
Integrating Acquia DAM with SAML

SAML integration with Acquia DAM is an add-on feature. Contact your Account Manager to add this feature to your subscription.

By integrating with your company’s identity provider (IdP), your users can sign in to Acquia DAM using the same credentials they use elsewhere.

The Security Assertion Markup Language (SAML) integration with Acquia DAM should be handled by your company’s SAML administrator. The SAML administrator will require an Acquia DAM account with admin privileges.

Acquia recommends setting up SAML sign-ins during the initial onboarding process. Customers that enable SAML sign-ins after onboarding may end up with duplicate user accounts. To avoid duplicating existing users, ensure that the Username attribute returned by your identity provider is the same as the current username in Acquia DAM. If the returned username does not match an existing Acquia DAM username, a new Acquia DAM user account will be created.


Configuring SAML sign-ins

To configure single sign-on for your Acquia DAM with SAML, perform the following steps:

  1. Sign in to Acquia DAM as an admin.

  2. Click Settings, and then click System Preferences.

  3. In the left navigation menu, click SAML Settings.

  4. Download Acquia DAM’s service provider metadata XML file by clicking the Download link in the SAML 2.0 Metadata XML file pane.

  5. Add Acquia DAM’s service provider metadata XML file into your company’s identity provider (IdP).

  6. If you are using Microsoft ADFS (Active Directory Federation Services), complete the following steps:

    1. Under Relying Party Trusts, create a claim rule based on Transform an incoming claim template with the following settings:

      Option                          Value
      Incoming claim type             Windows Account Name
      Outgoing claim type             Name ID
      Outgoing name ID format         Transient Identifier
      Pass through all claim values   Enabled

    2. Create a second claim rule based on Send LDAP attributes as Claims template, and select Active Directory as Attribute store. Configure claim rules to send the following attributes to Acquia DAM: username, email, first name, and last name. For example:

      • SAM-Account-Name - Name
      • Given Name - Given Name
      • Surname - Surname
      • Email-Addresses - Email Address

      Note

      Do not set a claim with Name ID as an Outgoing Claim Type in this second rule. For instance, if you transmit User-Principal-Name, set its Outgoing Claim Type to UPN rather than Name ID.

    3. Export your SAML 2.0 Metadata XML from your IdP system using the mechanism it provides for this.

    4. Import the XML file by clicking the Select file link in the Upload Identity Provider’s SAML 2.0 Metadata XML file panel and choosing the correct XML file on your computer.

  7. Acquia DAM requires the following attributes from the IdP:

    • Username
    • First Name
    • Last Name
    • Email

Configure the attributes returned by the IdP to properly map to Acquia DAM’s defined fields in the Custom Attribute Field Mappings panel.

The Last parsed attribute fields pane displays the attribute information returned by the IdP from the last sign in. Use this panel to help properly map the IdP attributes to the Acquia DAM field names.

Last parsed example

Note

This pane will be empty until the SAML sign in is performed. See Testing SAML sign-ins in the following section. If the panel remains empty after SAML sign in, your identity provider may not be properly configured to return attributes to Acquia DAM.
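The following added example (not Acquia’s code) shows how to check, offline, whether an assertion returned by an ADFS IdP configured as in step 6 carries the four attributes Acquia DAM requires, uses the transient Name ID format, and whether its username would create a new account rather than match an existing one. The assertion is constructed for the example, the claim type URIs are the standard ADFS ones, and the set of existing usernames is a placeholder; what Acquia DAM actually shows for each attribute is what the Last parsed attribute fields pane displays.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Standard ADFS claim type URIs for the four claims created in step 6,
# keyed by the Acquia DAM field each should map to (assumed mapping).
FIELD_MAP = {
    "Username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "First Name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "Last Name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

# Constructed sample assertion (not captured from a real IdP); the Surname
# claim is deliberately left out to show how a missing field is reported.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID Format="%s">_7f3a</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="%s"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="%s"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="%s"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % (TRANSIENT, FIELD_MAP["Username"], FIELD_MAP["First Name"], FIELD_MAP["Email"])


def parse_assertion(xml_text):
    """Return (attributes, nameid_format); attributes maps claim Name -> list of values."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    nameid = root.find("./saml:Subject/saml:NameID", SAML_NS)
    return attrs, (nameid.get("Format") if nameid is not None else None)


def check_mapping(xml_text, existing_usernames):
    """Map IdP attributes onto the fields Acquia DAM requires and report gaps."""
    attrs, nameid_format = parse_assertion(xml_text)
    mapped = {field: (attrs.get(claim) or [None])[0] for field, claim in FIELD_MAP.items()}
    username = mapped["Username"]
    return {
        "mapped": mapped,
        "missing": [field for field, value in mapped.items() if not value],
        "transient_nameid": nameid_format == TRANSIENT,
        # A username unknown to Acquia DAM means a new (possibly duplicate) account.
        "creates_new_account": bool(username) and username not in existing_usernames,
    }


if __name__ == "__main__":
    print(check_mapping(SAMPLE_ASSERTION, {"jdoe", "asmith"}))  # placeholder username set
```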

ADFS attribute mappings:

ADFS attributes

OneLogin attribute mappings:

OneLogin attributes

Shibboleth attribute mapping:

Shibboleth attributes

Testing SAML sign-ins

Complete the following steps to verify that SAML sign-ins are working properly for your Acquia DAM instance:

  1. Use the following URL to test your SAML sign in, replacing company.exampledam.com with your Acquia DAM domain: http://company.exampledam.com/saml.php. The browser will redirect to your company’s identity provider (IdP).

  2. Enter SAML credentials for the account you want to test with. You should be redirected back to Acquia DAM as an authenticated user.

    Note

    Receiving the registration successful notification indicates SAML authentication was successful, but the new user account created in Acquia DAM has been set to inactive. To allow new users to automatically sign in to Acquia DAM, sign in to Acquia DAM as an admin and navigate to Settings > System Preferences, and uncheck New users must be approved after registering.

  3. In the upper right corner of the page, click the username, and then click Logout.

  4. Sign in to Acquia DAM as an admin.

  5. Click Settings, and then click System Preferences.

  6. In the left navigation menu, click Users.

  7. Verify the account you used to sign in exists.

If the user account is not created, make sure you configured the SAML integration correctly.

Enabling SAML sign-ins

After verifying SAML sign-ins work correctly, complete the following steps to enable SAML sign-ins for your Acquia DAM instance:

  1. Sign in to Acquia DAM as an admin.
  2. Click Settings, and then click System Preferences.
  3. In the left navigation menu, click SAML Settings.
  4. In the Splash Page panel, click the check box for Enable login button on Splash page, and then click Save.

The Acquia DAM splash page (http://company.exampledam.com/splash.php) should now display the Internal Login button triggering SAML sign in.