Setting up Federated Authentication

To add an IdP to your Cloud Platform organization:

  1. Confirm that Federated Authentication is available to your Cloud Platform organization.

  2. Submit information from your IdP.

  3. Register your Cloud Platform organization with your IdP.

  4. Enable Federated Authentication.

  5. Implement the workaround for using Federated Authentication with Acquia CLI.

Note

  • The setup process requires you to register the Cloud Platform organization with your IdP.

  • The Cloud Platform’s SAML integration may be different from others that you have managed because it is an SP-initiated flow. For more information on the SP-initiated flow, see How does Federated Authentication work?.

  • The labels that Acquia uses for SAML concepts in the following instructions may differ from the labels that your IdP uses for the same concepts; IdPs name these items differently.

Part 1: Confirm that Federated Authentication is available to your Cloud Platform organization

  1. Confirm with your Account Manager that Acquia has enabled Federated Authentication for the Cloud Platform organization that you want to protect.

  2. Sign in to the Cloud Platform user interface with the user account that owns the organization or as a user with the Admin role for that organization.

  3. Select Manage.

  4. Select the organization you want to change.

  5. In the left navigation pane, select Security.

  6. Verify that the Register an IDP option is displayed. The system displays this option only if Federated Authentication is enabled for your account. If you do not see the Register an IDP option, contact your Account Manager.

Note

For IDP-specific instructions, see:

Part 2: Submit information from your IdP

  1. After you complete the earlier steps, click Register an Identity Provider and specify the following information:

  2. In Label, specify a human-readable name for the IdP configuration.

  3. In Entity ID, specify the entity ID that you obtain from your IdP.

    Note

    If you integrate multiple Cloud Platform organizations with your IdP, you must have a unique entity ID for each organization. Therefore, you might need to set up a new application within your IdP where each application has a unique entity ID.

  4. In SSO URL, specify the URL that you obtain from your IdP. Every IdP structures its SSO URL differently. Ensure that this URL uses the SP-initiated SSO method.

  5. In Public Certificate, paste your IdP's signing certificate (its public certificate) in PEM format, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Cloud Platform uses this certificate to verify the signatures on the responses and assertions that your IdP sends.

  6. Select Submit.

Note

Some IdPs require an ACS link before they provide the entity ID or SSO URL, while Cloud Platform generates the ACS link only after all the listed values are specified. To break this dependency, enter dummy values for the information that your IdP has not yet provided; Cloud Platform generates the ACS link regardless. Before enabling Federated Authentication, replace the dummy values with the correct ones once they are available.

Part 3: Register your Cloud Platform organization with your IdP

After you complete these steps, the Cloud Platform user interface displays a summary of the information that you must provide to your IdP. Do not forget to update any dummy values you provided while specifying IdP details in Cloud Platform. To update these values, select Edit.

  1. To register with your IdP, provide the Cloud Platform entity ID and the Cloud Platform ACS link (the URL to which your IdP must POST its SAML responses).

    Cloud Platform uses the information provided in Part 2 to generate an ACS link specific to your IdP.

  2. If you specified dummy values in Entity ID or SSO URL in the previous section, update these fields with the values provided by the IdP.

  3. Ensure that your IdP is configured with the following:

    • Both the response from your IdP and the assertion within the response must be signed. If either signature is missing, validation fails. Your IdP must place a `<ds:Signature>` element as a direct child of `<saml:Assertion>`, in addition to the signature on `<samlp:Response>`.

    • Ensure that your IdP returns the RelayState value that Cloud Platform includes in its SP-initiated authentication request, unchanged, in its POST to the ACS link.

Important

Do not enable the external IdP in Cloud Platform until you register your Cloud Platform organization with your IdP and update any dummy values used in this section. If the configuration is incorrect, you and all members of your organization may be locked out of the Cloud Platform user interface. If you are locked out, create a Support ticket.

Part 4: Enable Federated Authentication

  1. After completing these steps, select Enable.

    Cloud Platform displays a confirmation dialog box.

  2. Select the confirmation checkbox and select Enable.

    The Cloud Platform user interface displays a confirmation window indicating that your IdP is enabled.

    After Federated Authentication is enabled, you and your users must authenticate with your external IdP when you access the Cloud Platform organization.