---
title: "How do I set up SAML SSO?"
date: "2025-03-01T15:53:41+00:00"
summary: "Streamline user authentication with SAML SSO for Acquia DAM to enhance security and simplify access management. Set up, configure, and test single sign-on using any SAML 2.0-compliant identity provider."
image:
type: "page"
url: "/acquia-dam/how-do-i-set-saml-sso"
id: "925483c5-315e-4300-aa0d-a8f13ec0fade"
---


Acquia DAM supports SAML 2.0 single sign-on using the HTTP Redirect and HTTP POST bindings. You can use any identity provider (IdP) that supports SAML 2.0.  
  
Acquia has specific setup documentation for these IdPs:

*   [ADFS](/acquia-dam/how-do-i-configure-saml-sso-adfs "How do I configure a SAML SSO for ADFS?")
*   [Microsoft Entra ID](/acquia-dam/how-do-i-configure-saml-sso-microsoft-entra-id "How do I configure a SAML SSO with Microsoft Entra ID?")
*   [Okta](/acquia-dam/how-do-i-integrate-okta-acquia-dam "How do I integrate Okta with Acquia DAM?")

This article provides setup instructions for all other SAML version 2.0-compliant IdPs.

Enable SAML in the DAM
----------------------

First, the SAML SSO feature must be enabled in the DAM. Admins cannot turn it on themselves, so contact your implementation consultant or customer success manager. To check whether it is already enabled on your site:

1. Log in to the DAM.
2. Go to the **Admin app**.
3. Select **Features**.

![Dashboard interface showing features settings. "Analyze" section details options for collecting intended use on external collections, order pickup, and within site.](https://acquia.widen.net/content/36469e90-bac7-46ac-b764-1d5b4acbed67/web/ka0Pb000000AhRt00N6g00000WDN1a0EM6g000005Lw1q.png)

  
4. Find **SAML Integration** under **Manage Users** in the Features list.
 

![Manage Users page detailing user rights, permissions, and integration options for Single Sign-On, including Custom, SAML, and Simple One-way SSO.](https://acquia.widen.net/content/77efc5bc-b957-4a0d-8f1c-b837cbca521e/web/ka0Pb000000AhRt00N6g00000WDN1a0EM6g000005Lw1i.png)

  
Check admin permissions
--------------------------

Once SAML Integration has been enabled, a DAM admin may need to grant you permission to customize single sign-on. If you are already an admin, assign the permission as follows.

1. In the Admin app, select **Permission Settings**, then **Roles**.

![Dashboard showing user roles, descriptions, and options for editing, viewing, duplicating, or deleting roles. Includes user counts for each role.](https://acquia.widen.net/content/1a304143-f801-4e52-ab5e-6a20dd0bf88b/web/ka0Pb000000AhRt00N6g00000WDN1a0EM6g000005Lw1p.png)

2. Select **Edit Permissions** for an admin role.
3. Select the **Application Permissions** tab.
4. Edit the DAM application.
 

![Application permissions interface showing role setup tips and a table of user rights options for different applications, including checkboxes and customization icons.](https://acquia.widen.net/content/33c9036d-136f-4c5a-9706-30d7369bdbba/web/ka0Pb000000AhRt00N6g00000WDN1a0EM6g000005Lw1l.png)

5. Select **Single Sign-On Administrator**, then **Update**.

  
Set up SAML
--------------

In the Admin app, select **Single Sign-On Settings**, then **SAML settings**. Configure the Service Provider (SP), Identity Provider (IdP), and Attributes tabs in turn.
 

Complete the SP info
--------------------

Most of the fields in the Service Provider tab are filled in automatically. The Issuer / Entity ID is a unique string that identifies the DAM as the party issuing a SAML AuthnRequest; it appears in each AuthnRequest and in the SP metadata. You can customize the end of the value. You can also edit the Name ID Format value.  
  
The formats of those fields are:

| Field | Format |
| --- | --- |
| Issuer/Entity ID | https://www.widen.com/saml2/{name}/{unique ID string} |
| Name ID Format | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |

  
One field must be entered manually: the registration code. Select a SAML-specific registration code and save. If you have not set one up yet, learn [how to create registration codes](/acquia-dam/what-are-registration-codes "What are registration codes?"). 

![SAML Administration interface showing issuer ID, name ID format, and registration code set to "DEFAULT," with tabs for Service Provider and Identity Provider.](https://acquia.widen.net/content/d279fbc2-b99d-4497-8c51-44eabf064184/web/ka0Pb000000AhRt00N6g00000WDN1a0EM6g000005Lw1j.png)

  
The remaining fields cannot be edited. Some IdPs can import the SP configuration directly from the SP Metadata URL. Otherwise, download the SP metadata as an XML file and enter its values into the IdP manually.   
  
 

![SAML Administration interface showing service provider settings, including issuer ID, metadata URL, SP-initiated URL, and logout redirect URL.](https://acquia.widen.net/content/5b60c0bc-0854-4a64-a417-cc568a946dd7/web/ka0Pb000000AhRt00N6g00000WDN1a0EM6g000005Lw1o.png)

With DAM SAML SSO, every customer gets: 

*   An SP-initiated URL (used to start AuthnRequests)
*   A logout redirect URL
*   Assertion Consumer Service (ACS) URLs for each hostname
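As an added example that is not part of the article or Acquia's own code, the script below parses an SP metadata document of the kind described above and pulls out the values an IdP's "create SAML application" form asks for, with a few checks to run before pasting them in. The metadata it parses is a constructed sample: the entityID follows the article's pattern with made-up placeholders, and the hostnames, endpoint paths and the WantAssertionsSigned flag are assumptions, not values from a real DAM export.

```python
"""Read the values an IdP admin has to enter by hand out of SP metadata.

Added example, not Acquia's code. SAMPLE_SP_METADATA is constructed:
the entityID follows the article's pattern
https://www.widen.com/saml2/{name}/{unique ID string} with made-up
placeholders; hostnames, paths and the WantAssertionsSigned flag are
assumptions, not values from a real DAM export.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.widen.com/saml2/example-dam/a1b2c3d4">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-dam.example.net/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-dam.example.net/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dam.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return entityID, NameID format, ACS endpoints (one per hostname) and SLO endpoint."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [{"index": int(e.get("index", "0")), "default": e.get("isDefault") == "true",
            "binding": e.get("Binding"), "location": e.get("Location")}
           for e in sp.findall("md:AssertionConsumerService", NS)]
    slo = sp.find("md:SingleLogoutService", NS)
    return {
        "entity_id": root.get("entityID"),
        "name_id_format": sp.findtext("md:NameIDFormat", default="", namespaces=NS).strip() or None,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs": sorted(acs, key=lambda a: a["index"]),
        "slo": None if slo is None else {"binding": slo.get("Binding"), "location": slo.get("Location")},
    }


def check_sp_metadata(info: dict) -> list:
    """Problems to resolve before the values go into the IdP (empty list = fine)."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if info["name_id_format"] != PERSISTENT:
        problems.append("NameIDFormat is not persistent: %r" % info["name_id_format"])
    if not info["acs"]:
        problems.append("no AssertionConsumerService endpoint")
    for a in info["acs"]:
        if a["binding"] != POST_BINDING:
            problems.append("ACS %s does not use the HTTP-POST binding" % a["location"])
        if not (a["location"] or "").startswith("https://"):
            problems.append("ACS %s is not served over https" % a["location"])
    if not info["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is not true")
    return problems


def idp_entry_sheet(info: dict) -> dict:
    """The values most IdP 'create SAML application' forms ask for, ready to paste."""
    default = next((a for a in info["acs"] if a["default"]), info["acs"][0])
    return {
        "Audience / Entity ID": info["entity_id"],
        "ACS (Reply) URL": default["location"],
        "Additional ACS URLs": [a["location"] for a in info["acs"] if a is not default],
        "Name ID format": info["name_id_format"],
        "Logout URL": info["slo"]["location"] if info["slo"] else None,
    }
```

Run it against your own download by passing the file contents to `parse_sp_metadata`; a non-empty list from `check_sp_metadata` means something to resolve before go-live, for example an ACS endpoint on a binding other than HTTP-POST.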

Complete the IdP info
---------------------

Select the **Identity Provider** tab. Open your IdP in a new browser tab so you can copy the values from the IdP into these fields.    
  
1. Enter the IdP's SSO URL in **Authorization Endpoint**.
2. For the IdP signing certificate, either enter the IdP metadata URL in **Metadata Endpoint** (the DAM pulls the certificate from it) or upload the certificate file under **Certificate Files**.
3. Add a **Support Email** that users can contact if they have trouble authenticating. This should be an address internal to your organization.
 

Review attributes
-----------------

Select the **Attributes** tab. The DAM accepts the attributes listed below from the IdP. Email address, first name, and last name must be present in the SAML assertion for every user who logs in through SSO; the others are optional. Configure your IdP to send each attribute under exactly the name shown. If the attribute names do not match between the IdP and the DAM, the user's first and last names may arrive in the DAM as "Unknown Unknown." 

| Field name | Attribute name |
| --- | --- |
| Email address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| First name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
| Last name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
| Title | http://www.widen.com/saml2/claims/title |
| Department | http://www.widen.com/saml2/claims/department |
| Company | http://www.widen.com/saml2/claims/company |
| Phone | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone |
| Street address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress |
| City | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality |
| State/province | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince |
| ZIP/postal code | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode |
| Country | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country |
| Roles | http://schemas.microsoft.com/ws/2008/06/identity/claims/role |
| Passcode | http://www.widen.com/saml2/claims/passcode |

  
_Roles attribute_  
This attribute lets you assign DAM user roles through SSO. Each time a user authenticates via SAML SSO, the DAM compares its own role names with the role values sent by the IdP; values that match a DAM role name are considered valid. If no values are valid, the user's DAM role assignments are left as they are. If at least one value is valid, the user's DAM role assignments are replaced to match the valid IdP roles.   
  
_Passcode attribute_  
This attribute relates to [registration codes](/acquia-dam/what-are-registration-codes "What are registration codes?") in the DAM. If you set up this attribute in the IdP to send values that match registration code names, you can segment users into groups by applying a specific registration code automatically.  
  
_Custom attribute_  
You can also create custom attributes for just about any information you want attached to user login. For example, if you create the custom attribute Region, users who sign in via SAML will have a value, such as Northeast, attached to their profile. 

Security and validation
-----------------------

_Encryption_  
To accept only encrypted SAML responses, contact the Customer Support team; they will help you download the DAM's encryption certificate, which carries the public key your IdP encrypts to. The certificate is valid for 10 years from download. If needed, the support team can revoke it remotely.   
  
Enable encryption in your IdP and upload the encryption certificate there. When you are ready to require encrypted SAML responses, Acquia updates your DAM configuration; from then on, any SAML response that is not properly encrypted is rejected.  
  
_SAML assertion conditions_   
If the assertion carries these conditions, the DAM takes them into account when assessing its validity:

*   NotBefore: the earliest instant at which the SAML assertion is valid.
*   NotOnOrAfter: the instant at which the SAML assertion expires.

_Replay attack mitigation_   
The DAM records the unique ID of every SAML response it accepts and rejects any later response carrying an ID it has already seen, so a captured response cannot be submitted a second time to obtain another session. 
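The attribute mapping from the Attributes section, the NotBefore/NotOnOrAfter check and the replay check above, as one added example that is not Acquia's code. It consumes a constructed sample assertion (issuer, NameID, ID, timestamps and values are all made up), and it assumes the Response signature has already been verified and the assertion decrypted, which this code does not do. The three-minute clock-skew allowance and the `sync_roles` reading of the Roles rule are the example's own assumptions.

```python
"""Consume a SAML assertion the way the article describes: enforce the
Conditions window, reject replayed IDs, map attributes to DAM profile
fields, and apply the Roles rule.

Added example, not Acquia's code. SAMPLE_ASSERTION is constructed (issuer,
NameID, ID, timestamps and values are made up). It assumes the Response
signature was already verified and the assertion decrypted if encryption
is on; neither happens here. CLOCK_SKEW is this example's own choice.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ATTR_TO_FIELD = {  # attribute names from the article's table -> DAM profile field
    CLAIMS + "emailaddress": "email",
    CLAIMS + "givenname": "first_name",
    CLAIMS + "surname": "last_name",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "roles",
    "http://www.widen.com/saml2/claims/passcode": "passcode",
}
REQUIRED = ("email", "first_name", "last_name")
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for IdP/SP clock drift

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2025-03-01T15:50:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>u-1001</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2025-03-01T15:50:00Z" NotOnOrAfter="2025-03-01T15:55:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>DAM Admin</saml:AttributeValue>
      <saml:AttributeValue>Marketing</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_ts(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayCache:
    """IDs of assertions already accepted, kept until they would have expired anyway."""

    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter

    def first_use(self, assertion_id: str, expires: datetime, now: datetime) -> bool:
        self._seen = {k: v for k, v in self._seen.items() if v > now - CLOCK_SKEW}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def consume_assertion(xml_text: str, cache: ReplayCache, now: datetime) -> dict:
    """Raise ValueError if the assertion is out of its window or replayed; else map it."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    nb = parse_ts(cond.get("NotBefore")) if cond is not None and cond.get("NotBefore") else None
    na = parse_ts(cond.get("NotOnOrAfter")) if cond is not None and cond.get("NotOnOrAfter") else None
    if nb is not None and now + CLOCK_SKEW < nb:
        raise ValueError("assertion not yet valid")
    if na is not None and now - CLOCK_SKEW >= na:
        raise ValueError("assertion expired")
    if not cache.first_use(root.get("ID"), na or now + CLOCK_SKEW, now):
        raise ValueError("replayed assertion")
    profile = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        field = ATTR_TO_FIELD.get(attr.get("Name"))
        if field is None:
            continue  # a name that does not match the table is silently dropped
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        profile[field] = values if field == "roles" else (values[0] if values else None)
    # A required field left empty is what surfaces as "Unknown Unknown" in the DAM.
    missing = [f for f in REQUIRED if not profile.get(f)]
    return {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "profile": profile, "missing": missing}


def sync_roles(current_roles, idp_roles, dam_role_names):
    """Roles rule: no match leaves roles alone; any match replaces them with the matches."""
    valid = [r for r in idp_roles if r in dam_role_names]
    return valid if valid else list(current_roles)
```

The `missing` list is the thing to watch during testing: an IdP that sends the first name under a claim name other than the one in the table produces `["first_name"]` here, which is the mismatch that shows up as "Unknown Unknown" on the DAM profile. The replay cache is keyed on the assertion ID and prunes entries only once they are past NotOnOrAfter plus the skew allowance, so it never forgets an ID that the time check would still accept.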

Perform a test
--------------

After setup, test the SAML sequence. Create a test user in your IdP and assign them to a group associated with the DAM application. Log out of your administrator account, then log in as the test user in your IdP and perform a SAML login to the DAM. Consult your IdP support documentation for specific instructions.   
  
You can also test SP-initiated authentication by visiting the SP-initiated URL, found in the Acquia DAM SAML settings SP tab. We recommend testing it in an incognito window. 

Add an SSO button
-----------------

To add a button for SP-initiated login to your DAM login page, follow the instructions from our [SSO setup article](/acquia-dam/what-sso-setup-process "What is the SSO setup process?").   
Perform a test by again logging into your IdP as a test user, going to your DAM login page, and clicking the SSO button. 

Go live
-------

In your IdP, you can now start granting users access to log in to Acquia DAM via SSO. Activating SSO does not force existing users to log out, but every new or expired session must then authenticate through your IdP.   
  
New employees gain access to the DAM through membership in the IdP directory group assigned to the DAM application. Once they are in that group, a DAM account is created for them by just-in-time provisioning, with the user permissions associated with that group.  
  
When a user no longer needs SSO access to the DAM, remove them from that group in your directory.

### Update your SAML certificate

DAM admins are able to update the SAML certificate. 

1.  Go to the **Admin app**.
2.  Click **Single Sign-On Settings**, then **SAML settings**.
3.  On the SAML Administration page, click the **Identity Provider (IdP)** tab.
4.  In **Certificate Files**, do one of the following:
    *   If you have a certificate from your local machine, upload it.
    *   If you are using a new **Metadata Endpoint**, enter it and click the **Refresh** icon next to the Metadata Endpoint field to pull in the new certificate.
    *   If you are continuing to use an existing **Metadata Endpoint** that is already entered in, click the **Refresh** icon next to the **Metadata Endpoint** field to pull in the new certificate.  
        The new certificate is displayed in the **Certificate Files** chart.
5.  Click **Save**.

**Note**: Previous certificates remain on the chart for historical reference. However, they are no longer usable. DAM uses the latest uploaded certificate.