Enable Single Sign-On for LiveRamp Applications

Enabling single sign-on (SSO) allows your users who have logged in to your identity platform to access LiveRamp applications without having to re-enter any credentials. Likewise, removing a user from your identity provider prevents them from logging in to any LiveRamp applications. Enabling SSO also empowers you to enforce your own authentication policies, including password requirements and multi-factor authentication (MFA).

Caution

Before starting the SSO configuration process, create a Customer Profiles case in the LiveRamp Community portal.

Configuring Your Identity Provider

Procedure. To enable LiveRamp SSO:
  1. Configure a SAML 2.0 app.

  2. Send SSO information to LiveRamp (by creating a support case in the LiveRamp Community portal or by sending this information to your Implementation Manager).

  3. Use the information provided by LiveRamp to complete the configuration.

Configuring a SAML 2.0 App

Configure a new SAML 2.0 application in your identity provider, with the following additional guidelines:

  • You can use dummy values for the "ACS URL" field (also known as "SSO URL") and for the "Audience URI" field.

    Note

    After you send the SSO information to LiveRamp, your LiveRamp representative will provide you with the correct values for those fields.

  • IMPORTANT: LiveRamp requires you to include one additional SAML custom attribute, named "email", containing the user's email address. The attribute name must be exactly "email", with no prefixes or suffixes. If this attribute is not set correctly, logins will not work.

The required attribute in your SAML assertion should look similar to the following:

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">john.doe@example.com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
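
A pre-flight check for the attribute requirement above, as an added example (not LiveRamp's code): it parses an attribute statement captured from a test login and reports whether an attribute named exactly "email" is present and whether its value falls in a domain you submitted for SSO. The function names, the sample documents and the domain comparison are assumptions made for illustration; signature validation is out of scope.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def check_email_attribute(xml_text, allowed_domains):
    """Return a list of problems; an empty list means the attribute looks right.

    Checks attribute shape only. It does not validate the assertion signature.
    """
    allowed = {d.lower().lstrip("@") for d in allowed_domains}
    attrs = list(ET.fromstring(xml_text).iter(NS + "Attribute"))
    # The name comparison is exact and case-sensitive, as the page requires.
    exact = [a for a in attrs if a.get("Name") == "email"]
    if not exact:
        # Report near misses such as "Email" or a claim-URI style name.
        near = [a.get("Name") for a in attrs if "email" in a.get("Name", "").lower()]
        return ['no attribute named exactly "email"; near misses: %s' % near]
    problems = []
    values = [(v.text or "").strip() for a in exact for v in a.iter(NS + "AttributeValue")]
    if not any(values):
        problems.append('"email" attribute has no value')
    for value in filter(None, values):
        local, at, domain = value.rpartition("@")
        if not (local and at and domain):
            problems.append("%r is not an email address" % value)
        elif domain.lower() not in allowed:
            problems.append("domain %r is not in the submitted domain list" % domain.lower())
    return problems

def make_statement(name, value):
    # Constructed sample input, modelled on the attribute statement above.
    return ('<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
            '<saml2:Attribute Name="%s"><saml2:AttributeValue>%s</saml2:AttributeValue>'
            '</saml2:Attribute></saml2:AttributeStatement>' % (name, value))

GOOD = make_statement("email", "john.doe@example.com")
# A claim-URI style name that some identity providers emit by default.
PREFIXED = make_statement(
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "john.doe@example.com")
OTHER_DOMAIN = make_statement("email", "john.doe@example.net")

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("prefixed", PREFIXED), ("other domain", OTHER_DOMAIN)]:
        print(label, "->", check_email_attribute(doc, ["@example.com", "@example.org"]) or "OK")
```
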

Send SSO Information to LiveRamp

Create a support case in the LiveRamp Community portal with the information listed below. A LiveRamp representative will reply with the URL to use to replace the dummy values in the "ACS URL" and "Audience URI" fields. LiveRamp will also send you a LiveRamp site verification token. For security, this token must be added as a DNS TXT record on the email domain(s) your users will be logging in with, before the SSO integration can be activated.

Include this required information in your support case:

  • The email address domain(s) of your users who will be covered by the SSO integration (for example, "@example.com and @example.org")

    Caution

    For security, LiveRamp can only allow email domains that a client owns to log in with their IdP. A DNS TXT challenge will be required to prove ownership.

  • A valid SAML IdP metadata XML file, which includes the Entity ID, the SSO URL, and the public certificate

Finish the Configuration

Once LiveRamp has provided the URL to use in the "ACS URL" and "Audience URI" fields, go back into your app and replace the dummy values with the new URLs.

You must add the site-verification token that LiveRamp provided as a DNS TXT record to any email domains your users will be logging in with. After you've added the DNS records, contact your LiveRamp representative to let them know the records are ready to be verified.

Once you enter the new URLs into your app and complete domain verification via DNS TXT records, the SAML configuration is complete. However, SSO will only be enabled for the testing users you supplied earlier. See the "Logging in to LiveRamp Applications" section to begin testing the login flow.

Once you are satisfied that your SAML integration is working for your test users, contact your LiveRamp representative to request finalization of the integration, which includes a rollout to all of the users on your domains, and mandates SSO as the only way for them to log in.

Logging in to LiveRamp Applications

Once you've finished configuring your identity provider, you can start logging into LiveRamp applications immediately. You can log in directly from your identity provider or from the LiveRamp application itself.

Logging in from Your Identity Provider

If your identity provider allows for IdP-initiated flows, you can log into LiveRamp applications directly:

  1. Initiate a login from your identity provider.

  2. You will now be authenticated with the LiveRamp application.