Single Sign-On (SSO) allows your users to access Nitro's products by authenticating through your Identity Provider (IdP). Nitro supports SSO with any SAML-2.0 compliant IdP. See “Step-by-step instructionsfor various IdPs” for IDP specific instructions.

Note: Note: This feature is only available to Nitro Productivity Suite Enterprise customers.

Prerequisites:

1. Your account must have a verified domain to set up and enable SSO. Visit this article for instructions on verifying your domain. 
2. You will need the following information from your IdP: 
   - Sign In URL 
   - X.509 Signing Certificate

Set up SAML SSO

1. Once you have verified your domain, select Single Sign-On from the left-and menu in Nitro Admin.

2. Click the Setup SAML SSO button.

3. Enter your IdP's SignInURLand upload the x.509 Signing Certificate from your IdP. The x.509 Signing Certificate should be base 64 encoded and in a .ceror .pemformat.

4. When these have been submitted successfully, you will be provided with the SAMLEntity ID and ACS URL. Add these to your IdP

5. Nitro requires the SAML assertion to contain NameID, email, given_name, family_name and employeeNumber of a user:

• NameID must be set to email address. 
• employeeNumber can be any value that is unique for a user. E.g. for Okta: user.id. Note, if there is no obvious unique ID value, use email address instead. 
• Please note the UI for adding custom attributes will vary depending on the identity provider in use. See example assertions from Okta, Azure AD below. 

Abilitare SSO

After completing the SAML SSO setup, toggle Enable Single Sign-On to Enabled.

Testing SSO

Toggle Enable Single Sign-On to Disabled.

1. Assign your test user permission to the Nitro application in your IdP 
2. Test IdP initiated login from your IdP’s application launch page 
3. Test SP initiated login from an incognito window 
4. Navigate to https://sso.gonitro.com and enter the test users username 

Note: If you lose your active admin session while testing SSO login and are unable to log back in please contact customer support to disable the SSO configuration for you.

Disable SSO

Toggle Enable Single Sign-On to Disabled.

Note: When SSO is disabled, users will need to log in with their Nitro account username and password.

Removing an IdP Configuration

To remove the IdP configuration, click the Remove Configuration button.

Note: Removing an IdP configuration will disable SSO for your account.

Step-by-step instructions for various IdPs:

• Microsoft Azure AD
• Microsoft Active Directory Federated Services (ADFS)

Example Assertion from Okta:

Example Assertion from Azure AD: