Configure SAML with Azure Active Directory as identity provider

  An administrator role is required. For information, see User roles.

On this page:

You can use Security Assertion Markup Language An industry standard for exchanging authentication data between an identity provider and an application or service provider (that's Nintex Automation Cloud) (SAML) 2.0 protocol to enable single sign-on Enables users to access multiple applications using one set of credentials. in your Nintex Automation Cloud tenant with Azure Active Directory.

The objectives of configuring SAML in Nintex Automation Cloud include:

  • Set up SAML in Nintex Automation Cloud and Azure Active Directory at the same time.
  • You must refer to Azure Active Directory's documentation for their steps on how to add a SAML application (such as Nintex Automation Cloud).
  • Make sure to add users in your directory in Azure Active Directory. Typically, a user directory should already exist for your organization.
  • Identify the SAML-related terminologies used between Nintex Automation Cloud and Azure Active Directory so that you can set the appropriate values in specific fields during configuration. SAML-related terminologies include the following:
    • Entity ID: A globally unique identifier of an entity, which in our case is the Nintex Automation Cloud tenant to be configured with SAML.

Before you begin

Before configuring SAML in Nintex Automation Cloud, make sure you have the following:

  • A domain which you intend to federate with Nintex Automation Cloud. Example: YourDomain.com. Before you can use a domain to associate with your Nintex Automation Cloud tenant, you must first verify ownership of the domain.
  • An email address with an administrator role in the Nintex Automation Cloud tenant that you're going to configure with SAML. For example, admin@YourDomain.com.
  • An email address with an administrator role in Azure Active Directory.
Note: 

Enabling single sign-on in your tenant will also enable single sign-on in associated Nintex Automation Cloud tenants. For example, both sales-myorg.workflowcloud.com and hr-myorg.workflowcloud.com will be enabled with single sign-on if you configure SAML in either of them.

1. Verify your domain in your Nintex Automation Cloud tenant
  1. Sign in to Nintex Automation Cloud using an email address with an administrator permission.
  2. From the main menu on the upper right, click Settings.
  3. From the left menu, click User Management.

    4. A new page appears showing the configuration fields for identity federation and user management.

  4. In the Identity federation section, click Configure.

    5. The setup wizard appears.

    Tip: The initial page of the setup wizard includes a warning message that lists the Nintex Automation Cloud tenants associated with the tenant you're going to configure with SAML. Click View more to see the list of tenants.

  5. Select SAML.

  6. Click Next.

    7. The Verify Domain page appears where the domain verification code is displayed.

    Verify Domain page

  7. Verify your domain by using the verification code and adding a DNS record. For complete steps on verifying your domain, see Verify a domain for SAML configuration.

    8. Caution: As part of the prerequisites to Federation configuration, you must first verify ownership over a domain that you're going to use for SAML configuration. If you have not verified your domain or while your DNS is still processing the verification, you can continue configuring SAML in Nintex Automation Cloud but you cannot submit your SAML configuration.

2. Get the Identity Provider data from Nintex Automation Cloud

Note: Make sure your domain is verified successfully.

  1. Go back to Nintex Automation Cloud.
  2. In the Verify Domain page of the setup wizard, click Next.
  3. In the Configure Identity Provider page, select Other as the identity provider.

    4. Additional fields appear for the following:

    • Entity ID
    • ACS URL
    • Attribute Statement
      • Configure Identity Provider page of the Nintex Workflow Cloud Setup Wizard

    Note: You will later need to copy and insert these values in specific fields in Azure Active Directory.

  4. Keep your Nintex Automation Cloud browser open and go to Azure Active Directory.

For detailed information on each field that appears on the setup wizard, see Identity federation setup wizard elements and description.

3. Create a Nintex Automation Cloud application in Azure Active Directory

Note: Prepare the Service Provider data (Entity ID and ACS URL) and Attribute Statement values (First Name, Last Name, and Email), which you noted in the previous step. You will need to copy the data and paste them into specific fields in Azure Active Directory.

  1. Sign in to the Azure portal as an administrator and navigate to the Azure Active Directory service.

    The Azure Active Directory Overview page appears.

  2. Create a new enterprise application.

    1. On the left navigation, navigate to the Manage section, and then click Enterprise applications.

    2. On the top of the screen, click New applicationCreate your own application.

    3. In the Create your own application dialog box, type the name of the application.

    4. From the list of reasons for creating the application, select Integrate any other application you don't find in the gallery.

    5. Click Create.

  3. Configure the application settings.

    1. On the left navigation, navigate to the Manage section, and then click Properties.

    2. Switch the User assignment required toggle to No.

      Note: 

      • We recommend clicking No so that any user in Azure Active Directory is able to authenticate as participants in Nintex Automation Cloud.

      • If you click Yes, the Azure Active Directory Admin needs to assign users to the SAML application before users can access Nintex Automation Cloud.

