cancel
Showing results for 
Search instead for 
Did you mean: 
880members
459posts
stevestormoen
Employee
Employee

If your organization uses an identity provider such as Microsoft ADFS, Okta, or Azure to log into your apps, you can use that service to log in to Invoca as well. These identity providers use a standard called Security Assertion Markup Language Single Sign-On (SAML SSO) to exchange information, such as login details, with apps like Invoca. With this feature enabled, whenever someone in your organization tries to log in to Invoca, they’ll be directed to sign in through your SSO provider instead — with no Invoca usernames or passwords!

SAML SSO is a different feature from the similarly-named SSO for Affiliates and Advertisers, which allows performance marketers to more easily share Invoca access with Advertisers and Publishers on their network. For more help setting up Affiliate SSO, see How to share access to Invoca with Affiliates and Advertisers using SSO.
 

Who can use this article?
To complete this guide, you must be logged in to Invoca as a user with the role of Super User. Additionally, many of the steps in this article require administrator access to your SAML identity provider (such as Microsoft ADFS, Okta, or Azure), which is typically handled by an organization’s IT or Security team.

 

Step 1: Enable SAML SSO in your Invoca account

  1. Log in to your Invoca account and click settings in your sidebar menu, then select Users.
  2. In the Users pane, click the menu button, then select SSO Settings.
     
    Screen Shot 2022-02-03 at 5.55.39 PM.png
     
    Can’t find these settings?
    If you’re having trouble finding these settings, first make sure you’re logged in as a user with the role of Super User. If you are, and still can’t find these settings, contact your Invoca Account Manager to discuss enabling SAML SSO for your Invoca network.

   

  • In the SAML SSO drop-down menu, select how you want users on your Invoca network to log in with SAML:
     
    • Disabled: All users on your Invoca network must sign in to Invoca using a username and password.
    • Enabled - Mandatory for all users: All users on your Invoca network must sign in to Invoca through your identity provider.
    • Enabled - Optional for all users: Users on your Invoca network will be able to sign in either using a username and password or through your identity provider. Screen Shot 2022-02-03 at 5.57.21 PM.png
       
  • If your identity provider requires its connected apps to returned signed requests (standard X509 certificates) check the Require Signed Requests checkbox.
  • In the Login URL text box, enter your identity provider’s login URL. You should be able to find this in the settings of your identity provider account.
  • In the Logout URL text box, you may enter a URL to allow the use of Single Logout (SLO) support. Note that after 30 minutes of inactivity, SAML SSO-configured users will be automatically logged out of Invoca.
  • If required, enter the SHA-1 Fingerprint of your identity provider in the SHA-1 Fingerprint text box. You should also be able to find this in the settings of your identity provider account.: A Fingerprint is the digest of your identity provider certificate. Please provide the correct value to ensure security in your authentication. Please separate tuples with a colon (‘:’).
  • In the Default Role menu, select the default user role you’d like to assign to new users accessing your Invoca network through SAML Single Sign-on.
  • Download your Invoca SAML SSO identity provider configuration metadata file at https://[Your Invoca Network Here].invoca.net/sso/invoca-sso. When setting up your identity provider settings in step 2 of this guide, you’ll need access to this metadata file.

 

Step 2: Set up your identity provider to connect to Invoca

In this section, we’ll be setting up your identity provider to correctly access and authenticate with Invoca. Every identity provider works and looks slightly different, so don’t be discouraged if the names of the fields in this guide and your identity provider settings don’t match exactly. We’ve also included more specific instructions for connecting to Microsoft ADFS in step 3 of this guide. If you want more precise help, please contact your friendly Invoca account Customer Support Manager.
 

  1. When assigning a Name id (a unique identifier field) to your Invoca users, use the format “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”. This is because Invoca uses email address as unique identifiers for users.
  2. Set each user's Entity ID as “Invoca_SAML_Service_Provider”.
  3. To enable Single Sign-on workflow, please set the Setting Assertion Consumer Service URL to  “https://[Your Invoca Network Here].invoca.net/sso/consume
  4. To enable Single logout workflow, please set the Single Logout endpoint to “https://[Your Invoca Network Here].invoca.net/sso/logout
  5. Next, you’ll need to set up each user you want to create in your Invoca account, filling in each of the following SAML attributes for each user, according to the table below. For any SAML attribute that isn’t listed below, enter “urn:oasis:names:tc:SAML:2.0:attrname-format:basic” as its name format.

