Configure SAML with OneLogin as identity provider

  An administrator role is required. For information about user roles, see User roles.


You can use the Security Assertion Markup Language (SAML) 2.0 protocol, an industry standard for exchanging authentication data between an identity provider and a service provider (here, Nintex Workflow Cloud), to enable single sign-on in your Nintex Workflow Cloud tenant with OneLogin as the identity provider. With single sign-on, users access multiple applications using one set of credentials.

Configuring SAML in Nintex Workflow Cloud involves the following:

  • Setting up SAML in Nintex Workflow Cloud and OneLogin at the same time, with both consoles open, because values must be copied from one to the other.
  • Following OneLogin's documentation for the steps to add a SAML application (such as Nintex Workflow Cloud).
  • Making sure that users exist in your OneLogin directory. Typically, a user directory already exists for your organization.
  • Knowing the SAML terminology shared between Nintex Workflow Cloud and OneLogin so that you can set the appropriate values in specific fields during configuration:
    • Audience: A globally unique identifier (entity ID) of an entity, which in this case is the Nintex Workflow Cloud tenant to be configured with SAML. The identity provider places this value in the audience restriction of each assertion it issues, and a service provider should reject assertions that name a different audience.
    • ACS (Consumer) URL: The Assertion Consumer Service endpoint of the Nintex Workflow Cloud tenant, to which OneLogin sends SAML responses after a user signs in.

Before you begin

Before configuring SAML in Nintex Workflow Cloud, make sure you have the following:

  • A domain which you intend to federate with Nintex Workflow Cloud. Example: YourDomain.com. Before you can use a domain to associate with your Nintex Workflow Cloud tenant, you must first verify ownership of the domain. To verify a domain, see Verify a domain for SAML configuration.
  • An email address with an administrator role in the Nintex Workflow Cloud tenant that you're going to configure with SAML. For example, admin@YourDomain.com.
  • An email address with an administrator role in OneLogin.
Note: Enabling single sign-on in your tenant also enables single sign-on in the associated Nintex Workflow Cloud tenants. For example, both sales-myorg.workflowcloud.com and hr-myorg.workflowcloud.com will be enabled with single sign-on if you configure SAML in either of them.

Step 1: Verify your domain in your Nintex Workflow Cloud tenant

  1. Sign in to Nintex Workflow Cloud using an email address that has the administrator role.
  2. From the main menu on the upper right, click Settings.
  3. From the left menu, click User Management. A page appears showing the configuration fields for identity federation and user management.
  4. In the Identity federation section, click Configure. The setup wizard opens on the Verify Domain page.

    Tip: The initial page of the setup wizard includes a warning message that lists the Nintex Workflow Cloud tenants associated with the tenant you're going to configure with SAML. Click View more to see the list of tenants.

  5. Select SAML.
  6. Click Next. The next page shows the domain verification code.
  7. Verify your domain by adding a DNS record that carries the verification code. For complete steps on verifying your domain, see Verify a domain for SAML configuration.

  Caution: As a prerequisite to federation configuration, you must first verify ownership of the domain that you're going to use for SAML. If you have not verified your domain, or while DNS is still propagating the record, you can continue configuring SAML in Nintex Workflow Cloud but you cannot submit your SAML configuration.

Step 2: Get the identity provider data from Nintex Workflow Cloud

Note: Make sure your domain is verified successfully.

  1. Go back to Nintex Workflow Cloud.
  2. In the Verify Domain page of the setup wizard, click Next.
  3. In the Configure Identity Provider page, select OneLogin as the identity provider. Additional fields appear for the following:

    • Audience
    • ACS (Consumer) URL
    • SAML Test Connector Field

    Note: You will later need to copy these values into specific fields in OneLogin.

  4. Keep your Nintex Workflow Cloud browser tab open and go to OneLogin.

Step 3: Add Nintex Workflow Cloud to OneLogin

Sign in to OneLogin as an administrator and do the following:

  1. Add Nintex Workflow Cloud as a SAML application (service provider), following OneLogin's documentation for adding a SAML application.
  2. Copy the Audience and ACS (Consumer) URL values, and the attribute statements, from the Nintex Workflow Cloud setup wizard, and paste them into the corresponding fields in OneLogin.
  3. Map three identity attributes: First name, Last name, and Email.
  4. Retrieve the SAML metadata URL or file from OneLogin. Copy the metadata URL and paste it into the URL field of Nintex Workflow Cloud's setup wizard (or provide the metadata file). The metadata carries the certificate OneLogin uses to sign assertions, so take it directly from OneLogin over HTTPS rather than from a copy passed around by email or chat.

Caution: After adding Nintex Workflow Cloud as a SAML application to your identity provider, make sure that users exist in the directory of your identity provider. Depending on the identity provider, an empty directory may cause SAML configuration to fail. For information on how to manage user accounts, refer to your identity provider's documentation.
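To make the Audience and ACS (Consumer) URL fields from step 2 and the three attribute mappings from step 3 concrete, the following Python script shows the checks a service provider such as a Nintex Workflow Cloud tenant must perform on a SAML Response before trusting it: Issuer against the metadata entityID, Audience, ACS URL (Destination and bearer Recipient), validity window, and presence of the mapped attributes. This is an added example, not code from Nintex or OneLogin; the hostnames, entityID, attribute names and the sample metadata and Response are constructed, and the tenant's actual internal checks are not documented on this page. Signature verification is out of scope here (it needs an XML-DSig library) and must run before any of these checks.

```python
"""Service-provider-side checks on a SAML 2.0 Response, mirroring what a
tenant must enforce for the values configured above.  Added example, not
Nintex or OneLogin code.  Signature verification is deliberately omitted:
it needs an XML-DSig library (python3-saml, xmlsec) and must run FIRST."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml in production (entity expansion)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUIRED_ATTRS = ("First name", "Last name", "Email")  # assumed attribute names

# Constructed sample IdP metadata; the entityID is hypothetical.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://app.onelogin.com/saml/metadata/example-idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed sample Response; tenant hostname and ACS path are hypothetical.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="https://myorg.workflowcloud.com/saml/acs">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/example-idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/example-idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jane@YourDomain.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
          Recipient="https://myorg.workflowcloud.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://myorg.workflowcloud.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="First name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Last name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane@YourDomain.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def idp_entity_id(metadata_xml):
    """The IdP entityID that every Response and Assertion Issuer must equal."""
    return ET.fromstring(metadata_xml).attrib["entityID"]


def saml_time(text):
    """Parse the UTC 'Z' timestamps SAML uses into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(response_xml, idp_issuer, audience, acs_url, now):
    """Return the subject and mapped attributes, or raise ValueError."""
    root = ET.fromstring(response_xml)
    if root.find("samlp:Status/samlp:StatusCode", NS).attrib.get("Value") != SUCCESS:
        raise ValueError("IdP did not return Success")
    if root.attrib.get("Destination") != acs_url:
        raise ValueError("Destination is not our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                        # reject 0 or >1 (wrapping)
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != idp_issuer:
            raise ValueError("Issuer does not match the IdP metadata entityID")
    cond = a.find("saml:Conditions", NS)
    if not saml_time(cond.attrib["NotBefore"]) <= now < saml_time(cond.attrib["NotOnOrAfter"]):
        raise ValueError("assertion is outside its validity window")
    audiences = [e.text.strip() for e in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:                   # the Audience field from step 2
        raise ValueError(f"Audience {audiences} does not name {audience}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.attrib.get("Recipient") != acs_url \
            or now >= saml_time(scd.attrib["NotOnOrAfter"]):
        raise ValueError("bearer confirmation not valid for this ACS URL and time")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.attrib["Name"]] = values[0] if len(values) == 1 else values
    missing = [n for n in REQUIRED_ATTRS if not attrs.get(n)]
    if missing:                                     # the three mappings from step 3
        raise ValueError(f"attribute mapping incomplete: missing {missing}")
    return {"name_id": a.find("saml:Subject/saml:NameID", NS).text.strip(), **attrs}


if __name__ == "__main__":
    print(validate_response(SAML_RESPONSE, idp_entity_id(IDP_METADATA),
                            "https://myorg.workflowcloud.com",
                            "https://myorg.workflowcloud.com/saml/acs",
                            saml_time("2024-05-01T12:01:00Z")))
```

Every rejection above corresponds to a field you fill in during this procedure: a wrong Audience in OneLogin fails the audience check, a wrong ACS (Consumer) URL fails the Destination and Recipient checks, and a missing attribute mapping fails the attribute check, which is why the setup wizard can only be submitted once both sides agree on these values.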

Step 4: Complete the SAML configuration

Note:
  • Make sure that you have provided the metadata URL or file in Nintex Workflow Cloud's setup wizard.
  • Make sure that your domain is successfully verified.

Follow these steps to complete the SAML configuration:

  1. Go back to Nintex Workflow Cloud.
  2. In the Connect page of the setup wizard, click Connect.

    Note: The Connect button is enabled only when your domain is successfully verified AND you have provided the metadata URL or file.

    After connecting, your SAML configuration is checked. If the check succeeds, the setup wizard goes to the final page, which shows the following information:

    Expiry date of certificate
      The date when your certificate expires.

    Recipient email address of the reminder for certificate expiry
      When your certificate is expiring soon, a reminder email is sent to this address.

      Caution: You must renew the certificate before the expiry date. Record the date in your own change calendar as well; do not rely on the reminder email alone.

    One-Time Password (OTP) URL
      Used for troubleshooting when the configuration fails and you are locked out of your tenant. Treat this URL as a break-glass credential: store it somewhere that does not depend on this SAML configuration, and restrict who can read it, because the URL together with access to an administrator's mailbox bypasses OneLogin entirely.

      Follow these steps to access your tenant when you cannot sign in due to a failed SAML configuration:

      1. Click (Copy) next to the One-time password URL field to copy the URL.
      2. Open a new tab in your web browser, paste the copied URL and press ENTER. The Nintex Workflow Cloud sign-in page appears.
      3. Enter your email address, and click Submit. For verification, a one-time password is sent to your email address.

        Note: The one-time password expires after five minutes.

      4. Enter the one-time password you received, and click Sign in. You can now access your Nintex Workflow Cloud tenant and resume configuring your identity federation.

  3. Click Done.

    The Identity federation section now lists information about your SAML configuration, such as the provider, the domain, the person who completed the configuration, and the date of configuration.

Step 5: Test your SAML connection

  1. In a private browsing window or a different browser, so that your existing administrator session stays available if the test fails, go to the sign-in page of your Nintex Workflow Cloud tenant and enter your email address.
  2. Click Sign in or press ENTER. You are redirected to the OneLogin login page.
  3. On OneLogin's login page, enter your credentials and submit.
  4. If the SAML configuration is successful, you are signed in to the Nintex Workflow Cloud tenant. If it fails, use the One-Time Password (OTP) URL from the previous step to regain access and correct the configuration.