If your company is using an identity provider, your IT department can configure a SAML authentication protocol for your Nucla Network and/or Group. This will make logging into your account easier and safer.
Please reach out to support@nucla.com if you have questions about the setup process or are having trouble logging in to Nucla through your company's SSO portal.
Technical Requirements
Nucla integrates with any single sign-on (SSO) identity provider that supports the SAML protocol.
To set up SSO authentication for your account, you must:
- Be an Administrator of your Network or Group
- Enable SSO on your Network or Group settings
- Upload your Federation Metadata File (XML) with the EntityID, Reply URL, and NAMEID information provided by Nucla
Please contact your Customer Success Manager if you have not received this information.
Steps to Configure SSO
- Enable SSO from your Nucla Network or Group General Settings page.
- Upload your Federation metadata XML file. Please share this information with your IT department so they can generate the correct file that you can upload to your Nucla settings.
- For Network SSO, select a default authorization group. This is the group users will be automatically added to if it's their first time using Nucla.
Disable Nucla Auth
. Check this box if you wish to restrict authentication to Nucla to your active directory domain or intranet.EntityId: KITEsrm
Reply URL: This unique URL will include your group or network ID.
NAMEID: must be set to `email` in your directory service configuration.
After uploading you should see the file name render to show it has completed successfully.
You can enable group routing from your Identity Provider by including an attribute statement in your SAML assertion with group identifiers. To set this up you will need to configure your IDP system to sent an attribute statement with the claim name AuthorizedUserGroups
and then map those values in Nucla.
The IDP Group Identifiers input is for the identifier that you will be sending in a SAML response. This can be any string value or values. The Network Group input is for the group or groups you would like the user to be provisioned for. You can map as many IDP Group Identifiers to as many Network Groups as you need. You can add additional mappings by clicking the āAdd group mappingā button.
The SAML assertion sent by your IDP should include an AttributeStatement
with the attribute name
with the value AuthorizedUserGroups
. It should have nested AttributeValue
elements representing each group.
<saml2:AttributeStatement>
<saml2:Attribute Name="AuthorizedUserGroups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">My Security Group Id
</saml2:AttributeValue>
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Authorization User Group
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
When your users login through SSO, Nucla will provision access for the user for the groups that are sent in this manner.
Example configuration with Okta (Advanced)
If Okta is your IDP, you will need to edit your applicationās SAML Settings. You will find a setting for Group Attribute Statements
In the Name field, enter AuthorizedUserGroups
and use Oktaās proprietary regex to filter the names of the groups you want added to the SAML response.
You can test your response by clicking on the Preview the SAML Assertion button below the Group Attribute Statements section and compare it to the sample SAML assertion sent above.
Example configuration with Azure Active Directory
In Active Directory you can send your group identifiers after assigning users to groups. You will need to access the Attributes & Claims panel by opening your enterprise application and selecting Single sign-on.
Add a group claim and customize your source attributes as needed. Make sure you check Customize the name of the group claim and add AuthorizedUserGroups
to the Name field.
- Success! You have enabled SSO for your Network or Group on Nucla. This can be re-established or disabled at any point from your account settings.