Moloco Commerce Media (MCM) Campaign Manager provides enterprise-grade authentication and security through Single Sign-On (SSO) and Multi-Factor Authentication (MFA). These features can be used independently or together to meet your organization's security requirements.

Overview

MCM supports three authentication channels depending on your Campaign Manager deployment:

Channel	Authentication Method	SSO Support	MFA Support
Standalone Campaign Manager	Moloco Auth (email/password) or SAML SSO	✅ SAML 2.0	✅ TOTP-based
Widgetized Campaign Manager	Platform-managed via SSO URL	✅ Managed by Platform	✅ Managed by Platform
Management API	API Key	✅ Managed by Platform	✅ Managed by Platform

Key principle: SSO and MFA operate on separate axes. Platforms using SSO can also enable MFA for non-SSO users within the same platform. SSO users rely on their Identity Provider's MFA; Moloco's native MFA applies only to users authenticating through Moloco Auth.

Single Sign-On (SSO)

What It Is

SSO enables Platform users to log in to the Standalone Campaign Manager using their organization's Identity Provider (IdP), rather than managing separate Moloco credentials. This aligns user lifecycle management with your existing IT infrastructure.

Supported Identity Providers

MCM supports SAML 2.0-based SSO with the following IdPs:

Okta
Microsoft Entra ID (formerly Azure AD)
OneLogin

Other SAML 2.0-compliant IdPs may also work, provided they support SHA-256 signing and the emailAddress NameID format. Contact your Moloco representative to validate compatibility.

How It Works

MCM uses a Service Provider-initiated (SP-initiated) SSO flow:

User navigates to the Campaign Manager login page.
User enters their email address.
If the email domain is configured for SSO, the user is redirected to their corporate IdP.
After successful authentication at the IdP, the user is redirected back to the Campaign Manager with a SAML assertion.
MCM validates the assertion and grants access.

For non-SSO email domains, the standard email/password login form is displayed.

⚠️
Important!
Only SP-initiated login is supported. IdP-initiated login is not supported. We recommend hiding the MCM application from end-user app portals within your IdP to avoid confusion.

Scope and Behavior

Platform-level users only. SSO applies to Platform-role users. Advertiser and Agency users continue to use Moloco Auth (email/password).
All-or-nothing per Platform. When SSO is enabled, all Platform-role users must authenticate via SSO. Mixed authentication (some Platform users via SSO, others via password) is not supported.
Multiple IdPs per Platform. Organizations with subsidiary properties can configure multiple IdP entries. For example, users with both @company.com and @subsidiary.com email domains can use SSO on the same Platform.
Invitation required. SSO authentication does not auto-provision users. Users must be explicitly invited by a Platform Owner before they can log in via SSO.
Authorization remains internal. User roles and permissions are managed within the Campaign Manager, not derived from IdP or SAML attributes.

📘
Note
It is possible to remove access from a user either by removing their account from Campaign Manager or by removing them from the IdP list.

SSO Configuration

SSO is configured per Platform through the admin settings in the Standalone Campaign Manager.

STEP 1: Configure Your Identity Provider

Create a SAML 2.0 application in your IdP using the following settings:

Setting	Value
Single Sign-On URL / ACS URL	`https://<your-platform-domain>/saml/consume`
Audience URI / Entity ID	`https://<your-platform-domain>`
Name ID Format	`EmailAddress`
Application Username	User's email address
Signing Algorithm	`SHA-256`

⚠️
Common misconfiguration:
Leaving the Name ID format as "Unspecified" (the default in some IdPs) or setting the Application Username to something other than Email will cause SSO login failures because the SAML response will not contain the user's email in the expected format.

See the IdP-specific setup instructions section below for detailed steps.

STEP 2 : Provide SAML Metadata to MOLOCO

Once your IdP is configured, you must share the SAML Metadata with your Moloco representative to finalize the integration.

IdP-Specific Setup Instructions

📘
Okta

In the Okta Admin Console, create a new SAML 2.0 integration.

Set "Visible in portal" to No (IdP-initiated login is not supported).

Configure the SAML settings:

Single sign-on URL (ACS): https://<your-platform-domain>/saml/consume

Audience URI (SP Entity ID): https://<your-platform-domain>

Name ID format: Select EmailAddress (do not leave as "Unspecified").

Application username: Select Email.

Navigate to the Sign On tab and copy the Metadata URL to provide during configuration.

🚧
Microsoft Entra ID (formerly Azure AD)

Go to Enterprise Applications > + New application > Create your own application. Choose "Integrate any other application you don't find in the gallery."

Under Single sign-on, select SAML.

