View Source

Sequence	Completed task to configure and enable an IdP
1	-	- -	Add a domain and Verify domain ownership
		✓	Configure an OIDC or SAML v2.0 IdP
		Step 1 tasks (add and verify a domain, or configure an IdP) can be completed in any order
2	-	Confirm the association of an IdP to the domain
3	-	Enable the IdP configuration for all domain users
4	-	(Optional) Add a subdomain

This section includes details on configuring a SAML v2.0 Identity Provider with an example of a Microsoft Azure Active Directory SAML-based Single Sign-On configuration.

Although the example in this section is for Microsoft Azure Active Directory, any SAML v2.0 Identity Provider is compatible.

Refer to the Microsoft configure SAML-based configure single sign on article for details.

To create a new Identity Provider

From the Identity Providers page, click the + Identity Provider. The New Identity Provider form will be presented.
Select SAML v2.0. A blank form is presented.

Complete the fields based on the values that are configured for your Identity Provider. The example is for SAML v2.0 for Azure Active Directory. For example, the SAML v2.0 Identity Provider values are found in the Azure Active Directory admin center in the Single sign-on menu. Refer to the Microsoft configure SAML-based configure single sign on article and the following example for details.

Section 1: These URLs (for example, Assertion Consumer Service URL) will be provided after the AMPLIFY Platform Identity Provider configuration is saved, and then can be used on your Identity Provider.

Section 2: The values to set in the NameID Format and Attribute Mapping fields in the AMPLIFY Platform Identity Provider configuration form.

Section 3: The values that will be set on the Signature Algorithm and Validating X509 Certificates section of the AMPLIFY Platform Identity Provider configuration form. The certificate file whose contents will be used for that section of the AMPLIFY Platform Identity Provider configuration page will be available from the download button for Certificate (Base64) on this view.

Section 4: The values that will be used in the Single Sign-On Service URL and Single Logout Service URL fields on the AMPLIFY Platform Identity Provider configuration page.

Documentation & Guides - 2.0 > Configuring a SAML v2.0 IdP > AD-Overview.png

Copy the mapping values from the Identity Provider configuration to complete Single Sign-On Service URL and Single Logout Service URL . See section 4 from the SAML v2.0 for Azure Active Directory example.
Copy the mapping values from the Identity Provider configuration to complete the NameID Policy Format, Signature Algorithm, and Validating X509 Certificate. See sections 2 and 3 from the SAML v2.0 for Azure Active Directory example.
- NameID Policy Format: Click the field under Required Claim to show the format that will be used for the NameID Policy Format section in the Identity Provider configuration form.
- Signature Algorithm: Select the value that is configured for your Identity Provider.
- Validating X509 Certificates: Download the contents. Then copy and paste the X509 certificate value into the text box making sure to omit ------BEGIN CERTIFICATE ----- and ------END CERTIFICATE--------.
  If you have multiple certificates that are required for your configuration, add the X509 certificate value for each certificate in that field, separated by a comma.
Copy the mapping values from the Identity Provider configuration to complete the Attribute Mapping fields (Email Address, First Name, and Last Name). See the Additional claims area in section 2 from the SAML v2.0 for Azure Active Directory example.
Complete the Role Assignments section. Refer to Role Assignments for details.

The following is an example for a completed SAML v2.0 form (before clicking Save).
Click Save. A Confirmation dialog appears with a message that once the Identity Provider is verified, all users on that domain will be required to log into the AMPLIFY Platform with their Identity Provider credentials.

To complete the configuration, you must add the values configured in the AMPLIFY Platform identity configuration page to your Identity Provider's configuration.

Copy the Entity ID, Assertion Consumer Service URL, and optionally the Post-Logout URLvalues individually from the Platform's page manually or by clicking the clipboard icon.
Documentation & Guides - 2.0 > Configuring a SAML v2.0 IdP > SAML-Overview.png

The SAML Descriptor may include additional content that is applicable to your Identity Provider, such as the public key used for signed assertions. The SAML Descriptor includes options that may be applicable to your IdP: View, Download, or Download Signing Certificate.

Paste the copied values into their respective fields in the SAML v2.0 configuration page.
Click Save in the Azure Active Directory page.

When a new Identity Provider is being configured, the organization administrator can edit any field. After a SAML v2.0 Identity Provider is verified, the organization administrator is not permitted to edit the Single Sign-On Service URL, NameID Policy Format, and Signature Algorithm fields.