Event Single Sign-On (SSO): Secure SAML 2.0 & OIDC Integration

The End of Password Fatigue

What are the benefits of SSO for events?

Yes. Single Sign-On (SSO) improves event security by centralizing authentication in the IdP and enhances attendee experience by eliminating new passwords. It reduces abandonment, lowers support tickets, and enables immediate deprovisioning when a user loses corporate access. (InEvent FAQ)

The operational problem SSO solves in event software

Events are high-volume, time-bound, and identity-hostile environments:

• Users arrive from email invites, calendar links, QR codes, and mobile app prompts.

• Many users have not touched the event portal before the day they need it.

• “Forgot password” spikes exactly when helpdesk capacity is tight.

• Events attract sensitive content: attendee lists, sponsor directories, session chats, internal employee groups, and sometimes gated materials.

Password fatigue turns into measurable loss:

• Registration drop-off when a user must create and confirm a password.

• Lower adoption of mobile and virtual lobby features when login friction exists.

• Increased support overhead for resets and account lockouts.

SSO replaces that with the identity UX users already understand: “Continue with Corporate Login.”

The security benefit is not abstract

SSO is not just convenience. It is the control plane for access decisions:

• MFA enforcement happens at the IdP, not inside the event platform.

• Conditional access can be applied (device posture, location risk, managed device).

• Credential lifecycle is owned by the organization (rotation, lockout, recovery).

• Deprovisioning becomes immediate: disable the account or remove app assignment in the IdP, and access stops at the next auth attempt.

InEvent supports SSO methods that integrate directly with InEvent endpoints. That matters because it preserves a clean trust boundary: one IdP, one Service Provider (SP), one set of signed assertions/tokens, and an auditable configuration. (InEvent FAQ)

Conditional Access & Event Threat Modeling

• Require MFA for all users, and step-up MFA for admins and staff roles. Keep it in the IdP so the policy is consistent across web and mobile.
• Restrict access by device posture for internal events. If your employees must use managed devices, enforce compliant device or MDM enrollment before tokens are issued.
• Apply location rules for high-risk programs. For example, allow corporate countries only, or block impossible travel patterns during the event.
• Use risk-based sign-in controls where available. If the IdP flags suspicious login attempts, the event access should be blocked automatically.
• Pair SSO with least-privilege inside the event. SSO answers “who are you,” but roles answer “what can you do.” Map staff users into restricted admin roles and avoid granting broad permissions “just for event week.”

Event-specific UX outcomes

SSO changes adoption mechanics in a way procurement and security both care about:

• Higher registration completion rates (less form abandonment).

• Faster time-to-content (sessions, agenda, attendee network, downloads).

• Cleaner identity consistency across web + mobile use cases.

• Less reliance on “temporary passwords” that create audit and governance issues.

Supported Protocols (SAML 2.0 vs OIDC)

Does InEvent support SAML 2.0?

Yes. InEvent supports direct SSO integration with SAML 2.0. Configure your IdP to send signed SAML responses to InEvent’s ACS endpoint and provide the issuer, SSO URL, and X.509 certificate. (InEvent FAQ)

What InEvent supports (at the protocol level)

InEvent supports direct integration with:

• SAML 2.0

• Azure Active Directory (OIDC)

• OpenID Connect (InEvent FAQ)

Configuration requirements are explicit:

• For SAML, you provide Issuer URL, SAML 2.0 URL/endpoint, SLO URL (optional), and an X.509 certificate. (InEvent FAQ)

• For OIDC, you provide the IdP’s openid-configuration URL (commonly /.well-known/openid-configuration). (InEvent FAQ)

A critical architectural constraint is also stated: InEvent does not support intermediary SSO layers acting as a middle step between your IdP and InEvent; the IdP must integrate directly with InEvent SAML/OIDC endpoints. (InEvent FAQ)

Protocol selection: how security architects decide

Both SAML and OIDC solve federated authentication, but they behave differently in practice.

SAML 2.0

• Mature enterprise standard, common in older and highly regulated IdP deployments.

• Uses a signed SAML assertion posted to the SP (InEvent).

• Strong fit for “portal-to-app” enterprise workflows and IdP catalogs.

OIDC (OpenID Connect)

• Modern standard layered on OAuth 2.0, designed for web and mobile apps.

• Issues ID tokens (typically JWT) and optionally access tokens.

• Cleaner claim models, easier incremental scopes, better aligned to API-driven products.

InEvent supports both, including a Microsoft Entra ID OIDC integration path and a generic OpenID Connect path. (InEvent FAQ)

The handshake (SP-initiated flow) in plain technical terms

SSO flows differ based on where the login starts.

SP-initiated means the user starts at the Service Provider (InEvent) and is redirected to the IdP.

SAML SP-initiated flow (typical):

1. User hits an InEvent login URL.

2. InEvent (SP) generates an AuthnRequest and redirects to the IdP.

3. IdP authenticates user (password + MFA + policy).

4. IdP posts a signed SAML Response back to InEvent’s ACS endpoint.

5. InEvent validates signature, audience, issuer, timestamps, and creates a session. (Microsoft Learn)

OIDC SP-initiated flow (typical):

1. User hits an InEvent login URL.

2. InEvent redirects to the IdP’s authorization endpoint.

3. IdP authenticates user and returns an authorization code.

4. InEvent exchanges the code at the token endpoint for ID token (and possibly access/refresh tokens).

5. InEvent validates token signature and claims, then creates a session.

IdP-initiated login: when it matters

Some enterprises want users to click the app tile inside the IdP portal and land directly in the event platform.

InEvent supports multiple SSO integrations and controls how SSO buttons display at company and/or event login surfaces, which is how IdP-initiated patterns are typically operationalized in event contexts. (InEvent FAQ)

Session duration and logout behavior: the details that break real deployments

SSO “works” in a lab. It breaks in production at session edges.

InEvent exposes an SSO login session duration setting:

• Default is 120 minutes.

• For SAML, InEvent prioritizes the session duration configured in InEvent (or defaults to InEvent’s if none is set).

• For OIDC, InEvent relies on the default session duration time. (InEvent FAQ)

Logout behavior can also differ by protocol and IdP. InEvent documents that with Azure AD:

• If integrated via SAML, users may be redirected to a SAML logout page.

• If integrated via OIDC, users may be redirected to Microsoft’s logout interface with manual confirmation. (InEvent FAQ)

The Ecosystem (Okta, Azure, Google, OneLogin, Ping)

Compatibility model: standards first, vendor second

InEvent’s SSO is standards-driven. If your IdP can act as a SAML 2.0 IdP or an OIDC provider, you can integrate by exchanging endpoints, certificates, and claim mappings.

InEvent explicitly supports:

• Azure Active Directory (OIDC) (InEvent FAQ)

• OpenID Connect with “certified SSO OIDC Identity Providers, such as OneLogin, G Suite,” and other IdPs using OAuth 2.0 (InEvent FAQ)

• SAML 2.0 (example configuration shown with OneLogin) (InEvent FAQ)
  
  
  
  
  
  
  

Microsoft Entra ID (Azure AD)

If you want the cleanest “enterprise default” rollout for internal events, Entra ID is usually the easiest:

• Register an application in Entra ID.

• Capture Tenant ID, Client ID, and generate a Client Secret.

• Configure redirect URI from InEvent’s Azure AD OIDC configuration page.

• Complete the linkage in InEvent using the collected IDs and secret. (InEvent FAQ)

Operational note: client secrets expire. InEvent explicitly recommends renewing the client secret and integration before expiration to avoid outage. (InEvent FAQ)

Google Workspace

InEvent’s OpenID Connect path references G Suite as an example OIDC IdP category. (InEvent FAQ)
In practice, the pattern is standard:

• Configure an OIDC client in your Google environment (or use a compatible OIDC provider).

• Provide the /.well-known/openid-configuration URL and required client credentials to the SP (InEvent). (InEvent FAQ)
  
  
  
  
  
  
  
  

Okta (and similar IdPs)

Okta is commonly deployed as either:

• A direct IdP for apps (standard SAML/OIDC), or

• An “identity hub” sitting between upstream identity sources and downstream apps.

InEvent’s constraint is clear: do not place an intermediary layer between the IdP and InEvent. Your IdP must integrate directly with InEvent SAML/OIDC endpoints. (InEvent FAQ)

If Okta is your actual IdP, you treat InEvent as a standard SAML 2.0 SP:

• Create a SAML app in Okta.

• Set ACS URL to InEvent’s SSO redirect/ACS endpoint.

• Provide Okta’s issuer and signing certificate to InEvent, which aligns with InEvent’s required SAML parameters. (InEvent FAQ)
  
  
  
  
  
  
  
  

OneLogin / PingIdentity / OneLogin-style federation

InEvent’s documentation uses OneLogin as a SAML 2.0 integration example and also references OneLogin as an OIDC-capable IdP category. (InEvent FAQ)
For PingIdentity and similar enterprise federation products, the SAML 2.0 profile is typically the fastest path because it matches “issuer + SSO URL + signing cert” exchange patterns. (InEvent FAQ)

Setup speed: why “metadata XML exchange” is usually quick

SAML setups tend to collapse into two actions:

1. InEvent provides redirect/ACS URL patterns for your tenant/company nickname.

2. Your IdP provides issuer, SSO endpoint, and X.509 certificate back to InEvent. (InEvent FAQ)

OIDC setups collapse into:

1. InEvent provides redirect URI.

2. Your IdP provides openid-configuration URL and client credentials. (InEvent FAQ)

Most delays are not technical. They come from governance:

• Who owns the IdP change window.

