Use the following checklist to configure single sign-on (SSO) for your Customer Data Platform (CDP) tenant:
Acquia recommends you to first test SSO in your pre-production environment.
| S. No. | Task |
|---|---|
| 1 | Submit a Support ticket |
| 2 | Configure SAML metadata in IdP |
| 3 | Share the metadata.xml file with Acquia Support |
| 4 | Test the SSO |
| 5 | Add users to CDP |
Submit a Support ticket as an administrator with access to Acquia Support.
After receiving the ticket, Acquia provides the following details for your pre-production tenant:
If you do not have access to the pre-production tenant, mention this in your request. If you are not a security gatekeeper for your tenant, a gatekeeper must approve the access request.
Use the information provided by Acquia Support to configure your IdP for SSO with CDP.
SAML Assertion Consumer Service (ACS)
For example, https://cs-auth.agilone.com/sso/tenantId/vega/saml.
Service Provider EntityId
For example, https://cs-vega-green.agilone.com/tenantId.
Share the generated metadata.xml with Acquia Support through the Support ticket. The file must include the following:
Acquia Support configures your tenant using the metadata.xml file. When you send the metadata.xml file, provide the names and emails of three user accounts for testing your SSO setup.
You must send a new metadata.xml file to Acquia before your x509 certificate expires. Ensure that your organization is aware and knows how to regenerate the file before it expires. CDP cannot refresh the x509 certificate.
After Acquia Support sets up SSO for your tenant, test it with the three accounts you provided in the previous step. Each tester can test one scenario. Acquia sets the appropriate access in the staging environment and asks you to set the testers up in your IDP. The testers can test positive and negative access. The following are the scenarios:
| User | Has Acquia CDP account | Has IDP permission on your end | Expected successful outcome |
| User A | Yes | No | User cannot access CDP |
| User B | Yes | Yes | User can access CDP |
| User C | No | Yes | User cannot access CDP |
Skip this step, if you are configuring SSO after users already exist in your CDP tenant.
Administrators must create new user profiles in CDP for any new users before they can log in using the IdP.
Once you test the SSO configuration in pre-production, create user profiles in the production tenant with the appropriate roles for each user.
Customers with a single CDP tenant in the production environment must visit the User Permissions page.
Customers with multiple CDP tenants on production servers, including UAT tenants, must complete the access requests through Acquia Support. For more information, visit the User management page.
The standard SSO configuration is a single domain authentication credential specific to your organization. If users have an email with a domain different from your company's domain, you must implement Federated Identity Management in your IdP before activating SSO for your tenants. Otherwise, those users cannot log in to CDP when SSO is set up. This may include internal employees with a different domain, partners, and third-party vendors.
After confirming access with the test cases, respond on the same support ticket to request the TenantId, Assertion Consumer Service (ACS), and Service Provider (SP) EntityId for your production tenant. Then, repeat steps 2 through 5.
If this content did not answer your questions, try searching or contacting our support team for further assistance.
Tue Jul 29 2025 22:05:27 GMT+0000 (Coordinated Universal Time)