Configure the Basic SAML Configuration:

Identifier (Entity ID): https://<your-platform-domain>

Reply URL (Assertion Consumer Service URL): https://<your-platform-domain>/saml/consume

Under Attributes & Claims, add a claim with the NameID format set to emailAddress and the source attribute set to user.mail.

Set "Visible to users" to No.

Under SAML Certificates, copy the App Federation Metadata URL.

🔢
OneLogin

In OneLogin, search for and add the SAML Custom Connector (Advanced) application.

Set "Visible in portal" to No.

Configure:

Audience (Entity ID): https://<your-platform-domain>

Recipient / ACS URL: https://<your-platform-domain>/saml/consume

Go to More Actions and download the SAML Metadata (XML) file.

Switching Authentication Methods

SSO configuration is mutable - you can switch between Moloco Auth and SSO, or update your IdP at any time:

Transition	Behavior
Moloco Auth → SSO	Existing passwords are deprecated. Users are redirected to the SSO flow on their next login. No new invitation email is sent.
SSO → Moloco Auth	Users who never set a Moloco password must use the "Forgot Password" flow to create one.
Changing IdP	Update the SAML metadata in Authentication Settings. We recommend validating the new configuration on a test environment first.

📘
Disabling SSO

SSO can only be disabled by Moloco internal staff. To revert your platform to email and password authentication, please contact your Moloco representative.

Users from previously SSO-enabled domains will fall back to password-based login. Users who do not have a Moloco password set can use the "Reset Password" flow to create one. Users from previously SSO-enabled domains will fall back to password-based login. Users who do not have a Moloco password set can use the "Reset Password" flow to create one.

Impact on Tools and Integrations

Tool	Impact
Bulk Operations Tool / MCM CLI	Accounts under SSO-enforced email domains cannot use email/password authentication. Use API keys for CLI and automated workflows, or use a separate account outside the SSO-enforced domain.
Management API	Unaffected - authentication uses API keys regardless of SSO configuration.
Widgetized Campaign Manager	Unaffected - authentication is managed by the Platform's own SSO URL.

Multi-Factor Authentication (MFA)

What It Is

MFA adds an additional verification step to the login process for users authenticating via Moloco Auth. MCM uses time-based one-time password (TOTP) MFA, compatible with standard authenticator apps.

Supported Authenticator Apps

Any TOTP-compatible authenticator app (RFC 6238), including:

Google Authenticator
Authy
Duo Mobile
Microsoft Authenticator
1Password, Bitwarden, and other password managers with TOTP support

MFA Modes

Platform Owners can configure MFA in one of three modes:

Mode	Behavior
Off (default)	MFA is disabled. No users see MFA prompts.
Optional	Individual users can choose to enable MFA from their Settings tab.
Enforced	All users authenticating via Moloco Auth are required to enroll in MFA before gaining access.

How to Enable MFA

Navigate to Admin > Authentication Settings and select the desired MFA mode (Off, Optional, or Enforced).

Enrollment

Enforced Mode

User enters their email and password.
If the user has not yet enrolled in MFA, they are prompted to set up their authenticator app.
User scans a QR code or manually enters a secret key in their authenticator app.
User enters the 6-digit TOTP code to confirm enrollment.
Recovery codes are displayed for the user to save securely.
User gains access to the Campaign Manager.

Optional Mode

User logs in normally with email and password.
User navigates to Settings > MFA Configuration.
User follows the same QR code / secret key setup flow.
User can toggle MFA on or off, or delete their MFA configuration at any time.

Login (After Enrollment)

User enters their email and password.
User is prompted for a 6-digit TOTP code from their authenticator app.
On successful verification, the user gains access.

Trusted Devices ("Remember This Device")

To reduce login friction, MFA supports a "Remember this device" feature, configurable from Developer > Authentication Settings of Campaign Manager:

After successful MFA verification, users can mark the current device as trusted.
Trusted devices skip the MFA challenge on subsequent logins.
Platform Owners can enable or disable the trusted device feature and set the trust duration (14 or 30 days).
Users can manage up to 5 trusted devices and revoke them at any time from Settings (If the limit is exceeded, the oldest trusted device is automatically removed)
Trusted devices are automatically revoked when a user enrolls a new authenticator.

Recovery and Reset

Method	Description
Recovery codes	During enrollment, users receive one-time backup codes. These can be used if the authenticator device is lost.
Admin reset	Platform Owners can view users' MFA enrollment status and reset a user's MFA from the Admin user management panel.

Error Handling and Lockout

After 5 consecutive failed TOTP attempts, the user is locked out for 15 minutes.
A message is displayed: "Too many failed attempts. Please try again later or reset MFA."
A link to the MFA reset flow is provided.

