Information for: DEVELOPERS   PARTNERS

Custom identity provider integration with Acquia Cloud

With Enterprise Single Sign-On (SSO), Acquia Cloud enables you to register an external identity provider (IdP) for your Acquia Cloud organization to ensure members of your organization have authenticated using your organization’s specific security policies. After integrating with a custom IdP, your users will authenticate with both Acquia Cloud and your IdP.

Your IdP must support SP-initiated single sign-on (SSO) using the Redirect-POST method. Acquia Cloud redirects sign-in requests to your IdP through a GET request, and your IdP responds with a POST request. Acquia Cloud doesn’t support IdPs authenticating with a POST-POST method.

Although users can belong to several organizations (even if one organization manages users through an external IdP and one doesn’t), an application can belong to only a single organization. All applications belonging to an organization using an external IdP must first login with Acquia Cloud and then use the IdP for authentication.

Note

Custom identity provider integration is incompatible with the Acquia Cloud pipelines feature. For more information, see Known issues in Acquia Cloud.

Eligibility for external identity providers

This feature is available only to organizations containing subscriptions of the following types:

  • Acquia Cloud Elite with the Enterprise Single Sign-On (SSO) add-on
  • Subscribers with specific regulatory or compliance requirements

For access to this feature, contact your Account Manager.

Security information for external identity providers

When considering integrating Acquia Cloud with an external IdP, be aware of the following security implications:

  • Integrating with a custom IdP affects all subscriptions managed by your organization.
  • Acquia employees can still access your subscription even after you enable this feature.
  • For security reasons, Acquia Support can’t debug SSO issues during phone calls.
  • Deactivating a user in your custom IdP will prevent the user from signing in to Acquia Cloud, but won’t deactivate Git or SSH access. To completely remove the user’s access, you must also remove the user from any associated teams manually or by using Acquia Cloud API v2. See Best practices for team member departures for more help.

Adding an external identity provider

To add an external IdP to your Acquia Cloud organization, complete the following steps:

  1. Sign in to Acquia Cloud as the user account owning the organization you want to change, or as a user with the Admin role for that organization.

  2. Click Manage.

  3. Identify the organization you want to change, and then select it.

  4. In the menu to the left, click Security.

  5. Click Register an identity provider.
    Acquia Cloud will display the Register an Identity Provider page.

  6. In the Label field, enter a human-readable name for the IdP configuration.

  7. In the Entity ID field, enter the entity ID of your IdP.

  8. In the SSO URL field, enter the SSO URL of your IdP.

  9. In the Public Certificate field, paste the public certificate of your IdP in PEM format.

  10. Click Submit.
    The Acquia Cloud user interface will display a summary of your IdP information (as displayed in the following example), but the IdP isn’t yet enabled:

    Identity provider page that shows your identity provider information

  11. Provide the Entity ID, SSO URL, and ACS Link to your IdP.

    Important

    Don’t enable the external IdP in Acquia Cloud until you have configured your IdP, or you and all members of your organization may be locked out of the Acquia Cloud user interface. If you are locked out, contact Acquia support for help.

  12. Click Enable. Acquia Cloud will display a confirmation dialog box.

  13. Select the confirmation check box, and then click Enable.

The Acquia Cloud user interface will display a confirmation screen indicating your IdP is now enabled:

Confirmation screen showing that your identity provider is enabled

The next time you refresh the page, the Acquia Cloud user interface will redirect you to sign in using your external IdP.