• Whether you require security review of new app registrations.
  
  
• Whether claims and group assignments are already standardized.

Mixed Audiences, Partner Access, and Federation Patterns

• Lane 1: Employees authenticate via corporate SSO and receive staff entitlements based on IdP group assignment.
• Lane 2: Partners authenticate via a partner IdP (second SSO integration) or via OIDC/SAML from their federation product, receiving partner-only entitlements.
• Lane 3: Guests authenticate without SSO using email-based access, limited permissions, and narrower visibility by default.

Security Governance (The Kill Switch)

What governance means in event SSO

Events create temporary access surfaces:

• An internal event with sensitive content.

• A partner event where only specific domains or partner orgs should enter.

• A hybrid event where staff has elevated access and attendees have limited access.

Governance is the ability to shut access off instantly and prove policy enforcement.

The kill switch: centralized deprovisioning

SSO makes the IdP the enforcement point:

• Disable the user account, rotate tokens, or remove application assignment in the IdP.

• The next login attempt fails at the IdP, not in the event platform.

To prevent “shadow access” via local credentials, you enforce SSO-only entry where required.

InEvent provides:

• Mandatory SSO Auth to require users to authenticate through integrated SSO methods to enroll in the event. (InEvent FAQ)

• Allow non-SSO login as a separate toggle (company and event level configurations are independent). For strict governance, disable non-SSO login when you want SSO-only. (InEvent FAQ)
  
  
  
  
  
  

Domain control without guessing platform-specific features

If your policy is “only @company.com can access,” enforce it where it is strongest:

• In the IdP: assign the app only to managed users/groups.

• In event configuration: require SSO for enrollment with Mandatory SSO Auth, and disable non-SSO login. (InEvent FAQ)

This avoids relying on brittle, email-string checks and ensures access follows directory truth.

Multiple SSO integrations: real-world enterprise need

Mergers, subsidiaries, and agency structures often require more than one IdP directory.

InEvent supports multiple SSO integrations and lets you decide where each appears (company level only, event level only, or both). (InEvent FAQ)

Use cases:

• Separate SSO for internal staff vs external partners.

• Distinct IdPs for different agencies participating in the same event portfolio.

• Phased migration: legacy IdP + new IdP during transition.
  
  
  
  
  
  

Login surface control: reduce confusion, reduce risk

InEvent allows you to show/hide the SSO login button at:

• Company level login

• Event level login

• Both (InEvent FAQ)

That is how you prevent users from choosing the wrong directory when multiple integrations exist.

Custom domains and redirect stability

If you use a custom domain for your company or event, redirect URLs can change.

InEvent provides a setting: Use custom domain for redirect to ensure SSO is not interrupted by domain changes. (InEvent FAQ)

This is a practical control: it prevents SSO outages caused by URL drift during branding or domain migration work.

Just-In-Time (JIT) Provisioning

What is JIT provisioning for events?

Yes. Just-in-Time (JIT) provisioning creates (or activates) a user in the event platform at first SSO login using attributes from the IdP. It removes manual imports and keeps identity aligned with the corporate directory. (InEvent FAQ)

How JIT looks in InEvent: auto-registration + claim mapping

Event platforms often require the attendee to exist before access. JIT flips it: “authenticate first, create access footprint automatically.”

InEvent provides Auto register with SSO:

• Allows users who log in using SSO to be automatically registered to the event, even if they were not added to the attendee list.

• If not enabled, users must already exist in the attendee list before they can log in with SSO.

• Not compatible with the “Ticket requirement” tool (enabling both can block access). (InEvent FAQ)

This is the event-specific equivalent of JIT provisioning: SSO is the creation trigger.

Attribute mapping: make the profile useful on first login

Creating an account is not enough. You need the right attributes for:

• badge printing fields

• attendee segmentation

• access policies inside the event (tracks, networking visibility)

• reporting by department or role

InEvent supports mapped fields (claims) after SSO authentication. Fields that can be automatically mapped include:

• First name & Last name

• Company

• Role

• Phone number (InEvent FAQ)

For Azure AD (OIDC), InEvent documents:

• Creating claims in Entra ID

• Using attributes such as user.companyname and user.jobtitle to populate Company/Role

• Entering unique claim names in InEvent (InEvent FAQ)
  
  
  
  
  
  
  

Extra scopes (OIDC): when default claims are not enough

OIDC commonly provides openid, profile, and email. In enterprise cases, you want more.

