using single sign-on
Single sign-on simplifies the way in which users connect to applications, for example, the Innovid platform, and ensures consistent security and access policies. It provides a secure, approved method of authentication that works with a variety of authentication sources.
The user experience
Users who want to use InnovidXP can authenticate using their company credentials, or by using an Innovid password or social provider, as agreed with you. Once verified, users can access the platform in line with the roles and permissions they have been granted. First-time users are taken through an authorization workflow to ensure the correct roles and permissions are granted.
The Innovid single sign-on solution
Innovid uses a trusted, scalable single sign-on solution provided by the Amazon Cognito service from AWS. This approach provides us with a highly efficient, responsive, “always on”, and scalable authentication platform, which allows us to extend our enterprise-grade infrastructure.
The following flow diagram shows the single sign-on process (IdP = Identity Provider):
What is authorization?
Authorization is the process used to grant a verified user the correct access within InnovidXP.
How does Innovid implement authorization?
All first-time users, including administrators, will go through an authorization “access request/approval” workflow.
This workflow will not apply to users who have already been authorized; those users will be able to authenticate and use the platform according to the access they have been granted.
The diagram and steps below outline the process and stages of the authorization workflow:
Step-by-step process: | |
1. | The user selects the Login with SSO Details button on the login page. |
2. | The login is authenticated via the SSO API. |
3. | The landing page is displayed with a welcome message and the user is sent a confirmation email while waiting for access to be granted. |
4. | Platform admin receives an email confirming that a new user has requested access and containing a link to the Manage Logins page in the InnovidXP platform. |
5. | The InnovidXP team receives an email confirming a new user has requested access. |
6. | Admin grants the user access and assigns roles and permissions. |
7. | Innovid will alert the Admin team if there seems to be a delay and offer assistance if required. |
8. | Email is sent to the user which: |
9. | The new user can: |
Setting up single sign-on (SSO)
You can integrate with OpenID Connect or Security Assertion Markup Language (SAML) to set up single sign-on for XP.
We currently support the following Identity Providers (IdPs) in our SSO integrations: Google, Microsoft, and Okta. To use a different Identity Provider, contact your Account Manager, and we will review this and let you know if it's possible.
Integrating with OIDC
To integrate with our OpenID Connect (OIDC) single sign-on solution, you must complete the following steps:
- Step 1: Set up OpenID Connect (OIDC)
- Step 2: Set up Innovid access to your internal system
- Step 3: Provide Innovid with the required information
- Step 4: Agree and complete a test plan with Innovid
Important: Note that once you have set up OIDC, the remaining steps can take up to two to four weeks to complete.
Step 1: Set up OpenID Connect
The following table outlines what is required to integrate using OIDC:
Information Required | Provided By |
Authorized redirect URLs/callback URL | Innovid |
Email value (claim) | Partner |
OIDC Discovery URL* | Partner |
Client ID and Client Secret | Partner |
Test account for integration | Partner |
*OIDC Discovery URL - also known as Server Metadata URL, e.g., https://accounts.google.com/.well-known/openid-configuration
Step 2: Set up Innovid access to your internal system
Set up Innovid as an allowed partner in your system. The process differs depending on your platform, e.g., Azure.
Step 3: Provide Innovid with the required information
Send Innovid the required information for your integration, such as client ID, as listed above. We use this information to define your authentication configuration.
Step 4: Agree and complete a test plan with Innovid
Set up a test user account on your system and send Innovid the details. Once you have provided the necessary information, Innovid will start integrating your single sign-on. Innovid will test the integration before going live.
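Before sending the OIDC details in Step 3, a partner can sanity-check the discovery document and the test account against the same-domain rule stated earlier. The following is an added example, not Innovid's code; the IdP host `idp.example.com`, the sample document, and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample discovery document for a hypothetical IdP (not real data).
SAMPLE_URL = "https://idp.example.com" + WELL_KNOWN
SAMPLE_DOC = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "jwks_uri": "https://idp.example.com/oauth2/keys",
  "response_types_supported": ["code"],
  "scopes_supported": ["openid", "email", "profile"],
  "claims_supported": ["sub", "email", "email_verified"]
}""")

def check_discovery(discovery_url, doc, email_claim="email"):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if urlparse(discovery_url).scheme != "https":
        problems.append("discovery URL is not HTTPS")
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL lacks " + WELL_KNOWN)
    # OIDC Discovery: the issuer is the discovery URL minus the well-known suffix.
    expected = discovery_url[: -len(WELL_KNOWN)] if discovery_url.endswith(WELL_KNOWN) else ""
    if str(doc.get("issuer", "")).rstrip("/") != expected.rstrip("/") or not expected:
        problems.append("issuer does not match discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(str(doc.get(key, ""))).scheme != "https":
            problems.append(key + " is missing or not HTTPS")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("openid scope not advertised")
    if email_claim not in doc.get("claims_supported", []):
        problems.append(email_claim + " claim not advertised")
    return problems

def email_domain(address):
    """Lower-cased domain of an address, or None if it is malformed."""
    local, at, domain = address.strip().rpartition("@")
    return domain.lower().rstrip(".") if at and local and domain else None

def same_email_domain(idp_email, innovid_email):
    """Exact domain match only: a subdomain is a different domain."""
    domain = email_domain(idp_email)
    return domain is not None and domain == email_domain(innovid_email)
```

An empty list from `check_discovery` means the document is internally consistent; `scopes_supported` and `claims_supported` are optional in discovery metadata, so a "not advertised" result is a prompt to confirm with the IdP administrator rather than a hard failure.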
Integrating with SAML
To integrate with our SAML single sign-on solution, you must complete the following steps:
- Step 1: Set up SAML
- Step 2: Ask Innovid to set up a SAML Identity Provider
Step 1: Set up SAML
The following table outlines what is required to integrate using SAML:
Information Required | Provided By |
Authorized redirect URLs/callback URL | Innovid |
Innovid sign-in and sign-out URLs | Innovid |
Metadata URL or document | Partner |
SAML attribute mapping details: | Partner |
Callback URL | Partner |
Test account for integration | Partner |
Step 2: Ask Innovid to set up a SAML Identity Provider
Contact Innovid to complete the setup and start using SAML for your SSO.