How to Setup SSO for LiveRamp Clean Room
How to set up Single Sign-On (SSO) for LiveRamp Clean Room, including configuring the identity provider, setting up the service provider, and verifying the SSO configuration
These instructions provide the required steps needed to enable SAML-based SSO for LiveRamp Clean Room console access to your account.
Note
LiveRamp Clean Room defaults to service provider (SP)-initiated SSO flows, as recommended by industry experts.
Configure the ACS URL and Entity ID
You must configure the ACS URL and Entity ID in your IdP (identity provider).
EntityId: urn:auth0:habu:HABU-<ACCT_NAME>
ACS URL: https://auth.console.habu.com/login/callback?connection=HABU-<ACCT_NAME>
<ACCT_NAME> is a placeholder for the unique name of your LiveRamp Clean Room account, which should contain letters and dashes only. Talk to your LiveRamp representative to get the connection name for your account.
Note
<ACCT-NAME>is just a placeholder. Do not use it as part of your ACS URL and Entity ID.When applying the provided ACCT-NAME, note that it is case-sensitive. You must apply it exactly how it is provided to you by LiveRamp Clean Room.
If you have multiple organizations within the same account, the ACS URL and Entity ID may or may not be the same across organizations depending on your requirements.
Once, you configure the ACS URL and Entity ID, please send your LiveRamp Clean Room representative the following three things:
Sign in URL
X509 Signin Certificate - This should be in PEM or CER format
Sign out URL
The sign-in URL is a SAML URL (and not your browser login URL). It is typically of the format: https://.../app/../../sso/saml.
Your LiveRamp Clean Room representative will confirm once the configuration is complete and work with you to test it to make sure everything is working as expected.
Troubleshooting
Before logging in to LiveRamp Clean Room via SSO, confirm the user is added as a valid user in your IdP. If the user is not added to the IDP, it will raise an error such as: "This user is not part of the SAML Application".
For Clean Room users who have access to multiple organizations, logging in works in the following manner:
If all organizations are non-SSO enabled, users can log in using a username and password.
If at least one organization is SSO enabled, a user has to log in via the SSO provider.
If your organization wants to allowlist specific IP addresses for logging in to LiveRamp Clean Room using SSO (such that logins are only accepted from your designated IP addresses on your end when logging in to Clean Room), we recommend contacting your organization's IdP to manage the allowlisting process.