---
title: "Acquia Single Sign-On"
date: "2026-02-11T12:16:19+00:00"
summary: "Simplify access across Acquia products with Single Sign-On. Authenticate via SAML 2.0, auto-provision accounts, and centralize identity management."
image:
type: "page"
url: "/resources/acquia-single-sign"
id: "040e8bbf-b9cd-4424-92f8-9a3ac0f999a3"
---

Acquia single sign-on (SSO) provides a unified sign-on experience across the Acquia ecosystem. With Acquia SSO, users authenticate with their own identity provider credentials. After configuration, Acquia SSO requires users with verified email domains to authenticate through their identity provider instead of standard Acquia ID credentials.

About Acquia SSO
----------------

Acquia SSO supports common enterprise authentication flows through Security Assertion Markup Language (SAML) 2.0 for secure identity exchange. It gives enterprises flexibility in how login sessions are initiated.

Authentication Flows
--------------------

*   Identity Provider-Initiated Flow: Users logged into the organizational identity provider access Acquia after they select an Acquia tile in the corporate portal. Authentication occurs transparently through the current identity provider browser session.
*   Service Provider-Initiated Flow: Users move directly to Cloud Platform and enter a corporate email address. Acquia redirects users to the organizational identity provider for authentication.
    
    ![Flowchart illustrating SAML authentication process between Identity Provider, End-user (Browser), and Service Provider on Acquia Cloud Platform. Arrows indicate request and response steps.](https://acquia.widen.net/content/ofmdl1rryu/web/cloud-platform_idp-fedauth.png?w=720&v=d1e9fef7-516b-48ac-89a4-84557618f3cf&itok=1cKCOMAb)
    

Benefits
--------

*   Single Sign-On Experience: Users with configured email domains authenticate through corporate credentials to log in seamlessly to Cloud Platform without separate Acquia ID credentials.
*   Automatic Account Creation: After a user authenticates successfully through their corporate identity provider for the first time, Acquia ID automatically creates their account on the Cloud Platform. This action removes the requirement for IT administrators to manually provision users in advance on Acquia ID.
*   Centralized Identity Management: Authentication management through a current corporate identity provider reduces administrative overhead. This method centralizes user lifecycle management, such as account creation, account deletion, and password policies, in the enterprise identity system.
*   Product-Agnostic Authentication: After authentication through Acquia SSO, users access all Acquia products integrated with Acquia ID, such as Cloud Platform, Source, Digital Asset Management, and Edge Standard, with a seamless sign-on experience.

### Configuration

To enable Acquia SSO, an organization administrator must perform these steps. This configuration is managed at the subscription level and applies company-wide to all members with the configured email domain.

1.  Claim the domains and identify which email domains must use Acquia SSO, for example, yourcompany.com.
2.  Add a DNS TXT record to verify domain ownership and prove control of the domain. This action prevents unauthorized organizations from changing the configuration of the corporate domain.
3.  Configure identity provider settings and enter corporate identity provider metadata, such as SAML endpoints and certificates, into Acquia.

Domain-Level Setting
--------------------

Acquia SSO is mandatory for all users with a configured domain.

*   Mandatory Authentication: All users with that email domain must authenticate through the corporate identity provider.
*   Administrative Control: Only organization administrators with an Acquia SSO entitlement can modify these settings.
*   Company-Wide Application: The configuration applies to any organization member who accesses any Acquia product with that domain.

### User experience for different roles

*   Employees: The system routes employees with the configured corporate domain to the corporate identity provider for authentication. Acquia SSO is mandatory for configured domains. Users cannot opt out.
    
*   Partners and Consultants: If external users require access through the corporate identity provider, the IT team must provision them with email addresses from the configured corporate domain. Alternatively, external users can access Acquia with Acquia ID credentials after they receive approval from organization administrators. These users authenticate through one of the following methods:
    
    *   Corporate Identity Provider: If the email domain of the partner is also configured for Acquia SSO in the subscription, authentication occurs through their corporate identity provider.
    *   Acquia ID: If the email domain is not configured in Acquia SSO, partners and consultants continue to use Acquia ID credentials, such as a username and password.

### Security and Compliance

*   Standardized Audits: Detailed logs capture authentication events to provide audit and report capabilities.
*   Identity Verification: The organizational identity provider processes login requests, which ensures that enterprise-grade security policies protect Acquia resources.
*   Compliance: Acquia standard compliance audit cycles include the federated authentication implementation.

### Authentication or Authorization

*   Authentication: This process verifies user identity through the identity provider or Acquia SSO. After authentication, the user receives an identity token.
*   Authorization: This process determines what the user can access based on team membership. Organization administrators manage authorization through the assignment of users to teams.

### Manage User Access After Deactivation

Organization administrators are responsible for these actions:

*   Team Membership Management: Add or remove users from teams to control resource access.
*   User Lifecycle Oversight: Add new hires to teams and remove users who leave or change roles.
*   Identity Provider Deactivation: After a user leaves the organization, deactivate the account in the identity provider.
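
An offboarding review that combines the responsibilities above, as an added example that is not Acquia code: it compares team membership with the identity provider's active accounts and separates out users who sign in with Acquia ID credentials. The function name, the data shapes, and all names and addresses are constructed assumptions; how the two lists are exported is outside this page.

```python
# Constructed sample data; export formats, names and addresses are hypothetical.
SSO_DOMAINS = {"yourcompany.com"}            # domains configured for Acquia SSO
IDP_ACTIVE = {"ana@yourcompany.com", "raj@yourcompany.com"}  # active IdP accounts
TEAM_MEMBERS = {                             # user email -> teams in the organization
    "Ana@yourcompany.com": ["Developers"],
    "lee@yourcompany.com": ["Developers", "Release managers"],
    "sam@agency.example": ["Content editors"],
}


def review_team_access(team_members, idp_active, sso_domains):
    """Sort team members into buckets for an organization administrator to act on."""
    active = {address.strip().lower() for address in idp_active}
    domains = {domain.lower() for domain in sso_domains}
    report = {"ok": [], "remove_from_teams": [], "acquia_id_review": []}
    for email, teams in sorted(team_members.items(), key=lambda item: item[0].lower()):
        address = email.strip().lower()
        domain = address.rpartition("@")[2]
        if domain not in domains:
            # Not a configured domain: this user signs in with Acquia ID
            # credentials, so identity provider deactivation does not cover them.
            report["acquia_id_review"].append((address, teams))
        elif address in active:
            report["ok"].append((address, teams))
        else:
            # Configured domain but no active identity provider account:
            # team membership was left behind after the account was deactivated.
            report["remove_from_teams"].append((address, teams))
    return report
```

With the sample data, `lee@yourcompany.com` lands in `remove_from_teams` and `sam@agency.example` in `acquia_id_review`.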