How to set up SSO using SAML 2.0

Learn how to enable single sign-on in Eventsforce.

Written by Ben Dharmanandan
Updated over a week ago

Using single sign-on (SSO) with your website allows a user to sign in to multiple websites using a single set of credentials (example: email/username and password). To use SSO, the event identifier must be set to "email" or "username". With SSO enabled, a user can sign in to one website, such as a corporate site, and then access any other SSO-linked website, such as Eventsforce, without having to log in again. Eventsforce currently supports SSO using SAML 2.0 only.

Important: Please note that SSO configuration should ONLY be done by a technical person who understands single sign-on and SAML 2.0, as technical expertise is required.

What do I need to start?

Before you can begin setting up SSO with SAML 2.0, you must first contact your Eventsforce account manager and get “Single sign-on (SAML 2.0)” added to your Eventsforce license.

Once added, you may need to update your “Administrator” user role, or whichever role the person tasked with setting up SSO will use, and activate the “SAML Settings” role function. This will allow the user to access the necessary settings page in Eventsforce. See our “How to edit user roles” article for further assistance.

You may also want to determine whether SSO will be enabled for accessing the event website and/or logging into the admin portal.

You will also need the following information:

  • Single sign-on service URL

  • Base64 encoded SAML2 response signing certificate

Allowing single sign-on for event website

SSO can be allowed for the event website, so that attendees can log in to register for the event. Enabling this option will create additional website URLs containing an “external login” identifier. Follow the steps below to allow single sign-on for the event website:

  1. Go to System settings > Security > SAML Settings

  2. Select the checkbox to “Allow single sign-on for event website using SAML2”

  3. Enter the “Single sign-on service URL”

  4. Enter the “Base64 encoded SAML2 response signing certificate”

  5. Click “Save”

Once saved, you can find the external login URLs by going to Website > Settings > Addresses. The external login URLs can be used to test SSO with the event website, and can be placed in the various areas where SSO may be initiated.

Importing data to Eventsforce with SSO

When allowing single sign-on for the event website, you can also carry over attendee data to Eventsforce. SAML attributes can be used to map data from the IdP (identity provider) to Eventsforce data items. See the two sections below, ‘Registration data’ and ‘Attendee category’, for more information on how to map data successfully:

Registration data

The below items will help you map data successfully:

  • The SAML2 Attribute name must exactly match the database item name in Eventsforce

  • The attribute name is not case sensitive

  • The feature will never overwrite data in Eventsforce. You should, therefore, use event-specific data items if you want data updated for each registration

  • If there is any validation error (example: the data doesn’t match any alternative in an item with fixed alternatives), the data will be ignored

  • Dates should be in “ISO 8601” format (example: yyyy-mm-dd)

  • Times should be “24h” format (example: 23:59)

  • For multilingual alternatives, only the English alternative name will be matched

Attendee category

Within Eventsforce, an attendee category can be used to give a unique registration experience for a specific user type by allowing separate prices, registration questions, and the days and sessions they can attend.

If the SAML response contains an attribute called “Attendee Category” then:

  • Eventsforce will use the value to set that user’s attendee category

  • The value must exactly match an attendee category that is active in the event (this is not case-sensitive)

  • If the attendee category passed is blank, or does not match any in the event, then the user will be forced to choose one from the attendee category selection page

  • Users with a matching value will bypass the attendee category selection page

  • If the attendee category is “invitation only”, SSO will disregard this restriction (example: the attendee does not need to be on the invitation list)

  • If all attendee categories are “invitation only” then the passed SSO attendee category value is honored. Those coming through the website (not SSO or invitations) will not be able to progress past the attendee category selection page.

Note: This feature is not compatible with group registration, abstract submitter login, or reviewer logins.
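
The mapping rules in ‘Registration data’ and ‘Attendee category’ above can be checked against the attributes your IdP releases before you start testing. The following is an added example, not Eventsforce code: it models only the rules listed in this article. The data item names, attendee categories, exact matching of fixed alternatives, and the handling of attribute names with no matching data item are assumptions.

```python
import re
from datetime import datetime

# Hypothetical event setup: data item name -> type, or list of fixed alternatives.
SCHEMA = {"Company": "text", "Arrival Date": "date", "Arrival Time": "time",
          "Dietary Requirements": ["None", "Vegetarian", "Vegan"]}
ACTIVE_CATEGORIES = ["Delegate", "Speaker"]  # hypothetical active attendee categories
FORMATS = {"date": (r"\d{4}-\d{2}-\d{2}", "%Y-%m-%d"),  # ISO 8601 (yyyy-mm-dd)
           "time": (r"\d{2}:\d{2}", "%H:%M")}            # 24h (23:59)

def valid(kind, value):
    """Check one attribute value against the format rules listed in the article."""
    if isinstance(kind, list):      # fixed alternatives (exact match is an assumption)
        return value in kind
    if kind not in FORMATS:         # free text: nothing to validate
        return True
    pattern, fmt = FORMATS[kind]
    try:
        datetime.strptime(value, fmt)   # rejects impossible values such as 2025-02-30
    except ValueError:
        return False
    return bool(re.fullmatch(pattern, value))

def preflight(attributes, stored):
    """Return (imported, ignored, category) for the attributes of one SSO login.
    stored holds data Eventsforce already has; category None means selection page."""
    items = {name.lower(): name for name in SCHEMA}   # names are not case sensitive
    imported, ignored, category = {}, {}, None
    for name, value in attributes.items():
        key = name.lower()
        if key == "attendee category":
            match = [c for c in ACTIVE_CATEGORIES if c.lower() == value.lower()]
            category = match[0] if match else None
        elif key not in items:
            ignored[name] = "no matching data item"   # assumed outcome
        elif items[key] in stored:
            ignored[name] = "existing data is never overwritten"
        elif not valid(SCHEMA[items[key]], value):
            ignored[name] = "validation error"
        else:
            imported[items[key]] = value
    return imported, ignored, category

# Constructed sample: attributes from a test assertion, and data already stored.
SAMPLE = {"company": "Example Ltd", "Arrival Date": "31/12/2025",
          "Arrival Time": "23:59", "Dietary Requirements": "Pescatarian",
          "Attendee Category": "speaker", "Job Title": "Engineer"}
STORED = {"Arrival Time": "09:00"}
if __name__ == "__main__":
    print(preflight(SAMPLE, STORED))
```

Running it on the constructed sample shows that only “Company” would be imported, and why each of the other attributes would be dropped.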

Allowing single sign-on for admin portal

Eventsforce provides a “SAML Settings” page, allowing clients to take control of their SSO configuration. Once the necessary permissions have been given to the user, they can access the “SAML Settings” page by taking the steps below:

  1. Go to System settings > Security > SAML Settings

  2. Select the checkbox to “Allow single sign-on for admin portal using SAML2” (if applicable)

  3. Select whether to restrict login to SSO only (prevent normal login and require SSO)

  4. Enter the “Single sign-on service URL”

  5. Enter the “Base64 encoded SAML2 response signing certificate”

  6. Click “Save”

Testing SSO Configuration

To test SSO for the admin portal:

  1. Create/pick a user on the IdP for testing purposes (example:

  2. Create an Eventsforce user with the above email address, allowing basic access to Eventsforce

  3. Visit the admin portal login page (example:

  4. On the login page, if SSO has been enabled for the admin portal, there should be a link to log in by SSO (usually it says “SSO”, unless customized). Click the link.

  5. You may be asked to sign in on the IdP. Provide the credentials for the above email address.

  6. If successful, you should be able to see the Eventsforce admin portal.

To test SSO for event website registration/amendment:

  1. Create/pick a user on the IdP for testing purposes (example:

  2. Create a test event in Eventsforce. In this example, let’s say the event ID is 123.

  3. Visit the “external login” URL for the event’s registration/amendment page (example:

  4. You may be asked to sign in on the IdP. Provide the credentials for the above email address.

  5. If successful, you should see a “registration details” page for the event, bypassing any email address or username input.
