With DAM SAML SSO, every customer gets: 

• A SP-initiated URL (to perform AuthnRequests)
• A logout redirect URL 
• Assertion Consumer Service (ACS) URLs for each hostname

 ¶

Complete the IdP info¶

Select the Identify Provider tab. Open your IdP in a new browser tab, so you can quickly copy and paste the info from your IdP into these fields.  

1. Enter the SSO URL from the IdP in Authorization Endpoint. 
2. For the IdP certificate, enter a URL in Metadata Endpoint or upload a file in Certificate Files.
3. Add a Support Email that users can contact if they have trouble authenticating into your system. This email should be internal to your organization. 
 

Review attributes¶

Select the Attributes tab. The DAM accepts these attributes from the IdP. Email address, first name, and last name are required to be passed in the SAML assertion for every user that logs in through SSO. The others are optional. You will need to enter those values into your IdP. If the attributes are not matching across both the DAM and IdP, this may result in the user's first and last names coming into the DAM as "Unknown Unknown." 

Roles attribute
This attribute allows you to assign DAM user roles through SSO. Each time a user is authenticated via SAML SSO, the DAM compares its role names with role names in the IdP active directory. IdP role names that match are considered valid. If there are no valid roles, the user’s DAM role assignments are left as is. If there is more than one valid, the user’s DAM role assignments are updated to match the IdP roles. 

Passcode attribute
This attribute relates to registration codes in the DAM. If you set up this attribute in the IdP to send values that match registration code names, you can segment users into groups by applying a specific registration code automatically.

Custom attribute
You can also create custom attributes for just about any information you want attached to user login. For example, if you create the custom attribute Region, users who sign in via SAML will have a value, such as Northeast, attached to their profile. 
 

Security and validation¶

Encryption
To accept only encrypted SAML responses, contact the Customer Support team and they will help you download the encryption certificate with an encoded public key. The encryption certificate is valid for 10 years after download. If needed, the support team can remotely revoke this certificate as an added security reminder. 

Enable encryption within your IdP and upload the encryption certificate. When you’re ready to require encrypted SAML responses, we will update your DAM configuration. If any SAML responses are not properly encrypted, they will be rejected.

SAML assertion conditions 
If supplied, these conditions will be taken into account when assessing the validity of the SAML assertion.

• NotBefore: A DateTime that specifies the earliest moment when the SAML assertion is valid.
• NotOnOrAfter: A DateTime that specifies the moment when the SAML assertion expires.

Replay attack mitigation 
To enhance security, we record and store the unique SAML identifier from responses, ensuring that we reject any duplicate SAML requests. 
 

Perform a test¶

After setup, test the SAML sequence. Create a test user in your IdP and assign them to a group associated with the DAM application. Log out of your administrator account, then log in as the test user in your IdP and perform a SAML login to the DAM. Consult your IdP support documentation for specific instructions. 

You can also test SP-initiated authentication by visiting the SP-initiated URL, found in the Acquia DAM SAML settings SP tab. We recommend testing it in an incognito window. 
 

Add an SSO button¶

To add a button for SP-initiated login to your DAM login page, follow the instructions from our SSO setup article. 

Perform a test by again logging into your IdP as a test user, going to your DAM login page, and clicking the SSO button. 

Go live¶

In your IdP, you can start giving users access to log in to Acquia DAM via SSO. Activating SSO will not force a log out of existing users, but will cause all new or expired sessions to authorize through your IdP. 

New employees can access the DAM based on their membership in your active IdP directory group. When they’re included in that, new DAM accounts are created with just-in-time provisioning based on the user permissions in that group.

If a user no longer needs access to the DAM SSO, their permissions can be deleted within your active directory.


Update your SAML certificate

DAM admins are able to update the SAML certificate. 

1. Go to the Admin app. 
2. Click Single Sign-On Settings, then SAML settings. 
3. On the SAML Administration page, click the Identity Provider (IdP) tab.
4. In Certificate Files, do one of the following:
   • If you have a certificate from your local machine, upload it.
   • If you are using a new Metadata Endpoint, enter it in and click the Refresh icon next to the Metadata Endpoint field to pull in the new certificate.
   • If you are continuing to use an existing Metadata Endpoint that is already entered in, click the Refresh icon next to the Metadata Endpoint field to pull in the new certificate.
     The new certificate is displayed in the Certificate Files chart.
5. Click Save.

Note: Previous certificates remain on the chart for historical reference. However, they are no longer usable. DAM uses the latest uploaded certificate.