Amplify offers three types of user authentication mechanisms:
Configuring Password Policy
Amplify allows you to configure password policies that define what type of characters are allowed and how long your users' passwords must be.
If single sign-on is used to authenticate users at your site, you can still allow users to login via Amplify by enabling the setting Allow login via Amplify when SAML is enabled for each user profile.
Use the Authentication tab under the Administration section to dictate password complexity and a minimum length as well as choose how users receive/set their first password.
Single Sign-On (SAML)
Here, you can configure single-sign-on support using the SAML protocol. The Authentication tab can be found under the Administration section in Amplify.
- Create a user if the user does not exist - This controls whether users should be automatically created in Amplify the first time they attempt to log in. Turn this off if you would like to limit who can log into Amplify.
- Update the user's attributes after successful login - This updates the user's name if it changes in the SAML provider.
SAML Provider Settings
Click Edit Provider to view the settings for the SAML provider.
- Status - The status of the SAML provider.
- If Disabled, it is unused.
- If in Test Mode, end-users won't see the SAML sign-in button on the login screen, but the configuration can be tested to ensure all is correct before enabling it completely.
- If Enabled, users will see the SAML sign-in button on the login screen. This is unavailable unless Test Mode has been activated.
- Name - Give your SAML provider a useful name. This will be shown to users on the login screen.
- Provider Information - Many SAML providers give you a metadata file in XML format that contains all of the required settings. If you have this file or a publicly accessible link to it, enter that here, and it will pre-fill the settings. If you want to view these settings or enter them manually, click the Advanced toggle.
- IDP Entity ID - The entity ID of the SAML provider. This is commonly in a URL format.
- Login URL - The URL to which Amplify will redirect users when signing in
- Logout URL - The URL to which Amplify will redirect users when signing out
- SAML Signing Certificate - The certificate used to encrypt communications to the SAML provider. This should be in X509 format.
Amplify requires that attributes for email and name be provided.
- For the "email" attribute, use the attribute name
- For the "name" attribute, use the attribute name:
When in Test Mode, Amplify will listen for sign-in attempts and verify that it receives the correct attributes. This happens automatically, and no page refresh is required.
To begin testing, enter the settings as above and change the status to Test Mode. Click Save. Amplify then begins listening for sign-in requests.
In Amplify, a link is displayed above the attributes table.
Copy this link, then open a different browser or a private browsing window and paste in the URL. This must be a different browser or private tab because the browser you are currently using contains a pre-existing sign-in cookie. If all is configured correctly, this should redirect you to your SAML provider, allowing you to sign in.
If the SAML provider gives the right attributes, the validation table will update to include green check marks next to the attributes given. Note, Amplify will continue to listen for sign-in requests for as long as this page is open in your browser.
It also shows a section called Last Sign-in Attributes which lists all of the attributes your SAML provider is giving Amplify.
This is useful when debugging an invalid response.
When testing is successful, you may now set the status to Enabled. When doing so, a new checkbox will appear at the bottom of the form, called Prevent existing users from logging in locally. If checked, it will ensure that existing users (if there are any) will not be allowed to log in with their Amplify email and password. Instead, they will be required to log in via SAML at all times.
Users will now see the "Log in with ..." button on the login screen.