Information for: DEVELOPERS   PARTNERS   SUPPORT

Federated Authentication

Federated Authentication is an Cloud Platform feature that enables you to register and integrate with an external Identity Provider (IdP). This ensures that your users need to authenticate using the IdP to access resources within a Cloud Platform organization. You can purchase Federated Authentication as an add-on to your Cloud Platform subscription, if it is not included in your plan.

Note

  • Federated Authentication is a feature in Cloud Platform and is different from Site Factory’s Single Sign-On (SSO) offering. For more information on the SSO feature in Site Factory, see Managing Site Factory accounts.
  • Federated Authentication is separate from Acquia’s Single Sign-On (SSO) –Drupal SAML/LDAP configuration Professional Services engagement. For more information on configuring SAML/LDAP with your Drupal sites, see Single Sign-On – Drupal SAML/LDAP Configuration.

How does Federated Authentication work?

Federated Authentication enforces additional authentication, provided by the customer’s IdP, to access protected resources within your Cloud Platform organization. Resources within a Cloud Platform organization include applications and associated environments, logging, crons, and organization management like teams and permissions. Federated Authentication uses a Service Provider (SP)-initiated authentication flow. In an SP-initiated flow, your user attempts to access a protected resource, such as environment, and is redirected to the external IdP to verify the identity. After the IdP verifies the user’s identity, the requested protected resource is provided.

All Cloud Platform users must have an Acquia account, including the users who will authenticate with an IdP through Federated Authentication. In addition, such users must have an account with their IdP. Acquia accounts belong to users and not the subscription holder because certain users, such as consultants, may work across different subscriptions and have access to multiple Cloud Platform organizations. Users are only required to authenticate with an IdP through Federated Authentication when they are attempting to access resources within a protected Cloud Platform organization.

saml_flow

IdP compatibility with Federated Authentication

To integrate with Cloud Platform, your IdP must support SP-initiated SAML using the Redirect-POST method. Cloud Platform redirects sign-in requests to your IdP through a GET request and your IdP responds with a POST request. Cloud Platform doesn’t support the IdPs authenticating with a POST-POST method or the IdPs that only support IdP-initiated SAML authentication flows.

Managing Cloud Platform users

Federated Authentication does not support SCIM, user provisioning, or user management. Federated Authentication does not map roles nor use the SAML attributes for user role permissions mapping. Each user must have an Acquia account, even when they have access to a Cloud Platform organization that is integrated with an IdP. Acquia user roles and permissions are managed through the Cloud Platform and not through the IdP. For more information on provisioning users, deprovisioning users, and managing Cloud Platform user permissions, see Managing users, teams, roles, and permissions.

Security information about Federated Authentication

Before integrating a Cloud Platform organization with an IdP, note the following security implications:

  • Integrating with an IdP affects all users accessing the Cloud Platform organization, including partners or consultants who belong to a different company.
  • Acquia employees can access your subscription even after you enable the Federated Authentication feature.
  • Acquia Support can debug SSO configuration issues using information from the Cloud Platform and HAR files. However, Acquia Support can’t help with issues pertaining to a customer’s IdP.
  • Deactivating a user in your IdP prevents the user from accessing protected resources within the Cloud Platform organization. However, this won’t deactivate Git or SSH access. To completely remove the user’s access, you must remove the user from any associated teams either manually or by using the Cloud Platform API v2. For more information, see Best practices for team member departures.

User experience

When Federated Authentication is enabled, users sign in using their Cloud Platform account credentials on the Cloud Platform login page. Users are redirected to authenticate with the IdP when attempting to access protected resources. This means that users must log in twice:

  • Through the Cloud Platform login page
  • When attempting to access protected resources
  1. Sign in to the Cloud Platform user interface.

    log_in_cp

  2. Navigate to the Cloud Platform organization to access applications and their environments.

    navigate_cp

  3. Authenticate with IdP. For example, Google.

    authenticate_google

  4. Proceed with access to the Cloud Platform Organization and its applications.

    proceed_cp

Additional information

  • When Federated Authentication is enabled, the IdP manages access to restricted resources in the Cloud Platform user interface.
  • All access token sessions are cached for up to five minutes. After the token session expires, Cloud Platform re-authenticates with the IdP again.
    • A user who is authenticated with the IdP is not required to take any action. The redirect occurs silently from Cloud Platform to the IdP and back.
    • You manage session limits through your IdP. Federated Authentication requires a user to re-authenticate if the IdP session limit has expired. For example, you can manage session limits in Okta with an App Sign-on Policy. For more information on session limits with Okta, see Okta documentation.
    • A user who isn’t authenticated with the IdP must authenticate. Upon successful authentication, such a user is redirected to Cloud Platform and can access protected resources.
    • A user who isn’t authenticated with the IdP and can’t authenticate (account is inactivated or credentials are lost) can’t access the protected resources on Cloud Platform and will get a 401 Unauthorized Access error response.