Switching MFA Modes

Transition	Behavior
Optional ↔ Enforced	Preserves all existing MFA enrollments. Already-enrolled users do not need to set up MFA again.
Optional/Enforced → Off	Disables MFA for all users and removes all existing MFA configurations. This is a destructive action.

MFA Scope and Exclusions

MFA is not enforced for the following scenarios:

Scenario	Reason
SSO-authenticated users	MFA is managed by the user's corporate IdP. SSO users do not see Moloco MFA settings in the Campaign Manager.
API calls	Authentication uses API keys - no MFA required.
Widgetized Campaign Manager users	Authentication is managed by the Platform via SSO URL.

📘
Note for SSO Platform Owners:
Even though SSO users do not use Moloco's MFA, Platform Owners who are SSO-authenticated can still see and manage the MFA configuration in Admin > Authentication Settings to control the experience for non-SSO users on their platform.

Using SSO and MFA Together

Platforms can adopt both SSO and MFA simultaneously for a hybrid security posture:

Platform-role users authenticate via SSO. Their MFA is governed by the corporate IdP's policies (e.g., Okta MFA, Microsoft Entra Conditional Access).
Advertiser and Agency users on the same Platform authenticate via Moloco Auth. They can be required to use Moloco's TOTP-based MFA (via Enforced mode) or given the option (via Optional mode).

This hybrid setup ensures that all users - regardless of authentication method - have a multi-factor authentication option available to them.

Best Practices

For SSO

Best Practice	Description
Hide the MCM app in your IdP portal	Since IdP-initiated login is not supported, showing the app in your IdP portal may confuse users. Set visibility to "No" in your IdP configuration.
Use SHA-256 signing and EmailAddress NameID format	These are the only supported options. Verify your IdP configuration matches before enabling SSO.
Test on a staging environment first	When changing IdP or enabling SSO for the first time, validate the integration on a test platform before rolling out to production.
Prepare API keys for automation	If your organization uses the Bulk Operations Tool or MCM CLI, generate API keys before enabling SSO, as email/password authentication will no longer work for SSO-enforced domains.

For MFA

Best Practice	Description
Consider testing with Optional mode first	This allows your team to test the MFA experience before enforcing it for all users.
Communicate recovery code procedures	Ensure users understand the importance of saving their recovery codes during enrollment.

For API Keys and Secrets

Use a secure storage solution (e.g., AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager) to store API keys and SSO secrets.
Follow the principle of least privilege when granting access to keys and secrets.
Do not store unencrypted secrets in source control or embed them in client-side code.
Regularly rotate API keys and revoke any that are no longer in use or may be compromised.

Frequently Asked Questions

Can a Platform use both SSO and Moloco Auth for Platform-level users?

No. When SSO is enabled for a Platform, all Platform-role users must log in via SSO. Mixed authentication for Platform-level users is not supported.

Does enabling SSO affect Advertiser users?

No. Advertiser and Agency users continue to use Moloco Auth (email/password), with optional MFA.

Is MFA compatible with SSO?

Yes. SSO users rely on their IdP's MFA. Non-SSO users on the same Platform can use Moloco's TOTP-based MFA. The two systems do not conflict.

What happens if a user loses access to their authenticator app?

Users can log in using a recovery code received during MFA enrollment. They can also initiate a self-service MFA reset from the login screen, or request their Platform Owner to reset their MFA from the Admin panel.

Can Platforms change their MFA configuration at any time?

Yes. Platform Owners can toggle between Off, Optional, and Enforced at any time via Admin > Authentication Settings. Switching between Optional and Enforced preserves existing enrollments.

Does MFA affect API access?

No. API access uses API keys and is not subject to MFA.

What happens to SSO users' access if SSO is disabled?

Users fall back to password-based login. Users who never set a Moloco password will need to use the "Forgot Password" flow to create one.

Can I use an IdP other than Okta, Microsoft Entra, or OneLogin?

Potentially yes. Any SAML 2.0-compliant IdP that supports SHA-256 signing and the emailAddress NameID format should work. Contact your Moloco representative to validate compatibility.

Does enabling SSO affect the Bulk Operations Tool or MCM CLI?

Yes. Accounts under SSO-enforced email domains cannot use email/password authentication for these tools. Use API keys or a non-SSO account instead.

Does this apply to the Widgetized Campaign Manager?

No. The Widgetized Campaign Manager uses its own SSO URL mechanism (HMAC-SHA256 signed URLs) managed by the Platform. The SAML SSO and MFA features described in this guide apply to the Standalone Campaign Manager only. See the Widgetized Campaign Manager documentation for details on its authentication model.