To begin using SSO on the Airalo Partner Platform, you will need to configure your SSO settings. You can do this from the Company settings, located under the user account profile in the top right corner.
Step 1: Create an application for Airalo in your Identity Provider (IdP). Airalo supports the following identity providers, among others.
- Okta
- OneLogin
- GSuite
- Microsoft Azure
Step 2: Configure Airalo in your Identity Provider (IdP) by mapping the following attributes.
What are the permissions associated with each role?
- admin: eSIM Store, Top-up, Credits, Orders, API Orders, eSIMs, Analytics, Users, Billing, Help & Support
- operations: eSIM Store, Top-up, Orders, API Orders, eSIMs, Analytics, Billing, Help & Support
- finance: Orders, API Orders, Help & Support, Credits, Analytics, Billing
- employee: airalo.com, Airalo apps only
Please note: The "employee" role is exclusively for partners using our Airalo for Business platform.
If you are using Microsoft Azure as an identity provider, do not enter a namespace under Attribute.
Leave this field blank, as it is optional and may cause an error in Azure.
Step 3: Add your domain and verify ownership within 3 days. If you do not verify ownership in time, your domain will be automatically removed, and all associated settings will be deleted.
How to verify your domain using a TXT record
What is a TXT record?
Every domain (like your-company.com) has DNS records that are publicly accessible on the internet.
Why is a TXT record necessary?
Only the domain owner can make changes to these DNS records. By verifying the domain through a TXT record, we ensure that you are the legitimate owner.
How do I add a TXT record?
- Obtain your verification code from the Airalo Partner Platform under the "How to Verify?" section.
- Log in to the platform where your domain is registered.
- In your domain management system, locate the DNS editor.
- Find and select the option to add a new TXT record.
- In the Name field (which might also be labeled as Host, Hostname, or Alias), enter @. Some systems may require your domain name or a subdomain instead.
- Paste the verification code you copied from the Airalo Partner Platform into the Value field.
- Save the changes, and your domain verification is complete.
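To confirm the record is published before the 3-day window closes, the check below looks up the domain's TXT records with `dig` and reports whether the code sits on the domain itself or on a doubled name, which happens when the full domain is typed into an editor that appends it automatically. This is an added example, not Airalo's own tooling; the verification code is a constructed placeholder, and the function names and the exact-match comparison are assumptions.

```python
import shlex
import subprocess

def parse_txt(dig_output):
    """Parse `dig +short TXT` output into a list of record values.

    Each line is one TXT record. A long record is printed as several quoted
    strings, which are joined here with no separator.
    """
    return ["".join(shlex.split(line))
            for line in dig_output.splitlines() if line.strip()]

def dig_txt(name):
    """Live lookup; needs the `dig` utility and network access."""
    result = subprocess.run(["dig", "+short", "TXT", name],
                            capture_output=True, text=True, check=True)
    return parse_txt(result.stdout)

def find_code(domain, code, lookup=dig_txt):
    """Return "apex", "misplaced:<name>" or "missing" for the code.

    Assumption: the record value must equal the code exactly.
    """
    code = code.strip()
    if code in lookup(domain):
        return "apex"  # Name "@": record sits on the domain itself
    # Typing the full domain into an editor that appends the zone
    # publishes the record one level too deep.
    doubled = f"{domain}.{domain}"
    if code in lookup(doubled):
        return f"misplaced:{doubled}"
    return "missing"

# Constructed sample output, not real DNS data. The code is a placeholder,
# split into two strings only to exercise the joining logic.
CODE = "PLACEHOLDER-VERIFICATION-CODE"
SAMPLE = {
    "your-company.com": '"v=spf1 include:_spf.example.net ~all"\n',
    "your-company.com.your-company.com": '"PLACEHOLDER-" "VERIFICATION-CODE"\n',
}

def sample_lookup(name):
    return parse_txt(SAMPLE.get(name, ""))

if __name__ == "__main__":
    print(find_code("your-company.com", CODE, sample_lookup))
```

Calling `find_code("your-company.com", "<your code>")` without the third argument performs the live lookup; a "misplaced" result means the Name field should be changed to @ and the record saved again.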
Step 4: Establish the SSO connection between your identity provider and the Airalo Partner Platform.
Step 5: Assign a default user role to access the Partner Platform.
If a user does not have a role specified in your identity provider, they will be assigned the default role in the SSO settings.
To change a user’s role, make the necessary adjustments in your identity provider, as it serves as the authoritative source.
Step 6: Save the SSO settings. Users can log in to the Partner Platform using SSO at https://partners.airalo.com/sign-in-sso.
Optional security customizations
If you're using a service like Microsoft Azure, you have the option to customize your security settings:
- Enforce SSO for all employees: When enabled, this feature requires all users to sign in via Single Sign-On (SSO) to access the Partner Platform. Employees will no longer be able to use a password to log in.
- Enforce fresh authentication: If your identity provider supports alternative authentication methods (e.g., fingerprint, face recognition), you can enable fresh authentication. This requires users to authenticate each time they access the Partner Platform.
- Authorization context: If you encounter an error like “AADSTS75011”, you may need to edit or remove the authorization context. You can set the context according to your company’s security policies. Examples include:
  - urn:oasis:names:tc:SAML:2.0:ac:classes:Multifactor
  - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordlessPhoneSignIn
  - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
If you have questions or need assistance, please contact our support team via the Partner Platform.