Configure single sign-on with Azure Active Directory

Global Administrator role in Azure Active Directory is required.

You can configure identity federation in your Nintex Workflow Cloud tenant using Azure Active Directory, which has single sign-on Enables users to access multiple applications using one set of credentials. by default.

With single sign-on enabled, users can securely and conveniently sign in to Nintex Workflow Cloud with their Azure Active Directory accounts.

Note:

Enabling single sign-on in your tenancy will also enable single sign-on in any other Nintex Workflow Cloud tenancies associated with the federated email domain. For example, both sales.workflowcloud.com and hr.workflowcloud.com will be enabled with single sign-on if you federate using Azure Active Directory.
If you want to configure single sign-on using SAML protocol, see Configure single sign-on using SAML protocol.

Prerequisites for Azure Active Directory identity federation

To connect Azure Active Directory and Nintex Workflow Cloud, Azure Active Directory requires that a global administrator provides consent on behalf of the organization to connect their system to Nintex.
The Nintex Workflow Cloud user email address and the Azure Active Directory global administrator email address must be the same in order to provide continuity between both systems.

Note: For users to receive emails from Nintex Workflow Cloud, a valid email address must be provided. If the email attribute of a user account is not set, the UPN attribute of the user account must have a value, which must be a valid email address.

Configure Azure Active Directory identity federation

The following steps establish a connection between the specified Nintex Workflow Cloud domain and an Azure Active Directory domain. If the Azure Active Directory has more than one email domain, you can add additional domains from the Domain management page.

In Nintex Workflow Cloud:

Access the User management page:
1. Click Settings.
2. Click User management.
Under Identity federation, click Configure.

The setup wizard appears.

Select Azure Active Directory as the identity provider.
Click Next.

To start the consent flow between the Nintex Identity Management Service Nintex service which facilities single-sign on capabilities across the Nintex platform, meaning users have one username and password to access multiple Nintex products. and Azure Active Directory click Initiate connection.
You are prompted to log into your Azure Active Directory. You are redirected to an Azure Active Directory screen and prompted to give consent for the Nintex Authentication Platform to:

Read directory data
Sign in and read user profiles

Click Accept.

If the connection request is successful, users of Nintex Workflow Cloud tenancies associated with the federated email domain can use their Azure Active Directory credentials to sign-in and authenticate. You can now invite additional users in the Azure Active Directory into the tenancy from the User management page.

Identity federation setup wizard elements and description

Page

Section

User interface element

Description

Identity provider type

Warning message

A warning message appears, listing the tenants that are associated with your tenant.

Note:

Enabling single sign-on in your tenant will also enable single sign-on in associated Nintex Workflow Cloud tenants. For example, both sales-myorg.workflowcloud.com and hr-myorg.workflowcloud.com will be enabled with single sign-on if you configure SAML in either of them.

Select single sign-on (SSO) type

Select the means to enable SSO in your Nintex Workflow Cloud tenant.

Azure Active Directory: Enable users to single sign-on using their Azure Active Directory accounts. If you select Azure Active Directory, you are immediately taken to the final page as you don't have to configure the connection. For more information, see Configure single sign-on with Azure Active Directory.
SAML: Enable SSO using SAML protocol in your preferred identity provider. For more information, see Configure single sign-on using SAML protocol.

Verify Domain
(This page displays only when you select SAML for Single sign-on (SSO) type)

DNS record

The code to use as a value in your DNS record. For the domain verification steps, see Verify a domain for SAML configuration.

Caution: As part of the prerequisites to Federation configuration, you must first verify ownership over a domain that you're going to use for SAML configuration. If you have not verified your domain or while your DNS is still processing the verification, you can continue configuring SAML in Nintex Workflow Cloud but you cannot submit your SAML configuration.

(Copy)

Click to copy the code.

Configure Identity Provider
(This page displays only when you select SAML for Single sign-on (SSO) type)

Choose Identity Provider

Identity provider

Displays the list of identity providers you can use for your tenant's identity federation.

Service Provider data

(Appears after you select an identity provider)

In the context of our SAML configuration, the service provider is Nintex Workflow Cloud. Depending on the identity provider you choose, the SAML terminologies displayed in this section correspond with what your identity provider uses.

SAML terminologies used in identity providers

Generic term	Terminologies used in identity providers
Generic term	Okta	PingOne	OneLogin	Google Suite	Active Directory Federation Services	Azure Active Directory
Entity ID A globally unique identifier of an entity, which in our case is the Nintex Workflow Cloud tenant to be configured with SAML.	Audience URI (SP Entity ID)	Entity ID	Audience	Entity ID	Relying party trust identifier	Identifier (Entity ID)
ACS URL or Assertion Consumer Service URL A specific URL where SAML assertions are sent to the application (such as Nintex Workflow Cloud) from the identity provider.	Single sign on URL	ACS URLS	ACS (Consumer) URL	ACS URL	Relying party SAML 2.0 SSO service URL	Reply URL (Assertion Consumer Service URL)
Metadata An XML document that contains information about a SAML deployment. URL	A link is provided to retrieve the URL.	IDP Metadata URL A downloadable metadata file is also available.	Issuer URL	A downloadable metadata file is provided.	Federation Service identifier	App Federation Metadata Url

Attributes

Set of identity data about a user. In configuring SAML in Nintex Workflow Cloud, only three attributes are requested from the identity provider:

First name
Last name
Email

(Copy)

Click to copy the values in the fields.

Connect
(This page displays only when you select SAML for Single sign-on (SSO) type)

URL

Location of the SAML metadata An XML document that contains information about a SAML deployment..

Upload metadata

The SAML metadata file.

Complete

<Date>

(Only displayed for SAML)

Expiry date of the certificate.

(Only displayed for SAML)

Email address to receive reminder when certificate is soon to expire.

One-Time Password (OTP) URL

<URL>

The One-Time Password (OTP) URL is used for troubleshooting purposes when configuration fails and you are locked out of your tenant.

Follow these steps to access your tenant when you cannot sign in due to a failed configuration of SAML:

To copy the One-time password URL, click (Copy) next to the One-time password URL field.
Open a new tab on your web browser, paste the copied URL and press ENTER.

The Sign in page of Nintex Workflow Cloud appears.

Enter your email address, and click Submit.

For verification, a one-time password is sent to your email address.

Note: The one-time password expires after five minutes.

Enter the one-time password you received, and click Sign in.

You can access your Nintex Workflow Cloud tenant and resume configuring your identity federation.