Single sign-on
Single sign-on (SSO) allows you to log in to Amplience (including Content Hub and Dynamic Content) without having to have an Amplience specific user name and password. You can use your own identity provider and the credentials you already have.
SSO provides many benefits, including:
- You can switch between Content Hub and Dynamic Content easily. You don't need to log in to each app.
- You use your existing credentials and do not need a new user name and password for Amplience.
- For an organization it provides more control over who has access to the systems they use. For example, if someone leaves an organization and is removed from their identity provider platform, then they can no longer log in.
- You can also take advantage of multi factor authentication and the password complexity and password expiry settings implemented by your identity provider.
Logging in using Single sign-onLink copied!
When our provisioning team have enabled single sign-on on your account, you will be provided with a login URL to use to access Amplience services.
If you're not currently logged in, then you will be taken to the login screen. Clicking "Log in" will take you to your identity provider's login screen.
If you're already logged in, you'll be taken to the Amplience landing page.
After clicking "Log in" on the Amplience login page, you'll be redirected to your identity provider's login page. The example below is using JumpCloud, but your chosen identity provider will be shown instead.
Log in using the name and password that you use for this identity provider and click the "SSO Login" button. The name and password will be verified with your identity provider and you'll be logged in to Amplience.
From the Amplience landing page you can launch Dynamic Content or Content Hub, view the documentation site and Dynamic Media playground, or launch the support portal.
Switching between appsLink copied!
In both the Dynamic Content and Content Hub apps, you can open the app switcher which will allow you to switch between apps easily. Once logged in to Amplience, you won't need to log in to any of these services again.
Single sign-on configurationLink copied!
Single-sign on (SSO) allows users to log in to Amplience using their organization's identity provider and without requiring an Amplience specific user name and password.
SSO login processLink copied!
When using SSO, the login process will be as follows:
- The user visits the Amplience single sign-on page for their organization and clicks the "Log in" button.
- The user is redirected to the single sign-on page of the identity provider configured for their organization and enters their usual name and password.
- The identity provider then authenticates the user and sends a "claim" to the Amplience authentication service. This will include the user's email address.
- Amplience will then check that the user is allowed access and if so logs the user in. If the user has not been set up for access to Amplience, then an error will be displayed.
Note that you must inform Amplience of the email address of each user that you wish to grant access. See adding a user.
Identity providersLink copied!
Amplience single sign-on supports most enterprise identity providers, including (but not limited to) the following:
Almost all of the identity providers use Security Assertion Markup Language (SAML) or OpenID Connect authentication protocol (OIDC), as the authentication protocol to communicate between the identity provider and the service provider, which in this case will be Amplience.
The authentication protocol you use will determine how Amplience will be configured with your identity provider. In all cases we will provide you with some information to set up Amplience with your identity provider, while you will provide us with information to authenticate your users. Some identity providers support both SAML and OIDC and in this case the protocol you choose will depend on your information security requirements.
Configuring an identity provider using SAMLLink copied!
To configure SSO with SAML you will need to do the following:
- Tell Amplience the domain you wish to use as part of your login URL:
- Provide Amplience with the login URL. This is the identity provider URL to which the user will be redirected when they login from the Amplience SSO landing page.
Set up an app in your identity providerLink copied!
The app you create in the identity provider will need to be configured with SAML metadata, including the following information provided to you by Amplience:
- Assertion customer service URL.
This the URL of the Amplience API endpoint where the identity provider should send the authenticated user's data.
- EntityID.
This URI is a unique identifier used for the connection between Amplience and the identity provider.
X.509 certificatesLink copied!
Requests and responses between Amplience and your identity provider are signed using X.509 certificates. We will send you the Amplience X.509 certificate and you need to send us your identity provider's X.509 certificate. Using certificates ensures that requests and responses can be verified as originating from Amplience or the identity provider, and that the data has not been modified in transit.
User identifierLink copied!
SAML allows you to include extra information in the request and Amplience requires that the user's email address is sent as a user identifier.
All the above can be exchanged in XML format.
Configuring an identity provider using OIDCLink copied!
To configure SSO with an OIDC identity provider you will need to do the following:
- Tell Amplience the domain you wish to use as part of your login URL:
Provide Amplience with the login URL. This is the identity provider URL to which the user should be redirected when they log in from the Amplience SSO landing page.
Set up an app in your identity provider. As part of this process you will generate a key and secret which should be sent to Amplience in a secure manner.
Adding a userLink copied!
While the identity provider lets you authenticate a user's credentials, that user will still need to be provided with access to Amplience. When you want to add a new user, contact your Customer Success Manager or raise a support ticket that includes the email address of the user to add. Once set up, the user will be able to log in to Amplience using their usual identity provider credentials.