If your organization uses SAML single sign-on (SSO) with Purplepass, you can restrict specific ticket types to particular users based on the identity data your identity provider (IdP) passes during login. Purplepass supports four types of identity data for this purpose: groups, roles, custom claims, and boolean flags. This article explains what each one is and when to use it.
How restricted access via SSO works
When a user logs in through SSO, your identity provider sends a set of claims (pieces of identity data) to Purplepass as part of the SAML assertion. Purplepass reads these claims and checks them against the SSO groups you've configured in your Purplepass dashboard. If a match is found, the user is granted access to any ticket types restricted to that SSO group.
A note on terminology:
The configuration object you create in the Purplepass dashboard is called an "SSO group." Despite the name, it isn't limited to matching a literal group claim from your IdP. An SSO group can target any of the four data types covered below: a group, a role, a custom claim value, or a flag.
All claim matching in Purplepass is case-insensitive. For example, student, Student, and STUDENT are all treated as the same value.
The four types of identity data
You can mix and match these based on whatever is easiest to configure in your identity provider.
Groups and roles
Standard group and role membership, picked up automatically with no special claim labeling required. Best for broad, ongoing access categories that don't change often, such as FacultyStaff or Undergraduate.
See Configuring SSO Groups & Roles for Restricted Ticket Access for setup details.
Custom claims (attributes)
Name and value pairs that let you pass any attribute you choose, such as a student's graduation term or campus. Best when you need to target one specific value out of several possibilities, for example to separate commencement attendees by ceremony session.
See Configuring SSO Custom Claims & Flags for Restricted Ticket Access for setup details.
Boolean flags
A simpler, true or false version of a custom claim. Best for a straightforward yes/no condition, such as whether a student belongs to a specific graduating class.
See Configuring SSO Custom Claims & Flags for Restricted Ticket Access for setup details.
Why use a custom claim or flag instead of a group?
Groups and roles work well for broad, stable categories, but they require creating and maintaining a separate group in your identity provider for every variation you want to target. Custom claims and flags remove that overhead. For example, a school running multiple commencement sessions doesn't need a separate group in their IT system for each session time. Instead, they can pass a single attribute (such as GraduationStatus) or flag per student, and Purplepass handles the targeting on its end.
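The matching flow described in this article, sketched as an added Python example (not Purplepass code): it reads a constructed SAML AttributeStatement and compares each claim against hypothetical SSO group definitions, ignoring case. The attribute names (groups, ClassOf2025), the session values, the "true" flag encoding, and the choice to ignore case in claim names as well as values are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement; names and values are illustrative only.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="groups">
    <saml:AttributeValue>FacultyStaff</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="GraduationStatus">
    <saml:AttributeValue>SPRING-AM</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="ClassOf2025">
    <saml:AttributeValue>True</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Hypothetical SSO group definitions: (label, claim name, expected value).
SSO_GROUPS = [
    ("Staff tickets", "groups", "facultystaff"),               # group
    ("Morning ceremony", "GraduationStatus", "Spring-AM"),     # custom claim
    ("Afternoon ceremony", "GraduationStatus", "Spring-PM"),   # custom claim
    ("Class of 2025", "classof2025", "true"),                  # boolean flag
]

def read_claims(xml_text):
    """Return {claim name: set of values}, with names and values case-folded."""
    # A real service provider validates the assertion signature before this
    # step; signature checking is out of scope for this sketch.
    claims = {}
    for attr in ET.fromstring(xml_text).findall("saml:Attribute", NS):
        values = {(v.text or "").strip().casefold()
                  for v in attr.findall("saml:AttributeValue", NS)}
        claims.setdefault(attr.get("Name", "").casefold(), set()).update(values)
    return claims

def matched_sso_groups(xml_text, sso_groups=SSO_GROUPS):
    """Labels of SSO groups whose name/value pair appears in the assertion."""
    claims = read_claims(xml_text)
    # No matching claim means no access: the user sees no restricted tickets.
    return [label for label, name, value in sso_groups
            if value.casefold() in claims.get(name.casefold(), set())]

if __name__ == "__main__":
    print(matched_sso_groups(SAMPLE))
```

One GraduationStatus attribute separates the two ceremony sessions here, with no per-session group defined on the identity provider side.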
Who this applies to
Any client using SAML SSO with Purplepass can take advantage of groups, roles, custom claims, and flags. This is especially useful for universities, community colleges, and other institutional clients that manage user access through an identity provider such as Okta, Azure AD, or Google Workspace.
Related articles
- Configuring SSO Groups & Roles for Restricted Ticket Access
- Configuring SSO Custom Claims & Flags for Restricted Ticket Access