    3. Switch the Visible to users toggle to No.

    4. Click Save.

  4. Open the Set up Single Sign-on with SAML page to configure the single sign-on settings.

    1. On the left navigation, navigate to the Manage section, and then click Single sign-on.

    2. Click SAML.

      The Set up Single Sign-on with SAML page appears.

      Set up Single Sign-on with SAML page

  5. Enter the Service Provider data from Nintex Automation Cloud.

    1. In the Basic SAML Configuration section, click Edit.

      The Basic SAML Configuration page appears.

    2. In the Identifier (Entity ID) field, paste the Entity ID that you copied from Nintex Automation Cloud.

    3. In the Reply URL (Assertion Consumer Service URL) field, paste the ACS URL that you copied from Nintex Automation Cloud.

    4. Click Save.

    5. Click Close.

  6. Map the Surname and Givenname identity attributes.

    1. In the User Attributes & Claims section, click Edit.

      The User Attributes & Claims page appears.

    2. Add or edit a claim for Surname and Givenname.

      The Manage claim page appears.

    3. In the Name field, paste the attribute values that you copied from Nintex Automation Cloud.

      • For Surname, paste the Last Name attribute.

      • For Given name, paste the First Name attribute.

    4. For Source, select Attribute.

    5. In the Source attribute field, select one of the following:

      • For Surname, select user.surname.

      • For Given name, select user.givenname.

    6. Save the changes.

  7. Map the Emailaddress identity attribute by performing one of the following configurations:

    If your Nintex Automation Cloud tenant will have guest user accounts, follow the steps for Guest user-enabled configuration. Otherwise, follow the steps for normal configuration.

    • Normal configuration

      1. In the User Attributes & Claims section, click Edit.

        The User Attributes & Claims page appears.

      2. Add or edit a claim for Emailaddress.

        The Manage claim page appears.

      3. In the Emailaddress field, paste the Email attribute that you copied from Nintex Automation Cloud.

      4. Set the Source to Attribute.

      5. In the Source attribute field, select user.mail.

        6. Note: 

        • For each user account, the source attribute value, which is mapped from Azure Active Directory must contain a valid and real email address.

        • Alternatively, you can also use a User Principal Name (UPN) as long as it contains a real email address. To use a UPN, select user.principalname. The UPN and email address do not need to be the same.

      6. Save the changes.

    • Guest user-enabled configuration

      Important: 

      • Users with guest accounts can sign in to Nintex Automation Cloud only if Auto-acceleration is turned on. For more information, see User management.

      • One-time password (OTP) is not supported for guest users.

      • Guest users cannot be promoted to a global administrator role.

      1. In the User Attributes & Claims section, click Edit.

        The User Attributes & Claims page appears.

      2. Add or edit a claim for Emailaddress.

        The Manage claim page appears.

      3. In the Name field, paste the Email attribute that you copied from Nintex Automation Cloud.

      4. Set the Source to Transformation.

      5. In the Transformation field, click Edit.

        The Manage transformation panel appears.

      6. In the Transformation field, select IfNotEmpty().

      7. In the Parameter 1 (Input) field, select user.mail.

      8. In the Parameter 2 (Output) field, select user.mail.

      9. Select Specify output if no match.

      10. In the Parameter 3 (Output if no match) field, select user.principalname.

      11. Save the changes.

    Caution: After adding Nintex Automation Cloud as a SAML application to Azure Active Directory, make sure that users exist in Azure Active Directory. Depending on the identity provider, an empty directory may cause SAML configuration to fail. For information on how to manage user accounts, refer to Azure Active Directory's help documentation.

  8. In the Signing Certificate section, copy the SAML Metadata URL or download the file, depending on what you want to use in the Nintex Automation Cloud setup wizard.

    • In the App Federation Metadata Url field, click the Copy icon.

    • In the Federation Metadata XML field, click Download.

      In the next step, you will need to copy the URL or attach the file in specific fields in Nintex Automation Cloud.

    For more information on the SAML configuration steps in Azure Active Directory, see Configure SAML-based single sign-on.

4. Copy the SAML metadata from Azure Active Directory to Nintex Automation Cloud

Prepare the App Federation Metadata Url or Federation Metadata XML, which you copied or downloaded in the previous step.

Follow these steps to complete the SAML configuration:

  1. Go back to Nintex Automation Cloud.
  2. In the Verify Domain page of the setup wizard, click Next.
  3. In the Connect page, do one of the following:
    • In the URL field, paste the App Federation Metadata Url that you copied from Azure Active Directory.
    • Click Choose a file, and then attach the Federation Metadata XML file that you downloaded from Azure Active Directory.
      • Connect page of Nintex Workflow Cloud Setup wizard
  4. Click Connect.

    5. Note: The Connect button is enabled only when your domain is successfully verified AND you have provided the metadata URL or file.

    After connecting, your SAML configurations are checked. If successful, the setup wizard goes to the final page with the following information:

    Information Description
    Expiry date of certificate Date when your certificate expires.
    Recipient email address of the reminder for certificate expiry

    Email address to which a reminder email is sent when the certificate is close to expiring.

