Configure SAML with Google Suite as identity provider

An administrator role is required. For information, see User roles.

On this page:

Before you begin
Configuration steps:

Identity federation setup wizard elements and description

You can use Security Assertion Markup Language An industry standard for exchanging authentication data between an identity provider and an application or service provider (that's Nintex Automation Cloud) (SAML) 2.0 protocol to enable single sign-on Enables users to access multiple applications using one set of credentials. in your Nintex Automation Cloud tenant with Google Suite.

The objectives of configuring SAML in Nintex Automation Cloud include:

Set up SAML in Nintex Automation Cloud and Google Suite at the same time.
You must refer to Google Suite's documentation for their steps on how to add a SAML application (such as Nintex Automation Cloud).
Make sure to add users in your directory in Google Suite. Typically, a user directory should already exist for your organization.
Identify the SAML-related terminologies used between Nintex Automation Cloud and Google Suite so that you can set the appropriate values in specific fields during configuration. SAML-related terminologies include the following:
- Entity ID: A globally unique identifier of an entity, which in our case is the Nintex Automation Cloud tenant to be configured with SAML.
- ACS URL: A specific URL provided by Nintex Automation Cloud where SAML assertions XML documents that contain the user authorization. from Google Suite are posted.
- Metadata file or Metadata URL: A document that contains information about a SAML deployment.

Before you begin

Before configuring SAML in Nintex Automation Cloud, make sure you have the following:

A domain which you intend to federate with Nintex Automation Cloud. Example: YourDomain.com. Before you can use a domain to associate with your Nintex Automation Cloud tenant, you must first verify ownership of the domain.
An email address with an administrator role in the Nintex Automation Cloud tenant that you're going to configure with SAML. For example, admin@YourDomain.com.
An email address with an administrator role in Google Suite.

Note:

Enabling single sign-on in your tenant will also enable single sign-on in associated Nintex Automation Cloud tenants. For example, both sales-myorg.workflowcloud.com and hr-myorg.workflowcloud.com will be enabled with single sign-on if you configure SAML in either of them.

1. Verify your domain in your Nintex Automation Cloud tenant

Sign in to Nintex Automation Cloud using an email address with an administrator permission.
From the main menu on the upper right, click Settings.
From the left menu, click User Management.

A new page appears showing the configuration fields for identity federation and user management.

In the Identity federation section, click Configure.

The setup wizard appears.

Tip: The initial page of the setup wizard includes a warning message that lists the Nintex Automation Cloud tenants associated with the tenant you're going to configure with SAML. Click View more to see the list of tenants.

Select SAML.
Click Next.

The next page appears where the domain verification code is available.

Verify your domain by using the verification code and adding a DNS record. For complete steps on verifying your domain, see Verify a domain for SAML configuration.

Caution: As part of the prerequisites to Federation configuration, you must first verify ownership over a domain that you're going to use for SAML configuration. If you have not verified your domain or while your DNS is still processing the verification, you can continue configuring SAML in Nintex Automation Cloud but you cannot submit your SAML configuration.

2. Get the Identity Provider data from Nintex Automation Cloud

Note: Make sure your domain is verified successfully.

Go back to Nintex Automation Cloud.
In the Verify Domain page of the setup wizard, click Next.
In the Configure Identity Provider page, select G Suite as the identity provider.

Additional fields appear for the following:

Entity ID
ACS URL
Attribute Mapping

Note: You will later need to copy and insert these values in specific fields in Google Suite.

Keep your Nintex Automation Cloud browser open and go to Google Suite.

For detailed information on each field that appears on the setup wizard, see Identity federation setup wizard elements and description.

3. Add Nintex Automation Cloud to Google Suite

Add Nintex Automation Cloud as an application or service provider for SAML.
Copy the Entity ID and ACS URL values, and the attribute statements from Nintex Automation Cloud, and then paste them in the corresponding fields in Google Suite.

Map the three identity attributes: First name, Last name, and Email.

Retrieve the SAML metadata URL or file. Download the IDP metadata file, and then upload this file to Nintex Automation Cloud's setup wizard.

Caution: After adding Nintex Automation Cloud as a SAML application to your identity provider, make sure that users exist in the directory of your identity provider. Depending on the identity provider, an empty directory may cause SAML configuration to fail. For information on how to manage user accounts, refer to your identity provider's documentation.

For the SAML configuration steps in Google Suite, see the Google Suite documentation.

4. Complete the SAML configuration

Note:

Make sure that you have provided the metadata URL or file in Nintex Automation Cloud's setup wizard.
Make sure that your domain is successfully verified.

Follow these steps to complete the SAML configuration:

Go back to Nintex Automation Cloud.
In the Connect page of the setup wizard, click Connect.

Note: The Connect button is enabled only when your domain is successfully verified AND you have provided the metadata URL or file.

