Skip to main content

Enabling Single Sign-On for LiveRamp Applications

Enabling single sign-on (SSO) allows your users who have logged in to your identity platform to access LiveRamp applications without having to re-enter any credentials. Likewise, removing a user from your identity provider prevents them from logging in to any LiveRamp applications.

Caution

Before starting the SSO configuration process, create a Safe Haven case in the LiveRamp Community portal.

Configuring Your Identity Provider

Procedure. To enable LiveRamp SSO:
  1. Configure a SAML 2.0 app.

  2. Send SSO information to LiveRamp (by creating a support case in the LiveRamp Community portal or by sending this information to your Implementation Manager).

  3. Use the information provided by LiveRamp to complete the configuration.

Configure a new SAML 2.0 application in your identity provider, with the following additional guidelines:

  • You can use dummy values for the "ACS URL" field (also known as "SSO URL") and for the "Audience URL" field.

Note

After you send the SSO information to LiveRamp, your LiveRamp representative will provide you with the correct values for those fields.

  • Include a "NameID" in the app's SAML assertions. This "NameID" might look like the following:

    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>
  • Include these three required SAML attributes (lowercase):

  • "firstname"

  • "lastname"

  • "email"

The required attributes in your SAML assertion should look similar to the following:

All-Enable_SSO_for_LiveRamp_Applications-nonOkta_SAML_assertion_attributes-ZQw.png

Create a support case in the LiveRamp Community portal with the information listed below. A LiveRamp representative will reply with the URL to use to replace the dummy values in the "ACS url" and "Audience url" fields. LiveRamp will also send you a LiveRamp site verification token. For your security, this token must be added as a DNS TXT record on the email domain(s) your users will be logging in with.

Include this required information in your support case:

  • The email domain(s) that will be logging in to your identity provider (for example, "@example.com and @liveramp.com")

    Caution

    For security, LiveRamp can only allow email domains that a client owns to log in with their IdP.

  • The IdP metadata XML file, which includes the Entity ID, the SSO url, and the public certificate

  • The application entity ID

  • The Single-Sign On URL

  • The x509 public certificate

  • The auth flows that your IdP supports: IdP-initiated, Service Provider-initiated, or both. If you don't know the auth flows that your IdP supports, ask your IT department.

Once LiveRamp has provided the URL to use in the "ACS url" and "Audience url" fields, go back into your app and replace the dummy values with the new URLs.

You must add the site-verification token that LiveRamp provided as a DNS TXT record to any email domains your users will be logging in with.

Once you enter the new URLs into your app and complete domain verification, the configuration is complete. See the "Log In To LiveRamp Applications" section to begin using LiveRamp applications.

Logging in to LiveRamp Applications

Once you've finished configuring your identity provider, you can start logging into LiveRamp applications immediately. You can log in directly from your identity provider or from the LiveRamp application itself.

Logging in from Your Identity Provider

If your identity provider allows for IdP-initiated flows, you can log into LiveRamp applications directly:

  1. Initiate a login from your identity provider.

  2. You will now be authenticated with the LiveRamp application.