 

Attribute NameDescriptionValue/Data-typeTypeDefault Value
first_nameThe user’s first nameStringRequired 
last_nameThe user’s last nameStringRequired 
contact_phone_numberThe user’s phone numberValid phone number stringRequired 
organization_type>The Account Level at which you want this user to access your Invoca account.Enter one of: “Network”, “Advertiser” (profile), or “Affiliate” (publisher).OptionalNetwork
organization_id_from _networkSpecifies which profile(s) in your invoca account you want this user to be able to access.If Advertiser or Affiliate is specified as your user’s organization_type, list the ID number of each Advertiser or Affiliate you want this user to access, separated by commas.Required if organization_type is Advertiser or Affiliate 
time_zoneThe user’s time zone, if different from your Network’s default time zone.StringOptionalYour network’s default time zone
roleThe user's role within the networkEnter one of: "Super", "Manager", "Member", "Observer", or "Reporting"OptionalThe default user role in your network

 

Microsoft ADFS Configuration

As a courtesy, we've included more detailed instructions to set up your SAML SSO for Invoca with Microsoft Active Directory Federation Services (AD FS) as your identity provider. Note that these instructions are subject to change, and may not be accurate, depending on your Microsoft AD FS version.

Step 1: Create a Relying Party in Microsoft AD FS for Invoca
Log in to your AD FS Management snap-in, then follow this article from Microsoft to create a new Relying Party Trust, using the following options:
 

  • Configure certificate: Don’t select or browse for a certificate, just click next. Invoca does not support encrypted communication for this feature.
  • Configure URL: Select Enable support for SAML 2.0 WebSSO Protocol. In the Service URL text box, enter https://yournetwork.invoca.net/sso/invoca-sso, replacing yournetwork with the url name of your Invoca network.
  • Configure Identifiers: In the Relying party trust identifier text box, add Invoca_SAML_Service_Provider 
  • Access Control Policy: Permit Everyone is selected by default
  • Configure Claims: Leave checkbox checked to configure claims issuance policies. See this article from Microsoft on configuring claim rules for more details.



Step 2: Configure your Invoca Relying Party AD FS metadata and endpoints
 

  1. Right click your newly created Invoca Relying Party Trust and select properties.
  2. Enter the service URL you used above (https://yournetwork.invoca.net/sso/invoca-sso) into the relying party metadata URL field.
  3. Click the Endpoints tab, highlight SAML Assertion Consumer Endpoints URL and click edit.
  4. Modify URL to Invoca consume URL (https://yournetwork.invoca.net/sso/consume).
  5. Click on checkbox to set trusted URL as default and click OK.
  6. Click Add SAML to bring up SAML endpoint screen. Select SAML Logout as the endpoint type and enter the proper URL for trusted and response URL (https://yournetwork.invoca.net/sso/logout). Click OK.
  7. Validate you have both Assertion and Logout endpoints defined.
  8. Click the Advanced tab and change the hash from SHA-256 to SHA-1.  Click Apply then OK.

 
Step 3: Configure Claims Rules for your Invoca Relying Party Trust 

Right click your new Invoca Relying Party Trust and select edit claims issuance policy. Take a look at Microsoft's general guide to Configuring Claim Rules, then follow each of these guides to create new Claims Rules for the following claims:
 
1. Create a Rule to Send LDAP Attributes as Claims (Get Email)

  • Name: Get Email
  • Active Directory: Attribute Store
  • LDAP attributes: Email-Addresses
  • Outgoing claim type: Email Address

 
2. Create a Rule to Send Claims Using a Custom Rule (Transform Email to NameID)

  • Name: Transform Email to NameID
  • Custom Code: Paste the following code:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress");

 
3. Create a Rule to Send LDAP Attributes as Claims (Get Required Attributes) 

  • Name: Get Required Attributes
  • Active Directory: Attribute Store
  • LDAP attributes: Given-Name, Surname, Telephone-Number
  • Outgoing claim types: Enter first_name, last_name, and contact_phone_number — matching each to the LDAP attributes listed above.
  • Validate minimum rules configured as shown

 
Step 4: Obtain Signing Fingerprint from AD FS

  1. Inside the ADFS Management snap-in, navigate to Service -> Certificates. Take a look at this guide from Microsoft to Obtain and Configure TS and TD Certificates for AD FS , and follow the following instructions:
  2. Right click the token signing certificate and select view certificate.
  3. Click details and navigate to fingerprint.  Copy the fingerprint and upload into relevant location in Invoca platform.

 
Step 5: Configure Invoca Single-Sign On

  1. Follow part 1 of this article to enable SAML Single-Sign On in your Invoca account. Edit both the Login and Logout URLs to https://youradfsdomain.com/adfs/ls, replacing youradsfdomain with the domain name of your AD SF server instance.
  2. Paste the SHA-1 Fingerprint you retrieved in step 4 of this AD FS mini-guide, above — delimited by colons instead of spaces (ex. 05:59:51:D6:29:F8:26:2C:E6:8A:AC:FB:C5:2D:B7:2D:83:E5:2A:35).
  3. When you're finished, click Save.

 

Need more help?

Don't see what you are looking for? You can ask the Community or contact support.