You can implement Single Sign-On (SSO) for your teammates to access Experience OS. This lets you apply the same authentication policies as you do with your other enterprise applications when signing in to the Experience OS console. You can implement SSO through OIDC or SAML 2.0, which are supported by most major identity providers (IDP), such as Okta and Azure Active Directory.
Some steps in the setup are done on your side, and some are done by Dynamic Yield, with information you provide to your Dynamic Yield technical account manager. This is a one-time process, and it is important to ensure that each step is done correctly for the integration to work.
Step 1: Add a new application to your Identity Provider
This step includes the following actions:
- In your IDP management, navigate to your applications.
- Create a new application for Dynamic Yield. This application is then set up to "call" Dynamic Yield.
- Set up the new application with the following:
- Upload the metadata file to your IDP. Select the file based on the integration type (SAML or OIDC) and the URL of your Experience OS console (.com or .eu).
SAML 2.0 metadata file SAML 2.0 XML file: .com
SAML 2.0 XML file: .euOIDC metadata file If your IDP does not support this type of upload, you can do the setup manually. We provide a step-by-step guide for SAML 2.0 integration with Okta, but other IDP processes might vary.
- Enter the relevant URI. Select the URI based on the URL of your Experience OS console (.com or .eu).
https://ssobroker.dynamicyield.com/auth/realms/admin/broker/[account_ID]/endpoint
https://ssobroker.dynamicyield.eu/auth/realms/admin/broker/[account_ID]/endpoint
If you don't know your account ID (part of the URI), you can find it in the footer of the Experience OS console:
- Upload the metadata file to your IDP. Select the file based on the integration type (SAML or OIDC) and the URL of your Experience OS console (.com or .eu).
-
Give all relevant internal users access to this application. Otherwise, they cannot sign in to Experience OS by SSO.
Step 2: Provide information to Dynamic Yield
Your technical account manager needs this information to set up the integration on the Experience OS system:
Test user:
Create an internal test user, and provide the credentials to your technical account manager. We use it to validate the integration success. Make sure the test user has access to the Dynamic Yield app in the IDP.
For SAML 2.0 integration:
- Identity provider name (Active Directory, Okta, or other)
- SAML metadata URL
For OIDC integration:
- Identity provider name (Active Directory, Okta, and so on)
- URI (Uniform Resource Identifier)
- Client ID
- Client Secret
Step 3: Implement the integration
Dynamic Yield uses the information provided to connect your SSO to the Experience OS console. This can take up to several days. In the meantime, your users still log in without SSO.
Dynamic Yield uses the test user you created in Step 2 to test the integration internally.
Step 4: Test the integration
As soon as your technical account manager informs you that the integration is set up and tested by Dynamic Yield, you should test the integration yourself. Note that once a user signs in using SSO, they can longer log in using their old credentials. Verify that the integration works for several users, and then let your technical account manager know you are done with the test.
Note: The users that test the integration must have an account in Dynamic Yield, and access to the Dynamic Yield app in your IDP.
SSO login flow
- Go to the sign in page of the Dynamic Yield platform, and select Sign In With SSO.
- In the Sign in with SSO page, enter your company email address, and click Continue.
Your email address is authenticated by your IDP, and then your company SSO sign-in page appears (this can look different for each SSO provider).
- Enter your IDP credentials, and click Sign In.
Step 5: Enforce the integration
Next, Dynamic Yield enforces SSO on the account. From this point on, all team members use SSO to log in, and can no longer use their old credentials. New teammates are directed to log in using SSO.
After SSO is launched on your Dynamic Yield account, you cannot go back to the former authentication functionality.
FAQ
Can I sign in using my regular email and password?
No. After SSO is enabled you can only sign in through your identity provider.
Can I invite teammates who are not listed under my identity provider?
No. Teammates not listed under your identity provider are not able to sign in.
Can I set a teammate’s permissions on my identity provider?
No. Permissions are managed within the Experience OS console. In your IDP, you can only set that the teammate is allowed or not allowed to log in to Dynamic Yield.
Can I connect my account to more than one identity provider?
No. We currently support connecting only one IDP.
Can I change my password or phone number?
Not in the Experience OS console. After SSO is enabled, your credentials can only be edited and managed by your identity provider.
How do I disable the two-factor authentication in an SSO account?
After SSO is enabled, two-factor authentication can only be disabled and managed by your identity provider.
How do I add a new teammate?
Make sure your teammate is listed within your identity provider with access to the Dynamic Yield app. Then, you can invite the teammate from the manage teammates screen in the Experience OS console.
How do I revoke a teammate's access?
This can be done by either removing the teammate's access in your identity provider or deleting the teammate in the Experience OS console.
Can I provide access to the platform to users who are not part of my organization?
No. When SSO is enabled, only users with access to your identity provider can log in to the Experience OS console.