InEvent allows defining extra scopes to request more user information from the OIDC IdP, and then map those claims into InEvent fields. (InEvent FAQ)

Practical JIT constraints to plan for

JIT works best when you decide upfront:

• Which user population is allowed (IdP group assignment).

• Whether access should be automatic (auto-register) or moderated (approval workflows).

• Which attributes are authoritative (job title from HRIS, department, location).

Testing, Cutover, and Troubleshooting Checklist

• Verify user creation behavior. If you want first-login access, enable auto-registration and confirm it does not conflict with ticket gating or approval steps.
• Validate claim mapping with real accounts. Confirm name formatting, company, role, and phone fields populate correctly and do not overwrite curated data.
• Test on web and mobile. Some IdPs behave differently in embedded browsers and app webviews; confirm the flow works where attendees will use it.
• Confirm session duration expectations. Test idle timeouts and re-auth flows so users are not kicked out mid-session or forced through repeated MFA loops.
• Test logout redirects. Ensure users return to the right post-logout page and do not land on confusing IdP confirmation screens.
• Create a rollback plan. If the IdP change window closes, know whether non-SSO login will be temporarily allowed or whether you will pause access.
• Finally, publish a one-page IT runbook: login URL, test accounts, support contacts, and the exact error screenshots to capture. That single document prevents the “SSO works for me” chaos during go-live.

Implementation checklist (what a security architect actually wants)

1. Choose protocol: SAML 2.0 for classic enterprise federation; OIDC for modern token-based identity and richer claim/scopes.

2. Define trust boundary: direct IdP-to-InEvent integration; do not chain intermediary SSO brokers. (InEvent FAQ)

3. Set enrollment policy:

• SSO optional (allow non-SSO login) or

• SSO mandatory (Mandatory SSO Auth + disable non-SSO login). (InEvent FAQ)

4. Decide JIT behavior:

• Preload attendee list, or

• Enable Auto register with SSO (and avoid incompatible ticket gating). (InEvent FAQ)

5. Map attributes:

• Configure claims in the IdP,

• Map fields in InEvent (Company, Role, Phone, names),

• Add extra scopes for OIDC if needed. (InEvent FAQ)

6. Harden session controls:

• Set session duration appropriate for your risk profile,

• Validate logout behavior and redirect. (InEvent FAQ)

7. Scale:

• Use multiple SSO integrations where needed,

Frequently Asked Questions for IT Architects

Q: Do you support IdP-initiated login?

Yes. Enterprises commonly initiate access from the IdP application portal. InEvent supports multiple SSO integrations and controls where each SSO option appears (company and/or event login surfaces), which is the operational foundation for IdP-initiated access patterns. (InEvent FAQ)

Q: Can we map custom attributes?

Yes. InEvent supports mapped fields (claims) for profile fields including First/Last name, Company, Role, and Phone number. For Azure AD (OIDC), InEvent documents claim creation and mapping (for example, mapping user.companyname and user.jobtitle). (InEvent FAQ)

Q: Is 2FA enforced?

Yes, if it’s enforced at your IdP. SSO delegates authentication to your IdP, so MFA, conditional access, and device policies apply before the IdP issues the SAML assertion or OIDC tokens. (Enforce MFA at the IdP app policy level; do not rely on per-app optional MFA.)

Q: Can we force SSO-only access (no fallback passwords)?

Yes. Enable Mandatory SSO Auth so users can only enroll if authenticated through integrated SSO methods, and disable Allow non-SSO login to prevent local login paths. (InEvent FAQ)

Q: Can users be created automatically on first login?

Yes. Enable Auto register with SSO to automatically register users who authenticate via SSO, even if they were not preloaded into the attendee list. If you do not enable it, users must exist in the attendee list before SSO login works. (InEvent FAQ)

Q: How long does an SSO session last?

Configurable. InEvent allows configuring SSO login session duration; the default is 120 minutes. InEvent documents different behavior between SAML and OIDC regarding which session duration is applied. (InEvent FAQ)

Q: We use a custom domain. Will SSO break?

Not if you configure it. InEvent provides a Use custom domain for redirect option to prevent SSO interruption caused by domain changes in custom-domain-enabled environments. (InEvent FAQ)

Q: Can we redirect users after logout?