
Custom identity provider integration with Cloud Platform

With Enterprise Single Sign-On (SSO), Cloud Platform enables you to register an external identity provider (IdP) for your Cloud Platform organization to ensure members of your organization have authenticated using your organization’s specific security policies. After integrating with a custom IdP, your users will authenticate with both Cloud Platform and your IdP.

Your IdP must support SP-initiated single sign-on (SSO) using the Redirect-POST method: Cloud Platform sends the sign-in request to your IdP as an HTTP redirect (a GET request), and your IdP returns the response to Cloud Platform with a POST request. Cloud Platform doesn’t support IdPs that require the POST-POST method (a POST request in both directions).
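The exchange described above, as an added example that is not part of this page or of Cloud Platform’s own code: the service provider (here Cloud Platform’s role) deflates and base64-encodes a SAML AuthnRequest into the SAMLRequest query parameter of a GET redirect to the IdP’s SSO URL, and the IdP answers with a base64 SAMLResponse form field posted to the ACS Link. The Entity ID, SSO URL and ACS Link values are constructed placeholders, not Acquia endpoints, and the request is left unsigned to keep the binding itself visible.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-ins for the Entity ID, ACS Link and SSO URL that the
# registration steps exchange; hypothetical hosts, not Acquia's real endpoints.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/sso"

def build_authn_request(sp_entity_id, acs_url, request_id, issue_instant):
    """Minimal SP-initiated AuthnRequest (unsigned; illustrates the binding only)."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "ProtocolBinding": POST_BINDING,  # tells the IdP to answer with a POST
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(root, encoding="unicode")

def redirect_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    if urllib.parse.urlsplit(idp_sso_url).scheme != "https":
        raise ValueError("SSO URL must be https: the redirect carries the sign-in request")
    comp = zlib.compressobj(wbits=-15)  # -15 selects raw DEFLATE (no zlib header)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urllib.parse.urlencode(params)

def decode_redirect_request(url):
    """IdP side of the GET: inflate SAMLRequest and read Issuer, ACS URL and binding."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml)
    return {"issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "acs": root.get("AssertionConsumerServiceURL"),
            "binding": root.get("ProtocolBinding")}

def post_response_fields(response_xml):
    """HTTP-POST binding: the form field the IdP's page auto-submits to the ACS Link."""
    return {"SAMLResponse": base64.b64encode(response_xml.encode()).decode()}
```

The IdP locates the service provider by the Issuer value, which is why the Entity ID registered on both sides must match exactly.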

Although users can belong to several organizations (even if one organization manages users through an external IdP and another doesn’t), an application can belong to only a single organization. Users of all applications belonging to an organization that uses an external IdP must first log in with Cloud Platform and then use the IdP for authentication.

Note

Custom identity provider integration is incompatible with the Cloud Platform pipelines feature. For more information, see Known issues in Acquia Cloud.

Eligibility for external identity providers

This feature is available only to organizations containing subscriptions of the following types:

  • Cloud Platform Elite with the Enterprise Single Sign-On (SSO) add-on
  • Subscribers with specific regulatory or compliance requirements

For access to this feature, contact your Account Manager.

Security information for external identity providers

When considering integrating Cloud Platform with an external IdP, be aware of the following security implications:

  • Integrating with a custom IdP affects all subscriptions managed by your organization.
  • Acquia employees can still access your subscription even after you enable this feature.
  • For security reasons, Acquia Support can’t debug SSO issues during phone calls.
  • Deactivating a user in your custom IdP will prevent the user from signing in to Cloud Platform, but won’t deactivate Git or SSH access. To completely remove the user’s access, you must also remove the user from any associated teams manually or by using Cloud Platform API v2. See Best practices for team member departures for more help.

Adding an external identity provider

To add an external IdP to your Cloud Platform organization, complete the following steps:

  1. Sign in to Cloud Platform as the user account owning the organization you want to change, or as a user with the Admin role for that organization.

  2. Click Manage.

  3. Identify the organization you want to change, and then select it.

  4. In the menu to the left, click Security.

  5. Click Register an identity provider.
    Cloud Platform will display the Register an Identity Provider page.

  6. In the Label field, enter a human-readable name for the IdP configuration.

  7. In the Entity ID field, enter the entity ID of your IdP.

  8. In the SSO URL field, enter the SSO URL of your IdP.

  9. In the Public Certificate field, paste the public certificate of your IdP in PEM format.

  10. Click Submit.
    The Cloud Platform user interface will display a summary of your IdP information (as displayed in the following example), but the IdP isn’t yet enabled:

    Identity provider page that shows your identity provider information

  11. Provide the Entity ID, SSO URL, and ACS Link to your IdP.

    Important

    Don’t enable the external IdP in Cloud Platform until you have configured your IdP, or you and all members of your organization may be locked out of the Cloud Platform user interface. If you are locked out, contact Acquia support for help.

  12. Click Enable. Cloud Platform will display a confirmation dialog box.

  13. Select the confirmation check box, and then click Enable.

The Cloud Platform user interface will display a confirmation screen indicating your IdP is now enabled:

Confirmation screen showing that your identity provider is enabled

The next time you refresh the page, the Cloud Platform user interface will redirect you to sign in using your external IdP.