Using single sign-on

Use the following checklist to configure single sign-on (SSO) for your Customer Data Platform (CDP) tenant:

Submitting a Support ticket

  1. Submit a Support ticket as an administrator with access to Acquia Support.

    After receiving the ticket, Acquia provides the following details for your pre-production tenant:

    • TenantId
    • Assertion Consumer Service (ACS)
    • Service Provider (SP) EntityId

    If you do not have access to the pre-production tenant, mention this in your request. If you are not a security gatekeeper for your tenant, a gatekeeper must approve the access request.

Configuring SAML metadata in IdP

Use the information provided by Acquia Support to configure your IdP for SSO with CDP.

  1. In your staging and production environments, configure Acquia metadata with the following information:
    • SAML Assertion Consumer Service (ACS)

      For example, https://cs-auth.agilone.com/sso/tenantId/vega/saml.

    • Service Provider EntityId

      For example, https://cs-vega-green.agilone.com/tenantId.

    • NameID format = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • Application username = Email
    • Assertion encryption = Unencrypted
    • Signed response = true
    • Signing option = Sign SAML response
    • Signing algorithm = SHA-256
  2. Generate the metadata.xml file with the mentioned information.

Sharing the metadata.xml file with Acquia Support

Share the generated metadata.xml with Acquia Support through the Support ticket. The file must include the following:

  • EntityId
  • Login URL
  • X.509 certificate

Acquia Support configures your tenant using the metadata.xml file. When you send the metadata.xml file, provide the names and emails of three user accounts for testing your SSO setup.
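Before attaching the file to the ticket, it helps to confirm that the generated metadata.xml actually carries the three items listed above and the NameID format configured in the previous section. The following checker is an added example, not Acquia's tooling; the IdP entity ID, login URL and certificate value in the embedded sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample IdP metadata; the entityID, Location and certificate
# text are placeholders, not values from any real tenant.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> list[str]:
    """Return the list of missing or wrong items; an empty list means the
    file has the EntityId, login URL, certificate and NameID format CDP needs."""
    problems = []
    root = ET.fromstring(xml_text)
    if not root.get("entityID"):
        problems.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["missing IDPSSODescriptor"]
    # Login URL: at least one SingleSignOnService endpoint with a Location.
    locations = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    if not any(locations):
        problems.append("missing SingleSignOnService Location (login URL)")
    # Signing certificate: a KeyDescriptor carrying a non-empty X509Certificate.
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("missing X509Certificate")
    # NameID format must be the emailAddress format configured for CDP.
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if EMAIL_NAMEID not in formats:
        problems.append("NameIDFormat is not emailAddress")
    return problems
```

Run the check on the real file with `check_idp_metadata(open("metadata.xml").read())`; for metadata received from a party you do not control, parse it with a hardened parser such as defusedxml rather than the standard library one used here.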

Testing the SSO

After Acquia Support sets up SSO for your tenant, test it with the three accounts you provided in the previous step. Each tester covers one scenario. Acquia grants the appropriate access in the staging environment and asks you to set the testers up in your IdP. Together, the testers cover both positive and negative access, so that a user is granted access only when both CDP and the IdP permit it. The scenarios are as follows:

  User     Has Acquia CDP account   Has IdP permission on your end   Expected successful outcome
  User A   Yes                      No                               User cannot access CDP
  User B   Yes                      Yes                              User can access CDP
  User C   No                       Yes                              User cannot access CDP

Adding users to CDP

Administrators must create new user profiles in CDP for any new users before they can log in using the IdP.

Once you test the SSO configuration in pre-production, create user profiles in the production tenant with the appropriate roles for each user.

  • Customers with a single CDP tenant in the production environment must visit the User Permissions page.

  • Customers with multiple CDP tenants on production servers, including UAT tenants, must complete the access requests through Acquia Support. For more information, visit the User management page.

Configuring SSO in your production tenant

After confirming access with the test cases, respond on the same support ticket to request the TenantId, Assertion Consumer Service (ACS), and Service Provider (SP) EntityId for your production tenant. Then, repeat steps 2 through 5.
