
How do I set up SAML SSO?

The Acquia DAM supports SAML 2.0 to authorize access using the redirect POST binding. You can use any identity provider (IdP) that supports SAML 2.0.

Acquia has specific setup documentation for these IdPs:

This article provides setup instructions for all other SAML 2.0-compliant IdPs.


Enable SAML in the DAM

First, the SAML SSO feature needs to be enabled in the DAM. Admins cannot turn it on themselves, so you need to contact your implementation consultant or customer success manager. To check if it’s already enabled on your site:

1. Log in to the DAM.
2. Go to the Admin app.
3. Select Features.
4. Find SAML Integration under Manage Users in the Features list.


Check admin permissions

Once we have enabled the SAML Integration, a DAM admin may need to give you permission to customize single sign-on. If you are already an admin, here is how to assign the correct permission.

1. In the Admin app, select Permission Settings and Roles.
2. Select Edit Permissions for an admin role.
3. Select the Application Permissions tab.
4. Edit the DAM application.
5. Select Single Sign-On Administrator and Update.


Set up SAML

In the Admin app, select Single Sign-On Settings, then SAML settings. Configure the information in the SP, IdP, and Attributes tabs.

Complete the SP info

Most of the fields in the Service Provider tab are filled in by the system automatically. The Issuer / Entity ID is a unique string that identifies the provider issuing a SAML request. It is sent in AuthnRequests and appears in the SP metadata. You can customize the end of the value, and you can also edit the Name ID Format value.

Here are the formats for those fields:

  • Issuer/Entity ID: https://www.widen.com/saml2/{name}/{unique ID string}
  • Name ID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent


One field must be entered manually: the registration code. Select a SAML-specific registration code and save. If you haven't set one up yet, learn how to create registration codes.


The remaining fields cannot be edited. Some IdPs let you import the SP information directly by using the SP Metadata value. Otherwise, download the XML file of SP information and enter it into the IdP manually.

With DAM SAML SSO, every customer gets: 

  • An SP-initiated URL (to perform AuthnRequests)
  • A logout redirect URL
  • Assertion Consumer Service (ACS) URLs for each hostname

Complete the IdP info

Select the Identity Provider tab. Open your IdP in a new browser tab so you can quickly copy and paste the information from your IdP into these fields.

1. Enter the SSO URL from the IdP in Authorization Endpoint.
2. For the IdP certificate, enter a URL in Metadata Endpoint or upload a file in Certificate Files.
3. Add a Support Email that users can contact if they have trouble authenticating into your system. This email should be internal to your organization.

Review attributes

Select the Attributes tab. The DAM accepts these attributes from the IdP. Email address, first name, and last name must be passed in the SAML assertion for every user who logs in through SSO; the others are optional. You will need to enter those attribute values into your IdP. If the attribute names do not match between the DAM and the IdP, the user's first and last names may come into the DAM as "Unknown Unknown."


Roles attribute
This attribute allows you to assign DAM user roles through SSO. Each time a user is authenticated via SAML SSO, the DAM compares its role names with the role names in the IdP active directory. IdP role names that match are considered valid. If there are no valid roles, the user's DAM role assignments are left as they are. If there is more than one valid role, the user's DAM role assignments are updated to match the IdP roles.

Passcode attribute
This attribute relates to registration codes in the DAM. If you set up this attribute in the IdP to send values that match registration code names, you can segment users into groups by applying a specific registration code automatically.

Custom attribute
You can also create custom attributes for just about any information you want attached to user login. For example, if you create the custom attribute Region, users who sign in via SAML will have a value, such as Northeast, attached to their profile. 


Security and validation

Encryption
To accept only encrypted SAML responses, contact the Customer Support team and they will help you download the encryption certificate with an encoded public key. The encryption certificate is valid for 10 years after download. If needed, the support team can remotely revoke this certificate as an added security measure.

Enable encryption within your IdP and upload the encryption certificate. When you’re ready to require encrypted SAML responses, we will update your DAM configuration. If any SAML responses are not properly encrypted, they will be rejected.

SAML assertion conditions 
If supplied, these conditions will be taken into account when assessing the validity of the SAML assertion.

  • NotBefore: A DateTime that specifies the earliest moment when the SAML assertion is valid.
  • NotOnOrAfter: A DateTime that specifies the moment when the SAML assertion expires.

Replay attack mitigation
To enhance security, we record and store the unique SAML identifier from each response, so that any duplicate SAML response is rejected.
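The attribute mapping, the NotBefore / NotOnOrAfter conditions and the replay check described above, shown as an added example of what a service provider does with an incoming assertion. This is not Acquia DAM code; the attribute names email/firstName/lastName, the sample assertion and the "Unknown" fallback behaviour are assumptions for illustration.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")  # attribute names assumed, not the DAM's exact labels
# Constructed sample assertion for illustration; not captured from a real IdP or DAM.
# lastName is deliberately omitted to show the "Unknown" fallback described above.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(iso):
    """Parse a SAML DateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    return dt.datetime.fromisoformat(iso.replace("Z", "+00:00"))

def validate(xml_text, now_iso, seen_ids):
    """Apply NotBefore / NotOnOrAfter and reject an ID already in seen_ids; returns (accepted, reason)."""
    root = ET.fromstring(xml_text)
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        return False, "replayed assertion ID"
    now = _ts(now_iso)
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            return False, "not yet valid"
        if not_on_or_after and now >= _ts(not_on_or_after):
            return False, "expired"
    seen_ids.add(assertion_id)  # record only assertions that passed every check
    return True, "ok"

def attributes(xml_text):
    """Collect attribute Name -> list of values from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}

def profile(attrs):
    """Map attributes to a DAM-style profile; a missing or misnamed name attribute becomes 'Unknown'."""
    missing = [name for name in REQUIRED if name not in attrs]
    first = attrs.get("firstName", ["Unknown"])[0]
    last = attrs.get("lastName", ["Unknown"])[0]
    return {"email": attrs.get("email", [None])[0], "name": f"{first} {last}", "missing": missing}
```

Running the sample through validate twice with the same seen_ids set shows the second copy rejected as a replay, and profile reports lastName as missing with the name rendered as "Ada Unknown".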


Perform a test

After setup, test the SAML sequence. Create a test user in your IdP and assign them to a group associated with the DAM application. Log out of your administrator account, then log in as the test user in your IdP and perform a SAML login to the DAM. Consult your IdP support documentation for specific instructions. 

You can also test SP-initiated authentication by visiting the SP-initiated URL, found in the Acquia DAM SAML settings SP tab. We recommend testing it in an incognito window. 


Add an SSO button

To add a button for SP-initiated login to your DAM login page, follow the instructions from our SSO setup article.

Perform a test by again logging into your IdP as a test user, going to your DAM login page, and clicking the SSO button. 


Go live

In your IdP, you can start giving users access to log in to Acquia DAM via SSO. Activating SSO will not force existing users to log out, but all new or expired sessions will be authorized through your IdP.

New employees can access the DAM based on their membership in your active IdP directory group. When they’re included in that, new DAM accounts are created with just-in-time provisioning based on the user permissions in that group.

If a user no longer needs SSO access to the DAM, remove their permissions in your active directory.



Update your SAML certificate

DAM admins are able to update the SAML certificate. 

  1. Go to the Admin app
  2. Click Single Sign-On Settings, then SAML settings
  3. On the SAML Administration page, click the Identity Provider (IdP) tab.
  4. In Certificate Files, do one of the following:
    • If you have a certificate from your local machine, upload it.
    • If you are using a new Metadata Endpoint, enter it in and click the Refresh icon next to the Metadata Endpoint field to pull in the new certificate.
    • If you are continuing to use an existing Metadata Endpoint that is already entered in, click the Refresh icon next to the Metadata Endpoint field to pull in the new certificate.
      The new certificate is displayed in the Certificate Files chart.
  5. Click Save.

Note: Previous certificates remain on the chart for historical reference. However, they are no longer usable. DAM uses the latest uploaded certificate.
