
Integrating Acquia DAM Classic with SAML

SAML integration with Acquia DAM Classic is an add-on feature. Contact your Account Manager to add this feature to your subscription.

By integrating with your company’s identity provider (IdP), your users can sign in to Acquia DAM Classic using the same credentials they use elsewhere.

The Security Assertion Markup Language (SAML) integration with Acquia DAM Classic should be handled by your company's SAML administrator. The SAML administrator will need an Acquia DAM Classic account with admin privileges.

Acquia recommends setting up SAML sign-ins during the initial onboarding process. Customers that enable SAML sign-ins after user accounts already exist risk creating duplicate accounts, because Acquia DAM Classic matches an incoming SAML user to an existing account by username only. To avoid duplicating existing users, ensure that the Username attribute returned by your identity provider is identical to the user's current username in Acquia DAM Classic. When the username attribute does not match any existing Acquia DAM Classic user, a new Acquia DAM Classic user account is created.


Configuring SAML sign-ins

To configure single sign-on for your Acquia DAM Classic with SAML, perform the following steps:

  1. Sign in to Acquia DAM Classic as an admin.

  2. Click Settings, and then click System Preferences.

  3. In the left navigation menu, click SAML Settings.

  4. Download Acquia DAM Classic’s service provider metadata XML file by clicking the Download link in the SAML 2.0 Metadata XML file pane.

  5. Add Acquia DAM Classic’s service provider metadata XML file into your company’s identity provider (IdP).

  6. If you are using Microsoft ADFS (Active Directory Federation Services), complete the following steps:

    1. Under Relying Party Trusts, create a claim rule based on the Transform an incoming claim template with the following settings:

       Option                          Value
       Incoming claim type             Windows Account Name
       Outgoing claim type             Name ID
       Outgoing name ID format         Transient Identifier
       Pass through all claim values   Enabled

    2. Create a second claim rule based on Send LDAP attributes as Claims template, and select Active Directory as Attribute store. Configure claim rules to send the following attributes to Acquia DAM Classic: username, email, first name, and last name. For example:

      • SAM-Account-Name - Name

      • Given Name - Given Name

      • Surname - Surname

      • Email-Addresses - Email Address

      Note

      In this second rule, do not map any LDAP attribute to Name ID as the Outgoing Claim Type; Name ID is already produced by the first rule. If you also want to send User-Principal-Name, use UPN as its Outgoing Claim Type instead.

    3. Export your SAML 2.0 Metadata XML from your IdP system using the mechanism it provides for this.

    4. Import the XML file by clicking the Select file link in the Upload Identity Provider’s SAML 2.0 Metadata XML file panel and choosing the correct XML file on your computer.

  7. Acquia DAM Classic requires the following attributes from the IdP:

    • Username

    • First Name

    • Last Name

    • Email

Configure the attributes returned by the IdP to properly map to Acquia DAM Classic’s defined fields in the Custom Attribute Field Mappings panel.

The Last parsed attribute fields pane displays the attribute information returned by the IdP from the last sign in. Use this panel to help properly map the IdP attributes to the Acquia DAM Classic field names.

Note

This pane will be empty until the SAML sign in is performed. See Testing SAML sign-ins in the following section. If the panel remains empty after SAML sign in, your identity provider may not be properly configured to return attributes to Acquia DAM Classic.

Testing SAML sign-ins

Complete the following steps to verify that SAML sign-ins are working properly for your Acquia DAM Classic instance:

  1. Use the following URL to test your SAML sign in, replacing company.exampledam.com with your Acquia DAM Classic domain: http://company.exampledam.com/saml.php. The browser will redirect to your company’s identity provider (IdP).

  2. Enter SAML credentials for the account you want to test with. You should be redirected back to Acquia DAM Classic as an authenticated user.

    Note

    Receiving the registration successful notification indicates that SAML authentication succeeded, but the new user account created in Acquia DAM Classic has been set to inactive. To allow new users to sign in automatically, sign in to Acquia DAM Classic as an admin, navigate to Settings > System Preferences, and uncheck New users must be approved after registering. Be aware that with this setting unchecked, every user your IdP is willing to authenticate for this trust receives an active Acquia DAM Classic account without review, so restrict access on the IdP side (for example, by limiting the relying party trust to a group) if not everyone in the directory should have access.

  3. In the upper right corner of the page, click the username, and then click Logout.

  4. Sign in to Acquia DAM Classic as an admin.

  5. Click Settings, and then click System Preferences.

  6. In the left navigation menu, click Users.

  7. Verify the account you used to sign in exists.

If the user account is not created, check the Last parsed attribute fields pane under SAML Settings: if it is empty, the IdP is not returning attributes; if it lists attributes under different names than you expected, correct the Custom Attribute Field Mappings so that Username, First Name, Last Name and Email each map to an attribute the IdP actually sends.
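When the Last parsed attribute fields pane stays empty after a test sign-in, the quickest way to see what the IdP actually sent is to decode the SAMLResponse form field that the browser posts back to Acquia DAM Classic (visible in the browser's developer tools on the redirect from the IdP). The following script is an added example, not part of Acquia's documentation; it decodes such a response and reports the Name ID, its format, whether the assertion carries an XML signature, and every attribute name with its values, then checks that the four attribute types the ADFS rules above emit are present. The embedded response is constructed for the example (unsigned, with placeholder issuer, recipient and user values) and is base64-encoded in the script only to stand in for a captured field.

```powershell
# Added example (not Acquia's code): inspect a captured SAMLResponse to see which
# attributes the IdP returned, mirroring what the Last parsed attribute fields pane shows.
function Get-SamlResponseSummary {
    param([Parameter(Mandatory)][string]$SamlResponseBase64)

    $xmlText = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $xml = [xml]$xmlText
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $status = $xml.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode', $ns)
    $nameId = $xml.SelectSingleNode('/samlp:Response/saml:Assertion/saml:Subject/saml:NameID', $ns)

    # Collect every Attribute as name -> list of values.
    $attrs = [ordered]@{}
    foreach ($a in $xml.SelectNodes('/samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute', $ns)) {
        $attrs[$a.GetAttribute('Name')] = @($a.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }

    [pscustomobject]@{
        StatusCode   = if ($status) { $status.GetAttribute('Value') } else { $null }
        NameId       = if ($nameId) { $nameId.InnerText } else { $null }
        NameIdFormat = if ($nameId) { $nameId.GetAttribute('Format') } else { $null }
        # Absence of a signature means the DAM cannot trust the assertion; a real IdP signs it.
        Signed       = ($null -ne $xml.SelectSingleNode('//ds:Signature', $ns))
        Attributes   = $attrs
    }
}

# The attribute types the ADFS "Send LDAP Attributes as Claims" rule emits; map these
# to Username, First Name, Last Name and Email in Custom Attribute Field Mappings.
$required = @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
)

# Constructed sample response (unsigned placeholder, not a real capture).
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://company.exampledam.com/saml.php">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx7f3a</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
$captured = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml))

$summary = Get-SamlResponseSummary -SamlResponseBase64 $captured
$summary | Format-List StatusCode, NameId, NameIdFormat, Signed
$summary.Attributes.GetEnumerator() | ForEach-Object { "{0} = {1}" -f $_.Key, ($_.Value -join ', ') }

# Report which required attributes the IdP did not send (the sample omits emailaddress).
$missing = $required | Where-Object { -not $summary.Attributes.Contains($_) }
if ($missing) { "Missing attributes:`n  " + ($missing -join "`n  ") } else { 'All required attributes present.' }
```

Run against the sample, the script reports a transient Name ID, Signed = False, three attributes, and the email address claim as missing; against a real capture from your IdP, an empty attribute list or a missing claim type points at the claim rules rather than at the Acquia DAM Classic mappings.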

Enabling SAML sign-ins

After verifying SAML sign-ins work correctly, complete the following steps to enable SAML sign-ins for your Acquia DAM Classic instance:

  1. Sign in to Acquia DAM Classic as an admin.

  2. Click Settings, and then click System Preferences.

  3. In the left navigation menu, click SAML Settings.

  4. In the Splash Page panel, click the checkbox for Enable login button on Splash page, and then click Save.

The Acquia DAM Classic splash page (http://company.exampledam.com/splash.php) should now display the Internal Login button triggering SAML sign in.