---
title: "Using single sign-on"
date: "2024-08-07T13:31:37+00:00"
summary: "Configure and test single sign-on (SSO) for your Customer Data Platform with our step-by-step guide. Streamline user access securely."
image:
type: "page"
url: "/customer-data-platform/using-single-sign"
id: "9e14a72c-cf12-417e-8931-9dd024d6f220"
---

Use the following checklist to configure single sign-on (SSO) for your Customer Data Platform (CDP) tenant:

Important

Acquia recommends you to first test SSO in your pre-production environment.

S. No.

Task

1

[Submit a Support ticket](#submit-acquia-support-ticket)

2

[Configure SAML metadata in IdP](#configure-saml-metadata-IdP)

3

[Share the metadata.xml file with Acquia Support](#share-metadata-file)

4

[Test the SSO](#test-sso)

5

[Add users to CDP](#add-users)

Submitting a Support ticket
---------------------------

1.  [Submit a Support ticket](/service-offerings/support "Support") as an administrator with access to Acquia Support.
    
    After receiving the ticket, Acquia provides the following details for your pre-production tenant:
    
    *   TenantId
    *   Assertion Consumer Service (ACS)
    *   Service Provider (SP) EntityId
    
    If you do not have access to the pre-production tenant, mention this in your request. If you are not a security gatekeeper for your tenant, a gatekeeper must approve the access request.
    

Configuring SAML metadata in IdP
--------------------------------

Use the information provided by Acquia Support to configure your IdP for SSO with CDP.

1.  In your staging and production environments, configure Acquia metadata with the following information:
    *   SAML Assertion Consumer Service (ACS)
        
        For example, `https://cs-auth.agilone.com/sso/tenantId/vega/saml`.
        
    *   Service Provider EntityId
        
        For example, `https://cs-vega-green.agilone.com/tenantId`.
        
    *   NameId-format = **urn:oasis:names:tc:SAML:1. 1:nameid-format:emailAddress**.
    *   Application username = **Email**
    *   Assertion encryption = **Unencrypted**
    *   Signed response = **true**
    *   Signing option = **Sign SAML response**
    *   Signing algorithm = **SHA 256**
2.  Generate the metadata.xml file with the mentioned information.

Sharing the metadata.xml file with Acquia Support
-------------------------------------------------

Share the generated metadata.xml with Acquia Support through the Support ticket. The file must include the following:

*   EntityId
*   Login url
*   x509 certificate

Acquia Support configures your tenant using the metadata.xml file. When you send the metadata.xml file, provide the names and emails of three user accounts for testing your SSO setup.

Important

You must send a new metadata.xml file to Acquia before your x509 certificate expires. Ensure that your organization is aware and knows how to regenerate the file before it expires. CDP cannot refresh the x509 certificate.

Testing the SSO
---------------

After Acquia Support sets up SSO for your tenant, test it with the three accounts you provided in the previous step. Each tester can test one scenario. Acquia sets the appropriate access in the staging environment and asks you to set the testers up in your IDP. The testers can test positive and negative access. The following are the scenarios:

**User**

**Has Acquia CDP account**

**Has IDP permission on your end**

**Expected successful outcome**

**User A**

Yes

No

User cannot access CDP

**User B**

Yes

Yes

User can access CDP

**User C**

No

Yes

User cannot access CDP

Adding users to CDP
-------------------

Important

Skip this step, if you are configuring SSO after users already exist in your CDP tenant.

Administrators must create new user profiles in CDP for any new users before they can log in using the IdP.

Once you test the SSO configuration in pre-production, create user profiles in the production tenant with the appropriate roles for each user.

*   Customers with a single CDP tenant in the production environment must visit the [User Permissions](/customer-data-platform/user-permissions "User permissions") page.
    
*   Customers with multiple CDP tenants on production servers, including UAT tenants, must complete the access requests through Acquia Support. For more information, visit the [User management](/customer-data-platform/user-management "User management") page.
    

Important

The standard SSO configuration is a single domain authentication credential specific to your organization. If users have an email with a domain different from your company's domain, you must implement Federated Identity Management in your IdP before activating SSO for your tenants. Otherwise, those users cannot log in to CDP when SSO is set up. This may include internal employees with a different domain, partners, and third-party vendors.

Configuring SSO in your production tenant
-----------------------------------------

After confirming access with the test cases, respond on the same support ticket to request the TenantId, Assertion Consumer Service (ACS), and Service Provider (SP) EntityId for your production tenant. Then, repeat steps 2 through 5.