Our SAML SSO integration uses a self-setup model that allows you to set up, manage, and edit your SAML integration in the Acquia DAM.
Before you can configure SAML settings and set up SAML SSO with Azure Active Directory, the SAML Integration feature must be enabled in Acquia DAM. See our general SAML setup instructions for how to enable the feature.
Once the SAML feature is enabled, use the instructions below to integrate Azure Active Directory (AD).
Add Acquia DAM as a new enterprise application in Azure AD
- Log in to your Azure AD account.
- Click Enterprise applications under the Manage panel.
- Click New application.
- Click Create your own application.
- Enter a name for the application, such as Acquia DAM.
- Set the “What are you looking to do with your application?” field to “Integrate any other application you don't find in the gallery (Non-gallery).”
- Click Create.
- On the new application page, go to Single sign-on under the Manage panel.
- Select SAML as the single sign-on method to provision.
- You should now see five sections to complete for the SAML SSO process.
Find SAML settings in Acquia DAM
- Log in to your Acquia DAM.
- Go to the Admin app, expand Single Sign-On Settings, and click on SAML settings.
- You will need the information on the Service Provider (SP) tab for the next steps.
Service Provider info
The Issuer / Entity ID is a unique string that identifies the provider issuing a SAML request. It appears in AuthnRequests and in the SP metadata. You can customize the end of the value. You can also edit the Name ID Format value. For the Registration code field, select a SAML-specific registration code and save. If you haven’t set one up yet, learn how to create registration codes, then contact your account rep or DAM Customer Support to lock your code as SSO-only.
The remaining fields cannot be edited.
You can export all of the information from the SP tab into a single file that you can upload into Azure. To do this, select Download under SP Metadata from the SP tab, then navigate back to Azure. Click Upload metadata file and select the file from your computer.
You can also manually enter the SP information into Azure instead. In Azure, edit section one, Basic SAML Configuration, using the corresponding information in the SP tab of the Acquia DAM.
- Identifier (Entity ID): The ID can be found on the SP tab under Issuer/Entity ID.
- Reply URL (Assertion Consumer Service URL): The URL can be found on the SP tab under Assertion Consumer Service URLs. If you have multiple URLs listed because you have a vanity URL, you may add both into Azure but mark the vanity URL as the default.
- Sign on URL: The URL can be found on the SP tab under SP-Initiated URL.
- Optionally, you may add the Logout URL: The URL can be found on the SP tab under Logout Redirect URL.
Attributes
In section two, Attributes & Claims, under Required claim, configure the Unique User Identifier (Name ID) to match the format of the Name ID Format found on the Acquia DAM SP tab. By default, email, first name, and last name attributes are required by the Acquia DAM. Add each of those attributes into Azure, then select its respective value in the corresponding dropdown. The attribute names you create must match the names in the Attributes tab in the Acquia DAM SAML settings.
Certificates
In section three, SAML Certificates, download the Certificate (Base64) file. Go to the Identity Provider (IdP) tab in the Acquia DAM SAML settings. In the Certificate Files section, upload the Certificate (Base64) file.
Identity Provider info
In section four, Set up Acquia DAM test, copy the Login URL. Navigate to the Identity Provider (IdP) tab in the Acquia DAM SAML settings. Paste the URL in the Authorization Endpoint field. In the Support Email field, enter an email address users can contact if they have issues authenticating into the system. Click Save.
In section five, Test single sign-on, test that SAML SSO is working by logging in through IdP-initiated authentication. To do this, click Test and sign in using an Azure user account that has access to the Acquia DAM enterprise application. You can also test SP-initiated authentication by visiting the SP-initiated URL, found in the Acquia DAM SAML settings SP tab. We recommend testing it in an incognito window.
Finally, to add a button for SP-initiated login to your DAM login page, follow the instructions from our SSO setup article.
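When the test in section five fails, the usual cause is a mismatch between what Azure sends and the values on the SP tab (Entity ID, Assertion Consumer Service URL, Name ID Format, required attributes). The script below is an added example, not Acquia or Microsoft code, that checks a captured SAML response against those settings; the SP values and the response are constructed placeholders, and the uploaded IdP certificate must still be used by the DAM to verify the signature, which this script only checks for presence.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values as read from the Acquia DAM SP tab (constructed placeholders, not a real tenant)
SP = {"entity_id": "https://dam.example.com/saml/sp",
      "acs_url": "https://dam.example.com/saml/acs",
      "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      "required_attrs": {"email", "firstName", "lastName"}}

def parse_ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, sp, now):
    """Return the mismatches between an IdP response and the SP settings (empty = consistent)."""
    problems, root = [], ET.fromstring(xml_text)
    if root.get("Destination") != sp["acs_url"]:
        problems.append("Destination does not match the Assertion Consumer Service URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion element"]
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("unsigned: nothing for the uploaded IdP certificate to verify")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp["entity_id"]:
        problems.append("Audience does not match the Issuer / Entity ID")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != sp["name_id_format"]:
        problems.append("NameID Format does not match the SP Name ID Format")
    cond = a.find("saml:Conditions", NS)
    if cond is not None and not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its validity window")
    present = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if sp["required_attrs"] - present:
        problems.append("missing required attributes: " + ", ".join(sorted(sp["required_attrs"] - present)))
    return problems

# Constructed sample response; a real one carries a full XML signature and attribute values
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://dam.example.com/saml/acs"><saml:Assertion><ds:Signature/><saml:Subject>
 <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
 </saml:Subject><saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
 <saml:AudienceRestriction><saml:Audience>https://dam.example.com/saml/sp</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions><saml:AttributeStatement><saml:Attribute Name="email"/><saml:Attribute Name="firstName"/>
 <saml:Attribute Name="lastName"/></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)  # inside the sample's validity window

def demo():
    # The sample as-is, then the same response with a foreign Audience and the lastName claim dropped
    tampered = SAMPLE_RESPONSE.replace("saml/sp<", "saml/other<").replace('<saml:Attribute Name="lastName"/>', "")
    return check_response(SAMPLE_RESPONSE, SP, NOW), check_response(tampered, SP, NOW)
```

To check a real login, paste the base64-decoded SAML response from the browser's SAML trace into SAMPLE_RESPONSE and the SP tab values into SP.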