Nexonia supports Single Sign-On (SSO) using SAML 2.0, with an optional Active Directory Federation Services (ADFS) flavor. Clients can use Okta, OneLogin, or any other identity provider that supports SAML 2.0.
Administrators can enable the SSO feature in Nexonia. SSO login access is granted to users through their role: the role permissions let you choose whether users can log in to Nexonia via Regular Logins only, SSO Logins only, or both. SSO Logins are supported on Nexonia's web and mobile applications.
Link: Configuration Guide to Roles and User Permissions
To configure SSO:
A Nexonia administrator can enter your IDP public certificate in Nexonia. To begin, log in to Nexonia on the web and navigate to Setup > Company > Features. Click the Edit button (near the bottom) to access the Features list.
Scroll through the Features to find the Single Sign-On setting. Switching Use Single Sign-On (SSO) to "Yes" enables the SSO settings:
SSO Administrator Emails: the email address to which error messages are sent.
SSO Protocol: typically left as SAML 2.0.
SAML IdP URL: your unique landing (redirect) page URL goes into this field.
Nexonia Idp URL Endpoint: https://system.nexonia.com/assistant/saml.do?orgCode=XXXX
Your orgCode (XXXX) is unique to your organization. If you don't know what it is, contact help@nexonia.com for assistance.
SAML Flavor: choose "Standard" or "Active Directory Federation Services".
SAML Certificate: paste your IdP's public certificate here.
In the SAML assertions your IdP sends, the NameID must be the user's e-mail address (the same one they currently use to log in to Nexonia).
Once you've configured these settings, scroll to the bottom of the Features list and click the Apply button.
Enabling SSO Login Access for Users
SSO login access is granted to users as defined by the user's role. To enable it:
- In Nexonia, navigate to Setup > Users > Roles.
- Edit the role you want to update. The SSO settings are under the General tab.
- For each user role, in the SSO field you can select:
  - regular logins only,
  - SSO logins only, or
  - both regular logins and SSO logins.
- Once you make your selection, click the Apply button. Any users linked to that role will now have the SSO settings applied to them.
Typical SSO Requests:
Typical AuthnRequest that Nexonia would send to your IdP:
<samlp:AuthnRequest xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' ID='n-5c3ba6bf-4e27-4543-bd98-9faf37e87d1b' Version='2.0' IssueInstant='2012-03-21T02:16:50Z' AssertionConsumerServiceURL='https://system.nexonia.com/assistant/saml.do?orgCode=xxxx'>
<saml:Issuer>Nexonia</saml:Issuer>
<samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'/>
</samlp:AuthnRequest>
Typical SAML Response that Nexonia would receive from your IdP:
<?xml version='1.0' encoding='UTF-8' standalone='no' ?><samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' ID='ridAEA317A338EC8F6DF88481C9306822681FCC1DC7' IssueInstant='2012-03-22T16:39:28Z' Version='2.0' xmlns='urn:oasis:names:tc:SAML:2.0:protocol' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
<ds:Reference URI='#ridAEA317...some ref....C9306822681FCC1DC7'>
<ds:Transforms>
<ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
<ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
</ds:Transforms>
<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
<ds:DigestValue>cNme7C...the digest....hq9m/3vabWY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>tDCBO9TZgeH... the signature...T0==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDJjCCAlyBDcSINU2/c9292vY1DcVbgJ4og9YwFmdUqqvu3+T
.. the certificate....Nyx7hIFG5rNgWsipbjJ4fKwYFOxZ3c4njmYw4douEjrpUWz9Rkhw1Gth
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value='urn:oasis:names:tc:SAML:2.0:status:Success'/>
</samlp:Status>
<saml:Issuer>YourIDP</saml:Issuer>
<saml:Assertion ID='aid524F354FBF279D412B11F2688FE7843FB3354B15' IssueInstant='2012-03-22T16:39:28Z' Version='2.0'>
<saml:Issuer>YourIDP</saml:Issuer>
<saml:Subject>
<saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' NameQualifier='https://some.url' SPNameQualifier='Nexonia'>
user@domain.com
</saml:NameID>
<saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'>
<saml:SubjectConfirmationData NotOnOrAfter='2012-03-22T16:44:28Z' Recipient='https://system.nexonia.com/assistant/saml.do?orgCode=xxxx'/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore='2012-03-22T16:35:28Z' NotOnOrAfter='2012-03-22T16:44:28Z'>
<saml:AudienceRestriction>
<saml:Audience>Nexonia</saml:Audience>
</saml:AudienceRestriction>
<saml:OneTimeUse/>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant='2012-03-22T16:35:28Z' SessionIndex='sid59EB7FCD47B8F339DB92C55E629469CDF68B9A16'>
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
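The response above carries the fields a service provider must check before trusting the NameID it contains: a Success status, the expected Issuer, an Audience of "Nexonia", a Recipient equal to the Nexonia endpoint URL, the NotBefore/NotOnOrAfter window, and an e-mail-shaped NameID. The following added example (not Nexonia's code) runs those checks over a constructed response modelled on the sample; the IDs, signature value and orgCode "xxxx" are placeholders, and the time of "now" is passed in so the result is deterministic. It only confirms that a ds:Signature element is present; cryptographically verifying that signature against the IdP certificate configured in Nexonia requires an XML-DSig library such as xmlsec and is not shown here.

```python
"""Service-provider checks on an incoming SAML 2.0 Response (added example)."""
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Expected values for this SP; orgCode 'xxxx' is the page's placeholder.
EXPECTED_ISSUER = "YourIDP"
EXPECTED_AUDIENCE = "Nexonia"
ACS_URL = "https://system.nexonia.com/assistant/saml.do?orgCode=xxxx"

# Constructed sample modelled on the response above (IDs and signature are placeholders).
SAMPLE_RESPONSE = """<?xml version='1.0' encoding='UTF-8'?>
<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'
  xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' ID='rid-constructed' Version='2.0'
  IssueInstant='2012-03-22T16:39:28Z'>
  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:SignatureValue>PLACEHOLDER==</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value='urn:oasis:names:tc:SAML:2.0:status:Success'/></samlp:Status>
  <saml:Issuer>YourIDP</saml:Issuer>
  <saml:Assertion ID='aid-constructed' IssueInstant='2012-03-22T16:39:28Z' Version='2.0'>
    <saml:Issuer>YourIDP</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'>user@domain.com</saml:NameID>
      <saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'>
        <saml:SubjectConfirmationData NotOnOrAfter='2012-03-22T16:44:28Z'
          Recipient='https://system.nexonia.com/assistant/saml.do?orgCode=xxxx'/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore='2012-03-22T16:35:28Z' NotOnOrAfter='2012-03-22T16:44:28Z'>
      <saml:AudienceRestriction><saml:Audience>Nexonia</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp like 2012-03-22T16:39:28Z (fractional seconds tolerated)."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC timestamp ending in Z: %r" % value)
    base = value[:-1].split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_doc, now, skew=timedelta(seconds=60)):
    """Return {'ok', 'errors', 'name_id'}; `now` is a SAML timestamp string or aware datetime.

    Only the presence of a signature is checked here; verifying it against the IdP
    certificate configured in Nexonia needs an XML-DSig library (e.g. xmlsec).
    """
    if isinstance(now, str):
        now = parse_saml_time(now)
    if isinstance(xml_doc, str):
        xml_doc = xml_doc.encode("utf-8")
    root = ET.fromstring(xml_doc)
    errors = []
    if root.tag != "{%s}Response" % NS["samlp"]:
        return {"ok": False, "errors": ["root element is not samlp:Response"], "name_id": None}
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("status is not Success")
    if root.find("ds:Signature", NS) is None and root.find("saml:Assertion/ds:Signature", NS) is None:
        errors.append("no ds:Signature on Response or Assertion")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguous responses rather than picking one assertion
        errors.append("expected exactly one Assertion, found %d" % len(assertions))
        return {"ok": False, "errors": errors, "name_id": None}
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != EXPECTED_ISSUER:
        errors.append("unexpected assertion Issuer")
    audiences = [x.text.strip() for x in
                 a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if x.text]
    if EXPECTED_AUDIENCE not in audiences:
        errors.append("Audience %r does not include %r" % (audiences, EXPECTED_AUDIENCE))
    cond = a.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    noa = cond.get("NotOnOrAfter") if cond is not None else None
    if nb and now + skew < parse_saml_time(nb):  # allow small IdP/SP clock drift
        errors.append("assertion not yet valid (NotBefore)")
    if noa is None or now - skew >= parse_saml_time(noa):
        errors.append("assertion missing NotOnOrAfter or expired")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        errors.append("bearer Recipient does not match our ACS URL")
    if scd is None or scd.get("NotOnOrAfter") is None or now - skew >= parse_saml_time(scd.get("NotOnOrAfter")):
        errors.append("bearer confirmation missing NotOnOrAfter or expired")
    name_id = (a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if not EMAIL_RE.match(name_id):  # Nexonia keys the user on the e-mail address
        errors.append("NameID %r is not an e-mail address" % name_id)
    return {"ok": not errors, "errors": errors, "name_id": name_id if not errors else None}


def check_sample(now):
    """Run the checks over the constructed sample at the given time."""
    return validate_response(SAMPLE_RESPONSE, now)


if __name__ == "__main__":
    for t in ("2012-03-22T16:40:00Z", "2012-03-22T17:00:00Z"):
        print(t, check_sample(t))
```

Run at 16:40 UTC the sample passes and yields the NameID; run at 17:00 it is rejected because both the Conditions and the bearer SubjectConfirmationData have expired. Changing the orgCode in the Recipient URL or the Audience value likewise produces a rejection, which is why those fields must match the Nexonia endpoint and entity name exactly when you configure your IdP.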