If your organization uses an identity provider such as Microsoft ADFS, Okta, or Azure to log into your apps, you can use that service to log in to Invoca as well. These identity providers use a standard called Security Assertion Markup Language Single Sign-On (SAML SSO) to exchange information, such as login details, with apps like Invoca. With this feature enabled, whenever someone in your organization tries to log in to Invoca, they’ll be directed to sign in through your SSO provider instead — with no Invoca usernames or passwords!
SAML SSO is a different feature from the similarly-named SSO for Affiliates and Advertisers, which allows performance marketers to more easily share Invoca access with Advertisers and Publishers on their network. For more help setting up Affiliate SSO, see How to share access to Invoca with Affiliates and Advertisers using SSO.
In this section, we’ll be setting up your identity provider to correctly access and authenticate with Invoca. Every identity provider works and looks slightly different, so don’t be discouraged if the names of the fields in this guide and your identity provider settings don’t match exactly. We’ve also included more specific instructions for connecting to Microsoft ADFS in step 3 of this guide. If you want more precise help, please contact your friendly Invoca account Customer Support Manager.
|Attribute Name||Description||Value/Data-type||Type||Default Value|
|first_name||The user’s first name||String||Required|
|last_name||The user’s last name||String||Required|
|contact_phone_number||The user’s phone number||Valid phone number string||Required|
|organization_type||The Account Level at which you want this user to access your Invoca account.||Enter one of: “Network”, “Advertiser” (profile), or “Affiliate” (publisher).||Optional||Network|
|organization_id_from_network||Specifies which profile(s) in your Invoca account you want this user to be able to access.||If Advertiser or Affiliate is specified as your user’s organization_type, list the ID number of each Advertiser or Affiliate you want this user to access, separated by commas.||Required if organization_type is Advertiser or Affiliate|
|time_zone||The user’s time zone, if different from your Network’s default time zone.||String||Optional||Your network’s default time zone|
|role||The user's role within the network||Enter one of: "Super", "Manager", "Member", "Observer", or "Reporting"||Optional||The default user role in your network|
As a courtesy, we've included more detailed instructions to set up your SAML SSO for Invoca with Microsoft Active Directory Federation Services (AD FS) as your identity provider. Note that these instructions are subject to change, and may not be accurate, depending on your Microsoft AD FS version.
Step 1: Create a Relying Party in Microsoft AD FS for Invoca
Log in to your AD FS Management snap-in, then follow this article from Microsoft to create a new Relying Party Trust, using the following options:
Step 2: Configure your Invoca Relying Party AD FS metadata and endpoints
Step 3: Configure Claims Rules for your Invoca Relying Party Trust
Right-click your new Invoca Relying Party Trust and select edit claims issuance policy. Take a look at Microsoft's general guide to Configuring Claim Rules, then follow each of these guides to create new Claims Rules for the following claims:
1. Create a Rule to Send LDAP Attributes as Claims (Get Email)
2. Create a Rule to Send Claims Using a Custom Rule (Transform Email to NameID)
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress");
3. Create a Rule to Send LDAP Attributes as Claims (Get Required Attributes)
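The check below is an added example, not Invoca's or Microsoft's code: it validates a decoded assertion captured from your own identity provider against the attribute table above and the emailAddress NameID format issued by the custom rule in item 2, so a mis-mapped role or organization_type is caught before SSO is enabled. It assumes each table entry is sent as a SAML Attribute whose Name matches the table exactly; `check_assertion` and `sample` are hypothetical names, and the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
REQUIRED = ("first_name", "last_name", "contact_phone_number")
ORG_TYPES = {"Network", "Advertiser", "Affiliate"}
ROLES = {"Super", "Manager", "Member", "Observer", "Reporting"}

def check_assertion(xml_text):
    """Return a list of problems in a decoded SAML assertion (empty list = OK)."""
    # Feed this only assertions from your own IdP; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    attrs = {}
    for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        v = a.find("saml:AttributeValue", NS)  # first value only
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"{name} is required")
    org_type = attrs.get("organization_type") or "Network"  # default from the table
    if org_type not in ORG_TYPES:
        problems.append(f"organization_type {org_type!r} not allowed")
    elif org_type != "Network":
        ids = [i.strip() for i in attrs.get("organization_id_from_network", "").split(",")]
        if not all(ids):  # missing attribute or an empty entry between commas
            problems.append("organization_id_from_network is required for " + org_type)
    role = attrs.get("role")
    if role and role not in ROLES:
        problems.append(f"role {role!r} not allowed")
    return problems

def sample(name_id_format, attributes):
    """Build a constructed, unsigned assertion fragment for testing the checker."""
    rows = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attributes.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID Format="{name_id_format}">pat@example.com</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{rows}</saml:AttributeStatement></saml:Assertion>')

if __name__ == "__main__":
    print(check_assertion(sample(EMAIL_FORMAT, {"first_name": "Pat", "role": "Admin"})))
```

The checker looks only at attribute mapping; it does not verify the assertion's signature or validity window.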
Step 4: Obtain Signing Fingerprint from AD FS
Step 5: Configure Invoca Single-Sign On