After creating user identities in a Security Assertion Markup Language (SAML) identity provider supported by NexusOne, you must connect NexusOne to the SAML provider. Connecting to an identity provider ensures that the user identities you created can authenticate with NexusOne.

Connect to a SAML identity provider

Perform these steps to connect to a SAML identity provider.
  1. Log in to NexusOne.
  2. On the top navigation bar, hover your mouse over Govern and then select Identity Provider.
  3. Click the plus + icon in the top right corner of the page to choose a provider.
  4. Select a provider.
  5. Configure the provider with the following details:
    1. In the Display Name field, enter a provider display name. It’s shown in NexusOne’s UI.
    2. In the Alias field, enter a unique name. It must be in lowercase and contain hyphens.
    3. Use the toggle button to Enable or Disable the provider.
    4. Create an OIDC app in the provider’s portal that represents NexusOne.
    5. Copy NexusOne’s redirect URI shown in the Redirect URI / Callback URL field and paste it into the provider’s Allowed Redirect URIs / Callback list.
    6. In the SSO service URL field, enter an SSO service URL.
    7. Optional: In the Single Logout URL field, enter the provider’s SAML Single Logout (SLO) endpoint URL. Use this if you want logging out of NexusOne to also sign the user out of the provider.
    8. From the NameID Policy Format list, select a policy format. NameID is the user ID your SAML provider sends to NexusOne. NameID Policy Format specifies the type of ID value the provider includes in a SAML response, and it can be one of the following:
      • Email Address: User’s email address.
      • PERSISTENT: Stable and unique ID for a user across logins.
      • TRANSIENT: Short-lived identifier that can change between sessions.
      • UNSPECIFIED: Provider chooses what to send.
    9. In the IdP Signing Certificate (PEM) field, paste the PEM certificate from the provider’s SAML application settings. This is the public X.509 certificate NexusOne uses to verify SAML messages signed by the provider.
    10. From the Sync Mode list, select a sync mode. The sync mode determines how NexusOne syncs the user identities from the provider. The sync mode can be one of the following:
      • FORCE: NexusOne forces the sync mode.
      • IMPORT: NexusOne imports the user identities from the provider.
      • INHERIT: NexusOne inherits the user identities from the provider.
      • LEGACY: NexusOne uses a legacy sync mode.
    11. Select Sign AuthnRequests. When enabled, NexusOne signs SAML authentication requests sent to the provider. Enable this if your provider requires signed AuthnRequests.
    12. Select Use POST binding for AuthnRequests. Enable this if your provider requires POST binding or if you run into URL length limits with the HTTP Redirect binding. With POST binding, NexusOne generates the SAML AuthnRequest and your browser sends it to the provider as an HTML form POST, instead of carrying it in the URL as the HTTP Redirect binding does.
    13. Click Next.
  6. Configure attribute mapping between the identity provider and user accounts.
    1. In the SAML Attribute field, enter a user profile claim name.
    2. In the User Attribute field, enter a NexusOne user attribute to map the claim to.
    3. From the Sync list, select a sync option for the attribute mapping. The sync mode can be one of the following:
      • FORCE: NexusOne forces the sync mode.
      • IMPORT: NexusOne imports the user identities from the provider.
      • INHERIT: NexusOne inherits the user identities from the provider.
    4. In the Group Mapping section, click Enter Group Mapping and enter a user profile claim name and NexusOne user attribute.
  7. Click Next.
  8. Review your configuration and then click Create Identity Provider.
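The following script is an added example and is not NexusOne code or part of this documentation. It shows what several of the settings above produce on the wire: the Alias format rule, the standard SAML URN that each NameID Policy Format value corresponds to, and the difference between the HTTP Redirect binding (deflated, base64-encoded, URL-encoded request in the query string) and the HTTP POST binding (base64-encoded request in a form field), which is why POST sidesteps URL length limits. The entity ID, redirect URI and SSO service URL are constructed placeholders, and the script does not sign the request, so it corresponds to the Sign AuthnRequests toggle being off.

```python
"""Build a SAML AuthnRequest from settings like those in the procedure above and
encode it for the HTTP-Redirect and HTTP-POST bindings (example code, not NexusOne's)."""
import base64
import html
import re
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)

# Constructed placeholder values (assumptions, not real NexusOne or provider URLs).
SP_ENTITY_ID = "https://nexusone.example.test/realms/main"
REDIRECT_URI = "https://nexusone.example.test/realms/main/broker/corp-saml/endpoint"
SSO_SERVICE_URL = "https://idp.example.test/sso/saml"

# Standard SAML URNs behind the NameID Policy Format choices in the UI.
NAMEID_FORMATS = {
    "Email Address": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "PERSISTENT": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "TRANSIENT": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "UNSPECIFIED": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

# Alias rule as stated in the procedure: lowercase, hyphen-separated, no spaces.
ALIAS_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


def valid_alias(alias: str) -> bool:
    return ALIAS_RE.fullmatch(alias) is not None


def build_authn_request(nameid_policy: str, request_id: str = "", issue_instant: str = "") -> str:
    """Return an unsigned AuthnRequest (XML string) asking for the given NameID format."""
    root = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": SSO_SERVICE_URL,              # the configured SSO service URL
        "AssertionConsumerServiceURL": REDIRECT_URI,  # the Redirect URI / Callback URL
        # ProtocolBinding describes how the *response* should come back, not how this request is sent.
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{NS_A}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{NS_P}}}NameIDPolicy",
                  {"Format": NAMEID_FORMATS[nameid_policy], "AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def nameid_format_of(xml: str) -> str:
    """Read the NameIDPolicy Format back out of a request (for checks and tests)."""
    return ET.fromstring(xml).find(f"{{{NS_P}}}NameIDPolicy").get("Format")


def encode_redirect(xml: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encoded query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return SSO_SERVICE_URL + "?" + urlencode(params)


def decode_redirect(url: str) -> str:
    """Reverse encode_redirect: pull SAMLRequest from the query and inflate it."""
    qs = parse_qs(urlsplit(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


def encode_post(xml: str, relay_state: str = "") -> str:
    """HTTP-POST binding: base64 only, carried in an auto-submitting HTML form body."""
    fields = f'<input type="hidden" name="SAMLRequest" value="{base64.b64encode(xml.encode()).decode()}"/>'
    if relay_state:
        fields += f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
    return (f'<form method="post" action="{SSO_SERVICE_URL}">{fields}'
            '<noscript><input type="submit" value="Continue"/></noscript></form>')


def decode_post(form_html: str) -> str:
    """Reverse encode_post: read the base64 SAMLRequest field out of the form."""
    return base64.b64decode(re.search(r'name="SAMLRequest" value="([^"]+)"', form_html).group(1)).decode()


if __name__ == "__main__":
    req = build_authn_request("PERSISTENT")
    print("Redirect URL length:", len(encode_redirect(req, "after-login")))
    print("POST form body length:", len(encode_post(req, "after-login")))
```

Running the script prints the request size under each binding; the redirect URL is shorter thanks to DEFLATE, but the whole request still rides in the query string, which is where browser and server URL limits bite. The decode functions are included so the round trip can be checked against a request the provider logs.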

Additional resources