Single sign-on (SSO) setup consists of several steps. Usually, SSO is set up during Acquia DAM implementation.
Step 1: Check whether SSO is turned on for your site. In the Admin app, select Global Settings, then Features, and find Manage Users in the features list.
Step 2: If SSO isn't turned on, decide on the type of SSO that will work best for your site: SAML SSO or simple one-way SSO. Contact your implementation consultant or customer success manager to get SSO turned on. Admins are not able to turn it on themselves.
Step 3: View our configuration documentation and share it with your developers or IT personnel. It's technical in nature and will walk them through any work that needs to be done to set up SSO.
Step 4: Consider how you want to manage users through SSO, and whether they'll initiate the process by clicking a service provider-initiated login button on the DAM login page. If you decide on the button, contact Acquia DAM Support to add it as a login option.
The default text for SSO on the login page is:
First header: [Your organization name] users
Subtitle: Access DAM using single sign-on
Button: SSO Sign In
Second header: External users
DAM admins can customize the default text by submitting change requests to their account rep or implementation consultant. Production releases, including updates to the login page, happen once every two weeks.
Step 5: SSO is now in place, so you can start training users on how to use SSO. Here's how SP-initiated login works in detail:
- The user clicks the SSO login button, which performs a 302 redirect to the identity provider to authenticate. The user will either have an existing browser session with the identity provider or create a new one by logging in to the identity provider.
- The identity provider then builds the SAML response in the form of an XML document that contains the user's email address or username along with other supported attributes. This SAML response is signed using an X.509 certificate, and the response is then posted back to the DAM.
- The DAM verifies the signature on the response using the identity provider's public certificate that you've uploaded to the site.
- The DAM verifies the identity of the user and either creates the user account using just-in-time provisioning or logs the existing user in to the DAM.
IdP-initiated logins are similar, except that the user starts by clicking a DAM link within your portal or intranet.
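The checks the DAM, as the service provider, must apply to the posted SAML response before trusting the asserted email or username (expected issuer, destination, signature presence, validity window, audience), as an added example that is not Acquia DAM's own code. The hostnames, the abridged response and the placeholder signature value are constructed; the cryptographic XML-DSig check against the uploaded IdP certificate needs a library such as xmlsec or signxml and is passed in here as a verdict rather than computed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SAML response: hypothetical hostnames, placeholder signature value.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://dam.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://dam.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, expected_issuer, expected_audience, acs_url, now, signature_ok):
    """Service-provider checks before the asserted identity is trusted. `now` is an ISO 8601
    UTC string; `signature_ok` is the verdict of an XML-DSig check (xmlsec/signxml) against
    the IdP certificate uploaded to the DAM. Returns (accepted, reason, name_id)."""
    root = ET.fromstring(xml_text)  # production code: parse with defusedxml to block XXE
    if root.get("Destination") != acs_url:
        return False, "destination mismatch", None
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        return False, "assertion not signed", None
    if not signature_ok:
        return False, "signature invalid", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window", None
    if expected_audience not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        return False, "audience mismatch", None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing NameID", None
    return True, "ok", name_id  # only now may JIT provisioning or login proceed
```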