Acquia DAM supports service provider-initiated single sign-on (SSO). When authentication is necessary, the DAM redirects your browser to your Active Directory Federation Services (ADFS) server. The ADFS server authenticates you and instructs your browser to post the authentication result back to the DAM.
Our implementation is tested against the Microsoft Windows ADFS product. Many other providers, including Novell and IBM, have SAML-compliant products.
To add the DAM as a relying party:
ADFS claim rules control which user attributes are returned to the DAM. The instructions below are for a typical ADFS configuration; use them as a starting point if your company's ADFS deployment has been customized. Note that spelling and capitalization within many of the fields are significant.
c:[type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" ] |
Technical detail: The OpaqueIdStore takes three parameters: the mode ("ppid") and two values that are used as a seed for generating a pseudo-random identifier. The result is also mixed with ADFS installation-specific secret entropy. The output is an identifier (GUID) unique to the combination of the Windows account and the DAM, and the GUID is used to associate the Windows user with the DAM account. An example of the GUID is “FphnvXza1nkx//y32E++HZs8Z2HZgxot07i1aJ6KYtI=”.
The image below shows the resulting rule.
| LDAP attribute | Outgoing claim type |
| --- | --- |
| Email Address | Email address |
| Given Name | Given name |
| Surname | Surname |
| Company | http://www.widen.com/saml2/claims/company |
The image below shows the resulting rule.
We accept user authorization roles generated by ADFS. Role names should be sent with the outgoing claim type of role, as a simple list of names. Each time a user is authenticated via ADFS, the DAM performs the following actions:
Supply a fully qualified endpoint URL for your ADFS server to Acquia. The endpoint URL for ADFS is typically https://{sso.example.com}/adfs/ls/.
The ADFS token signing key is used to verify that the SAML result XML originated from your server. Option 1 below is the preferred method.
Supply, or grant access to, the ADFS metadata file located at https://{sso.example.com}/FederationMetadata/2007-06/FederationMetadata.xml.
To copy the ADFS signing public key to a file:
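As an added example (not Acquia's or Microsoft's code), the following Python pulls the pieces both options above need out of a constructed, minimal FederationMetadata.xml: the token-signing certificate (option 1), the same certificate wrapped as PEM for the key file of option 2, and the SSO endpoint to hand over; the host and certificate bodies are placeholders, and the separate encryption certificate is deliberately skipped.

```python
import xml.etree.ElementTree as ET
from textwrap import wrap
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, minimal stand-in for FederationMetadata.xml; host and certificate bodies are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://sso.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-ENCRYPTION-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-SIGNING-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def parse_adfs_metadata(xml_text):
    """Return entityID, token-signing certificate(s) and SSO endpoints keyed by binding name."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: metadata does not describe an identity provider")
    signing = [
        "".join(cert.text.split())  # ADFS wraps the base64 over several lines; drop the line breaks
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"  # a KeyDescriptor without 'use' serves both purposes
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": signing, "sso": sso}

def to_pem(cert_b64):
    """Wrap the bare base64 DER from the metadata as a PEM certificate, the form a key file usually holds."""
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(wrap(cert_b64, 64)) + "\n-----END CERTIFICATE-----\n"

def check_sso_endpoint(location):
    """Checks worth making before handing the endpoint over: HTTPS only and the ADFS /adfs/ls/ path."""
    u = urlparse(location)
    return u.scheme == "https" and u.path.rstrip("/") == "/adfs/ls"
```

Point parse_adfs_metadata at the real file's contents and pin the returned signing certificate(s) rather than trusting whatever the next metadata download contains; a certificate rollover on the ADFS side then shows up as a deliberate change instead of a silent one.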