Configure single sign-on with Active Directory Federation Services as identity provider
Administrator role in Active Directory Federation Services required. Promaster privilege in Nintex Process Manager required. A Promaster is a Nintex Promapp system administrator who administers a Nintex Promapp site and has rights to view and edit all areas of a Nintex Promapp site.
You can configure Single Sign-On (SSO) in your Nintex Process Manager site with Active Directory Federation Services (ADFS) to enable users to securely and conveniently sign in to Nintex Process Manager using the same credentials.
Prerequisites
You must have the following prerequisites configured before you start:
- Install and configure a server that runs ADFS and connects to the Active Directory. For more information, see the AD FS Deployment Guide.
- Have a Nintex Process Manager site user with Promaster privileges. For more information, see Managing users in Nintex Process Manager.
- Ensure that all Logon field values in Nintex Process Manager (Admin > Configure > Users) are mapped to the fully qualified account names in your Active Directory. The User Principal Name/NameID claim type will be mapped directly to a Nintex Process Manager user Logon field. If no match is found, the user will receive an unauthorised message from Nintex Process Manager.
Once you have the prerequisites configured, follow the details in the sections below.
Note: This topic uses images from AD FS Management version 10.0.0.0. There might be slight differences in the user interface, terminology used, and steps depending on your version.
Configure SSO in AD FS and Nintex Process Manager
Follow these steps to configure settings in AD FS and Nintex Process Manager for enabling SSO.
- For customers in Australia and New Zealand, https://au.promapp.com/<sitename> is the preferred URL to access your Nintex Process Manager site.
- If you are using https://go.promapp.com/<sitename> as your main URL, you must add both https://go.promapp.com/<sitename> and https://au.promapp.com/<sitename> in Step 1.10 and Step 1.16c described below.
Administrator role in Active Directory Federation Services required.
- Log in to the AD FS server using an Administrator account.
- Open the AD FS Management console.
- In the left pane, click Relying Party Trusts.
- In the Actions pane on the right, click Add Relying Party Trust. The Add Relying Party Trust Wizard displays with the Steps on the left pane.
- In the Welcome to the Add Relying Party Trust Wizard page, click Start.
- Select Data Source: Select the Enter data about the relying party manually option, and then click Next.
- Specify Display Name: Enter a Display name, add Notes for more details if required, and then click Next.
- Configure Certificate: Do not select an encryption certificate. Click Next. Nintex Process Manager uses the Token Signing Certificate created for the service.
Caution: Selecting a certificate here will prevent proper communication with Nintex Process Manager.
- Configure URL: Do not enable any settings in the Configure URL page. Click Next.
- Configure Identifiers: Enter the full URL of your Nintex Process Manager site as the Relying party trust identifier in the following format: https://<au/us/ca/eu>.promapp.com/<site_name>/.
For example: If your Nintex Process Manager site name is demosso in au region, you must enter: https://au.promapp.com/demosso/.
Caution: AD FS is case-sensitive and this identifier must be all lower-case and include the trailing slash (/).
Important:
- For customers in Australia and New Zealand, https://au.promapp.com/<sitename> is the preferred URL to access your Nintex Process Manager site.
- If you are using https://go.promapp.com/<sitename> as your main URL, you must add both https://go.promapp.com/demosso/ and https://au.promapp.com/demosso/.
- Click Add and then click Next.
- Choose Access Control Policy: Select Permit everyone. Click Next.
- Ready to Add Trust: There is no action required. Click Next.
- On the Finish page, clear the Configure claims issuance policy for this application check box. Click Close.
The Relying Party Trusts pane will display the details you created for Nintex Process Manager.
- Right-click on the Relying Party you created for Nintex Process Manager and select Properties.
- Click on the Endpoints tab and click Add SAML.
In the Add an endpoint dialog box:
- From the Endpoint type drop-down list, select SAML Assertion Consumer.
- From the Binding drop-down list, select POST.
- For the Trusted URL field, enter https://<au/us/ca/eu>.promapp.com/<sitename>/saml/authenticate.aspx.
For example: If your Nintex Process Manager site name is demosso in us region, you must enter: https://us.promapp.com/demosso/saml/authenticate.aspx.
Caution: AD FS is case-sensitive and this URL must be all lower-case.
Important:
- For customers in Australia and New Zealand, https://au.promapp.com/<sitename> is the preferred URL to access your Nintex Process Manager site.
- If you are using https://go.promapp.com/<sitename> as your main URL, you must add both https://go.promapp.com/demosso/saml/authenticate.aspx and https://au.promapp.com/demosso/saml/authenticate.aspx.
- Click OK.
- Click OK. The Relying Party Trusts configuration for Nintex Process Manager is completed. Next, follow the steps to configure AD FS Relying Party Claim Rules.
Administrator role in Active Directory Federation Services required.
- Log onto the AD FS server using an Administrator account.
- Open the AD FS Management console.
- Right-click on the Nintex Process Manager Relying Party and select Edit Claim Issuance Policy.
- In the Issuance Transform Rules tab, click Add Rule. The Add Transform Claim Rule Wizard displays.
- On the Choose Rule Type page, select Send LDAP Attributes as Claims. Click Next.
- On the Configure Claim Rule page, type the name of the claim rule in the Claim rule name field. For example: "Get LDAP Attributes".
- From the Attribute Store drop-down list, select Active Directory.
- In the Mapping of LDAP attributes to outgoing claim types table, select the following values from the drop-down list:
LDAP Attribute | Outgoing Claim Type
User-Principal-Name | Name ID
E-Mail-Addresses | E-mail Address
Given-Name | Given Name
Surname | Surname
Caution: Select the values from the drop-down list and DO NOT enter values manually.
- Click Finish and then click Apply or OK. Next, follow the steps to export the token signing certificate.
Administrator role in Active Directory Federation Services required.
- Log onto the AD FS server using an Administrator account.
- Open the AD FS Management Console.
- In the left pane, expand Service.
- In the Actions pane on the right, click Edit Federation Service Properties.
- In the Federation Service Properties dialog box, confirm that the General settings match your DNS entries and certificate names. Click OK.
- In the left pane, click Service > Endpoints.
- Take note of the Token Issuance endpoint with the type SAML 2.0/WS-Federation (typically /adfs/ls/). This endpoint URL will be used as the SSO Login Url by Nintex Process Manager for Service Provider initiated login. The fully qualified URL that you store in Nintex Process Manager should look similar to the following: https://adfs.demosso.com/adfs/ls/.
Caution: The slash (/) at the end MUST be included.
- In the left pane, click Service > Certificates.
- Under Token signing, click the primary token certificate as indicated in the Primary column.
- In the right pane, click View Certificate. This displays the properties of the certificate.
- Click the Details tab.
- Click Copy to File. The Certificate Export Wizard displays.
- On the Welcome to the Certificate Export Wizard page, click Next.
- On the Export Private Key page, click No, do not export the private key, and then click Next.
- On the Export File Format page, select Base-64 encoded X.509 (.CER), and then click Next. This certificate is required to configure the Nintex Process Manager SSO settings. Open this file using Notepad and copy all text between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.
- On the File to Export page, type the name and location of the file that you want to export, and then click Next. For example: enter C:\ADFS.cer.
- On the Completing the Certificate Export Wizard page, click Finish.
- Click OK.
- Click OK. Next, configure the SSO settings in your Nintex Process Manager site.
Promaster privilege is required. A Promaster is a Nintex Promapp system administrator who administers a Nintex Promapp site and has rights to view and edit all areas of a Nintex Promapp site.
Follow these steps to configure the SSO settings in your Nintex Process Manager site:
- Sign in to your Nintex Process Manager site.
- Go to Admin > Configure > Security.
- In the SSO - Single Sign-on Mode field, click and select Optional from the drop-down list. Setting it as Optional allows you to test both the Identity Provider login and Nintex Process Manager login independently to ensure both are working. Once set to Required it is much more difficult to troubleshoot problems if login does not work as expected.
- In the SSO - Login Url field, click . Paste the Login URL you noted in Step 7 of Step 3: Export the token signing certificate.
- In the SSO - x.509 Certificate field, click . Paste the Certificate (Base64) details you copied in Step 10e of Step 3: Export the token signing certificate.
- Enabling the Sync user details with SSO provider setting allows users in your Entra ID to log in to the configured Nintex Process Manager site for the first time; a “User” is automatically created in Nintex Process Manager if the record does not exist.
- If Sync user details with SSO provider is disabled, the Promaster must create the user in Nintex Process Manager.
- The Logon field for the User record in Nintex Process Manager must match the User Principal Name in the Entra ID.
- Update Nintex Process Manager user names in bulk (if required) by exporting the user details, changing them in the .csv file and importing again. For more information, see import users.
- Once you have configured the SSO settings for your Nintex Process Manager site, ensure you test the connection.
- Open your preferred browser and browse to the URL for your AD FS server (this is the URL in Admin > Configure > Security > SSO - login URL), for example: https://fs.acme.com/adfs/ls/idpinitiatedsignon.aspx. This opens a generic page with a drop-down list of all Relying Party Trusts configured.
- Select the Nintex Process Manager relying party as the application you wish to log into and click on Continue to Sign In.
- Enter your Active Directory username and password when prompted. Click OK and you will be redirected to your Nintex Process Manager site and logged in.
Tip: Alternatively, you can create a direct link so users do not need to select from a drop-down list. This URL is your SSO - login URL + '?logintoRP={Promapp Site}'.
For example: https://fs.acme.com/adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://<au/us/ca/eu>.promapp.com/acme.
AD FS SSO FAQs
The identifiers specified for the relying party trust must exactly match the issuer token provided by Nintex Process Manager in the SAML Request. This issuer token is your Nintex Process Manager site URL and may contain a trailing slash (/). AD FS allows you to specify multiple identifiers for a Relying Party Trust. We recommend adding both variations of your site URL.
Events logged by AD FS 2.0 are available in the application event log and viewable in event viewer under Applications and Services Logs\AD FS 2.0\Admin.
Trace logs can also be viewed in the event viewer under Applications and Services Logs\AD FS 2.0 Tracing\Debug. By default this log may not be enabled. To enable this log, follow the steps described below:
Note: This requires a service restart for the trace's changes to take effect.
- To enable Verbose logging, run the following from the command line before the trace log is enabled: wevtutil.exe sl "AD FS 2.0 Tracing/Debug" /l:5
- In the event viewer right click Applications and Services Logs and select View and Show Analytic and Debug Logs option. After this is done, the AD FS 2.0 Tracing node is displayed.
- Right click the Debug node and select the Enable Log option.
- We recommend restarting the AD FS 2.0 Windows Service at this point.
When Nintex Process Manager redirects users to AD FS for login, it sends a SAMLRequest parameter in the HTTP-Redirect. This parameter contains a compressed and Base64-encoded SAML Authentication Request message. The message contains details of the service provider that is requesting authentication. AD FS checks that the details provided match one of the configured Relying Party Trusts before continuing. If the details do not match, authentication fails. It is sometimes helpful to decode this message to see if there is any mismatched information. To decode the request, use Fiddler or the browser developer tools to access the HTTP Redirect parameters and decode the SAMLRequest parameter using the online SAML Developer Tools.
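The request can also be decoded locally, so the authentication request never leaves your workstation. The following is an added example, not part of the Nintex documentation: it decodes the SAMLRequest from a captured redirect URL and reports whether the issuer differs from your relying party trust identifiers only by case or by the trailing slash. The function names and the sample request are constructed for illustration; a real request from Nintex Process Manager may carry different attributes.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_request(redirect_url):
    """Return (issuer, acs_url) from the SAMLRequest parameter of a redirect URL."""
    value = parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0]
    xml = zlib.decompress(base64.b64decode(value), -15)  # raw DEFLATE, no header
    root = ET.fromstring(xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    return issuer, root.get("AssertionConsumerServiceURL")

def check_against_trust(issuer, identifiers):
    """Say how the issuer compares with the relying party trust identifiers."""
    if issuer in identifiers:
        return "match"
    for ident in identifiers:
        if issuer.rstrip("/") == ident.rstrip("/"):
            return "trailing-slash mismatch with " + ident
        if issuer.lower().rstrip("/") == ident.lower().rstrip("/"):
            return "case mismatch with " + ident
    return "no matching identifier"

def constructed_redirect(issuer):
    """Build a sample redirect URL. Constructed data, not a real capture."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="{samlp}" xmlns:saml="{saml}" '
           'ID="_constructed" Version="2.0" AssertionConsumerServiceURL='
           '"https://au.promapp.com/demosso/saml/authenticate.aspx">'
           '<saml:Issuer>{iss}</saml:Issuer></samlp:AuthnRequest>'
           ).format(iss=issuer, **NS)
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return "https://adfs.demosso.com/adfs/ls/?" + query

if __name__ == "__main__":
    trust = ["https://au.promapp.com/demosso/"]  # identifier entered in AD FS
    for iss in ("https://au.promapp.com/demosso/", "https://au.promapp.com/demosso"):
        issuer, acs = decode_saml_request(constructed_redirect(iss))
        print(issuer, "|", acs, "|", check_against_trust(issuer, trust))
```

To check a real login attempt, pass the full redirect URL copied from Fiddler or the browser developer tools to decode_saml_request and compare the result with the identifiers listed on the relying party trust.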
Troubleshooting
For more information and troubleshooting for SSO using AD FS, see: