> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nx1cloud.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect to a SAML identity provider

> Link user identities to a SAML IdP to enable authentication in NexusOne.

After creating user identities in a Security Assertion Markup Language (SAML) identity provider supported
by NexusOne, you must connect NexusOne to the SAML provider.

Connecting to an identity provider ensures that the user identities you created can authenticate
with NexusOne.

## Connect to a SAML identity provider

Perform these steps to connect to a SAML identity provider.

1. Log in to NexusOne.

2. On the top navigation bar, hover your mouse over **Govern** and then select **Identity Provider**.

3. Click the plus `+` icon in the top right corner of the page to choose a provider.

4. Select a provider.

5. Configure the provider with the following details:

   1. In the **Display Name** field, enter a provider display name. It's shown in NexusOne's UI.

   2. In the **Alias** field, enter a unique name. It must be in lowercase and contain hyphens.

   3. Use the toggle button to **Enable** or **Disable** the provider.

   4. Create an OIDC app in the provider's portal that represents NexusOne.

   5. Copy NexusOne's redirect URI shown in the **Redirect URI / Callback** URL field and paste it into the
      provider's Allowed **Redirect URIs / Callback** list.

   6. In the SSO service URL field, enter an SSO service URL.

   7. Optional: In the **Single Logout URL** field, enter the provider's SAML Single Logout (SLO) endpoint URL.
      Use this if you want logging out of NexusOne to also sign the user out of the provider.

   8. From the **NameID Policy Format** list, select a policy format.

      NameID is the user ID your SAML provider sends to NexusOne. NameID Policy Format specifies the type of ID value
      the provider includes in a SAML response, and it can be one of the following:

      * `Email Address`: User's email address.
      * `PERSISTENT`: Stable and unique ID for a user across logins.
      * `TRANSIENT`: Short-lived identifier that can change between sessions.
      * `UNSPECIFIED`: Provider chooses what to send.

   9. In the **IdP Signing Certificate (PEM)** field, paste a PEM certificate from a provider's SAML application settings.

      This is the public X.509 certificate NexusOne uses to verify SAML messages signed by a provider.

   10. From the **Sync Mode** list, select a sync mode.

       The sync mode determines how NexusOne syncs the user identities from the provider. The sync mode can be one of the following:

       * `FORCE`: NexusOne forces the sync mode.
       * `IMPORT`: NexusOne imports the user identities from the provider.
       * `INHERIT`: NexusOne inherits the user identities from the provider.
       * `LEGACY`: NexusOne uses a legacy sync mode.

   11. Select **Sign AuthnRequests**. When enabled, NexusOne signs SAML authentication requests sent to the provider.
       Enable this if your provider requires signed AuthnRequests.

   12. Select **Use POST binding for AuthnRequests**. Enable this if your provider requires POST binding or if you run into URL
       length limits with an HTTP Redirect binding.

       With POST binding, NexusOne generates the SAML AuthnRequest, and your browser sends it to the provider as an HTML form POST,
       instead of putting it in the URL, like an HTTP Redirect binding.

   13. Click **Next**.

6. Configure attribute mapping between the identity provider and user accounts.

   1. In the **SAML Attribute** field, enter a user profile claim name.

   2. In the **User Attribute** field, enter a NexusOne user attribute to map the claim to.

   3. From the **Sync** list, select a sync option for the attribute mapping. The sync mode can be one of the following:

      * `FORCE`: NexusOne forces the sync mode.
      * `IMPORT`: NexusOne imports the user identities from the provider.
      * `INHERIT`: NexusOne inherits the user identities from the provider.

   4. In the **Group Mapping** section, click **Enter Group Mapping** and enter a user profile claim name and
      NexusOne user attribute.

7. Click **Next**.

8. Review your configuration and then click **Create Identity Provider**.

## Additional resources

* For an overview of the Govern feature, refer to [Govern Overview](/documentation/govern/overview).
* To learn more about SAML, refer to
  [Security Assertion Markup Language (SAML) V2.0 Technical Overview](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
