Frequently asked questions: Single Sign-on with SAML protocol

Nintex Workflow Configuration supports single sign-on (SSO) experience using Security Assertion Markup Language (SAML) 2.0 protocol. Read this guide to find out about this new capability and what it can provide for your tenant.

What is SAML?

Security Assertion Markup Language (SAML) is an open standard for exchanging identity authentication data between an identity provider (IdP), which stores and authenticates the identities of users who log in to systems, files, or applications, and an application or service provider such as Nintex Automation Cloud.

What is single sign-on?

Single sign-on (SSO) is an identity authentication system that allows users to access multiple applications by using one set of credentials.

How does single sign-on using SAML work for Nintex Automation Cloud?

Nintex Automation Cloud uses SAML to support single sign-on. With SSO enabled, users can securely and conveniently sign in to Nintex Automation Cloud using the same set of credentials used in other applications such as Outlook or Office 365. Users are no longer required to create separate credentials to access Nintex Automation Cloud.

What are the three main entities involved in single sign-on?

  • Application or service provider: The application or service provider we want to enable with single sign-on. In this case, our application or service provider is Nintex Automation Cloud.
  • Identity Provider (IdP): An identity provider authenticates and manages the identities of users. Nintex Automation Cloud supports any identity provider that supports SAML including:
    • Google Suite
    • Okta
    • OneLogin
    • PingOne
    • Active Directory Federation Services
    • Azure Active Directory (can also be configured with SAML to enable SSO)

    Note: For the steps to configure SAML in Nintex Automation Cloud with identity providers listed above, see How do I configure SAML in my Nintex Automation Cloud tenant?.

  • A user: A person whose credentials are authenticated in the identity provider. The account credentials include an email address with a domain used in both the application and identity provider. For example, user@nintex.com.

What are the benefits of configuring SAML in Nintex Automation Cloud?

After you successfully set up single sign-on in Nintex Automation Cloud with your preferred identity provider using SAML, the following benefits apply:

  • User experience: Users no longer need to create a separate username and password to access Nintex Automation Cloud. This saves time and the need to remember an additional set of login credentials.
  • Increased security: Administrators manage user accounts in the identity provider. Users' credentials continue to be authenticated by the identity provider and not by Nintex Automation Cloud. Any password policies established for your organization, such as a minimum password length or a monthly password change, are also in effect for Nintex Automation Cloud.
  • Auto-onboarding: Users within the domain will be automatically onboarded when they access Nintex Automation Cloud, allowing just-in-time provisioning of users. Auto-onboarding is subject to rate limiting and should not be used for bulk onboarding.

Do I need to bulk onboard users when single sign-on is configured?

When users access a form, task, workflow, or My Nintex, they are automatically onboarded. This eliminates the need for a bulk onboarding process when federating Nintex Automation Cloud with your Identity Provider. For more information on enabling authenticated task assignments, see Enable Assignee authentication.

What do I need to configure SAML for Nintex Automation Cloud using my preferred identity provider?

Before configuring SAML in Nintex Automation Cloud, make sure you have:

  • A domain that you intend to federate with Nintex Automation Cloud. For example, YourDomain.com. Before you can use a domain to associate with your Nintex Automation Cloud tenant, you must first verify ownership of the domain. To verify a domain, see Verify a domain for SAML configuration.
  • An email address with an administrator role in the Nintex Automation Cloud tenant that you're going to configure with SAML. For example, admin@YourDomain.com.
  • An email address with an administrator role in the identity provider.

Note: Enabling single sign-on in your tenant will also enable single sign-on in associated Nintex Automation Cloud tenants. For example, both sales-myorg.workflowcloud.com and hr-myorg.workflowcloud.com will be enabled with single sign-on if you configure SAML in either of them.

How do I configure SAML in my Nintex Automation Cloud tenant?

Which identity claims does Nintex Automation Cloud require from the identity provider?

The following attributes are requested from the identity provider:

  • First name
  • Last name
  • Email
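To make these three claims concrete, here is an added example (not Nintex code) of what a SAML service provider extracts from an assertion before provisioning a user: a constructed, unsigned assertion is parsed with Python's standard library, its validity window and audience are checked, and the first name, last name and email attributes are pulled out. The claim URIs are an assumption (the common WS-Federation names, since Nintex's actual attribute mapping is not given on this page), and signature verification against the identity provider's certificate is deliberately left to a proper XML-signature library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed claim URIs (the common WS-Fed/ADFS names); Nintex's own mapping is not documented here.
CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = {"first_name": CLAIM + "givenname", "last_name": CLAIM + "surname",
            "email": CLAIM + "emailaddress"}
# Constructed, unsigned sample. A real SP verifies the XML signature against the IdP's
# certificate before trusting any of this (e.g. with xmlsec); that step is omitted here.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID>ada@yourdomain.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{REQUIRED['first_name']}"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{REQUIRED['last_name']}"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{REQUIRED['email']}"><saml:AttributeValue>ada@yourdomain.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(s):  # SAML timestamps are UTC ISO-8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_identity(xml_text, expected_audience, now):
    """Return {first_name, last_name, email}; raise ValueError if the assertion is unacceptable."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML 2.0 Core, section 2.5.1).
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    if expected_audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this service provider")
    values = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
              for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    identity = {key: values.get(name) for key, name in REQUIRED.items()}
    if missing := [key for key, value in identity.items() if not value]:
        raise ValueError(f"missing required attribute(s): {', '.join(missing)}")
    return identity

def accepted(xml_text, expected_audience, now_iso):
    try:
        extract_identity(xml_text, expected_audience, parse_ts(now_iso))
        return True
    except ValueError:
        return False
```

A user with an empty or absent attribute is rejected rather than onboarded with a blank name, which is the behaviour you want from just-in-time provisioning.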

Security-related questions about SAML configuration in Nintex Automation Cloud

Aside from SAML, what other federation protocols does Nintex Automation Cloud support?

Currently, Nintex Automation Cloud supports the following:

Are there specific conditions required to access Nintex Automation Cloud?

Nintex Automation Cloud is a software-as-a-service (SaaS) offering that does not need any special access conditions. Only a username and password are required to sign in.

Does Nintex Automation Cloud have its own ID store?

Nintex Automation Cloud does not store passwords. It keeps only user mapping tables that link Nintex Automation Cloud users to their identities in the identity provider.

Will Nintex Automation Cloud transform identity data such as an e-mail address?

No. No transformation of identity data is required.

Can Nintex Automation Cloud prevent access to unauthorized users?

Yes. Once users are authenticated with the identity provider, they are authorized based on their roles in NWC. For more information on roles, see User roles.

Can Nintex Automation Cloud sign SAML requests?

No. Signing SAML requests is not currently supported.

Does Nintex Automation Cloud have a token encryption certificate?

We do not support token encryption certificates.

Which type of certificates does Nintex Automation Cloud use? What is the lifetime of each certificate?

Nintex Automation Cloud only uses the certificates provided from the identity providers. The lifetime of each certificate is dependent on the providers.

Is there a process in place to replace certificates before those certificates expire?

Yes. An administrator can replace certificates in the User Management page of Nintex Automation Cloud.

Does Nintex Automation Cloud support and configure two token signing certificates for the trusted federation system?

No.

Does Nintex Automation Cloud support Single Log Out (SLO)?

SLO is not supported. We only support SP-initiated SSO.

What is the authorization model for Nintex Automation Cloud?

Roles are managed in Nintex Automation Cloud. For more information on user roles, see User roles.

Does Nintex Automation Cloud need any authorization data from the identity provider?

No. Nintex Automation Cloud only requires the email, first name, and last name attributes.