Configure SAML with Active Directory Federation Services as identity provider
An administrator role is required. For information, see User roles.
Before you begin, read Configure single sign-on using SAML protocol.
Configuration steps:
Verify your domain in your Nintex Automation Cloud tenant
- Sign in to Nintex Automation Cloud using an email address with administrator privileges.
- Click Settings.
- Click User management.
- In the Identity federation section, click Configure.
- Verify your domain using the verification code and adding a DNS record. For more information, see Verify a domain for SAML configuration.
Tip: The initial page in the setup wizard includes a warning message that lists the Nintex Automation Cloud tenants associated with the tenant you're going to configure with SAML. Click View more to see the list of tenants.
Caution: As part of the prerequisites to federation configuration, you must first verify ownership over a domain that you're going to use for SAML configuration. If you have not verified your domain, or if your DNS is still processing the verification, you can continue configuring SAML in Nintex Automation Cloud, but you cannot submit your SAML configuration.
Get the Identity Provider data from Nintex Automation Cloud
Note: Make sure your domain is verified successfully.
- In the Verify Domain page of the Nintex Automation Cloud setup wizard, click Next.
- In the Configure Identity Provider page, select ADFS as the identity provider. Additional fields appear for the following:
- Relying party trust identifiers
- Callback URL
- Mapping of LDAP attributes to outgoing claim types
Note: You will later need to copy and insert these values in specific fields in Active Directory Federation Services.
- Keep your Nintex Automation Cloud browser tab open and go to Active Directory Federation Services.
For detailed information on each field that appears on the setup wizard, see Identity federation setup wizard elements and description.
Add Nintex Automation Cloud to Active Directory Federation Services
- Sign in to Active Directory Federation Services as an administrator.
- Add Nintex Automation Cloud as an application or service provider for SAML.
- Copy the Relying party trust identifiers and Callback URL values, and the attribute statements from Nintex Automation Cloud, and then paste them in the corresponding fields in Active Directory Federation Services.
- In the Configure URL page of the Add Relying Party Trust Wizard, paste the Callback URL value in the Relying party SAML 2.0 SSO service URL field.
- In the Configure Identifiers page of the Add Relying Party Trust Wizard, paste the Relying party trust identifiers value from Nintex Automation Cloud.
- In the Configure Claim Rule page of the Add Transform Claim Rule Wizard, use the name and values from the Attribute table in Nintex Automation Cloud.
Caution: Select the values from the drop-down list and do not enter values manually.
- Retrieve the SAML metadata URL or file. Copy the metadata URL, and paste it in the URL field of Nintex Automation Cloud's setup wizard.
Caution: After adding Nintex Automation Cloud as a SAML application to your identity provider, make sure that users exist in the directory of your identity provider. Depending on the identity provider, an empty directory may cause SAML configuration to fail. For information on how to manage user accounts, refer to your identity provider's documentation.
For the SAML configuration steps in Active Directory Federation Services, see the Auth0 documentation.
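The same relying party trust can be created from PowerShell on the AD FS server instead of clicking through the wizard, which also makes the configuration reviewable and repeatable. The following is an added example and is not code from the Nintex page, Nintex, or Microsoft. It assumes AD FS 2012 R2 or later with the ADFS PowerShell module installed by the role; the identifier, callback URL, and the LDAP attribute and claim type names are placeholders that you must replace with the exact values the Nintex Automation Cloud setup wizard displays.

```powershell
# Added example (not from the Nintex page, Nintex, or Microsoft): create the
# Nintex Automation Cloud relying party trust in AD FS with PowerShell.
# Run in an elevated session on an AD FS server (AD FS 2012 R2 or later).
Import-Module ADFS

# Values copied from the Nintex Automation Cloud setup wizard. Both URLs below
# are placeholders (assumptions); paste the values your wizard shows.
$identifiers = @('urn:example:nintex-automation-cloud')                     # Relying party trust identifiers
$callbackUrl = 'https://login.example.com/login/callback?connection=example' # Callback URL

# LDAP attribute -> outgoing claim type mapping (the wizard's Attribute table).
# The three attributes and claim type URIs here are assumptions: use exactly the
# names the wizard lists. This is the PowerShell equivalent of the wizard caution
# "select from the drop-down list": a mistyped claim type URI is accepted by AD FS
# but the service provider will never see the attribute it asked for.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Nintex Automation Cloud attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# "Relying party SAML 2.0 SSO service URL" in the wizard = the callback URL,
# registered as the assertion consumer endpoint with the HTTP-POST binding.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $callbackUrl -Index 0

Add-AdfsRelyingPartyTrust -Name 'Nintex Automation Cloud' `
    -Identifier $identifiers `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $claimRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Verify what was created before handing the metadata URL to Nintex.
$rp = Get-AdfsRelyingPartyTrust -Name 'Nintex Automation Cloud'
$rp | Select-Object Name, Identifier, Enabled
$rp.SamlEndpoints | Select-Object Binding, Protocol, Location

# Metadata URL to paste into the wizard's URL field. This path is the standard
# AD FS federation metadata endpoint.
$metadataUrl = "https://$((Get-AdfsProperties).HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
Write-Output "Metadata URL: $metadataUrl"

# The certificate expiry the wizard reports after Connect comes from the signing
# certificate published in that metadata, i.e. the AD FS token-signing certificate.
# Check its expiry and whether AD FS rolls it over automatically, so the reminder
# email does not arrive as a surprise.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
Write-Output ("Token-signing certificate expires: {0} (AutoCertificateRollover: {1})" -f $signing.Certificate.NotAfter, (Get-AdfsProperties).AutoCertificateRollover)
```

The issuance authorization rule permits every authenticated user to receive a token for this trust; restrict it (or, on AD FS 2016 and later, assign an access control policy instead) if only part of the directory should be able to sign in to the tenant.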
Complete the SAML configuration
- Make sure that you have provided the metadata URL or file in Nintex Automation Cloud's setup wizard.
- Make sure that your domain is successfully verified.
Follow these steps to complete the SAML configuration:
- In the Connect page of the setup wizard in Nintex Automation Cloud, click Connect.
- To copy the One-time password URL, click the Copy icon next to the One-time password URL field.
- Open a new tab on your web browser, paste the copied URL and press ENTER.
- Enter your email address, and click Submit.
- Enter the one-time password you received, and click Sign in.
Note: The Connect button is enabled only when your domain is successfully verified and you have provided the metadata URL or file.
After connecting, your SAML configurations are checked. If successful, the setup wizard goes to the final page with the following information:
Information | Description
---|---
Expiry date of certificate | Date when your certificate expires.
Recipient email address of the reminder for certificate expiry | When your certificate is expiring soon, a reminder email is sent to this address. Caution: You must renew the certificate before the expiry date.
One-Time Password (OTP) URL | Used for troubleshooting when configuration fails and you are locked out of your tenant. To access your tenant when you cannot sign in because of a failed SAML configuration, open the OTP URL in a new browser tab, enter your email address, and submit the one-time password that is sent to that address. The one-time password expires after five minutes. You can then access your Nintex Automation Cloud tenant and resume configuring your identity federation.
- Click Done.
The Identity federation section now lists information about your SAML configuration such as provider, domain, person who completed the configuration, and the date of configuration.
Test your SAML connection
- Sign in to your Nintex Automation Cloud tenant.
- Click Sign in or press ENTER. You are taken to the login page of Active Directory Federation Services.
- In the Active Directory Federation Services login page, type your credentials, and then submit.
If the SAML configuration is successful, you are granted access to the Nintex Automation Cloud tenant.
Identity federation setup wizard elements and description
Page | Section | User interface element | Description
---|---|---|---
Identity provider type | | Warning message | A warning message appears, listing the tenants that are associated with your tenant. Enabling single sign-on in your tenant also enables single sign-on in the associated Nintex Automation Cloud tenants. For example, both sales-myorg.workflowcloud.com and hr-myorg.workflowcloud.com are enabled with single sign-on if you configure SAML in either of them.
Identity provider type | | Select single sign-on (SSO) type | Select the means to enable SSO in your Nintex Automation Cloud tenant.
Verify Domain (displays only when you select SAML as the single sign-on (SSO) type) | | DNS record | The code to use as the value of your DNS record. For the domain verification steps, see Verify a domain for SAML configuration. Caution: As part of the prerequisites to federation configuration, you must first verify ownership of the domain that you are going to use for SAML configuration. If you have not verified your domain, or if your DNS is still processing the verification, you can continue configuring SAML in Nintex Automation Cloud, but you cannot submit your SAML configuration.
Verify Domain | | Copy | Click to copy the code.
Configure Identity Provider (displays only when you select SAML as the single sign-on (SSO) type) | Choose Identity Provider | Identity provider | Displays the list of identity providers you can use for your tenant's identity federation.
Configure Identity Provider | Service Provider data | | (Appears after you select an identity provider) In this SAML configuration, the service provider is Nintex Automation Cloud. The SAML terminology displayed in this section matches the terminology used by the identity provider you chose.
Configure Identity Provider | Service Provider data | Attributes | Set of identity data about a user. When configuring SAML in Nintex Automation Cloud, only three attributes are requested from the identity provider.
Configure Identity Provider | Service Provider data | Copy | Click to copy the values in the fields.
Connect (displays only when you select SAML as the single sign-on (SSO) type) | | URL | Location of the SAML metadata (an XML document that contains information about a SAML deployment).
Connect | | Upload metadata | The SAML metadata file.
Complete | | <Date> | (Only displayed for SAML) Expiry date of the certificate.
Complete | | <Email address> | (Only displayed for SAML) Email address that receives the reminder when the certificate is soon to expire.
Complete | One-Time Password (OTP) URL | <URL> | The OTP URL is used for troubleshooting when configuration fails and you are locked out of your tenant. To access your tenant when you cannot sign in because of a failed SAML configuration, open the OTP URL in a new browser tab, enter your email address, and submit the one-time password that is sent to that address. The one-time password expires after five minutes. You can then access your Nintex Automation Cloud tenant and resume configuring your identity federation.