After connecting, your SAML configurations are checked. If successful, the setup wizard goes to the final page with the following information:

Information	Description
Expiry date of certificate	Date when your certificate expires.
Recipient email address of the reminder for certificate expiry	When your certificate is expiring soon, a reminder email will be sent to the recipient email address. Caution: You must renew the certificate before the expiry date.
One-Time Password (OTP) URL	The One-Time Password (OTP) URL is used for troubleshooting purposes when configuration fails and you are locked out of your tenant. Follow these steps to access your tenant when you cannot sign in due to a failed configuration of SAML: To copy the One-time password URL, click (Copy) next to the One-time password URL field. Open a new tab on your web browser, paste the copied URL and press ENTER. The Sign in page of Nintex Automation Cloud appears. Enter your email address, and click Submit. For verification, a one-time password is sent to your email address. The one-time password expires after five minutes. Enter the one-time password you received, and click Sign in. You can access your Nintex Automation Cloud tenant and resume configuring your identity federation.

Information

Description

Expiry date of certificate

Date when your certificate expires.

Recipient email address of the reminder for certificate expiry

When your certificate is expiring soon, a reminder email will be sent to the recipient email address.

Caution: You must renew the certificate before the expiry date.

One-Time Password (OTP) URL

The One-Time Password (OTP) URL is used for troubleshooting purposes when configuration fails and you are locked out of your tenant.

Follow these steps to access your tenant when you cannot sign in due to a failed configuration of SAML:

To copy the One-time password URL, click (Copy) next to the One-time password URL field.
Open a new tab on your web browser, paste the copied URL and press ENTER.

The Sign in page of Nintex Automation Cloud appears.

Enter your email address, and click Submit.

For verification, a one-time password is sent to your email address. The one-time password expires after five minutes.

Enter the one-time password you received, and click Sign in.

You can access your Nintex Automation Cloud tenant and resume configuring your identity federation.

Click Done.

The Identity federation section now lists information about your SAML configuration such as provider, domain, person who completed the configuration, and the date of configuration.

5. Test your SAML connection

Sign in to your Nintex Automation Cloud tenant.
Click Sign in or press ENTER.

You are taken to the login page of Google Suite.

In Google Suite's login page, type your credentials, and then submit.

If the SAML configuration is successful, you are granted access to the Nintex Automation Cloud tenant.

Identity federation setup wizard elements and description

Page

Section

User interface element

Description

Identity provider type

Warning message

A warning message appears, listing the tenants that are associated with your tenant.

Select single sign-on (SSO) type

Select the means to enable SSO in your Nintex Automation Cloud tenant.

Azure Active Directory: Enable users to single sign-on using their Azure Active Directory accounts. If you select Azure Active Directory, you are immediately taken to the final page as you don't have to configure the connection. For more information, see Configure single sign-on with Azure Active Directory.
SAML: Enable SSO using SAML protocol in your preferred identity provider. For more information, see Configure single sign-on using SAML protocol.

Verify Domain
(This page displays only when you select SAML for Single sign-on (SSO) type)

DNS record

The code to use as a value in your DNS record. For the domain verification steps, see Verify a domain for SAML configuration.

(Copy)

Click to copy the code.

Configure Identity Provider
(This page displays only when you select SAML for Single sign-on (SSO) type)

Choose Identity Provider

Identity provider

Displays the list of identity providers you can use for your tenant's identity federation.

Service Provider data

(Appears after you select an identity provider)

In the context of our SAML configuration, the service provider is Nintex Automation Cloud. Depending on the identity provider you choose, the SAML terminologies displayed in this section correspond with what your identity provider uses.

SAML terminologies used in identity providers

Generic term	Terminologies used in identity providers
Generic term	Okta	PingOne	OneLogin	Google Suite	Active Directory Federation Services	Azure Active Directory
Entity ID A globally unique identifier of an entity, which in our case is the Nintex Automation Cloud tenant to be configured with SAML.	Audience URI (SP Entity ID)	Entity ID	Audience	Entity ID	Relying party trust identifier	Identifier (Entity ID)
ACS URL or Assertion Consumer Service URL	Single sign on URL	ACS URLS	ACS (Consumer) URL	ACS URL	Relying party SAML 2.0 SSO service URL	Reply URL (Assertion Consumer Service URL)
Metadata An XML document that contains information about a SAML deployment. URL	A link is provided to retrieve the URL.	IDP Metadata URL A downloadable metadata file is also available.	Issuer URL	A downloadable metadata file is provided.	Federation Service identifier	App Federation Metadata Url

Attributes

Set of identity data about a user. In configuring SAML in Nintex Automation Cloud, only three attributes are requested from the identity provider:

First name
Last name
Email

(Copy)

Click to copy the values in the fields.

Connect
(This page displays only when you select SAML for Single sign-on (SSO) type)

URL

Location of the SAML metadata An XML document that contains information about a SAML deployment..

Upload metadata

The SAML metadata file.

Complete

<Date>

(Only displayed for SAML)

Expiry date of the certificate.