SAML Authentication setup
Setting up SAML (Security Assertion Markup Language) will allow your team members to quickly log in to the team CloudAMQP account using the credentials stored in your organization’s Identity Provider (IdP).
In the CloudAMQP Console, under Team Settings and the SAML tab (https://customer.cloudamqp.com/team/saml), you will find the information needed for the setup and the place to upload your IdP metadata.
To enforce specific roles, your IdP must send an extra 84codes.roles attribute in the SAML response. You can see some examples on your SAML page linked above.
When SAML has been configured, the first login for any new account has to be initiated from your IdP. You cannot sign in for the first time using 'Sign in with SAML' on the CloudAMQP login page; instead, log in through the application created in your SAML provider.
This guide will provide step-by-step instructions on configuring SAML for the most popular IdPs:
Okta - SAML login on CloudAMQP
- Navigate to the admin portal. In the Applications view, click Create App Integration.
- In the dialog that opens, select the SAML 2.0 option, then click Next.
- In Step 1, General Settings, enter a name such as Cloudamqp in the App name field, then click the green Next button.
- In Step 2A, SAML Settings, do the following:
  - In the Single sign on URL field, enter https://customer.cloudamqp.com/login/saml and check the box Use this for Recipient URL and Destination URL.
  - For Audience URI (SP Entity ID), go to https://customer.cloudamqp.com/team/saml and copy your SAML Audience URL/Audience URI/SP Entity ID/SAML Metadata value into this field.
  - In the Name ID format field, pick EmailAddress from the drop-down list.
- If you wish to assign the users CloudAMQP roles in Okta, do the following:
  - Continue down to the Attribute Statement section and enter 84codes.roles under Name and appuser.roles under Value. Click Next and proceed with the following steps, including step 12.
- In the Feedback step, select I'm an Okta customer adding an internal app and This is an internal app that we have created, then click Finish.
- The IdP metadata now has to be uploaded to https://customer.cloudamqp.com/team/saml. Download the file from Okta: under the menu option Applications, click on your recently created application and then the Sign On tab. From here you can download the file that you have to upload to CloudAMQP by clicking Metadata URL and saving the file as XML.
- Depending on your setup, you might have to assign users to your new app. You can do this under Applications -> Applications. Click on your created app in the list, followed by the green Assign button, and assign the users who should have access to the app.
- If you wish to assign the users CloudAMQP roles or specific tags in Okta and have done the setup in step 8, do the following to define your CloudAMQP Team roles in Okta:
Azure Active Directory - SAML login on CloudAMQP
- Go to https://portal.azure.com > Enterprise applications > New application > Create new application > Non-gallery application.
- Click New Application.
- Click Non-gallery Application. Enter the name of your new app in the right-hand section, e.g. CloudAMQP, and click Add. The application is now created.
- Go back to Home - Enterprise Applications - All applications and search for your newly created app if you don't see it in the list. Click on the app to open it.
- Go to Single sign-on using the link on the left side.
- Click SAML.
- Click the edit pen for Basic SAML Configuration.
- Add Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) with the values you'll find at https://customer.cloudamqp.com/team/saml. NOTE: Leave the Sign on URL field BLANK. Click Save.
- Download the Federation Metadata XML and upload it at https://customer.cloudamqp.com/team/saml.
- Add users and/or groups that should have access.
- Enforce user roles via Azure SAML (optional):
  - Open the application, click Single sign-on, and click the pen symbol at the User attributes and Claims section.
  - Click Add new claim and enter the following:
    Name: 84codes.roles
    Source: Transformation. This opens the option to select Transformation: Join().
    Parameter 1: Enter the key found at https://customer.cloudamqp.com/team/saml
    Separator: "/"
    Parameter 2: Select user.jobtitle, or any field from the Azure user profile you wish to use to specify the CloudAMQP role to assign.
    Click Save.
  - Go back to your application and click Users and Groups. Click on one of the users and, in the field corresponding to the one chosen in the previous step (in this case Job title), enter any of the roles specified at https://customer.cloudamqp.com/team/saml. Specify for each user which role they are to be assigned in CloudAMQP.
- Assign multiple roles via Azure SAML (optional):
  - Start by creating a separate Azure AD group per role/tag and assign the groups to users.
  - In your CloudAMQP Enterprise application, click Single sign-on and the pen symbol next to Attributes and Claims. In the claim, assign the attribute user.assignedroles to 84codes.roles.
  - Under App roles, create an app role per role/tag and give each the corresponding value.
  - Initiate a SAML sign-on. Tags and roles should now be assigned as requested.
Google Workspace - SAML login on CloudAMQP
Set up SAML on Google Workspace.
- Using a Super Administrator account, navigate to Apps > Web and Mobile Apps.
- Select 'Add new App' > Add Custom SAML app.
- Give your new app a name and press 'Continue'.
- On the next screen, download the IdP metadata. Once downloaded, upload this file to your CloudAMQP portal: in CloudAMQP, navigate to Team Settings > Team > SAML Configuration and upload the IdP metadata file.
- On the next screen in your Google Workspace setup, paste the SAML Consumer URL/ACS (Consumer) URL from your CloudAMQP console into the ACS URL field. For Entity ID, paste the SAML Audience URL/Audience URI/SP Entity ID/SAML Metadata value. Select EMAIL as Name ID and leave the rest as-is.
- Press Finish. Now assign the app to a user and they will be able to sign in. The first login has to be performed from the Google Workspace app dashboard (the nine-dot menu).
- If you wish to provision roles or tags to the users, you can create a custom attribute and bind it to 84codes.roles. Pass the Entity ID followed by the role, e.g. xxxx-xxxx-xxxx-xxxx-xxxx/monitor. You can find your Entity ID on the CloudAMQP SAML Configuration page.
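As an added illustration (not CloudAMQP's or any IdP's code), the following Python shows how the 84codes.roles attribute described in the Azure and Google Workspace sections above appears inside a SAML assertion, and how a relying party could accept only the values that carry its own Entity ID in the `<Entity ID>/<role>` form. The assertion, the email address and the Entity ID are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the identifiers used on this page.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLES_ATTR = "84codes.roles"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample. The Entity ID is a placeholder, not a real team key,
# and the role values follow the "<Entity ID>/<role>" form used for role claims.
ENTITY_ID = "xxxx-xxxx-xxxx-xxxx-xxxx"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject>
    <saml:NameID Format="{NAMEID_EMAIL}">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLES_ATTR}">
      <saml:AttributeValue>{ENTITY_ID}/monitor</saml:AttributeValue>
      <saml:AttributeValue>{ENTITY_ID}/billing</saml:AttributeValue>
      <saml:AttributeValue>other-team-key/admin</saml:AttributeValue>
      <saml:AttributeValue>monitor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_roles(assertion_xml: str, entity_id: str) -> tuple[str, list[str], list[str]]:
    """Return (email, accepted_roles, rejected_values) from an assertion.

    Only "<entity_id>/<role>" values for our own Entity ID are accepted; values
    for another key or without the prefix are returned so they can be logged.
    This runs on an already signature-verified assertion; parsing is not that check.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL:
        raise ValueError("NameID missing or not in EmailAddress format")
    accepted, rejected = [], []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLES_ATTR:
            continue  # other attributes are not role claims
        for value in attr.findall("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            prefix, sep, role = text.partition("/")
            if sep and prefix == entity_id and role:
                accepted.append(role)
            else:
                rejected.append(text)
    return (name_id.text or "").strip(), accepted, rejected
```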
If you need assistance or have any questions, you can get in touch with support at support@cloudamqp.com.