Single Sign-On (SSO) allows your users to access Nitro's products by authenticating through your Identity Provider (IdP). Nitro supports SSO with any SAML 2.0-compliant IdP.
Note: This feature is only available to customers on a Nitro Productivity Suite Enterprise plan.
Set Up an ADFS SAML Connection
Create a custom SAML connection to Microsoft's Active Directory Federation Services (ADFS) to get more flexibility when configuring your mappings.
To create the custom connection, you will need to:
1. Configure ADFS.
2. Create a SAML connection where Nitro acts as the service provider.
3. Edit the Relying Party Trust in ADFS.
4. Enable and test your integration.
The following sections will guide you through this process.
ADD A RELYING PARTY TRUST
See Create a relying party trust for complete details.
1. Launch your instance of ADFS and start the Add Relying Party Trust wizard.
2. On the Welcome page, choose Claims aware and click Start.
3. On the Select Data Source page, select Enter data about the relying party manually and click Next.
4. On the Specify Display Name page, provide a descriptive name for your relying party and a brief description under Notes. If you are unsure of the connection name at this time, you can always edit the connection name later. Click Next.
5. On the Configure Certificate page, click Next. (We will come back to configure the certificate later.)
6. On the Configure URL page, check the box for Enable support for the SAML 2.0 WebSSO protocol. The wizard then asks for a Relying party SAML 2.0 SSO service URL. For the time being, provide a placeholder URL; we will return to this step later. Click Next.
7. On the Configure Identifiers page, indicate that the Relying party trust identifier is whatever value you used as the display name when you started using the wizard. Click Next.
8. On the Choose Access Control Policy page, select Permit everyone and click Next.
9. Review the settings you provided on the Ready to Add Trust page and click Next to save your information. If you were successful, you'll see a message indicating that on the Finish page.
10. Make sure that the Configure claims issuance policy for this application checkbox is selected, and click Close.
EDIT THE CLAIM ISSUANCE POLICY
After you close the Add Relying Party Trust wizard, the Edit Claim Issuance Policy window appears.
1. Click Add Rule to launch the wizard.
2. Select Send LDAP Attributes as Claims for your Claim rule template, and click Next.
3. Provide a value for the Claim rule name, such as "LDAP Attributes" (it can be anything you want).
4. Choose Active Directory as your Attribute Store.
5. Map your LDAP attributes to the following outgoing claim types:
LDAP Attribute | Outgoing Claim
E-Mail-Addresses | E-Mail Address
Display-Name | Name
User-Principal-Name | Name ID
Given-Name | Given Name
Surname | Surname
sAMAccountName | http://schemas.microsoft.com/identity/claims/employeeNumber
6. All of the claims listed above, should be added and employeeNumber can be set to unique ID representing a user.
7. You can add additional claim mappings if necessary. See Connect Your Application to Microsoft ADFS for details.
8. Click Finish.
9. In the Edit Claim Issuance Policy window, click Apply. You can now exit out of this window.
EXPORT THE SIGNING CERTIFICATE
Finally, you'll need to export the signing certificate from the ADFS console to upload it to Nitro.
1. Using the left-hand navigation pane, go to ADFS > Service > Certificates. Select the Token-signing certificate, and right-click to select View Certificate.
2. On the Details tab, click Copy to File. This launches the Certificate Export Wizard. Click Next.
3. Choose Base-64 encoded X.509 (.CER) as the format you'd like to use. Click Next.
4. Provide the location where you want the certificate exported. Click Next.
5. Verify that the settings for your certificate are correct and click Finish.
Configure Single Sign-On in Nitro
1. In the Nitro Admin portal, on the Enterprise Settings page, find the Single Sign-On section. Select Setup SAML SSO.
2. Paste the Sign In URL from the preceding step into the Sign-In URL field.
3. The sign in and sign out URLs are usually in the form of https://your.adfs.server/adfs/ls
4. Upload the Certificate (Base64) from the earlier step in the X509 Signing Certificate field.
5. Select Submit.
6. Select Enable Single Sign-On.
Edit the Relying Party Trust
1. In the ADFS console, go to ADFS > Relying Party Trusts using the left-hand navigation pane. Select the Relying Party Trust you created earlier and click Properties (located on the right-hand navigation pane).
2. Select the Identifiers tab, and populate the Relying Party Identifier with the Entity ID value from the previous screen. Be sure to click Add to add the identifier to your list.
3. Select the Endpoints tab, and select the placeholder URL you provided earlier. Click Edit.
4. Populate the Trusted URL with the ACS URL value from Nitro.
5. Click OK. Finally, click Apply and exit the Properties window.
Enable and test your integration
Before you test your integration, make sure that you've completed the following steps:
- Create a user on the IdP that you can use to test your new connection.
- Enable Single Sign-On in Nitro.
To test your connection
1. Navigate to Connections > Enterprise > ADFS.
2. Click the ADFS row (or the hamburger icon to the right) to bring up a list of your ADFS connections.
3. Select the one you want to test and click the play button to test the connection.