If your company uses an identity provider, your IT department can configure SAML authentication for your Nucla Network and/or Group. This makes logging into your account easier and safer.
Please reach out to email@example.com if you have questions about the setup process or are having trouble logging in to Nucla through your company's SSO portal.
Nucla integrates with any single sign-on (SSO) identity provider that supports the SAML protocol.
To set up SSO authentication for your account, you must:
- Be an Administrator of your Network or Group
- Enable SSO on your Network or Group settings
- Upload your Federation Metadata File (XML) with the EntityID, Reply URL, and NAMEID information provided by Nucla
Please contact your Customer Success Manager if you have not received this information.
Steps to Configure SSO
- Enable SSO from your Nucla Network or Group General Settings page.
- Upload your Federation metadata XML file. Please share this information with your IT department so they can generate the correct file that you can upload to your Nucla settings.
- For Network SSO, select a default authorization group. This is the group users will be automatically added to if it's their first time using Nucla.
- Disable Nucla Auth: check this box if you wish to restrict authentication to Nucla to your Active Directory domain or intranet.
- Values provided by Nucla for your identity provider configuration:
  - EntityId: KITEsrm
  - Reply URL: this unique URL will include your group or network ID.
  - NAMEID: must be set to `email` in your directory service configuration.
After uploading you should see the file name render to show it has completed successfully.
You can enable group routing from your Identity Provider by including an attribute statement in your SAML assertion that carries group identifiers. To set this up, configure your IDP to send an attribute statement with the claim name AuthorizedUserGroups, then map those values in Nucla.
The IDP Group Identifiers input is for the identifier that you will be sending in a SAML response. This can be any string value or values. The Network Group input is for the group or groups you would like the user to be provisioned for. You can map as many IDP Group Identifiers to as many Network Groups as you need. You can add additional mappings by clicking the “Add group mapping” button.
The SAML assertion sent by your IDP should include an AttributeStatement containing an Attribute whose Name is AuthorizedUserGroups. That Attribute should have nested AttributeValue elements, one for each group.
```xml
<saml2:AttributeStatement>
  <saml2:Attribute Name="AuthorizedUserGroups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">My Security Group Id </saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Authorization User Group </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
```
When your users log in through SSO, Nucla will provision access for the user to the groups sent in this manner.
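To illustrate how the group-routing data above is consumed on the service-provider side, here is an added example (not Nucla's own code) that pulls the AuthorizedUserGroups values out of an assertion and applies a mapping table like the one configured in Nucla, falling back to the default authorization group when nothing matches. The mapping rows, the extra attribute and the group names are constructed for the example; it assumes the assertion's signature has already been verified by the SAML library before this step runs.

```python
import xml.etree.ElementTree as ET

SAML2_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, modelled on the page's AttributeStatement. The extra
# "department" attribute shows that only AuthorizedUserGroups is consulted.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="department">
      <saml2:AttributeValue>Finance</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="AuthorizedUserGroups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>My Security Group Id </saml2:AttributeValue>
      <saml2:AttributeValue>Authorization User Group </saml2:AttributeValue>
      <saml2:AttributeValue>Unmapped Group</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Hypothetical "IDP Group Identifier -> Network Group(s)" rows, as configured
# in the Nucla group-mapping UI; these names are invented for the example.
GROUP_MAPPINGS = {
    "My Security Group Id": ["Engineering"],
    "Authorization User Group": ["Engineering", "Admins"],
}
DEFAULT_GROUP = "General"  # the Network SSO default authorization group


def extract_authorized_groups(assertion_xml: str) -> list[str]:
    """Return the AuthorizedUserGroups values from an already-verified assertion.

    Only the namespaced saml2:Attribute named AuthorizedUserGroups is read, and
    each value is whitespace-trimmed because IdPs often pad them (the page's
    sample carries trailing spaces); empty values are dropped.
    """
    root = ET.fromstring(assertion_xml)
    path = ("./saml2:AttributeStatement/saml2:Attribute[@Name='AuthorizedUserGroups']"
            "/saml2:AttributeValue")
    values = [(el.text or "").strip() for el in root.findall(path, SAML2_NS)]
    return [v for v in values if v]


def resolve_network_groups(idp_groups, mappings, default_group) -> list[str]:
    """Map IdP identifiers to Network Groups, ignoring identifiers with no
    mapping row; a user who matches nothing lands only in the default group."""
    resolved: list[str] = []
    for identifier in idp_groups:
        for group in mappings.get(identifier, []):
            if group not in resolved:
                resolved.append(group)
    return resolved or [default_group]
```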
Example configuration with Okta (Advanced)
If Okta is your IDP, you will need to edit your application's SAML Settings, where you will find a setting for Group Attribute Statements.
In the Name field, enter AuthorizedUserGroups and use Okta's proprietary regex to filter the names of the groups you want added to the SAML response.
You can test your response by clicking the Preview the SAML Assertion button below the Group Attribute Statements section and comparing the output to the sample SAML assertion shown above.
Example configuration with Azure Active Directory
In Active Directory you can send your group identifiers after assigning users to groups. You will need to access the Attributes & Claims panel by opening your enterprise application and selecting Single sign-on.
Add a group claim and customize your source attributes as needed. Make sure you check Customize the name of the group claim and enter AuthorizedUserGroups in the Name field.
- Success! You have enabled SSO for your Network or Group on Nucla. This can be re-established or disabled at any point from your account settings.
Optional - Service Provider Initiated SSO
You can generate a Service Provider Initiated (SPI) SSO link after you have enabled SSO for your group or network. Click "Enable Sign In Link" to generate an SPI SSO link.
After it is enabled you will see a link that you can provide to your network. Visiting this URL redirects your users to your IDP, where they can sign in. After they sign in they are redirected back and logged into Nucla.
Clicking the edit button in the right-hand corner allows you to edit the URL to your liking. Please note that you can only use alphanumeric characters, underscores, and hyphens.