Configure single sign-on using SAML protocol

  An administrator role is required. For information, see User roles.

Single sign-on (SSO) lets users access multiple applications with one set of credentials. SSO based on the Security Assertion Markup Language (SAML) 2.0 protocol, an industry standard for exchanging authentication data, requires the identity provider (IdP), which stores and authenticates the identities of users who sign in to systems, files, or applications, and the service provider (in this case Nintex Workflow) to exchange authentication data with each other.

With SSO enabled, users can sign in to Nintex Workflow securely and conveniently with the same credentials they use for other applications, such as Outlook or Office 365, and no longer need to create separate credentials for Nintex Workflow.

To learn more about SAML and what it can provide for your Nintex Workflow tenant, see Frequently asked questions: Single sign-on with SAML.

High-level objectives of SAML configuration

You can use the Security Assertion Markup Language (SAML) 2.0 protocol to enable single sign-on between your Nintex Workflow tenant and your identity provider.

When configuring SAML in Nintex Workflow, you must:

  • Set up SAML in Nintex Workflow and in the identity provider at the same time, because each side needs values (such as the Entity ID) from the other.
  • Refer to the identity provider's documentation for instructions on adding a SAML application such as Nintex Workflow.
  • Add users to your directory in the identity provider. Typically, a user directory already exists for your organization.
  • Identify the SAML terms used by Nintex Workflow and by the identity provider, so that you enter the right values in the right fields during configuration. These terms include:
    • Entity ID: A globally unique identifier of an entity; in this case, the Nintex Workflow tenant being configured with SAML. The identity provider has its own Entity ID as well, and each side must be configured with the other's value exactly, since a mismatch causes assertions to be rejected.

Before you begin SAML configuration

Before configuring SAML in Nintex Workflow, make sure you have:

  • A domain that you intend to federate with Nintex Workflow, for example YourDomain.com. Before you can associate a domain with your Nintex Workflow tenant, you must verify that you own it. To verify a domain, see Verify a domain for SAML configuration.
  • An email address with an administrator role in the Nintex Workflow tenant that you're going to configure with SAML. For example, admin@YourDomain.com.
  • An email address with an administrator role in the identity provider.
Note: Enabling single sign-on in your tenant also enables single sign-on in associated Nintex Workflow tenants. For example, both sales-myorg.workflowcloud.com and hr-myorg.workflowcloud.com will have single sign-on enabled if you configure SAML in either of them.

Troubleshooting

When a guest account is created automatically, for example when a SharePoint list is shared with an external user, the guest may be unable to access Nintex Workflow and see a Forbidden error message such as the one shown below:

Forbidden access

This can happen because the automatically created guest account is missing essential profile information, such as the First Name and Last Name.

Resolution

  1. Open the Microsoft Entra admin center and sign in with an account that has the appropriate admin role.

  2. In the left-hand menu, select Manage and then select Users.

  3. Search for the guest user account that was automatically created and open the profile.

  4. Ensure that both the First Name and Last Name fields are populated.

  5. If you made changes, click Save to apply them.
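The two failure modes above, a mismatched Entity ID and a guest account whose name fields are empty, both surface as the service provider rejecting an assertion. The following added example (not Nintex Workflow code, and not how Nintex implements its checks) shows the checks a SAML service provider applies to a Response: that the Issuer is the expected IdP Entity ID, that the Audience names this tenant's Entity ID, that the validity window holds, and that the required profile attributes are present and non-empty. The Entity IDs, the attribute names firstName and lastName, and the XML are all constructed assumptions; Nintex's real claim names may differ. Signature verification is omitted on purpose, and a production SP must verify the XML signature against the IdP certificate before trusting any of these fields.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed values for illustration; use the Entity IDs actually exchanged
# between your tenant and your IdP. Attribute names are an assumption too.
SP_ENTITY_ID = "https://myorg.workflowcloud.com/saml/metadata"
IDP_ENTITY_ID = "https://idp.yourdomain.com/saml"
REQUIRED_ATTRS = ("firstName", "lastName")


def _parse_time(value):
    """SAML timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(response_xml, now, sp_entity_id=SP_ENTITY_ID,
                    idp_entity_id=IDP_ENTITY_ID, required_attrs=REQUIRED_ATTRS):
    """Return {"ok", "errors", "name_id", "attributes"} for one unsigned Response.
    Signature verification is deliberately left out of this example."""
    errors = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "errors": ["no Assertion"], "name_id": None, "attributes": {}}

    # Issuer must equal the IdP Entity ID configured on the Nintex side.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        errors.append(f"unexpected Issuer {issuer!r}")

    # Audience must name this tenant's Entity ID; otherwise an assertion
    # minted for a different SP could be replayed here.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        errors.append(f"Audience {audiences} does not include SP Entity ID")

    # Validity window: NotBefore inclusive, NotOnOrAfter exclusive.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            errors.append("assertion not yet valid")
        if not_on_or_after is None or now >= _parse_time(not_on_or_after):
            errors.append("assertion expired or has no NotOnOrAfter")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if not name_id:
        errors.append("no NameID")

    # Empty AttributeValue elements count as missing: this is the guest
    # account case from Troubleshooting, where First/Last Name are blank.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attributes[attr.get("Name")] = values
    for name in required_attrs:
        if not attributes.get(name):
            errors.append(f"missing or empty attribute {name!r}")

    return {"ok": not errors, "errors": errors, "name_id": name_id, "attributes": attributes}


def build_response(issuer, audience, first_name, last_name,
                   not_before="2024-05-01T10:00:00Z", not_on_or_after="2024-05-01T10:05:00Z"):
    """Constructed, unsigned sample Response; last_name=None omits the value."""
    last = f"<saml:AttributeValue>{last_name}</saml:AttributeValue>" if last_name is not None else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{not_before}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>user@yourdomain.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>{first_name}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName">{last}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed clock values inside and after the sample validity window.
NOW = datetime(2024, 5, 1, 10, 1, 0, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2024, 5, 1, 10, 6, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    cases = [
        ("good", build_response(IDP_ENTITY_ID, SP_ENTITY_ID, "Ada", "Lovelace"), NOW),
        ("guest without last name", build_response(IDP_ENTITY_ID, SP_ENTITY_ID, "Guest", None), NOW),
        ("wrong audience", build_response(IDP_ENTITY_ID, "https://other.example/saml", "Ada", "Lovelace"), NOW),
        ("expired", build_response(IDP_ENTITY_ID, SP_ENTITY_ID, "Ada", "Lovelace"), AFTER_EXPIRY),
    ]
    for label, xml, when in cases:
        result = check_assertion(xml, when)
        print(f"{label}: ok={result['ok']} errors={result['errors']}")
```

Running the script shows the "guest without last name" case rejected solely because the lastName attribute is empty, which is the symptom the Entra profile fix above addresses, while the "wrong audience" case shows why the Entity ID entered on each side has to match exactly.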

Steps to set up SAML in Nintex Workflow with your preferred identity provider