Frequently asked questions: Single Sign-on with SAML protocol

Nintex Workflow supports a single sign-on (SSO) experience using the Security Assertion Markup Language (SAML) 2.0 protocol. Read this guide to find out about this capability and what it can provide for your tenant.

What is SAML?

Security Assertion Markup Language (SAML) is an open standard for exchanging identity authentication data between an identity provider (IdP), which stores and authenticates the identities of users who sign in to systems, files, or applications, and an application or service provider such as Nintex Workflow.

What is single sign-on?

Single sign-on (SSO) is an identity authentication system that allows users to access multiple applications by using one set of credentials.

How does single sign-on using SAML work for Nintex Workflow?

Nintex Workflow uses SAML to support single sign-on. With SSO enabled, users can securely and conveniently sign in to Nintex Workflow using the same set of credentials used in other applications such as Outlook or Office 365. Users are no longer required to create separate credentials to access Nintex Workflow.

What are the three main entities involved in single sign-on?

  • Application or service provider: The application or service provider we want to enable with single sign-on. In this case, our application or service provider is Nintex Workflow.
  • Identity Provider (IdP): An identity provider authenticates and manages the identities of users. Nintex Workflow supports any identity provider that supports SAML including:
    • Google Suite
    • Okta
    • OneLogin
    • PingOne
    • Active Directory Federation Services
    • Azure Active Directory (can also be configured with SAML to enable SSO)

    Note: For the steps to configure SAML in Nintex Workflow with identity providers listed above, see How do I configure SAML in my Nintex Workflow tenant?.

  • A user: A person whose credentials are authenticated in the identity provider. The account credentials include an email address with a domain used in both the application and identity provider. For example, user@nintex.com.

What are the benefits of configuring SAML in Nintex Workflow?

After you successfully set up single sign-on in Nintex Workflow with your preferred identity provider using SAML, the following benefits apply:

  • User experience: Users no longer need to create a separate username and password to access Nintex Workflow. This saves time and the need to remember an additional set of login credentials.
  • Increased security: Administrators manage user accounts in the identity provider. Users' credentials are authenticated by the identity provider, not by Nintex Workflow, and Nintex Workflow does not store passwords. Any password policies established for your organization, such as minimum password length or monthly password changes, therefore also apply to Nintex Workflow sign-in.
  • Auto-onboarding: Users within the domain will be automatically onboarded when they access Nintex Workflow, allowing just-in-time provisioning of users. Auto-onboarding is subject to rate limiting and should not be used for bulk onboarding.

Do I need to bulk onboard users when single sign-on is configured?

When users access a form, task, workflow, or My Nintex, they are automatically onboarded. This eliminates the need for a bulk onboarding process when federating Nintex Workflow with your Identity Provider. For more information on enabling authenticated task assignments, see Enable Assignee authentication.

What do I need to configure SAML for Nintex Workflow using my preferred identity provider?

Before configuring SAML in Nintex Workflow, make sure you have:

  • A domain that you intend to federate with Nintex Workflow. For example, YourDomain.com. Before you can use a domain to associate with your Nintex Workflow tenant, you must first verify ownership of the domain. To verify a domain, see Verify a domain for SAML configuration.
  • An email address with an administrator role in the Nintex Workflow tenant that you're going to configure with SAML. For example, admin@YourDomain.com.
  • An email address with an administrator role in the identity provider.
Note: Enabling single sign-on in your tenant also enables single sign-on in associated Nintex Workflow tenants. For example, both sales-myorg.workflowcloud.com and hr-myorg.workflowcloud.com will be enabled with single sign-on if you configure SAML in either of them.

How do I configure SAML in my Nintex Workflow tenant?

Which identity claims does Nintex Workflow require from the identity provider?

The following attributes are requested from the identity provider:

  • First name
  • Last name
  • Email
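The SP-initiated sign-in described above (Nintex Workflow sends an unsigned authentication request to the identity provider, receives a SAML Response carrying first name, last name and email, and onboards the user just in time) can be followed in code. The block below is an added example, not Nintex code or a capture from any identity provider: the entity IDs, URLs, attribute names and the sample IdP Response are all assumptions constructed for the demo, and XML-signature verification is deliberately left out (a real service provider verifies the identity provider's signature with the configured certificate before any of these checks, normally through a SAML library).

```python
# Added example, not Nintex code: the SP-initiated SAML 2.0 sign-in the FAQ
# describes, reduced to the checks an SP makes before trusting the claims. Entity
# IDs, URLs and attribute names are assumptions; the IdP response is constructed.
# No XML-signature check here: a real SP must verify the IdP signature first.
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://myorg.workflowcloud.com"        # assumed SP entity ID
ACS_URL = SP_ENTITY_ID + "/saml/acs"                    # assumed ACS endpoint
IDP_ENTITY_ID = "https://idp.example.com/saml"          # assumed IdP entity ID
FEDERATED_DOMAIN = "example.com"                        # the verified domain
REQUIRED_ATTRS = ("FirstName", "LastName", "Email")     # assumed attribute names
TS = "%Y-%m-%dT%H:%M:%SZ"
CLOCK_SKEW = timedelta(minutes=3)
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(minutes=10)

class SamlError(Exception):
    """Raised when a Response must be rejected."""

def build_authn_request(now, request_id=None):
    """Unsigned AuthnRequest the SP sends to the IdP; the SP remembers the ID."""
    request_id = request_id or "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{now.strftime(TS)}" '
           f'AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml

def _ts(value):  # SAML timestamps are UTC "Z" times
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)

def validate_response(xml, expected_request_id, now):
    """Check a Response against the pending request and return the claims."""
    root = ET.fromstring(xml)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise SamlError("encrypted assertions are not supported")
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise SamlError(f"IdP returned status {status}")
    if root.get("InResponseTo") != expected_request_id:  # SP-initiated only
        raise SamlError("InResponseTo does not match a pending AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", None, NS) != IDP_ENTITY_ID:
        raise SamlError("assertion missing or issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if (now < _ts(cond.get("NotBefore")) - CLOCK_SKEW
            or now >= _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise SamlError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlError("assertion was not issued for this service provider")
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", None, NS)
              for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [n for n in REQUIRED_ATTRS if not claims.get(n)]
    if missing:
        raise SamlError(f"missing required claims: {missing}")
    domain = claims["Email"].rsplit("@", 1)[-1].lower()
    if domain != FEDERATED_DOMAIN:  # only users of the verified domain are onboarded
        raise SamlError(f"{domain} is not a federated domain")
    return {n: claims[n] for n in REQUIRED_ATTRS}

def rejection_reason(xml, expected_request_id, now):
    """None if the Response would be accepted, else why it was rejected."""
    try:
        validate_response(xml, expected_request_id, now)
        return None
    except SamlError as err:
        return str(err)

def onboard_user(claims, directory):
    """Just-in-time provisioning: create the user on first sign-in, keyed by email."""
    email = claims["Email"].lower()
    created = email not in directory
    if created:  # roles are assigned in the SP afterwards; the IdP sends none
        directory[email] = {"first_name": claims["FirstName"], "last_name": claims["LastName"]}
    return directory[email], created

def sample_response(request_id, now, email="ada@example.com"):
    """Constructed IdP Response for the demo (not a capture from any real IdP)."""
    nb, na = (now - timedelta(minutes=1)).strftime(TS), (now + timedelta(minutes=5)).strftime(TS)
    attrs = {"FirstName": "Ada", "LastName": "Lovelace", "Email": email}
    attr_xml = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                       f'</saml:AttributeValue></saml:Attribute>' for k, v in attrs.items())
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
            f'Version="2.0" IssueInstant="{now.strftime(TS)}" Destination="{ACS_URL}" '
            f'InResponseTo="{request_id}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
            f'</samlp:Status><saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now.strftime(TS)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{email}</saml:NameID>'
            f'</saml:Subject><saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
            f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>{attr_xml}'
            f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    rid, _ = build_authn_request(DEMO_NOW)
    print(validate_response(sample_response(rid, DEMO_NOW), rid, DEMO_NOW))
    print(rejection_reason(sample_response(rid, DEMO_NOW), "_not_ours", DEMO_NOW))
```

The InResponseTo comparison is what "SP-initiated only" means in practice: a Response that does not answer a request the service provider issued is dropped, which also blocks replayed responses. The EncryptedAssertion check mirrors the answer that token encryption is not supported, and the domain check mirrors the requirement that the user's email domain be the verified, federated one.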

Security-related questions about SAML configuration in Nintex Workflow

Aside from SAML, what other federation protocols does Nintex Workflow support?

Currently, Nintex Workflow supports the following:

Are there specific conditions required to access Nintex Workflow?

Nintex Workflow is a software-as-a-service (SaaS) application and requires no special access conditions; only a username and password are required to sign in.

Does Nintex Workflow have its own ID store?

No. Nintex Workflow does not store passwords. It keeps only user mapping tables that map each Nintex Workflow user to the corresponding identity in the identity provider.

Will Nintex Workflow transform identity data such as an e-mail address?

No. Nintex Workflow uses identity data such as the email address exactly as the identity provider sends it; no transformation is required.

Can Nintex Workflow prevent access to unauthorized users?

Once users are authenticated by the identity provider, Nintex Workflow authorizes them based on their roles in Nintex Workflow Cloud (NWC). For more information on roles, see User roles.

Can Nintex Workflow sign SAML requests?

No. Nintex Workflow does not sign the SAML authentication requests (AuthnRequest messages) it sends to the identity provider, so the identity provider must not be configured to require signed requests.

Does Nintex Workflow have a token encryption certificate?

No. Nintex Workflow does not support token encryption certificates, so the identity provider must send assertions unencrypted (signed, not encrypted).

Which type of certificates does Nintex Workflow use? What is the lifetime of each certificate?

Nintex Workflow uses only the token-signing certificate provided by the identity provider; it issues no certificates of its own. The lifetime of each certificate is determined by the identity provider that issued it.

Is there a process in place to replace certificates before those certificates expire?

Yes. An administrator can replace the identity provider's certificate in the User Management page of Nintex Workflow before the current certificate expires.

Does Nintex Workflow support and configure two token signing certificates for the trusted federation system?

No.

Does Nintex Workflow support Single Log Out (SLO)?

No. Single Log Out (SLO) is not supported. Nintex Workflow supports only SP-initiated SSO, where sign-in starts at Nintex Workflow and the user is redirected to the identity provider; IdP-initiated sign-in is not supported.

What is the authorization model for Nintex Workflow?

Roles are managed in Nintex Workflow. For more information on user roles, see User roles.

Does Nintex Workflow need any authorization data from the identity provider?

No. Nintex Workflow requires only the email, first name and last name attributes; roles are assigned in Nintex Workflow.