SAML Identity Provider Integration
Rokt uses Auth0 for user authentication. You can connect your enterprise Identity Provider (IdP) to Rokt — acting as the Service Provider (SP) — yourself using Rokt's Self-Service SSO setup, without exchanging configuration details over email.
How it works
Self-Service SSO is a guided, Rokt-branded setup wizard that walks you through creating your SAML connection end to end. You enter your IdP details directly in the wizard, copy Rokt's SP details into your IdP, test the connection, and go live — all on your own schedule. Rokt never needs you to email us certificates or configuration.
1. Request your setup link
Contact your Rokt account manager (AM) and ask them to generate a Self-Service SSO setup link for your organization.
Your AM will send you a secure, single-use link. Opening it launches the Rokt Setup wizard for configuring your SAML connection.
The setup link is single-use and time-limited. If it expires or you need to start over, ask your account manager to issue a new one.
The setup link provisions SP-Initiated SSO, which is strongly recommended. If you need IdP-Initiated SSO, request it from your account manager when you ask for your link — Rokt must provision your connection to support IdP-Initiated sign-in, so it is not enabled by the standard self-service link.
Before requesting IdP-Initiated, please review the risks.
2. Complete the Rokt Setup wizard
Open the setup link from your account manager and follow the wizard:
- Select your identity provider and SAML as the protocol.
- Configure your IdP with Rokt's SP details. The wizard displays the values you need to register Rokt as an application in your IdP, including:
  - Single Sign-On / Assertion Consumer Service (ACS) URL — where your IdP sends the SAML response.
  - Entity ID / Audience — Rokt's SP identifier (for example, urn:some:aud).
  - Rokt's SP metadata, which you can import directly into your IdP.
- Enter your IdP details — your IdP's sign-in URL and signing certificate (in PEM or CER format).
- Map user attributes. Include all of the following attributes in your SAML assertions — they are all required. Attribute keys must be lowercase, and custom attributes are not supported.
  - email
  - name (display name)
  - given_name
  - family_name
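A pre-flight check for the audience and attribute requirements above, as an added example that is not Rokt's code: it inspects one decoded SAML assertion, such as a sample from your IdP's preview or test tooling. The sample assertion is constructed, `check_assertion` is a hypothetical helper, and treating an empty value as missing is an assumption; the check covers shape only and does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = {"email", "name", "given_name", "family_name"}  # required keys listed above

# Constructed sample assertion (not real IdP output). "urn:some:aud" is the
# page's example Entity ID; use the value the wizard shows for your connection.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:some:aud</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>Ana Diaz</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Given_Name"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="family_name"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience):
    """Return a list of problems found in one decoded SAML assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience {expected_audience!r} not in {audiences}")
    present = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("Name", "")
        values = [
            v.text for v in attr.iterfind("saml:AttributeValue", NS)
            if v.text and v.text.strip()
        ]
        if key != key.lower():
            problems.append(f"attribute key {key!r} is not lowercase")
        elif key not in REQUIRED:
            problems.append(f"attribute {key!r} is not one of the supported keys")
        elif values:  # assumption: an empty value counts as missing
            present.add(key)
    problems += [f"required attribute {k!r} is missing or empty" for k in sorted(REQUIRED - present)]
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE, "urn:some:aud"):
        print("FAIL:", problem)
```

An empty result means the assertion carries the expected audience and all four attributes with lowercase keys; the wizard's own test step remains the authoritative check.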
3. Test and finish
Use the wizard's test step to verify the connection end to end. Once the test succeeds, complete the wizard to finish setup.
After your connection is live, users with an email from your configured domains will authenticate through your IdP. Users may be prompted to reverify their email the first time they sign in.
Provision users with SCIM (optional)
SCIM lets your IdP automatically provision and deprovision Rokt users. It runs on top of your SAML connection, so complete the SAML setup above first. Once your connection is live, ask your account manager to enable SCIM.
Attribute mapping
Rokt's SCIM server needs each user's identifier and active status. By default it expects the following fields in the SCIM request from your IdP:
| Expected field | Description |
|---|---|
| userName | Primary identifier for the user via SAML (email) |
| active | Whether the user should be active (true / false) |
If your data uses different field names or formats, you can either:
- Update your IdP to map your data to the fields above, or
- Provide Rokt with a custom mapping from your fields to the expected field names.
Enable and test
Tell your account manager you want to enable SCIM and discuss any mapping needs. Rokt will provide:
- SCIM Base URL
- API Key
After testing succeeds, you can provision and manage your active Rokt users via SCIM using the provided URL and API key.
Need a non-SAML provider (such as Active Directory or Google Workspace) or help while running the wizard? Let your account manager know.