
Single Sign-On (SSO) Overview

Single Sign-On (SSO) allows your users to access Nitro's products by authenticating through your Identity Provider (IdP). Nitro supports SSO with any SAML 2.0-compliant IdP.

Note: This feature is only available for Enterprise customers, as well as customers on the PDF Plus, Sign Plus, or higher plans.

Prerequisites

  1. Your account must have a verified domain to set up and enable SSO. Visit this article for instructions on verifying your domain.
  2. You will need the following information from your IdP: 
    - Sign In URL 
    - X.509 Signing Certificate

Step-by-Step Guides for Common IdPs

To learn how SSO works on Nitro in general, or to set up SSO with an IdP not listed above, follow the steps below.

How to Set Up SAML SSO in the Nitro Admin Portal

  1. Log in to the Nitro Admin Portal.
  2. Select Settings in the left navigation pane and navigate to the Single Sign-On tab.
  3. Click the Edit Configuration button.
  4. Enter your Sign-In URL and upload your X.509 Signing Certificate. The certificate must be base64 encoded and in .cer or .pem format.

  5. Once submitted, Nitro will display your SAML Entity ID and ACS URL.
    Ensure both ACS URLs are added in your IdP configuration.

    If you need help with how to add multiple ACS URLs in your IdP, refer to the relevant guide below:

  6. Nitro requires the SAML assertion to contain NameID, email, given_name and family_name of a user:

  • NameID must be set to email address. 
  • Please note the UI for adding custom attributes will vary depending on the identity provider in use.
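
The attribute requirements in step 6 can be checked against an assertion captured from a test login before SSO is rolled out. The Python script below is an added example, not Nitro's code; it assumes the attribute Name values are exactly email, given_name and family_name, and both sample assertions are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the IdP must send these exact attribute names (taken from step 6).
REQUIRED = ("email", "given_name", "family_name")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_assertion(xml_text):
    """Return a list of problems found in a decoded SAML assertion.

    Configuration debugging aid only: it does not verify the XML signature,
    so it must never be used to decide whether an assertion is trustworthy.
    """
    root = ET.fromstring(xml_text)
    problems = []
    # NameID must be set to the user's email address.
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not EMAIL_RE.match(name_id):
        problems.append(f"NameID is not an email address: {name_id!r}")
    # Collect the first value of every attribute in the AttributeStatement.
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("Name")] = value.strip()
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"missing or empty attribute: {name}")
    return problems

def sample(name_id, attrs):
    # Constructed, unsigned assertion; all values are made up.
    items = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{items}</saml:AttributeStatement></saml:Assertion>')

GOOD = sample("jane.doe@example.com", {"email": "jane.doe@example.com",
                                       "given_name": "Jane", "family_name": "Doe"})
# Typical misconfiguration: username as NameID, IdP-default attribute names.
BAD = sample("jdoe", {"email": "jane.doe@example.com", "firstName": "Jane"})

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_assertion(doc) or "OK")
```
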

How to Enable SSO

After completing the SAML SSO setup:

  • Click Edit SSO.
  • Click the radio button for Enable SSO.
  • Click Save to apply your changes.

How to Test SSO

Before rolling out SSO to all users, test your configuration using the steps below:

  1. In the Nitro Admin Portal, enable SSO by clicking Edit SSO, selecting Enable SSO, and clicking Save.
  2. In your IdP, assign a test user permission to access the Nitro application.
  3. Test IdP-initiated login:
    1. Log in to your IdP’s application launch page.
    2. Launch the Nitro application from your IdP’s application launch page.
  4. Test SP-initiated login:
    1. Open a new incognito/private browser window.
    2. Navigate to https://sso.gonitro.com.
    3. Enter the test user’s email address and follow the login prompts.

Note: If you lose access during testing and cannot log back in, please contact Nitro Support to disable SSO for your account.

Disable SSO

If you need to temporarily or permanently turn off Single Sign-On for your organization, follow these steps:

  1. Log in to the Nitro Admin Portal, go to Settings > Single Sign-On and click Edit SSO.
  2. Click the radio button for Disable SSO.
  3. Click Save to apply your changes.

Once SSO is disabled, all users will need to log in using their Nitro username and password instead of through the IdP. Disabling SSO does not delete your configuration. You can re-enable SSO at any time as long as the configuration has not been removed.

How to Remove IdP Configuration

  1. Log in to the Nitro Admin Portal, go to Settings > Single Sign-On.
  2. Click Clear Configuration.

Removing the IdP configuration will fully disable SSO for your account. All users will need to log in using their Nitro username and password.

You can reconfigure SSO from the beginning at any time by following the steps in How to Set Up SAML SSO in the Nitro Admin Portal.
