IdP Example: Salesforce

If Salesforce is your end users' primary login location, it is possible to use a Salesforce org as an identity provider (IdP) for Nintex Apps.

Setting up this SSO scheme requires:

  1. Enabling the Salesforce org as an identity provider
  2. Creating an identity provider connection in Nintex Apps using the Salesforce org's identity provider metadata
  3. Creating a connected app within Salesforce based off the Nintex Apps IdP connection
  4. Creating and assigning a permission set for the connected app
  5. Adjusting identifier values for proper authentication

Because this process involves some back and forth between the two platforms, having two browser windows with both open side-by-side is recommended.

Enable Salesforce as an Identity Provider

In Salesforce

First, you must enable Salesforce as an identity provider.

  1. Type Identity Provider in the Salesforce Quick Find box.

  2. Click the Identity Provider option.

  3. Click Enable Identity Provider.

  4. If prompted, select a certificate and click Save.

    Note: You will need to choose a certificate to enable Salesforce as an identity provider. You may choose any existing certificate, or create a new one if needed. This will not affect future steps.

  5. After being redirected to the Identity Provider page, click Download Metadata.

This will download the necessary SAML metadata file to be used within Nintex Apps. It will likely have a name similar to SAMLIdP-00A12000000BBCd.

Create the identity provider connection

In your Nintex Apps site:

  1. Navigate to Settings > Single Sign-on.
  2. Click Create identity provider or, if some IdP connections already exist, click Create in the Identity Providers section.
  3. Give the IdP connection a name, like Salesforce.
  4. Confirm the name by clicking Create.

With the IdP connection created, update its identity provider details by importing the downloaded metadata file.

  1. In the Identity provider details section, click Add details.
  2. Select Upload metadata file.
  3. Click Select file and select the downloaded metadata file, or drag and drop the file onto the Select file button.

To create the Salesforce connected app in the next section, you'll need two values from this newly created IdP connection:

  • Entity Id
  • Assertion Consumer Service (ACS) URL

Copy these values within the detail screen, or refer back to this screen when needed during the connected app setup.

Create the Salesforce Connected App

In Salesforce

  1. Create a new connected app.
  2. Fill out the fields as follows:
    • Basic Information
      • Connected App Name: Enter a name that represents your SSO connection, like AppsSAML.
      • API Name: This will be populated automatically based on the connected app's name.
      • Contact Email: Enter the email of the user who will be in charge of maintaining this SAML connection.
    • API (Enable OAuth Settings)
      • Enable OAuth Settings: Checked
      • Callback URL: The callback URL for the Nintex Apps tenant you'll be connecting to, e.g. https://example.nintex.app/auth/oauth/callback.
      • Selected OAuth Scopes:
        • Manage user data via APIS (api)
        • Access the identity URL service (id, profile, email, address, phone)
        • Perform requests at any time (refresh_token, offline_access)
    • Web App Settings
      • Enable SAML: Checked
      • Entity Id: The IdP connection's entity Id
      • ACS URL: The IdP connection's ACS URL
  3. Click Save.
  4. Click Continue.

Create and Assign the Permission Set

Now that the connected app is created, Salesforce users must be granted access to it—and one additional Apex class—through a custom permission set.

  1. Create a new permission set.
  2. Fill out the permission set's basic information:
  3. Click Save.

While on the permission set's detail page, assign the connected app for this SSO connection to the permission set:

  1. Click Assigned Connected Apps.
  2. Click Edit.
  3. Add the app you created in previous step.
  4. Click Save.

Next, give this permission set access to a specific Apex class used by Nintex Apps.

  1. Return to the Permission Set Overview, and click Apex Class Access.
  2. Click Edit.
  3. Add skuid.RestServices_Model.
    • This will likely be near the bottom of the Available Apex Classes list.
  4. Click Save.

Finally, assign this newly created permission set to any users that will be logging in through SAML.

  1. Click Manage Assignments.
  2. Click Add Assignments.
  3. Check any users that will be using Salesforce as an IdP.
  4. Click Assign.

Identity mapping

By default, Nintex Apps will attempt to match the Salesforce username value—since it is the Subject statement—to a user's Federation Id.

If these values do not match for your end users, you can update the federation IDs to match. To do so, navigate to the Settings > Users screen or encourage your users to do so individually through the My Settings screen.

Alternatively, you can set

One alternative is to match the Salesforce user's email against the Nintex Apps user's email.

Add identity mapping

Once SAML metadata is loaded, you must create an identity mapping so Nintex Apps can identify users based on the information sent by Salesforce. Salesforce sends the Salesforce username as its SAML Subject statement, along with several other user attributes, which can be used for identity mapping. For more information, see Salesforce documentation on example SAML assertions.

This example assumes the Salesforce user's email maps to the user's email in the Nintex Apps site.

In your Nintex Apps site:

  1. In the Identity mapping section, click Add mapping.

  2. Configure the mapping:

    [ SAML attribute ] [ email ] matches Nintex Apps user [ Email ]

  3. Indicate whether or not the match is Case-sensitive.

  4. Click Save.
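To make the two mappings concrete, here is an added example (not Nintex code) of the resolution step: the default rule matches the Subject NameID, which Salesforce fills with the username, against Federation Id; the alternative matches the `email` SAML attribute against the user's Email, with the Case-sensitive toggle applied. The assertion fragment and user directory are constructed, and a lookup that matches zero users (or more than one) deliberately resolves to nobody, which is the "User not found" outcome described under Troubleshooting.

```python
"""Resolve a Salesforce SAML assertion to a Nintex Apps user record.

Added example, not Nintex code. SAMPLE_ASSERTION and USERS are constructed;
the assertion omits the XML signature, which is verified before any of this runs.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion in the shape Salesforce sends: username as Subject NameID,
# plus user attributes in an AttributeStatement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>https://example-dev-ed.my.salesforce.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example-dev-ed.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="userId"><saml:AttributeValue>005PLACEHOLDER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>jane.doe@example-dev-ed.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed Nintex Apps user records. bsmith has no Federation Id set on purpose.
USERS = [
    {"username": "jdoe", "email": "jane.doe@example.com",
     "federation_id": "jane.doe@example-dev-ed.com"},
    {"username": "bsmith", "email": "bob.smith@example.com", "federation_id": ""},
]


def parse_assertion(xml_text):
    """Extract issuer, Subject NameID and attribute values (a list per attribute)."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attrs,
    }


def resolve_user(assertion, users, mapping=None, case_sensitive=True):
    """Return the single user record the assertion identifies, or None.

    mapping=None           -> default rule: Subject NameID matches federation_id.
    mapping=("email", "email") -> SAML attribute `email` matches the user's email field.
    Empty identifiers never match, and an ambiguous match (two records) is rejected
    rather than guessed, so None is the "User not found" condition.
    """
    if mapping is None:
        field = "federation_id"
        candidates = [assertion["name_id"]] if assertion["name_id"] else []
    else:
        attr_name, field = mapping
        candidates = assertion["attributes"].get(attr_name, [])

    norm = (lambda s: s) if case_sensitive else (lambda s: s.casefold())
    wanted = {norm(v) for v in candidates if v}
    if not wanted:
        return None
    matches = [u for u in users if u.get(field) and norm(u[field]) in wanted]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    a = parse_assertion(SAMPLE_ASSERTION)
    print("default rule:", resolve_user(a, USERS))
    print("email, case-sensitive:", resolve_user(a, USERS, ("email", "email"), True))
    print("email, case-insensitive:", resolve_user(a, USERS, ("email", "email"), False))
```

The constructed assertion carries the email with different capitalisation from the user record, so the case-sensitive email mapping fails while the case-insensitive one succeeds; that is the situation the Case-sensitive toggle exists for.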

Make the IdP available as a login option

With all setup options complete, enable the Available as login option toggle and then click Save to display the newly created IdP connection as a login option to your users.

Additional Configuration Options

Access Salesforce as a connection

Configuring Salesforce as an IdP for Nintex Apps does not automatically allow Salesforce to be used as a connection within that Nintex Apps site.

Some additional steps are necessary to use Salesforce data within an app page, but the connected app configured above allows for a quicker setup.

In Nintex Apps

Create an authentication provider

  1. Navigate to Connections > Authentication Providers.
  2. Click Create.
  3. Enter the following settings:
    • Name: A human-readable name, like AppsSAML.
    • Authentication: OAuth 2.0/Open ID.
    • Provider Type: Salesforce.
    • Grant Type: SAML 2.0 Bearer Assertion.
    • Token Endpoint URL: Set <My Domain> to match your org's My Domain.
    • Client Id: The consumer key from the Salesforce connected app.
    • Client Secret: The consumer secret from the Salesforce connected app.
  4. Click Save.

Create connection

To set the authentication provider, you'll need to create the connection and then update it.

  1. Navigate to Connections.
  2. Click Create.
  3. Fill out the basic information:
    • Connector: Salesforce.
    • Name: A name representative of the connection, like SalesforceSAMLOrg.
  4. Fill out the My Domain field.
  5. Enter placeholder values for Client Id and Client secret.
  6. Click Create.
  7. In the newly created connection detail screen, click the Authentication tab.
  8. Select the authentication provider you just created.
  9. Click Save.

You may now use this connection to access Salesforce data within an app page.

Use a Request Signing Certificate

Request signing certificates offer an extra layer of security, ensuring that every request must match a certificate only available to the Salesforce org and the Nintex Apps site it is attempting to authenticate to.

While this process is optional, it is recommended.

In Nintex Apps

  1. Navigate to Settings > Certificates.
  2. Click Create.
  3. Fill out the certificate details:
    • Certificate Name: Enter an easily recognizable name.
    • Key Size: Set to either 2048 or 4096 bits. A larger key is more secure, but takes longer to parse.
    • Type: Self Signed
  4. Click Create.
  5. Click the newly created certificate.
  6. Click Download certificate.

Next, update the identity provider connection to use this self-signed certificate:

  1. Navigate to Settings > Single Sign-on.
  2. Click the IdP connection to update its details.
  3. Click the Certificates tab.
  4. Select the newly created certificate in the Request Signing Certificate dropdown.
  5. Click Save.

In Salesforce

  1. Return to the Apps page and click Edit beside the connected app from above.
  2. Update the following settings:
    • Web App Settings
      • Verify Request Signatures: Checked.
      • Upload a certificate: Upload the self-signed certificate you just downloaded from Nintex Apps.
  3. Click Save.

User provisioning

User provisioning through a standard Salesforce connected app is currently not possible, as the necessary attributes for provisioning are not included in the SAML assertion.

Troubleshooting

Salesforce Error: Invalid HTTP method

There may be an issue with the Identity Provider Login URL on the Nintex Apps IdP connection.

  1. Navigate to Settings > Single Sign-on.
  2. Click the identity provider connection (or click More Options > Configure ).
  3. Ensure the Identity Provider Login URL ends with HttpRedirect and not HttpPost.

Salesforce Error: Unable to resolve request into a Service Provider

The Entity Id value of the Salesforce connected app may not match the Nintex Apps site. Ensure these two values match exactly:

  • The Web App Settings > Entity Id field on the Salesforce connected app
  • The Audience URI / Service Provider Entity ID / Metadata URL of the identity provider connection in Nintex Apps.

SAML Login error: User not found

Salesforce is sending an identifier—by default, the user's username—to Nintex Apps that doesn't match any existing Nintex Apps user records, and user provisioning is not enabled.

The identifier sent by Salesforce must match the value chosen within the IdP connection's SAML Identity contains Nintex Apps User's setting. This is the Federation Id field by default.

For more information, see the Adjust Identifier Values section.

Seeing the Nintex Apps login screen after clicking Login with SAML

  • The ACS URL may not be configured correctly. Ensure these two values match exactly:
    • The Web App Settings > ACS URL field on the Salesforce connected app
    • The Assertion Consumer Service (ACS) URL of the identity provider connection in Nintex Apps.
  • There could be an issue with the request signing certificates used by Salesforce and Nintex Apps. Repeat the steps in the Use a Request Signing Certificate section.
  • The identity provider certificate within Salesforce could be expired.
    • Create a new self-signed certificate within Salesforce.
    • Select that certificate within Salesforce's Identity Provider page.
    • Click Download Metadata and recreate the identity provider connection following the instructions above.

Seeing an Internal Server Error after clicking Login with SAML

  • Verify that the necessary permission set is both created and assigned to all necessary end users.
  • Ensure that the identifier value matches the value of the Nintex Apps user record field.
  • The connected app's IP restrictions could be causing issues. Consider relaxing its IP restriction policies in Salesforce.
    1. Navigate to the Connected Apps page and click Manage.
    2. Edit Policies.
    3. Permitted Users: Admin approved users are pre-authorized.
    4. IP Relaxation: Relax IP restrictions.
    5. Click Save.