Enable Single Sign-On for LiveRamp Applications

Enabling single sign-on (SSO) allows your users who have logged in to your identity platform to access LiveRamp applications without having to re-enter any credentials. Likewise, removing a user from your identity provider prevents them from logging in to any LiveRamp applications.

To enable LiveRamp SSO, perform the following steps:

  1. Configure a SAML 2.0 app.

  2. Send SSO information to LiveRamp (by creating a case in the LiveRamp Community portal).

  3. Use the information provided by LiveRamp to complete the configuration.

Configure a new SAML 2.0 application in your identity provider, with the following additional guidelines:

  • You can use dummy values for the “ACS url” (a.k.a. “SSO url”) field and for the “Audience url” field.

Note

After you send the SSO information to LiveRamp, your LiveRamp representative will provide you with the correct values for those fields.

  • Include a “NameID” in the app’s SAML assertions. This “NameID” might look like the following:

    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>

  • Include these three required SAML attributes (lowercase):

      • “firstname”

      • “lastname”

      • “email”

The required attributes in your SAML assertion should look similar to the following:

[Image: required attributes in a SAML assertion]
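A pre-flight check for the NameID and attribute requirements above, as an added example that is not LiveRamp's code. The sample assertion is constructed, and treating a differently cased name such as "Email" as an error is an assumption based on the "(lowercase)" requirement.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstname", "lastname", "email")  # attribute names the page requires

# Constructed sample assertion (not real IdP output); signature and conditions omitted.
SAMPLE = """
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="firstname"><saml2:AttributeValue>Ada</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="lastname"><saml2:AttributeValue>Example</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="email"><saml2:AttributeValue>ada@acme.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

def check_assertion(xml_text):
    """Return a list of problems; an empty list means the page's requirements are met.

    Presence check only: it does not verify the signature, so use it on a test
    assertion captured from your own IdP, never as a validation step for logins.
    """
    root = ET.fromstring(xml_text.strip())
    problems = []
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing or empty NameID")
    values = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        val = attr.find("saml2:AttributeValue", NS)
        values[attr.get("Name", "")] = (val.text or "").strip() if val is not None else ""
    for name in REQUIRED:
        if name in values:
            if not values[name]:
                problems.append(f"attribute '{name}' has no value")
            continue
        # Assumption: names are matched case-sensitively, so 'Email' is flagged.
        miscased = [n for n in values if n.lower() == name]
        if miscased:
            problems.append(f"attribute '{miscased[0]}' must be lowercase '{name}'")
        else:
            problems.append(f"missing attribute '{name}'")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "OK")
    print(check_assertion(SAMPLE.replace('Name="email"', 'Name="Email"')))
```

Run it against a test assertion exported from your IdP before opening the support case, so attribute-mapping mistakes surface before the first login attempt.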

Create a case in the LiveRamp Community portal with the information listed below. A LiveRamp representative will reply with the URL to use to replace the dummy values in the “ACS url” and “Audience url” fields. LiveRamp will also send you a LiveRamp site-verification token. For your security, this token must be added as a DNS TXT record on the email domain(s) your users will be logging in with.

Include this required information in your support case:

  • The email domain(s) that will be logging in to your identity provider (for example, "@acme.com" and "@liveramp.com")

  • The IdP metadata XML file, which includes the Entity ID, the SSO url, and the public certificate

  • The application entity ID

  • The single sign-on URL

  • The X.509 public certificate

  • The auth flows that your IdP supports: IdP-initiated, Service Provider-initiated, or both

Caution

For security, LiveRamp can only allow email domains that a client owns to log in with their IdP.

Tip

Ask your IT department if you don't know the auth flows that your IdP supports.

Once LiveRamp has provided the URL to use in the “ACS url” and “Audience url” fields, go back into your app and replace the dummy values with the new URLs.

Additionally, you will need to add the site-verification token that LiveRamp provided as a DNS TXT record to any email domains your users will be logging in with.

Once you enter the new URLs into your app and complete domain verification, the configuration is complete. See the “Log In To LiveRamp Applications” section to begin using LiveRamp applications.

After you’ve finished configuring your identity provider, you can start logging into LiveRamp applications immediately. You can log in directly from your identity provider or from the LiveRamp application itself.

If your identity provider allows for IdP-initiated flows, you can log into LiveRamp applications directly:

  1. Initiate a login from your identity provider.

  2. You will now be authenticated with the LiveRamp application.

To log in from the LiveRamp application itself, follow these steps, which use Connect as an example application:

  1. Navigate to your LiveRamp application (in this case, https://connect.liveramp.com).

  2. From the login popup that appears, click “Log in with identity provider”.

  3. Enter the unique company identifier that your LiveRamp representative sent to you while completing the configuration process, and then click Log In.

  4. Enter your email address and then click Next.


If you are not already logged in to your identity provider, you’ll be directed to your identity provider. Log in with your identity provider credentials.

After logging into your identity provider, you will be directed back to Connect (in this example).

All users from your identity provider will be able to log in to Connect. However, they cannot view your customer information until they are granted permission. Only admins can assign new users to a customer.

If you are an admin-level user, see “Add Users to Your Company Account” for instructions.