
Enable Single Sign-On for LiveRamp Applications

Enabling single sign-on (SSO) allows your users who have logged in to your identity platform to access LiveRamp applications without having to re-enter any credentials. Likewise, removing a user from your identity provider prevents them from logging in to any LiveRamp applications.

Configure Your Identity Provider

Procedure. To enable LiveRamp SSO:
  1. Configure a SAML 2.0 app.

  2. Send SSO information to LiveRamp (by creating a case in the LiveRamp Community portal).

  3. Use the information provided by LiveRamp to complete the configuration.

Configure a new SAML 2.0 application in your identity provider, with the following additional guidelines:

  • You can use dummy values for the "ACS URL" field (also known as "SSO URL") and for the "Audience URL" field.

Note

After you send the SSO information to LiveRamp, your LiveRamp representative will provide you with the correct values for those fields.

  • Include a "NameID" in the app's SAML assertions. This "NameID" might look like the following:

    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>

  • Include these three required SAML attributes (lowercase):

      • "firstname"

      • "lastname"

      • "email"

The required attributes in your SAML assertion should look similar to the following:

[Image: SAML assertion attributes for a non-Okta identity provider]

Create a case in the LiveRamp Community portal with the information listed below. A LiveRamp representative will reply with the URL to use to replace the dummy values in the “ACS URL” and “Audience URL” fields. LiveRamp will also send you a LiveRamp site-verification token. For your security, this token must be added as a DNS TXT record on the email domain(s) your users will be logging in with.

Include this required information in your support case:

  • The email domain(s) that will be logging in to your identity provider (for example, "@acme.com and @liveramp.com")

  • The IdP metadata XML file, which includes the Entity ID, the SSO URL, and the public certificate

  • The application entity ID

  • The Single Sign-On URL

  • The X.509 public certificate

  • The auth flows that your IdP supports: IdP-initiated, Service Provider-initiated, or both

Caution

For security, LiveRamp can only allow email domains that a client owns to log in with their IdP.

Tip

Ask your IT department if you don't know the auth flows that your IdP supports.

Once LiveRamp has provided the URL to use in the “ACS URL” and “Audience URL” fields, go back into your app and replace the dummy values with the new URLs.

Additionally, you will need to add the site-verification token that LiveRamp provided as a DNS TXT record to any email domains your users will be logging in with.

Once you enter the new URLs into your app and complete domain verification, the configuration is complete. See the “Log In To LiveRamp Applications” section to begin using LiveRamp applications.

Log In To LiveRamp Applications

After you’ve finished configuring your identity provider, you can start logging in to LiveRamp applications immediately. You can log in directly from your identity provider or from the LiveRamp application itself (see "Log In to Connect" for instructions).

Log In From Your Identity Provider

If your identity provider allows for IdP-initiated flows, you can log in to LiveRamp applications directly:

  1. Initiate a login from your identity provider.

  2. You will now be authenticated with the LiveRamp application.

Assign Users to Connect

All users from your identity provider will be able to log in to Connect. However, they cannot view your customer information until they are granted permission. Only admins can assign new users to a customer.

If you are an admin-level user, see “Add Users to Your Company Account” for instructions.