Sequence of tasks to configure and enable an IdP:

  1. Add a domain and verify domain ownership, and configure an OIDC or SAML v2.0 IdP. Step 1 tasks (add and verify a domain, or configure an IdP) can be completed in any order.
  2. Confirm the association of your IdP to the domain.
  3. Enable the IdP configuration for all domain users.
  4. (Optional) Add a subdomain.

This section includes details on configuring a SAML v2.0 Identity Provider with an example of a Microsoft Azure Active Directory SAML-based Single Sign-On configuration. 

Info

Although the example in this section is for Microsoft Azure Active Directory, any SAML v2.0 Identity Provider is compatible.

Refer to the Microsoft article on configuring SAML-based single sign-on for details.

To create a new Identity Provider

  1. From the Identity Provider page, click the Actions (...) menu, and then select Configure Identity Provider. The New Identity Provider form will be presented. 
  2. Select SAML v2.0. A blank form is presented.

  3. Complete the fields based on the values that are configured for your Identity Provider. The example is SAML v2.0 for Azure Active Directory, where the Identity Provider values are found in the Azure Active Directory admin center under the Single sign-on menu. Refer to the Microsoft article on configuring SAML-based single sign-on and the following example for details.

    Section 1: These URLs (for example, Assertion Consumer Service URL) are provided after the AMPLIFY Platform Identity Provider configuration is saved, and can then be used on your Identity Provider.

    Section 2: The values to set in the NameID Format and Attribute Mapping fields in the AMPLIFY Platform Identity Provider configuration form.

    Section 3: The values to set in the Signature Algorithm and Validating X509 Certificates section of the AMPLIFY Platform Identity Provider configuration form. The certificate file whose contents are used for that section is available from the Certificate (Base64) download button on this view.

    Section 4: The values to use in the Single Sign-On Service URL and Single Logout Service URL fields on the AMPLIFY Platform Identity Provider configuration page.

  4. Copy the mapping values from the Identity Provider configuration to complete Single Sign-On Service URL and Single Logout Service URL. See section 4 from the SAML v2.0 for Azure Active Directory example.
  5. Copy the mapping values from the Identity Provider configuration to complete the NameID Policy Format, Signature Algorithm, and Validating X509 Certificate. See sections 2 and 3 from the SAML v2.0 for Azure Active Directory example.

    • NameID Policy Format: Click the field under Required Claim to show the format that will be used for the NameID Policy Format section in the Identity Provider configuration form.
    • Signature Algorithm: Select the value that is configured for your Identity Provider.
    • Validating X509 Certificates: Download the contents. Then copy and paste the X509 certificate value into the text box, making sure to omit the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

      Info
      If you have multiple certificates that are required for your configuration, add the X509 certificate value for each certificate in that field, separated by a comma.


  6. Copy the mapping values from the Identity Provider configuration to complete the Attribute Mapping fields (Email Address, First Name, and Last Name). See the Additional claims area in section 2 from the SAML v2.0 for Azure Active Directory example.
    The following is an example for a completed SAML v2.0 form (before clicking Save).
  7. Click Save. A Confirmation dialog appears with a message that once the Identity Provider is verified, all users on that domain will be required to log into the AMPLIFY Platform with their Identity Provider credentials.

  8. To complete the configuration, you must add the values configured in the AMPLIFY Platform identity configuration page to your Identity Provider's configuration.
    • Copy the Entity ID, Assertion Consumer Service URL, and optionally the Post-Logout URL values individually from the Platform's page, manually or by clicking the clipboard icon.

      Info
      The SAML Descriptor may include additional content that is applicable to your Identity Provider, such as the public key used for signed assertions. The SAML Descriptor includes options that may be applicable to your IdP: View, Download, or Download Signing Certificate.
    • Paste the copied values into their respective fields in the SAML v2.0 configuration page.
    • Click Save in the Azure Active Directory page. 
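Step 5 above pastes each certificate body without its BEGIN/END lines and separates multiple certificates with commas. The following script is an added example, not part of the AMPLIFY Platform documentation or Azure AD tooling: it converts the file downloaded via Certificate (Base64) into that field value and rejects a truncated or non-certificate paste before it reaches the form. It assumes the field accepts the base64 body as a single unbroken line, and the sample certificate it embeds is a constructed stand-in, not a real certificate.

```python
import base64
import binascii
import re

# Hypothetical helper (not AMPLIFY Platform or Azure AD code): turns the PEM
# file downloaded via "Certificate (Base64)" into the text expected by the
# Validating X509 Certificates field: body only, no BEGIN/END lines, and
# multiple certificates joined with commas.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed stand-in, not a real certificate: a DER SEQUENCE holding INTEGER 5.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQU=\n-----END CERTIFICATE-----\n"

def der_is_sane(der: bytes) -> bool:
    """True if der is one complete DER SEQUENCE (tag 0x30), as every X.509 cert is."""
    # Catches a truncated paste, a stray header line or a non-certificate blob
    # before it reaches the form.
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                  # short form: one length byte
        hdr, length = 2, first
    else:                             # long form: 0x80|n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr = 2 + n
        length = int.from_bytes(der[2:hdr], "big")
    return hdr + length == len(der)

def pem_to_field_value(pem_text: str) -> str:
    """Return the comma-separated value for Validating X509 Certificates."""
    bodies = []
    for body in PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())  # assumption: the field takes one unbroken line
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate body is not valid base64: {exc}") from exc
        if not der_is_sane(der):
            raise ValueError("decoded bytes are not a complete DER SEQUENCE")
        bodies.append(b64)
    if not bodies:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    return ",".join(bodies)
```

Run `pem_to_field_value(open("azure-cert.cer").read())` on the downloaded file and paste the returned string into the field; a ValueError means the file is not a clean PEM certificate and should not be pasted.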

When a new Identity Provider is being configured, the organization administrator can edit any field. After a SAML v2.0 Identity Provider is verified, the organization administrator is permitted to edit some of the fields.

  • Basic Attributes
    • Single Sign-On Service URL
    • NameID Policy Format
    • Signature Algorithm
    • Validating X509 Certificates
  • Advanced Attributes
    • Single Logout Service URL
    • Backchannel Logout
    • HTTP-POST Binding Response
    • HTTP-POST Binding for AuthnRequest
    • HTTP-POST Binding Logout
    • Want AuthnRequests Signed
    • SAML Signature Key Name
    • Want Assertions Signed
    • Want Assertions Encrypted
    • Force Authentication
  • Attribute Mapping
    • Email Address
    • First Name
    • Last Name
    • Phone Number
    • Country