Single Sign-On (SSO) Integration via SAML
Our liveblog SaaS supports Single Sign-On (SSO) via SAML 2.0, allowing your users to authenticate using your existing identity provider (IdP). This document outlines the steps required to configure SSO with our system.
Overview
Tickaroo acts as the SAML Service Provider (SP), while your system serves as the Identity Provider (IdP). The integration involves:
- Configuring your IdP with Tickaroo’s SP metadata.
- Providing Tickaroo with your IdP metadata URL and group mappings.
- Tickaroo configuring the SSO connection and role mappings on our side.
Upon successful setup, users can log in to Tickaroo using their existing credentials via your IdP. We also support automatic user provisioning and role-based access control based on group attributes.
Step 1: Configure Your Identity Provider (IdP)
To establish the SAML SSO connection, configure your IdP with the following Tickaroo Service Provider (SP) details:
Tickaroo SAML SP Details
Field | Value |
---|---|
Entity ID | https://www.tickaroo.com/oauth/saml/metadata |
Metadata URL | https://www.tickaroo.com/oauth/saml/metadata |
SAML Version | 2.0 |
Assertion Consumer Service (ACS) URL | https://www.tickaroo.com/oauth/saml/finalize |
Consumer Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Required SAML Attributes
Tickaroo requires the following attributes to be included in the SAML assertion for user authentication and provisioning:
Attribute | Description | Example |
---|---|---|
NameID | User’s email address (required for identification) | user@example.com |
firstName + lastName OR displayName | User’s full name for display purposes | John Doe |
groups | Group names for role mapping (optional). Can be a single string or an array of strings for multiple groups | "tickaroo-admin-group" or ["organization1-admin-group", "organization2-user-group"] |
Step 2: Provide Tickaroo with Your IdP Metadata
After configuring your IdP, provide the following information to Tickaroo to complete the SSO setup:
- IdP Metadata URL: A URL exposing your IdP’s SAML metadata (e.g., https://your-idp.com/saml/metadata).
- Group Names (optional): If you’re using groups for role mapping, list the exact group names as they appear in the groups attribute of the SAML assertion.
Step 3: Tickaroo Configuration
Once we receive your IdP metadata URL and group names, Tickaroo will:
- Configure our system to trust your IdP using the provided metadata URL.
- Set up user provisioning to automatically create accounts on the first login via SSO.
- Map your group names to our roles (if applicable).
Role Mapping
Tickaroo supports three roles with the following permissions:
Role | Description |
---|---|
Owner | Full administrative access, including user management and billing. |
Admin | Create and edit liveblogs, full access to all content and options. |
User | Create and edit liveblogs. |
If you provide group names, we will map them to these roles. For example:
- tickaroo-owner-group → Owner
- tickaroo-admin-group → Admin
- tickaroo-user-group → User
Users without a mapped group will default to the User role unless otherwise specified.
Testing the Integration
After configuration is complete on both sides:
- Attempt to log in to Tickaroo via your IdP (e.g., through your SSO portal or directly at https://www.tickaroo.com).
- Verify that:
  - Authentication succeeds.
  - User details (name, email) are correctly populated.
  - Assigned roles match your group mappings (if applicable).
If issues arise, contact Tickaroo support with details such as error messages or SAML assertion logs (if available).
Troubleshooting
- Login Fails: Ensure the NameID matches the email format and that required attributes are sent.
- Role Issues: Verify group names in the SAML assertion match those provided to Tickaroo.
- Metadata Errors: Confirm the IdP metadata URL is accessible and contains valid SAML 2.0 data.
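The first two troubleshooting checks can be run locally against a decoded assertion captured from a test login. The script below is an added example, not Tickaroo's code: it checks the NameID format, the name attributes and the groups values against the tables above, and it does not verify signatures. The function name, the sample assertion and the near-miss check on group names are assumptions made for illustration; how Tickaroo resolves a user who carries several mapped groups is not stated on this page, so the function returns every mapped role.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Example mapping from this page; replace with the group names you sent to Tickaroo.
GROUP_TO_ROLE = {"tickaroo-owner-group": "Owner", "tickaroo-admin-group": "Admin",
                 "tickaroo-user-group": "User"}

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>John Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>tickaroo-admin-group</saml:AttributeValue>
      <saml:AttributeValue>Tickaroo-Owner-Group </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, group_to_role=GROUP_TO_ROLE):
    """Return (roles, problems) for one decoded assertion. Does NOT verify signatures."""
    root = ET.fromstring(xml_text)
    problems = []
    attrs = {a.get("Name"): [(v.text or "") for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iter("{%s}Attribute" % NS["saml"])}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID missing")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is not emailAddress")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
            problems.append("NameID value is not an email address")
    if not (attrs.get("displayName") or (attrs.get("firstName") and attrs.get("lastName"))):
        problems.append("need displayName, or firstName and lastName")
    roles = set()
    # Exact names are required; flag case/whitespace near-misses instead of mapping them.
    by_folded = {g.strip().lower(): g for g in group_to_role}
    for group in attrs.get("groups", []):
        if group in group_to_role:
            roles.add(group_to_role[group])
        elif group.strip().lower() in by_folded:
            problems.append("group %r is not an exact match for %r"
                            % (group, by_folded[group.strip().lower()]))
    return (roles or {"User"}), problems  # unmapped users default to User
```

Calling `check_assertion(SAMPLE)` reports the Admin role and one problem: the second group value differs from the mapped name by case and a trailing space, so it is flagged rather than mapped.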
For further assistance, reach out to Tickaroo support at support@tickaroo.com.