Single Sign-On (SSO) Technical

1. Feature Purpose (System-Level)

Single Sign-On (SSO) enables external users to authenticate to the Event Cadence platform using their organization's existing identity provider (IdP) rather than managing separate credentials. The system implements the SAML 2.0 protocol to establish a trust relationship between the customer's IdP and Event Cadence services. Once configured, users are redirected to their organization's authentication portal during login and returned to Event Cadence with authenticated access.
The feature supports multi-tenant SSO configurations, allowing different organizations to maintain separate SSO integrations within the same platform instance. Access control operates at two levels: the IdP determines who can authenticate, while Event Cadence determines who has an active account.

2. High-Level Flow (System Behavior)

When a user attempts to log in with an SSO-enabled email domain, the system initiates a SAML authentication request and redirects the user to their organization's IdP. The IdP validates the user's credentials and generates a SAML response containing the user's email address and authentication assertions. This response is sent to the Assertion Consumer Service URL (https://account.eventcadence.com/authsaml/signonendpoint), where the authentication service validates the SAML signature and assertions.
The system extracts the email address from the SAML response and queries the user database. If a matching user account exists, access is granted. After successful authentication, the user is redirected to the event platform with an authenticated session.
On mobile platforms, Android uses Chrome Custom Tabs for the SSO login flow, while iOS implements SSO through native web views.

3. System Diagrams

System Architecture Diagram

Dependency Map

Processing Flow

4. Key Components and Data Objects

Authentication Components

  • SAML SSO Service: Validates SAML responses, manages metadata exchange, and enforces trust relationships
  • Authentication Service: Verifies user credentials and manages SSO sessions with support for specific domains
  • User Account Database: Stores user records matched by email address

Configuration Data Objects

  • Entity ID: Unique identifier for the Event Cadence SAML configuration
  • Reply URL (Assertion Consumer Service URL): Endpoint for SAML responses at https://account.eventcadence.com/authsaml/signonendpoint
  • Logout URL: Optional endpoint for Single Logout at https://account.eventcadence.com/authsaml/logoutendpoint
  • Metadata URL: Organization-specific metadata endpoint with format https://account.eventcadence.com/authsaml/info/[org-id]
  • IdP Metadata XML: Contains Identity Provider Single Sign-On URL, Identity Provider Issuer, and signing certificates

SAML Configuration Settings

  • Name ID Format: EmailAddress
  • Name ID Attribute: Primary user email
  • Responses Signed: Yes
  • Assertions Signed: Yes
  • Authentication Context: PasswordProtectedTransport (default)
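
The checks that the flow in section 2 and the settings above imply once signatures have been verified, as an added Python example (not Event Cadence's code). The Entity ID value, the IdP issuer, the account table and the case-insensitive email match are assumptions, and the sample response is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://account.eventcadence.com/authsaml/signonendpoint"  # from this page
SP_ENTITY_ID = "urn:example:sp-entity-id"  # placeholder; the real Entity ID is not shown here
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def _ts(value):
    # SAML instants are UTC; fractional seconds are not handled in this example
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, idp_issuer, users, now):
    """Return the matched account id or raise ValueError.
    Assumes a SAML library has already verified the response and assertion signatures."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not the ACS URL")
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("a:Issuer", "", NS).strip() != idp_issuer:
        raise ValueError("unexpected issuer")
    cond = a.find("a:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore", "")) <= now
                            < _ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("assertion outside its validity window")
    audiences = [(e.text or "").strip()
                 for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("audience is not this service provider")
    name_id = a.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        raise ValueError("NameID is not in EmailAddress format")
    email = (name_id.text or "").strip().lower()  # assumption: case-insensitive match
    if email not in users:  # the IdP authenticated the user, but no account exists
        raise ValueError("no matching account")
    return users[email]

# Constructed sample response template (signatures omitted), filled in by the caller.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
 <a:Assertion><a:Issuer>https://idp.example.com/saml</a:Issuer>
  <a:Subject><a:NameID Format="{fmt}">Ana.Diaz@example.com</a:NameID></a:Subject>
  <a:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <a:AudienceRestriction><a:Audience>{aud}</a:Audience></a:AudienceRestriction>
  </a:Conditions></a:Assertion></p:Response>"""
```

The last check is the second access-control level from section 1: a valid assertion for an email with no account is still rejected.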

5. Dependencies and Constraints

External Dependencies

  • Identity Providers: Okta, Azure AD, Google Workspace, OneLogin, and other SAML 2.0 compliant IdPs
  • SAML 2.0 Protocol: Required for authentication exchange
  • SSL/TLS Certificates: IdP signing certificates must be current and valid
  • Metadata Exchange: Bidirectional metadata sharing between Event Cadence and customer IdP

System Constraints

  • Users without a corresponding Event Cadence account cannot log in via SSO unless the IdP is configured to auto-create accounts
  • User accounts are matched by email address; email mismatches between IdP and Event Cadence prevent authentication
  • When an SSO user's email changes, the IdP must update the email attribute, or the user's third-party-id field must be set to the old email to maintain account continuity
  • Certificate rotation in the IdP requires updated metadata to be provided to Event Cadence to maintain the trust relationship

Configuration Options

  • Organizations can disable email login completely and enforce SSO-only authentication
  • Available login options: Email Magic Link or Email with Password (default), Email with Password only, or SSO only

Provisioning Workflow

  • Event Cadence supplies a unique metadata page for the customer's account that contains the necessary values and metadata
  • The customer's IT team applies the metadata provided by Event Cadence to the customer's IdP
  • The customer's IT team provides the IdP metadata XML or metadata URL to Event Cadence
  • Event Cadence completes setup, typically within 1 business day


Ongoing Maintenance Requirements

The only maintenance requirement mentioned is related to certificate rotation:
  • Certificate rotation in the IdP requires updated metadata to be provided to Event Cadence to maintain the trust relationship
  • SSL/TLS Certificates: IdP signing certificates must be current and valid
This is typically an as-needed activity that occurs when the Identity Provider's signing certificates expire (usually annually or every few years, depending on the IdP's certificate lifecycle).
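
One way to notice that a rotation has happened, as an added Python example (not Event Cadence's code): it parses IdP metadata XML for the issuer, Single Sign-On URL and signing certificates, then compares certificate fingerprints against the set recorded at setup. The function names, the stored fingerprint set and the sample metadata are assumptions constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def parse_idp_metadata(xml_text):
    """Return issuer, SSO URL and SHA-256 fingerprints of the IdP signing certificates.
    Assumes the document root is a single EntityDescriptor."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", MD)
           if s.get("Binding") == REDIRECT]
    prints = set()
    for kd in idp.findall("md:KeyDescriptor", MD):
        if kd.get("use", "signing") != "signing":  # a key without 'use' also signs
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return {"issuer": root.get("entityID"), "sso_url": sso[0] if sso else None,
            "signing_fingerprints": prints}

def rotation_status(trusted_fingerprints, current_metadata_xml):
    """Compare the fingerprints on record with the IdP's currently published metadata."""
    current = parse_idp_metadata(current_metadata_xml)["signing_fingerprints"]
    trusted = set(trusted_fingerprints)
    return {"added": current - trusted, "retired": trusted - current,
            "update_needed": current != trusted}

def sample_metadata(*blobs):
    """Constructed metadata; blobs are placeholder bytes standing in for DER certificates."""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        + base64.b64encode(b).decode()
        + '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        for b in blobs)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
            'entityID="https://idp.example.com/saml"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">%s'
            '<md:SingleSignOnService Binding="%s" Location="https://idp.example.com/sso"/>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>'
            % (MD["md"], MD["ds"], keys, REDIRECT))
```

An "added" fingerprint with nothing "retired" is the overlap period in which an IdP publishes the new certificate alongside the old one, which is the point at which to send the updated metadata.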