Use the following checklist to configure single sign-on (SSO) for your Customer Data Platform (CDP) tenant:
Submitting a Support ticket
Submit a Support ticket as an administrator with access to Acquia Support.
After receiving the ticket, Acquia provides the following details for your pre-production tenant:
- TenantId
- Assertion Consumer Service (ACS)
- Service Provider (SP) EntityId
If you do not have access to the pre-production tenant, mention this in your request. If you are not a security gatekeeper for your tenant, a gatekeeper must approve the access request.
Use the information provided by Acquia Support to configure your IdP for SSO with CDP.
- In your staging and production environments, configure Acquia metadata with the following information:
  - SAML Assertion Consumer Service (ACS) (for example, https://cs-auth.agilone.com/sso/tenantId/vega/saml)
  - Service Provider EntityId (for example, https://cs-vega-green.agilone.com/tenantId)
- NameId-format = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Application username = Email
- Assertion encryption = Unencrypted
- Signed response = true
- Signing option = Sign SAML response
- Signing algorithm = SHA 256
- Generate the metadata.xml file with the mentioned information.
Share the generated metadata.xml with Acquia Support through the Support ticket. The file must include the following:
- EntityId
- Login URL
- x509 certificate
Acquia Support configures your tenant using the metadata.xml file. When you send the metadata.xml file, provide the names and emails of three user accounts for testing your SSO setup.
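Before attaching the metadata.xml to the ticket, it is worth confirming that it actually carries the three items listed above, plus the emailAddress NameID format required earlier in the checklist. The following script is an added example and is not Acquia's code or part of the CDP product: it parses a constructed, illustrative IdP metadata document (placeholder hostname idp.example.test and a placeholder certificate body, not a real certificate) and reports which required elements are present.

```python
"""Added example (not Acquia's code): sanity-check an IdP metadata.xml before
sharing it in the Support ticket. It verifies the three items the checklist
requires (EntityId, login URL, X.509 certificate) plus the emailAddress
NameID format. The sample metadata below is constructed for illustration;
the certificate body is a placeholder, not a real certificate."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample IdP metadata (placeholder hostname and certificate).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVIgQ0VSVCBCT0RZ</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Return a dict of findings; every value must be truthy for the file to be
    ready to share. Keys: entity_id, login_url, certificate, nameid_format."""
    root = ET.fromstring(xml_text)
    findings = {"entity_id": None, "login_url": None, "certificate": False,
                "nameid_format": False}

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return findings  # not SAML metadata at all
    findings["entity_id"] = root.get("entityID") or None

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return findings

    # Login URL: the HTTP-Redirect (or HTTP-POST) SingleSignOnService endpoint.
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding", "").endswith(("HTTP-Redirect", "HTTP-POST")):
            findings["login_url"] = sso.get("Location")
            break

    # Signing certificate: must be present and base64-decodable.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            try:
                base64.b64decode("".join(cert.text.split()), validate=True)
                findings["certificate"] = True
            except ValueError:
                pass  # malformed certificate body counts as missing

    # NameID format must be exactly the emailAddress URN from the checklist.
    findings["nameid_format"] = any(
        (nf.text or "").strip() == REQUIRED_NAMEID
        for nf in idp.findall("md:NameIDFormat", NS)
    )
    return findings


def is_ready_to_share(xml_text: str) -> bool:
    """True only when every checklist item is satisfied."""
    return all(check_idp_metadata(xml_text).values())


if __name__ == "__main__":
    for key, value in check_idp_metadata(SAMPLE_METADATA).items():
        detail = value if isinstance(value, str) else ""
        print(f"{key:14} {'OK' if value else 'MISSING'}  {detail}")
```

Run it against your real export by reading the file into `check_idp_metadata`; a `MISSING` line means the IdP export needs to be regenerated before it goes to Acquia Support. The check is deliberately limited to presence of the elements the checklist names; it does not validate the certificate chain or the signing algorithm, which are confirmed during the testing step.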
Testing the SSO
After Acquia Support sets up SSO for your tenant, test it with the three accounts you provided in the previous step. Each tester covers one scenario. Acquia sets the appropriate access in the staging environment and asks you to set the testers up in your IdP. The testers cover both positive and negative access. The scenarios are:

| User | Has Acquia CDP account | Has IdP permission on your end | Expected successful outcome |
|------|------------------------|--------------------------------|-----------------------------|
| User A | Yes | No | User cannot access CDP |
| User B | Yes | Yes | User can access CDP |
| User C | No | Yes | User cannot access CDP |
Adding users to CDP
Administrators must create new user profiles in CDP for any new users before they can log in using the IdP.
Once you test the SSO configuration in pre-production, create user profiles in the production tenant with the appropriate roles for each user.
Customers with a single CDP tenant in the production environment must visit the User Permissions page.
Customers with multiple CDP tenants on production servers, including UAT tenants, must complete the access requests through Acquia Support. For more information, visit the User management page.
Configuring SSO in your production tenant
After confirming access with the test cases, respond on the same support ticket to request the TenantId, Assertion Consumer Service (ACS), and Service Provider (SP) EntityId for your production tenant. Then, repeat steps 2 through 5.