Information for: DEVELOPERS   PARTNERS   SUPPORT

Managing user access for Federated Authentication

Each user must have an Acquia account, even when they have access to a Cloud Platform organization that is integrated with an IdP. Acquia user roles and permissions are managed through the Cloud Platform and not through the IdP. For more information on provisioning users, deprovisioning users, and managing Cloud Platform user permissions, see Managing users, teams, roles, and permissions.

Note

Federated Authentication does not support SCIM, user provisioning, or user management. Federated Authentication neither maps roles nor uses the SAML attributes for user role permissions mapping.

User account provisioning (accounts.acquia.com)

  • When a user signs up for an account, the user must validate the ownership for the email address.
  • When a user is invited to a Cloud Platform organization, the invitation is sent through an email.
  • When a user belongs to a Cloud Platform organization that requires IdP authentication, the user can view the organization but cannot access the organization or any resources that belong to the organization, without authenticating with the IdP. For more information, see Controlling access to Cloud Platform.

User account deprovisioning

  • SSH access is not managed through the IdP. To restrict access after an employee’s departure, change the passwords for the private keys or generate new keys entirely. For more information, see Controlling access to Cloud Platform.
  • When an employee departs, delete such users from the Cloud Platform organization and delete all outstanding invitations.
  • Cloud Platform provides an API endpoint to automate the removal of a user’s membership from a Cloud Platform organization. For more information, see here. For more information, see Best practices for team member departures.