Information for: DEVELOPERS   PARTNERS

Acquia SimpleSAMLphp engagement

The goal of the Acquia SimpleSAMLphp add-on engagement is to assist customers in making the correct changes to the SimpleSAMLphp configuration that allow the system to work correctly with Acquia hosting — it is not meant as a replacement for customer involvement in the configuration.

The SimpleSAMLphp engagement offering is limited to ensuring the implementation of a standard configuration that allows Drupal to authenticate against the customer’s Identity Provider (IdP). This process requires that the customer either already have an IdP, or have someone available during the engagement with knowledge of how their IdP is configured.

While the platform supports IdP first-flow or IdP initiated authentication, Acquia has limited visibility into these configurations. This offering assumes SP initiated authentication. With SP initiated, Acquia can more thoroughly test the application from the SP side and view the corresponding logs.

The SimpleSAMLphp offering is not a general single sign-on solution. It does not cover customizing the interaction between Drupal and the IdP or the ability to shape and use the data returned by the IdP other than to the use the simpleSAMLphp Authentication Drupal module to allow Drupal users to be created and authenticated by the IdP.


  • The customer has one or more SAML 2.0 compliant IdPs identified and lined up.
  • The customer is able to identify a primary technical contact at each IdP.
  • The customer will use SimpleSAMLphp for the SP and the simpleSAMLphp Authentication module to integrate with Drupal.

Acquia responsibilities

  • Install and configure SimpleSAMLphp and the simpleSAMLphp Authentication module to communicate with the customer’s chosen IdP.
  • Assist and advise with troubleshooting SimpleSAMLphp to function against customer’s identified IdPs, including coordinating developer and IdP technical resources.
  • Perform the following services for up to three websites (service providers):
    • Each of a customer’s Dev, Stage, and Prod websites counts as a separate site. If the customer wants all three of these to authenticate against their IdP, that would account for the full scope of our work.
    • In a Drupal multisite, individual website domains on Dev, Stage, and Prod environments count as a separate website; for example,,, and are three distinct websites.
    • Coordination will occur with the use of Acquia’s ticketing system.
    • The customer is entitled to as many as three coordination calls per SimpleSAML subscription.
  • Collaborate with the Customer technical resources for the testing of the SimpleSAMLphp configuration.

Customer responsibilities

  • Obtain and install SP metadata at the IdP.
  • Collaborate with Acquia technical resources for the testing of the SimpleSAMLphp configuration.
  • Ensure the availability of technical resources with access to and knowledge of the IdP.
  • Own all custom code and testing of custom workflows beyond what is provided by the simpleSAMLphp Authentication Drupal module and the SimpleSAMLphp library.
  • Own testing and validation of all Drupal configurations and workflows that integrate with simpleSAMLphp Authentication module functionality (including custom role assignments and cookie based redirection).


There is no critical support around the deployment of SimpleSAMLphp configurations to the customer’s production environment. An Acquia engineer will be available to the customer during stated business hours to provide standard support around production deployments.