Single Sign-On (SSO) allows users to securely access LiveRem using their existing corporate credentials, without needing to create or manage a separate username and password.
Once SSO is enabled, employees are redirected to their organisation’s identity provider (IdP) to sign in and are then seamlessly returned to LiveRem. This improves security by centralising authentication and access control, while also providing a faster and simpler login experience for users.
What is SSO?
SSO (Single Sign-On) is an authentication method that allows users to log in to multiple applications using one set of credentials managed by their organisation.
LiveRem supports SAML 2.0–based SSO, where:
LiveRem acts as the Service Provider (SP)
Your organisation’s system (for example, Okta or Azure AD) acts as the Identity Provider (IdP)
Before You Start
Before configuring SSO in LiveRem, make sure you have the following:
Admin access to LiveRem
Admin access to your organisation’s Identity Provider (IdP)
A SAML 2.0 application created in your IdP
You will need:
Issuer ID / Entity ID
SSO (Login) URL
X.509 Signing Certificate
Attribute or group values for role mapping
One or more email domains owned by your organisation (for domain verification)
Understanding the Two SSO URLs
When configuring SAML Single Sign-On (SSO), you will encounter two different Single Sign-On URLs.
Although they have similar names, they serve completely different purposes.
1️⃣ Single Sign-On URL (Configured in Your Identity Provider)
This is LiveRem’s ACS (Assertion Consumer Service) URL.
It is where your Identity Provider sends the SAML response after authentication.
Your Identity Provider may label this field as:
Single Sign-On URL
ACS URL
Reply URL
Callback URL
Set this value to: https://prodfunctions.liverem.com/api/sso/callback/saml
If your provider requests them separately:
Recipient URL → Use the same value
Destination URL → Use the same value
2️⃣ Identity Provider Single Sign-On URL (Configured in LiveRem)
This is your Identity Provider’s login endpoint.
It is where LiveRem redirects users to authenticate.
This value comes from your Identity Provider and may be labelled:
Identity Provider Single Sign-On URL
Login URL
SAML Endpoint
SSO Service URL
🔄 Why This Matters
These URLs represent opposite directions of the same authentication flow:
LiveRem → Redirects user → Identity Provider SSO URL
Identity Provider → Sends response → LiveRem ACS URL
⚠️ Mixing them up is the #1 cause of SSO setup failures.
Quick Reference
Configuration Location | Field | Value |
Identity Provider (Okta, Azure AD, etc.) | Single Sign-On / ACS URL | https://prodfunctions.liverem.com/api/sso/callback/saml |
Identity Provider | Audience Restriction / SP Entity ID | https://app.liverem.com/saml/metadata |
LiveRem SSO Settings | SSO URL | (Provided by your Identity Provider) |
LiveRem SSO Settings | Issuer ID | (Provided by your Identity Provider) |
Important: LiveRem Values Required by Your IdP
When configuring your SAML application in your Identity Provider, you must enter the following LiveRem values.
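Your IdP may label these fields differently.
Identity Provider Field | Value to Enter |
Single Sign-On URL / ACS URL / Reply URL / Callback URL | https://prodfunctions.liverem.com/api/sso/callback/saml |
Recipient URL (if required) | https://prodfunctions.liverem.com/api/sso/callback/saml |
Destination URL (if required) | https://prodfunctions.liverem.com/api/sso/callback/saml |
Audience Restriction / SP Entity ID / Entity ID / Identifier | https://app.liverem.com/saml/metadata |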
⚠️ This must EXACTLY match: https://app.liverem.com/saml/metadata
If this value differs, authentication will fail.
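A pre-flight check for the mix-ups described above, as an added example that is not LiveRem's own code: it compares the addressing fields of a decoded SAML response (for instance one captured during a test login) with the LiveRem values given on this page. The IdP URLs and the sample response are constructed for illustration, and the comparison is assumed to be exact and case-sensitive.

```python
import xml.etree.ElementTree as ET

# LiveRem SP values as stated on this page.
ACS_URL = "https://prodfunctions.liverem.com/api/sso/callback/saml"
SP_ENTITY_ID = "https://app.liverem.com/saml/metadata"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_response(xml_text, expected_issuer):
    """List addressing mismatches. Diagnostic only: the signature is NOT verified."""
    root = ET.fromstring(xml_text)
    problems = []

    def compare(label, actual, expected):
        if actual != expected:  # exact match; a trailing slash counts as a mismatch
            problems.append(f"{label}: got {actual!r}, expected {expected!r}")

    compare("Destination", root.get("Destination"), ACS_URL)
    compare("Issuer", root.findtext("saml:Assertion/saml:Issuer", namespaces=NS), expected_issuer)
    confirm = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = confirm.get("Recipient") if confirm is not None else None
    compare("Recipient", recipient, ACS_URL)
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience: got {audiences!r}, expected {SP_ENTITY_ID!r}")
    return problems


def build_sample(destination, recipient, audience, issuer):
    """Constructed, unsigned SAML response used only for this demonstration."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{destination}">
  <saml:Assertion>
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{recipient}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    issuer = "https://idp.example.com/saml"  # hypothetical IdP Issuer ID
    # IdP login URL entered as Destination, and a trailing slash on the audience.
    swapped = build_sample("https://idp.example.com/sso", ACS_URL, SP_ENTITY_ID + "/", issuer)
    for line in check_response(swapped, issuer):
        print(line)
```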
SSO - Single Sign-On
Click the Configure SSO button to start configuring SSO for LiveRem.
Configure SSO
Step 1 - Provider Configuration
The screen below shows the first step of setting up Single Sign-On (SSO) for your organization. In this step, you provide the core details of your identity provider so LiveRem can securely authenticate users via SSO.
1. Provider Name
A friendly name to identify your identity provider (e.g., Okta, Azure AD, or Company SSO).
2. Issuer ID
The unique identifier URL provided by your identity provider.
This is used to verify who issued the SAML authentication response.
3. SSO URL
The login URL where users are redirected to authenticate.
This is often called the Single Sign-On URL or Login URL in your identity provider settings.
4. SAML Certificate
The public certificate used to validate and verify SAML responses.
Copy the full certificate from your identity provider, including the BEGIN and END markers.
It typically includes the following:
Public Key – Used by LiveRem to verify the digital signature on SAML assertions sent by the Identity Provider.
Issuer Information – Identifies the organization or identity provider that owns and issued the certificate.
Validity Period – Defines the start and expiry dates, ensuring assertions are only trusted within a valid time frame.
Signature Algorithm Details – Specifies how SAML responses are signed to guarantee integrity and prevent tampering.
This certificate ensures that SAML responses are authentic, untampered, and securely exchanged between the identity provider and LiveRem.
How to Find These Values
In your Identity Provider Admin Console:
Applications → Your SAML App → Sign On → View Setup Instructions
Common labels:
LiveRem Field | IdP Label |
Issuer ID | Identity Provider Issuer / Entity ID |
SSO URL | Single Sign-On URL |
Certificate | X.509 Certificate |
5. Auto-Provision Users
When enabled, user accounts are automatically created the first time a user signs in via SSO.
6. Auto-Update Roles
When enabled, existing user roles are automatically updated based on SAML assertions each time the user logs in.
Together, these two features reduce administrative effort while ensuring access remains accurate and aligned with your organization’s identity provider.
Clicking the Next button takes you to the next screen, where you can set up your domain.
Step 2 - Domains
The Domains section allows you to add and manage email domains associated with your organization’s SSO configuration. These domains are used to automatically identify users and route them to the correct identity provider during login. Only users with matching email domains will be authenticated using your configured SSO.
Add Domain
Clicking the Add Domain button allows you to add email domains to your SSO configuration. Here you can add any number of email domains.
Once added, the domain will appear in the Domain Mapping section.
Domain Verification
It’s important to verify any added domain to confirm ownership. To do this, click the Verify button, then select Check Verification to complete the process.
Verification is usually completed within a few minutes, but may take up to 72 hours depending on DNS propagation. You can continue with the DNS setup; verification will complete automatically in the background.
Delete Domain
Clicking the Delete button allows you to remove the domain mapping.
After adding and verifying your domain, clicking the Next button takes you to the next screen, where you can add roles to your configuration.
Step 3 - Roles
The Roles section allows you to map your organization’s SSO attributes or authentication groups to LiveRem roles. This ensures users are automatically assigned the correct permissions based on the information provided by your identity provider when they sign in.
Role Mapping
Default LiveRem Role
Defines the role that will be assigned to users when they sign in via SSO and do not match any specific role-mapping rules.
This ensures every authenticated user is granted appropriate access, even if no role information is provided by the identity provider.
Add Mapping
Add Mapping allows you to create rules that map SSO attributes or authentication groups to specific LiveRem roles.
These mappings are evaluated when a user signs in, ensuring users are automatically assigned the correct role based on the information received from your identity provider.
It’s important to ensure that the assertion values used for LiveRem role mapping exactly match the values provided by your identity provider.
Any mismatch may prevent users from being assigned the correct role during sign-in.
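The mismatch case described above, as an added example that is not LiveRem's implementation: it resolves a role from the values an IdP sent and reports values that differ from a configured mapping only by case or whitespace, which is how a user ends up on the default role unnoticed. The role names, group names, users, exact case-sensitive comparison and first-match-wins ordering are all assumptions made for illustration.

```python
# Hypothetical configuration: (assertion value, LiveRem role) pairs, in priority order.
MAPPINGS = [("LiveRem-Admins", "Admin"), ("LiveRem-Users", "Member")]
DEFAULT_ROLE = "Viewer"  # hypothetical default role for unmatched users

# Constructed sample: group values each user's assertion carried at sign-in.
LOGINS = {
    "alice@example.com": ["LiveRem-Admins", "Everyone"],
    "bob@example.com": ["liverem-admins", "Everyone"],   # case differs
    "carol@example.com": ["LiveRem-Users ", "Everyone"],  # trailing space
    "dave@example.com": ["Everyone"],                     # no mapping intended
}


def resolve_role(idp_values, mappings, default_role):
    """Return (role, near_misses) using exact, case-sensitive matching."""
    for assertion_value, role in mappings:
        if assertion_value in idp_values:
            return role, []
    # No exact match: look for values that would match after normalisation.
    near = []
    for sent in idp_values:
        for assertion_value, role in mappings:
            if sent.strip().casefold() == assertion_value.strip().casefold():
                near.append((sent, assertion_value, role))
    return default_role, near


def audit(logins, mappings, default_role):
    """Users who fell back to the default role because of a near-miss value."""
    report = {}
    for user, values in logins.items():
        _, near = resolve_role(values, mappings, default_role)
        if near:
            report[user] = near
    return report


if __name__ == "__main__":
    for user, near in audit(LOGINS, MAPPINGS, DEFAULT_ROLE).items():
        for sent, configured, role in near:
            print(f"{user}: sent {sent!r}, mapping expects {configured!r} ({role})")
```

Running this kind of comparison after renaming a group in the IdP is worthwhile when Auto-Update Roles is enabled, since roles are re-evaluated at each login.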
Attribute Mapping
The Attribute Mapping section allows you to map attributes sent by your identity provider to LiveRem user profile fields.
This ensures user information such as first name, last name, and phone number is automatically populated and kept up to date when users sign in via SSO.
The assertion names must exactly match the attribute names configured in your identity provider for the mapping to work correctly.
Clicking the Next button takes you to the next screen, where you can test your connection.
Step 4 - Test Connection
Test Connection allows you to verify your SSO configuration before enabling it.
Clicking the Run Test button checks the connection to your identity provider and confirms that your SSO setup is working correctly.
Once you’ve completed the SSO configuration, your SSO tab will appear as shown below. From here, you can edit the configuration, test the connection, disable SSO, or delete the configuration as needed.
Edit Configuration
Allows you to update your existing SSO settings.
When you click Edit, you will be redirected to the same step-by-step flow used during the initial SSO setup, where you can review and modify your configuration.
Test Connection
Allows you to verify that the enabled SSO configuration is still working correctly by testing the connection to your identity provider.
Disable Configuration
Temporarily turns off SSO for your organization without removing the configuration.
While disabled, users will not be able to sign in using SSO, but the configuration is preserved and can be re-enabled at any time.
Delete Configuration
Permanently removes the SSO configuration for your organization.
Once deleted, users will no longer be able to sign in using SSO, and authentication will revert to standard login methods.
⚠️ Removing a domain will prevent users with email addresses on that domain from signing in via SSO.
Add Domain
Add Domain lets you add one or more email domains to your SSO configuration.
Users with matching email addresses will be automatically routed to your identity provider when signing in.
Each added domain must be verified before it becomes active.
Security & Best Practices
For best results, we recommend:
Enabling multi-factor authentication (MFA) in your identity provider
Regularly reviewing SAML certificates and rotating them before expiry
Auditing login activity through your IdP logs
Testing SSO after making any IdP or role-mapping changes
Single Sign-On makes accessing LiveRem easier and more secure by allowing users to sign in using their existing work credentials. With SSO, organizations can centrally manage authentication, user access, and roles while reducing the need for separate passwords. This results in a smoother login experience for users and simpler access control for administrators.
















