SAML Authentication setup

Setting up SAML (Security Assertion Markup Language) will allow your team members to quickly log in to the team CloudAMQP account using the credentials stored in your organization’s Identity Provider (IdP).

In the CloudAMQP Console, under Team Settings on the SAML tab, you will find the information needed for the setup and the place to upload your IdP metadata: https://customer.cloudamqp.com/team/saml

To enforce specific roles, your IdP must send an extra 84codes.roles attribute in the SAML response. You can see some examples on your SAML page above.

When SAML has been configured, the first login for any new accounts will have to be initiated from your IdP. You will not be able to sign in for the first time using the 'Sign in with SAML' on the CloudAMQP login page. Instead, you need to log in through the application created in your SAML provider.

This guide will provide step-by-step instructions on configuring SAML for the most popular IdPs:


Okta - SAML login on CloudAMQP

  1. Click Admin
  2. Switch to Classic UI in the top left dropdown
  3. Click Applications -> Add Application
  4. Click Create New App
  5. In the dialog that opens, select the SAML 2.0 option, then click the green Create button. Choose the option to create a New Application Integration
  6. In Step 1 General Settings, enter CloudAMQP SAML Application, as an example, in the App name field, then click the green Next button.
  7. In Step 2A SAML Settings, do the following.
    • In the Single sign on URL field, enter https://customer.cloudamqp.com/login/saml and check the box Use this for Recipient URL and Destination URL.
    • For Audience URI (SP Entity ID), go to https://customer.cloudamqp.com/team/saml and copy your SAML Audience URL/Audience URI/SP Entity ID/SAML Metadata to this field.
    • In the field Name ID format, pick EmailAddress from the drop-down list.
  8. If you wish to assign the users CloudAMQP roles in Okta, do the following.
    • Continuing in the SAML Settings screen from the previous step, in the Attribute statement section enter 84codes.roles under name and appuser.roles under value. Click Next and proceed with the following steps including step 12.
  9. In the step Feedback, select I'm an Okta customer adding an internal app, and This is an internal app that we have created, then click Finish.
  10. The IdP Metadata now has to be uploaded to https://customer.cloudamqp.com/team/saml.

    Download the file from Okta: under the menu option Applications, click on your recently created application and open the tab Sign On. From here you can download the file that you have to upload to CloudAMQP by clicking Identity provider Metadata.
  11. Depending on your setup, you might have to assign users to your new app. You can do this under Applications -> Applications. Click on your created app in the list, followed by the green button Assign, and assign the app to the users who should have access to it.
  12. If you wish to assign the users CloudAMQP roles or specific tags in Okta and have done the setup in step 8, do the following to define your CloudAMQP Team roles in Okta:
    • Go to the menu option Directory -> Profile Editor and find the app you just created. Click the Profile button to the right of the app.
    • In the Attributes screen that opens, click the Add Attribute button.
    • Enter the information as requested, making sure the variable name is roles, as it is used in the previous step (appname.roles). Under Attribute Members, enter the roles you wish to be able to choose from. The Value field contains the team's unique code followed by / and the role name or tag. The exact values to use are listed as examples in your CloudAMQP settings at: https://customer.cloudamqp.com/team/saml
    • Click Save
    • To assign the roles to your members, go to the menu option Applications -> Applications, click on your created app in the list and then the pen symbol next to a team member. From the drop-down, you should now be able to choose a role for this user.
    • Click Save

Azure Active Directory - SAML login on CloudAMQP

  1. Go to https://portal.azure.com > Enterprise applications > New application > Create new application > Non-gallery application
  2. Click New Application
  3. Click Non-gallery Application.
  4. Enter the name of your new app in the right-hand section, e.g. CloudAMQP, and click Add. The application is now created.
  5. Go back to Home - Enterprise Applications - All applications and search for your newly created app if you don't see it in the list. Click on the app to open it.
  6. Go to Single sign-on using the link on the left side.
  7. Click SAML
  8. Click the edit pen for Basic SAML Configuration
  9. Add Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) with the values you'll find at https://customer.cloudamqp.com/team/saml. NOTE: Leave the Sign on URL field BLANK. Click Save.
  10. Download the Federation Metadata XML and upload it at https://customer.cloudamqp.com/team/saml
  11. Add users and/or groups that should have access
  12. Enforce user roles via Azure SAML (optional)

    • Open the application, click single sign-on, and click the pen symbol at the User attributes and Claims section
    • Click Add new claim and enter the following

      Name: 84codes.roles

      Source: Transformation, this opens the option to select Transformation: Join().

      Parameter 1: Enter the key found at https://customer.cloudamqp.com/team/saml

      Separator: "/"

      Parameter 2: select user.jobtitle, or any field from the Azure user profile you wish to use to specify the CloudAMQP role to assign.

      Click Save
    • Go back to your application and click Users and Groups.

      Click on one of the users and, in the field corresponding to the one chosen in the previous step (in this case Job title), enter any of the roles specified at https://customer.cloudamqp.com/team/saml
    • Specify for each user what role they are to be assigned in CloudAMQP.

  13. Assign multiple roles via Azure SAML (optional)

    • Start by creating a separate Azure AD group per role/tag and assign it to users.
    • In your CloudAMQP Enterprise application, click Single sign-on and the pen symbol next to attributes and claims. In the claim, assign attribute user.assignedroles to 84codes.roles
    • Under app roles, create an app role per role/tag and assign each the corresponding value.
    • Initiate a SAML sign-on. Tags and roles should now be assigned as requested.

Google Workspace - SAML login on CloudAMQP

Set up SAML on Google Workspace.

  1. Using a Super Administrator account, navigate to Apps > Web and Mobile Apps.
  2. Select 'Add new App' - Add Custom SAML app.
  3. Give your new app a name and press 'Continue'.
  4. On the next screen, download IdP metadata. Once downloaded, upload this file to your CloudAMQP portal. In CloudAMQP, navigate to Team Settings > Team > SAML Configuration and upload the IdP metadata file.
  5. On the next screen in your Google Workspace setup, paste the SAML Consumer URL/ACS (Consumer) URL from your CloudAMQP console to the ACS URL field. For EntityID, paste the SAML Audience URL/Audience URI/SP Entity ID/SAML Metadata value. Select EMAIL as Name ID, and leave the rest as-is.
  6. Press Finish. Now assign the app to a user and they will be able to sign in. The first login will have to be performed from the Google Workspace app dashboard (nine-dot menu).
  7. If you wish to provision roles or tags to the users, you can create a custom attribute and bind it to 84codes.roles. Pass the Entity ID followed by the role, e.g. xxxx-xxxx-xxxx-xxxx-xxxx/monitor. You can find your Entity ID on the CloudAMQP SAML Configuration page.
  8. If you need assistance or have any questions, you can get in touch with support through support@cloudamqp.com
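
A check that applies to any of the three IdP setups above, added here as an example and not CloudAMQP's own code: it lints a decoded SAML response against the values this guide configures (single sign-on URL as Destination and Recipient, EmailAddress Name ID, audience, and the team code/role form of 84codes.roles). The team code, SP Entity ID and sample response are constructed placeholders, and the script checks configuration only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://customer.cloudamqp.com/login/saml"  # single sign-on URL from this guide
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TEAM = "xxxx-xxxx-xxxx-xxxx-xxxx"          # placeholder team code
SP_ENTITY_ID = "SP-ENTITY-ID-PLACEHOLDER"  # placeholder; copy yours from the SAML page

def lint_response(xml_text, audience, team_code):
    """List configuration problems in a decoded SAML response (no signature check)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the CloudAMQP ACS URL")
    scd = root.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient is not the CloudAMQP ACS URL")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    if audience not in [e.text for e in root.findall(".//a:Audience", NS)]:
        problems.append("Audience does not match the SP Entity ID")
    # Each role value must be "<team code>/<role or tag>".
    for attr in root.findall(".//a:Attribute[@Name='84codes.roles']", NS):
        for value in attr.findall("a:AttributeValue", NS):
            code, sep, role = (value.text or "").partition("/")
            if code != team_code or not sep or not role.strip():
                problems.append(f"bad 84codes.roles value: {value.text!r}")
    return problems

def sample(role_value, name_format=EMAIL_FORMAT, audience=SP_ENTITY_ID):
    """Build a constructed, unsigned response for the checks above."""
    return f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{ACS_URL}">
 <a:Assertion><a:Subject>
   <a:NameID Format="{name_format}">user@example.com</a:NameID>
   <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS_URL}"/></a:SubjectConfirmation>
  </a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience></a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="84codes.roles">
   <a:AttributeValue>{role_value}</a:AttributeValue></a:Attribute></a:AttributeStatement>
 </a:Assertion>
</p:Response>"""

if __name__ == "__main__":
    print(lint_response(sample(f"{TEAM}/monitor"), SP_ENTITY_ID, TEAM))
    print(lint_response(sample("monitor"), SP_ENTITY_ID, TEAM))
```

To use it on a real login, paste the base64-decoded SAMLResponse captured from your own browser session in place of the constructed sample, and pass your own team code and SP Entity ID.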