Description: This article applies to our Sell Side customers, explains Innovid's approach to single sign-on (SSO), and provides guidelines for setting up SSO for InnovidXP.
SSO is currently available to customers who typically have many users accessing the InnovidXP platform. If you are interested in SSO for your business, please contact your Sales representative or submit a request via InnovidXP support.
Single sign-on overview
Important: Our solution allows SSO as well as username and password authentication. We are unable to enforce authentication via single sign-on only.
What is single sign-on?
Single sign-on (SSO) allows users to authenticate with a single ID/username/email and password to any of several related, yet independent, software applications.
Important: To use SSO, the user credentials must have the same domain as the existing email for the Innovid credentials.
The benefits of using single sign-on
Single sign-on simplifies the way in which users connect to applications, for example, the Innovid platform, and ensures consistent security and access policies. It provides a secure, approved method of authentication that works with a variety of authentication sources.
The user experience
Users who want to use InnovidXP can authenticate using their company credentials, or by using an Innovid password or social provider, as agreed with you. Once verified, users can access the platform in line with the roles and permissions they have been granted. First-time users are taken through an authorization workflow to ensure the correct roles and permissions are granted.
The Innovid single sign-on solution
Innovid uses a trusted, scalable single sign-on solution provided by the Amazon Cognito service from AWS. This approach provides us with a highly efficient, responsive, “always on”, and scalable authentication platform, which allows us to extend our enterprise-grade infrastructure.
The following flow diagram shows the single sign-on process (IdP = Identity Provider):
What is authorization?
Authorization is the process used to grant a verified user the correct access within InnovidXP.
How does Innovid implement authorization?
This flow will not apply to users who have already been authorized; those users will be able to authenticate and use the platform according to the access they have been granted.
All first-time users, including administrators, will go through an authorization “access request/approval” workflow.
The diagram and steps below outline the process and stages of the authorization workflow:
- The user selects the Login with SSO Details button on the login page.
- The login is authenticated via the SSO API.
- The landing page is displayed with a welcome message and the user is sent a confirmation email while waiting for access to be granted.
- Platform admin receives an email confirming that a new user has requested access and containing a link to the Manage Logins page in the InnovidXP platform.
- The InnovidXP team receive an email confirming a new user has requested access.
- Admin grants the user access and assigns roles and permissions.
- Innovid will alert the Admin team if there seems to be a delay, and offer assistance if required.
Email is sent to the user which:
The new user can:
How to set up single sign-on (SSO)
To integrate with our single sign-on solution, you must complete the following steps:
- Step 1: Set up OpenID Connect (OIDC)
- Step 2: Set up Innovid access to your internal system
- Step 3: Provide Innovid with the required information
- Step 4: Agree and complete a test plan with Innovid
Important: Once you have set up OIDC, the remaining steps can take up to two to four weeks to complete.
OpenID Connect (OIDC) Overview
We currently support the following Identity Providers when using OpenID Connect: Google, Microsoft and Okta. To use a different Identity Provider, contact your Account Manager and we will review this and let you know if it's possible.
Step 1 Set up OpenID Connect
The following items are required to integrate using OIDC:
- Authorized redirect URLs/callback URL
- Email value (claim)
- OIDC Discovery URL*
- Client ID and Client Secret
- Test account for integration
*OIDC Discovery URL - also known as Server Metadata URL, e.g., https://accounts.google.com/.well-known/openid-configuration
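A pre-flight check for the OIDC requirements listed above, as an added example that is not Innovid's code: it validates a discovery document and confirms that the test account's `email` claim has the same domain as the existing Innovid login, the requirement stated in the overview. The host `idp.example.com`, the sample metadata and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url, metadata):
    """Return a list of problems in an OIDC discovery document (empty = OK)."""
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    if discovery_url.endswith(WELL_KNOWN):
        # OIDC Discovery: issuer must match the URL the document was served from.
        expected = discovery_url[: -len(WELL_KNOWN)].rstrip("/")
        if metadata.get("issuer", "").rstrip("/") != expected:
            problems.append("issuer does not match discovery URL")
    else:
        problems.append("discovery URL lacks " + WELL_KNOWN)
    for key in ENDPOINTS:
        if urlsplit(metadata.get(key, "")).scheme != "https":
            problems.append(key + " missing or not https")
    # These lists are optional in the spec; only flag them when advertised.
    for key in ("scopes_supported", "claims_supported"):
        advertised = metadata.get(key)
        if advertised is not None and "email" not in advertised:
            problems.append(key + " does not list email")
    return problems

def domain_of(email):
    """Lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = str(email).rpartition("@")
    return domain.lower() if (local and sep and domain) else None

def email_domain_matches(id_token_claims, existing_login_email):
    """True when the IdP email claim shares the existing login's domain."""
    claim_domain = domain_of(id_token_claims.get("email", ""))
    return claim_domain is not None and claim_domain == domain_of(existing_login_email)

# Constructed sample input (hypothetical IdP, not a real tenant).
SAMPLE_URL = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_METADATA = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
    "scopes_supported": ["openid", "profile"],  # "email" deliberately missing
}
```

Calling `check_discovery(SAMPLE_URL, SAMPLE_METADATA)` reports the missing `email` scope, which is the kind of gap worth finding before the details are sent for integration.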
Step 2 Set up Innovid access to your internal system
Set up Innovid as an allowed partner on your system. The process differs depending on which platform you are using, e.g., Azure.
Step 3 Provide Innovid with the required information
Send Innovid the required information for your integration, as listed above, for example, client-id. We use this information to define your authentication configuration.
Step 4 Agree and complete a test plan with Innovid
Set up a test user account on your system and send Innovid the details. Once you have provided the necessary information, Innovid will start integrating your single sign-on. Innovid will test the integration before going live.
Single sign-on FAQs