Federated Authentication is an Acquia Cloud Platform feature that enables you to register and integrate with an external Identity Provider (IdP). Once enabled, your users must authenticate with the IdP to access resources within a Cloud Platform organization. If Federated Authentication is not included in your plan, you can purchase it as an add-on to your Cloud Platform subscription.
Note: Federated Authentication enforces additional authentication, provided by the customer’s IdP, to access protected resources within your Cloud Platform organization. Resources within a Cloud Platform organization include applications and their associated environments, logging, crons, and organization management such as teams and permissions. Federated Authentication uses a Service Provider (SP)-initiated authentication flow. In an SP-initiated flow, your user attempts to access a protected resource, such as an environment, and is redirected to the external IdP to verify their identity. After the IdP verifies the user’s identity, the user is granted access to the requested protected resource.
All Cloud Platform users must have an Acquia account, including the users who will authenticate with an IdP through Federated Authentication. In addition, such users must have an account with their IdP. Acquia accounts belong to users and not the subscription holder because certain users, such as consultants, may work across different subscriptions and have access to multiple Cloud Platform organizations. Users are only required to authenticate with an IdP through Federated Authentication when they are attempting to access resources within a protected Cloud Platform organization.
To integrate with Cloud Platform, your IdP must support SP-initiated SAML using the Redirect-POST method (the HTTP-Redirect binding for the authentication request and the HTTP-POST binding for the response). Cloud Platform redirects sign-in requests to your IdP through a GET request, and your IdP responds with a POST request.
Cloud Platform doesn’t support IdPs that authenticate with a POST-POST method, or IdPs that only support IdP-initiated SAML authentication flows.
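The Redirect-POST exchange described above, worked through on the SP side as an added example (not Acquia's implementation; the endpoint URLs are hypothetical and the IdP response is a constructed, unsigned stand-in). It shows the GET leg encoding the AuthnRequest, the POST leg decoding the response, and why an SP-initiated SP rejects an unsolicited (IdP-initiated) response: the response must carry the ID of a request the SP actually issued.

```python
import base64
import uuid
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical endpoints; a real deployment takes them from exchanged metadata.
SP_ENTITY_ID, SP_ACS_URL = "https://sp.example.test/metadata", "https://sp.example.test/acs"
IDP_SSO_URL = "https://idp.example.test/sso"

def build_redirect(pending: set) -> str:
    """Redirect leg: the SP sends a GET whose SAMLRequest parameter is the AuthnRequest,
    raw-DEFLATEd, base64- and URL-encoded; the request ID is remembered for correlation."""
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="{request_id}" Version="2.0" '
           f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{IDP_SSO_URL}" '
           f'IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="{SP_ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    packed = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    pending.add(request_id)
    return f"{IDP_SSO_URL}?{urlencode({'SAMLRequest': packed})}"

def decode_redirect(url: str) -> ET.Element:
    """What the IdP does on receipt: undo the encoding and parse the AuthnRequest."""
    packed = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return ET.fromstring(zlib.decompress(base64.b64decode(packed), -15))

def constructed_idp_response(in_response_to: str = "") -> dict:
    """Constructed, unsigned stand-in for the IdP's POST body. An empty string mimics an
    unsolicited (IdP-initiated) response that answers no request."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"{attr}><samlp:Status>'
           f'<samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:Response>')
    return {"SAMLResponse": base64.b64encode(xml.encode()).decode()}

def accept_post_response(form: dict, pending: set) -> bool:
    """POST leg: accept a Response only if it answers an outstanding request, then consume
    the ID so the same response cannot be replayed. A real SP also verifies the signature."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    in_response_to = root.get("InResponseTo")
    if (root.tag != f"{{{SAMLP}}}Response" or code is None
            or code.get("Value") != SUCCESS or in_response_to not in pending):
        return False
    pending.discard(in_response_to)  # one-time use
    return True
```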
Federated Authentication does not support SCIM, user provisioning, or user management. It does not map roles and does not use SAML attributes to map user role permissions. Each user must have an Acquia account, even when they have access to a Cloud Platform organization that is integrated with an IdP. Acquia user roles and permissions are managed through the Cloud Platform and not through the IdP. For more information on provisioning users, deprovisioning users, and managing Cloud Platform user permissions, see Managing users, teams, roles, and permissions.
Before integrating a Cloud Platform organization with an IdP, note the following security implications:
When Federated Authentication is enabled, users sign in using their Cloud Platform account credentials on the Acquia Cloud Platform login page. Users are redirected to authenticate with the IdP when attempting to access protected resources. This means that users must log in twice:
1. Sign in to the Acquia Cloud Platform user interface.
2. Navigate to the Cloud Platform organization to access applications and their environments.
3. Authenticate with the IdP (for example, Google).
4. Proceed with access to the Cloud Platform organization and its applications.
401 Unauthorized Access error response.