Description: This article explains Innovid's approach to single sign-on (SSO) and provides guidelines for setting up SSO for InnovidXP.

Note that SSO is currently available to both Buy and Sell Side customers. If you are interested in SSO for your business, please contact your Sales representative or submit a request via InnovidXP support.


Single sign-on overview

Important: Our solution allows SSO as well as username and password authentication. We are unable to enforce authentication via single sign-on only.

What is single sign-on?

Single sign-on (SSO) allows users to authenticate with a single ID/username/email and password to any of several related yet independent software applications. 

Important: To use SSO, the user credentials must have the same domain as the existing email for the Innovid credentials.

The benefits of using single sign-on

Single sign-on simplifies the way in which users connect to applications, for example, the Innovid platform, and ensures consistent security and access policies. It provides a secure, approved method of authentication that works with a variety of authentication sources.

The user experience

Users who want to use InnovidXP can authenticate using their company credentials, or by using an Innovid password or social provider, as agreed with you. Once verified, users can access the platform in line with the roles and permissions they have been granted. First-time users are taken through an authorization workflow to ensure the correct roles and permissions are granted.

The Innovid single sign-on solution

Innovid uses a trusted, scalable single sign-on solution built on the Amazon Cognito service from Amazon Web Services (AWS). This approach provides us with a highly efficient, responsive, “always on”, and scalable authentication platform, which allows us to extend our enterprise-grade infrastructure.

The following flow diagram shows the single sign-on process (IdP = Identity Provider):

[Figure: Single sign-on process flow]

What is authorization?

Authorization is the process used to grant a verified user the correct access within InnovidXP.

How does Innovid implement authorization?

This flow will not apply to users who have already been authorized; those users will be able to authenticate and use the platform according to the access they have been granted.

All first-time users, including administrators, will go through an authorization “access request/approval” workflow.

The diagram and steps below outline the process and stages of the authorization workflow:

[Figure: Authorization workflow flow diagram]

Step-by-step process:
1. The user selects the Login with SSO Details button on the login page.
2. The login is authenticated via the SSO API.
3. The landing page is displayed with a welcome message and the user is sent a confirmation email while waiting for access to be granted.
4. Platform admin receives an email confirming that a new user has requested access and containing a link to the Manage Logins page in the InnovidXP platform.
5. The InnovidXP team receives an email confirming a new user has requested access.
6. Admin grants the user access and assigns roles and permissions.
7. Innovid will alert the Admin team if there seems to be a delay and offer assistance if required.
8. An email is sent to the user which:
  • Confirms the account is set up
  • Lists the platforms they can access
  • Confirms user name (email address)
  • Provides a link to the product login
9. The new user can:
  • Access and use the InnovidXP platform according to roles and permissions
  • Log in with company details, without needing to remember an Innovid username and password

Setting up single sign-on (SSO)

You can integrate with OpenID Connect or Security Assertion Markup Language (SAML) to set up single sign-on for XP.

We currently support the following Identity Providers (IdPs) in our SSO integrations: Google, Microsoft, and Okta. To use a different Identity Provider, contact your Account Manager, and we will review this and let you know if it's possible.

Integrating with OIDC

To integrate with our OpenID Connect (OIDC) single sign-on solution, you must complete the following steps:

  • Step 1: Set up OpenID Connect (OIDC)
  • Step 2: Set up Innovid access to your internal system
  • Step 3: Provide Innovid with the required information
  • Step 4: Agree and complete a test plan with Innovid

Important: Note that once you have set up OIDC, the remaining steps can take up to two to four weeks to complete.

Step 1: Set up OpenID Connect

The following table outlines what is required to integrate using OIDC:

Information Required | Provided By
Authorized redirect URLs/callback URL | Innovid
Email value (claim) | Partner
OIDC Discovery URL* | Partner
Client ID and Client Secret | Partner
Test account for integration | Partner

*OIDC Discovery URL - also known as Server Metadata URL, e.g., https://accounts.google.com/.well-known/openid-configuration
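
A pre-flight check a partner could run on the discovery URL and email claim from the table above before sending them to Innovid. This is an added example, not Innovid's code; the IdP host idp.example.com, the sample document and the function names are constructed for illustration. It also checks the same-domain requirement stated earlier in this article.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample for a hypothetical IdP (idp.example.com); not real data.
SAMPLE_URL = "https://idp.example.com" + WELL_KNOWN
SAMPLE_DOC = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/authorize",
  "token_endpoint": "https://idp.example.com/token",
  "jwks_uri": "https://idp.example.com/keys",
  "claims_supported": ["sub", "email", "email_verified"]
}""")

def check_discovery(discovery_url, doc, email_claim="email"):
    """Return a list of problems found in an OIDC discovery document."""
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    # OIDC Discovery: the document is served at <issuer>/.well-known/openid-configuration
    if doc.get("issuer", "").rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append("issuer does not match discovery URL")
    # token_endpoint is checked on the assumption that the code flow is used.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    # claims_supported is optional; only flag it when present without the claim.
    claims = doc.get("claims_supported")
    if claims is not None and email_claim not in claims:
        problems.append(f"{email_claim} claim not advertised in claims_supported")
    return problems

def same_email_domain(claim_email, innovid_email):
    """True when the IdP email claim and the existing Innovid login share a domain."""
    def domain(addr):
        local, sep, dom = addr.strip().rpartition("@")
        return dom.lower() if sep and local and dom else None
    a, b = domain(claim_email), domain(innovid_email)
    return a is not None and a == b

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC) or "discovery document looks consistent")
    print(same_email_domain("a.user@example.com", "b.user@example.com"))
```

An empty list from check_discovery means the document is internally consistent; it does not confirm that the IdP actually releases the email claim, which the agreed test account covers.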

Step 2: Set up Innovid access to your internal system

Set up Innovid as an allowed partner in your system. The process differs depending on your platform, e.g., Azure.

Step 3: Provide Innovid with the required information

Send Innovid the required information for your integration, such as client ID, as listed above. We use this information to define your authentication configuration.

Step 4: Agree and complete a test plan with Innovid

Set up a test user account on your system and send Innovid the details. Once you have provided the necessary information, Innovid will start integrating your single sign-on. Innovid will test the integration before going live.

Integrating with SAML

To integrate with our SAML single sign-on solution, you must complete the following steps:

  • Step 1: Set up SAML
  • Step 2: Ask Innovid to set up a SAML Identity Provider

Step 1: Set up SAML

The following table outlines what is required to integrate using SAML:

Information Required | Provided By
Authorized redirect URLs/callback URL | Innovid
Innovid sign-in and sign-out URLs | Innovid
Metadata URL or document | Partner
SAML attribute mapping details: email attribute; optional others you want to attribute, such as "username" | Partner
Callback URL | Partner
Test account for integration | Partner


Step 2: Ask Innovid to set up a SAML Identity Provider

Contact Innovid to complete the setup and start using SAML for your SSO.

