🔐

Set up SSO authentication for your account

If your company uses an identity provider, your IT department can configure SAML authentication for your Nucla Network and/or Group. This makes logging in to your account easier and safer.

Please reach out to support@nucla.com if you have questions about the setup process or are having trouble logging in to Nucla through your company's SSO portal.

Technical Requirements

Nucla integrates with any single sign-on (SSO) identity provider that supports the SAML protocol.

To set up SSO authentication for your account, you must:

  • Be an Administrator of your Network or Group
  • Enable SSO on your Network or Group settings
  • Upload your Federation Metadata File (XML); your IT department generates this file from the EntityID, Reply URL, and NAMEID information provided by Nucla

Please contact your Customer Success Manager if you have not received this information.

Steps to Configure SSO

  1. Enable SSO from your Nucla Network or Group General Settings page.
    🔓 There is another checkbox labeled Disable Nucla Auth. Check this box to turn off Nucla's own login and restrict authentication to your Active Directory domain or intranet.

  2. Upload your Federation Metadata XML file. Share the following values with your IT department so they can generate the correct file for you to upload to your Nucla settings:
    EntityId: KITEsrm
    Reply URL: a unique URL that includes your group or network ID.
    NAMEID: must be set to `email` in your directory service configuration.

    After uploading, you should see the file name rendered, which shows that the upload completed successfully.

    ⚠️ SAML certificates have an expiration date (typically 3 years). Once your certificate expires, make sure you re-upload a valid certificate.

  3. For Network SSO, select a default authorization group. This is the group users will be automatically added to the first time they use Nucla.
    🛠 Users with an existing account will not be automatically added. They will need to be added manually through the respective group on Nucla.

    Group Routing Configuration (Optional - Network SSO Only)

    You can enable group routing from your Identity Provider by including an attribute statement in your SAML assertion that carries group identifiers. To set this up, configure your IDP to send an attribute statement with the claim name AuthorizedUserGroups, then map those values to Network Groups in Nucla.


    The IDP Group Identifiers input is for the identifier that you will be sending in a SAML response. This can be any string value or values. The Network Group input is for the group or groups you would like the user to be provisioned for. You can map as many IDP Group Identifiers to as many Network Groups as you need. You can add additional mappings by clicking the “Add group mapping” button.

    The SAML assertion sent by your IDP should include an AttributeStatement containing an Attribute whose Name is AuthorizedUserGroups, with one nested AttributeValue element for each group.

    <saml2:AttributeStatement>
      <saml2:Attribute Name="AuthorizedUserGroups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">My Security Group Id</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">Authorization User Group</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>

    When your users log in through SSO, Nucla provisions access for them to the Network Groups mapped from the identifiers sent in this manner.

    💡 Nucla will not remove users from groups if an IDP group identifier is no longer sent for the user: Nucla does not revoke group access through SSO. If you wish to remove a user, remove them from the group through the group users settings panel, and also ensure the user is no longer associated with that group within your IDP.
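    To make the routing behaviour concrete, here is an added Python example (not Nucla's code, and not how Nucla is implemented) that reads the AuthorizedUserGroups values out of a constructed assertion modelled on the sample above, checks that the NameID is an e-mail address, and applies a hypothetical mapping table the way the text describes: Network Groups mapped from the sent identifiers are added to the user's existing groups, nothing is ever removed, identifiers with no mapping are ignored, and attributes with any other claim name are not consulted. The assertion, the Department attribute, the group names and the mapping rows are all invented for the example; the assumption that a directory configured with NAMEID = email emits the SAML 1.1 emailAddress NameID format is the example's own.

```python
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIM_NAME = "AuthorizedUserGroups"  # claim name Nucla reads (from the page)
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # assumption, see lead-in

# Constructed sample assertion (not captured from any real IDP), modelled on the
# page's AttributeStatement. Some IDPs put the closing tag of each value on its
# own line, so the values below deliberately carry trailing whitespace that a
# careless parser would keep as part of the group identifier.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="AuthorizedUserGroups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">My Security Group Id
      </saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Authorization User Group
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Department">
      <saml2:AttributeValue>Engineering</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Hypothetical mapping table: the rows an administrator would enter as
# "IDP Group Identifiers" -> "Network Group" in Nucla. Many-to-many is allowed.
GROUP_MAPPINGS = {
    "My Security Group Id": {"Engineering"},
    "Authorization User Group": {"Engineering", "Product"},
    "Finance Admins": {"Finance"},
}


def extract_idp_groups(assertion_xml):
    """Return the AuthorizedUserGroups values, whitespace-stripped, in order.
    Attributes with any other Name (e.g. Department) are ignored."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iter("{%s}Attribute" % SAML2_NS):
        if attr.get("Name") != CLAIM_NAME:
            continue
        for value in attr.findall("{%s}AttributeValue" % SAML2_NS):
            text = (value.text or "").strip()
            if text:
                groups.append(text)
    return groups


def extract_email_name_id(assertion_xml):
    """Return the NameID if it is formatted and shaped like an e-mail address, else None."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//{%s}NameID" % SAML2_NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        return None
    value = (name_id.text or "").strip()
    return value if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value) else None


def provision_groups(existing_groups, idp_groups, mappings=GROUP_MAPPINGS):
    """Additive provisioning as the page describes: every Network Group mapped from a
    sent identifier is added; nothing is removed; unmapped identifiers are ignored."""
    provisioned = set(existing_groups)
    for identifier in idp_groups:
        provisioned |= mappings.get(identifier, set())
    return provisioned


def route_login(assertion_xml, existing_groups, mappings=GROUP_MAPPINGS):
    """Reject the login if the NameID is not an e-mail address; otherwise return
    (email, provisioned_groups) for the user."""
    email = extract_email_name_id(assertion_xml)
    if email is None:
        raise ValueError("NameID must be an e-mail address (NAMEID = email)")
    groups = provision_groups(existing_groups, extract_idp_groups(assertion_xml), mappings)
    return email, groups


if __name__ == "__main__":
    # A user already in "Finance" logs in with the constructed assertion.
    print(route_login(SAMPLE_ASSERTION, {"Finance"}))
```

The `provision_groups` step is a set union on purpose: it models the note above, where a group that stops being sent by the IDP stays on the user's account until an administrator removes it through the group users settings panel.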

    Example configuration with Okta (Advanced)

    If Okta is your IDP, you will need to edit your application's SAML Settings. There you will find a setting for Group Attribute Statements.

    In the Name field, enter AuthorizedUserGroups and use Okta's proprietary regex filter to select the names of the groups you want added to the SAML response.

    You can test your response by clicking the Preview the SAML Assertion button below the Group Attribute Statements section and comparing it to the sample SAML assertion shown above.

    Example configuration with Azure Active Directory

    In Azure Active Directory you can send your group identifiers after assigning users to groups. Open your enterprise application, select Single sign-on, and then open the Attributes & Claims panel.

    Add a group claim and customize your source attributes as needed. Make sure you check Customize the name of the group claim and enter AuthorizedUserGroups in the Name field.

    💡 Note that the above configuration will send the group's Object Id, which you can view from the groups panel. That Object Id, not the group's display name, is the value to enter as the IDP Group Identifier in your Nucla mapping.

  4. Success! You have enabled SSO for your Network or Group on Nucla. SSO can be re-established or disabled at any point from your account settings.

Optional - Service Provider Initiated SSO

You can generate a Service Provider Initiated (SPI) SSO link after you have enabled SSO for your group or network. Click “Enable Sign In Link” to generate the SPI SSO link.

After it is enabled you will see a link that you can provide to your network. Visiting this URL redirects your users to your IDP, where they can sign in. After they sign in they are redirected back and logged in to Nucla.

Clicking the edit button in the right-hand corner allows you to edit the URL to your liking. Please note that you can only use alphanumeric characters, underscores, and hyphens.

💡 Group Level SPI SSO links are not available if Network SSO is enabled.