Skip to main content

Data Privacy Platform AWS Deployment Guide

Optional - Configure Single Sign-On with SAML

The platform supports two different User Management modes:

  1. Internal (default). The platform manages the users credentials and their groups membership in its local database.

  2. Single Sign-On (SSO). The platform uses a 3rd party Identity Provider via the SAML2.0 protocol.

When using single sign-on, there are two parties, the platform as Service Provider (SP), and a third-party identity service as the Identity Provider (IDP).

Follow the following steps to configure SSO:

  1. Obtain the metadata file from the IDP service and upload it to an S3 bucket which can be read by the platform service. For example, a possible location could be the bucket where is to be uploaded (as specified by the CF parameter CdkInfrastructureZipBucket).

  2. Provide the following settings via CloudFormation parameters:




    Set this parameter to SSO_SAML to enable Single Sign On.


    This parameter should be set to the S3 location where the metadata file was uploaded in step 1.


    This parameter should contain the name of the group which maps on to superuser privilege.


    The name of the saml attribute representing a unique username that can be used by publisher to manage the user. The identity provider will give a saml assertion containing this attribute


    The name of the SAML attribute representing a display name for the user which is used as the user's name in the policy manager UI.


    A list of permissions groups to which the user belongs. These can be mapped on the Teams and Roles in the the platform UI.

    Note: The platform is case insensitive with regards to group names.

  3. Apply the changes to the Stack (see the Modify Stack Parameter section of this guide) and wait for the changes to be applied.

  4. Once the Privitar Policy Manager has started, download the Service Provider metadata file from the following address: https://<DeploymentID>.<HostedZoneName>/saml/metadata. Use this file to configure your IDP service.



The deployment automatically creates an RSA key pair required for signing and verifying SAML messages. This is stored in AWS Secrets Manager under the identifier privitar-sso-saml-default-key-pair-{deployment_id}.

If you wish to rotate the key pair, an administrator can delete the secret and re-run the deployment through the AWS CodePipeline screen by selecting Release Change. The deployment will generate a new RSA key pair. When the deployment is complete, you will need to reconfigure your IDP service with the new Service Provider metadata file. Be prepared for a period of downtime during these operations.