    Caution: You must renew the certificate before the expiry date.
    One-Time Password (OTP) URL

    The One-Time Password (OTP) URL is used for troubleshooting purposes when configuration fails and you are locked out of your tenant.

    Follow these steps to access your tenant when you cannot sign in due to a failed configuration of SAML:

    1. To copy the One-time password URL, click (Copy) next to the One-time password URL field.
    2. Open a new tab on your web browser, paste the copied URL and press ENTER.

      3. The Sign in page of Nintex Automation Cloud appears.

    3. Enter your email address, and click Submit.

      4. For verification, a one-time password is sent to your email address. The one-time password expires after five minutes.

    4. Enter the one-time password you received, and click Sign in.

      5. You can access your Nintex Automation Cloud tenant and resume configuring your identity federation.
  5. Click Done.

    6. The Identity federation section now lists information about your SAML configuration such as provider, domain, person who completed the configuration, and the date of configuration.

5. Test your SAML connection

  1. Sign in to your Nintex Automation Cloud tenant.
  2. Click Sign in or press ENTER.

    3. You are taken to the login page of Azure Active Directory.

  3. In Azure Active Directory's login page, type your credentials, and then submit.

    4. If the SAML configuration is successful, you are granted access to the Nintex Automation Cloud tenant.

Page Section User interface element

Description
Identity provider type   Warning message

A warning message appears, listing the tenants that are associated with your tenant.

Enabling single sign-on in your tenant will also enable single sign-on in associated Nintex Automation Cloud tenants. For example, both sales-myorg.workflowcloud.com and hr-myorg.workflowcloud.com will be enabled with single sign-on if you configure SAML in either of them.
   

Select single sign-on (SSO) type

Select the means to enable SSO in your Nintex Automation Cloud tenant.
Verify Domain
(This page displays only when you select SAML for Single sign-on (SSO) type)		   DNS record

The code to use as a value in your DNS record. For the domain verification steps, see Verify a domain for SAML configuration.

Caution: As part of the prerequisites to Federation configuration, you must first verify ownership over a domain that you're going to use for SAML configuration. If you have not verified your domain or while your DNS is still processing the verification, you can continue configuring SAML in Nintex Automation Cloud but you cannot submit your SAML configuration.
    (Copy) Click to copy the code.
Configure Identity Provider
(This page displays only when you select SAML for Single sign-on (SSO) type)		 Choose Identity Provider Identity provider

Displays the list of identity providers you can use for your tenant's identity federation.

  Service Provider data

 

(Appears after you select an identity provider)

In the context of our SAML configuration, the service provider is Nintex Automation Cloud. Depending on the identity provider you choose, the SAML terminologies displayed in this section correspond with what your identity provider uses.

  Generic term Terminologies used in identity providers
Okta PingOne OneLogin Google Suite Active Directory Federation Services

Azure Active Directory

 
Entity ID A globally unique identifier of an entity, which in our case is the Nintex Automation Cloud tenant to be configured with SAML. Audience URI (SP Entity ID) Entity ID Audience Entity ID Relying party trust identifier Identifier (Entity ID)
ACS URL or Assertion Consumer Service URL Single sign on URL ACS URLS ACS (Consumer) URL ACS URL Relying party SAML 2.0 SSO service URL Reply URL (Assertion Consumer Service URL)
Metadata An XML document that contains information about a SAML deployment. URL A link is provided to retrieve the URL.

IDP Metadata URL

A downloadable metadata file is also available.

Issuer URL A downloadable metadata file is provided. Federation Service identifier App Federation Metadata Url
   

Attributes

Set of identity data about a user. In configuring SAML in Nintex Automation Cloud, only three attributes are requested from the identity provider:

  • First name
  • Last name
  • Email
    (Copy) Click to copy the values in the fields.
Connect
(This page displays only when you select SAML for Single sign-on (SSO) type)		   URL

Location of the SAML metadata An XML document that contains information about a SAML deployment..
    Upload metadata The SAML metadata file.
Complete  

<Date>

(Only displayed for SAML)

Expiry date of the certificate.
    <Email address>

(Only displayed for SAML)

Email address to receive reminder when certificate is soon to expire.
  One-Time Password (OTP) URL <URL>

The One-Time Password (OTP) URL is used for troubleshooting purposes when configuration fails and you are locked out of your tenant.

Follow these steps to access your tenant when you cannot sign in due to a failed configuration of SAML:

  1. To copy the One-time password URL, click (Copy) next to the One-time password URL field.
  2. Open a new tab on your web browser, paste the copied URL and press ENTER.

    3. The Sign in page of Nintex Automation Cloud appears.

  3. Enter your email address, and click Submit.

    4. For verification, a one-time password is sent to your email address. The one-time password expires after five minutes.

  4. Enter the one-time password you received, and click Sign in.

    5. You can access your Nintex Automation Cloud tenant and resume configuring your identity federation.