The Acquia DAM supports SAML 2.0 to authorize access using the redirect POST binding. You can use any identity provider (IdP) that supports SAML 2.0.
Acquia has specific setup documentation for these IdPs:
This article provides setup instructions for all other SAML version 2.0-compliant IdPs.
First, the SAML SSO feature needs to be enabled in the DAM. Admins cannot turn it on themselves, so you need to contact your implementation consultant or customer success manager. To check if it’s already enabled on your site:
1. Log in to the DAM.
2. Go to the Admin app.
3. Select Features.
Once we have enabled the SAML Integration, you may need to be given permission to customize single sign-on by a DAM admin. Or, if you're an admin already, here's how you can assign the correct permissions.
1. In the Admin app, select Permission Settings and Roles.
2. Select Edit Permissions for an admin role.
3. Select the Application Permissions tab.
4. Edit the DAM application.
5. Select Single Sign-On Administrator and Update.
In the Admin app, select Single Sign-On Settings and SAML settings. Now, configure the information for the SP, IdP, and attributes.
Most of the fields in the Service Provider tab are filled in by the system automatically. The Issuer / Entity ID is a unique string that identifies the provider issuing a SAML request. It will display during AuthnRequests and within SP metadata. You can customize the end of the value. You can also edit the Name ID Format value.
Here are the formats for those fields.
|
Issuer/Entity ID |
https://www.widen.com/saml2/{name}/{unique ID string} |
|
Name ID Format |
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |
One field needs to be manually entered: registration code. Select a SAML-specific registration code and save. If you haven’t set one up yet, learn how to create registration codes.
The remaining fields cannot be edited. Some IdPs allow you to export SP information to the IdP using the SP Metadata value. Otherwise, you can download an XML file of SP information and enter it manually into the IdP.
With DAM SAML SSO, every customer gets:
Select the Identify Provider tab. Open your IdP in a new browser tab, so you can quickly copy and paste the info from your IdP into these fields.
1. Enter the SSO URL from the IdP in Authorization Endpoint.
2. For the IdP certificate, enter a URL in Metadata Endpoint or upload a file in Certificate Files.
3. Add a Support Email that users can contact if they have trouble authenticating into your system. This email should be internal to your organization.
Select the Attributes tab. The DAM accepts these attributes from the IdP. Email address, first name, and last name are required to be passed in the SAML assertion for every user that logs in through SSO. The others are optional. You will need to enter those values into your IdP. If the attributes are not matching across both the DAM and IdP, this may result in the user's first and last names coming into the DAM as "Unknown Unknown."
|
Field name |
|
|
Email address |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
|
First name |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
|
Last name |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
|
Title | |
|
Department | |
|
Company | |
|
Phone |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone |
|
Street address |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress |
|
City |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality |
|
State/province |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince |
|
ZIP/postal code |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode |
|
Country |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country |
|
Roles |
http://schemas.microsoft.com/ws/2008/06/identity/claims/role |
|
Passcode |
Roles attribute
This attribute allows you to assign DAM user roles through SSO. Each time a user is authenticated via SAML SSO, the DAM compares its role names with role names in the IdP active directory. IdP role names that match are considered valid. If there are no valid roles, the user’s DAM role assignments are left as is. If there is more than one valid, the user’s DAM role assignments are updated to match the IdP roles.
Passcode attribute
This attribute relates to registration codes in the DAM. If you set up this attribute in the IdP to send values that match registration code names, you can segment users into groups by applying a specific registration code automatically.
Custom attribute
You can also create custom attributes for just about any information you want attached to user login. For example, if you create the custom attribute Region, users who sign in via SAML will have a value, such as Northeast, attached to their profile.
Encryption
To accept only encrypted SAML responses, contact the Customer Support team and they will help you download the encryption certificate with an encoded public key. The encryption certificate is valid for 10 years after download. If needed, the support team can remotely revoke this certificate as an added security reminder.
Enable encryption within your IdP and upload the encryption certificate. When you’re ready to require encrypted SAML responses, we will update your DAM configuration. If any SAML responses are not properly encrypted, they will be rejected.
SAML assertion conditions
If supplied, these conditions will be taken into account when assessing the validity of the SAML assertion.
Replay attack mitigation
To enhance security, we record and store the unique SAML identifier from responses, ensuring that we reject any duplicate SAML requests.
After setup, test the SAML sequence. Create a test user in your IdP and assign them to a group associated with the DAM application. Log out of your administrator account, then log in as the test user in your IdP and perform a SAML login to the DAM. Consult your IdP support documentation for specific instructions.
You can also test SP-initiated authentication by visiting the SP-initiated URL, found in the Acquia DAM SAML settings SP tab. We recommend testing it in an incognito window.
To add a button for SP-initiated login to your DAM login page, follow the instructions from our SSO setup article.
Perform a test by again logging into your IdP as a test user, going to your DAM login page, and clicking the SSO button.
In your IdP, you can start giving users access to log in to Acquia DAM via SSO. Activating SSO will not force a log out of existing users, but will cause all new or expired sessions to authorize through your IdP.
New employees can access the DAM based on their membership in your active IdP directory group. When they’re included in that, new DAM accounts are created with just-in-time provisioning based on the user permissions in that group.
If a user no longer needs access to the DAM SSO, their permissions can be deleted within your active directory.
Update your SAML certificate
DAM admins are able to update the SAML certificate.
Note: Previous certificates remain on the chart for historical reference. However, they are no longer usable. DAM uses the latest uploaded certificate.
If this content did not answer your questions, try searching or contacting our support team for further assistance.
Thu May 15 2025 11:11:18 GMT+0000 (Coordinated Universal Time)