This article describes how to connect an external identity provider (IdP) to Nexus GO Signing.
To use an external identity provider, the connection must be configured both in the identity provider and in Nexus GO. For example, some user attributes must have the same names in both services, and the SAML metadata from each service must be uploaded to the other.
Mapping of attributes from the identity provider
Nexus GO reads attributes from the SAML response and adds them to the PDF signature.
commonName is mandatory and is used to display the name of the signer in the PDF document.
The SAML response must contain either email or userId. Both of them can be included, but at least one is mandatory. They are used to check the identity of the signer, that is, to verify that the signer has permission to view the signing request and the documents. Which attributes from the IdP map to email and userId in the SAML response is configurable.
The IdP can also provide the optional attribute title, which is displayed in the visual signature in the PDF (for example …
Instructions for specific identity providers
For more information on how to set up specific identity providers in Nexus GO, see here:
- Set up Digital Access as identity provider to Nexus GO Signing
- Set up Azure Active Directory as identity provider to Nexus GO PDF Signing
- Set up Forgerock as identity provider to Nexus GO PDF Signing
- Set up Microsoft AD FS as identity provider to Nexus GO Signing
- Set up PhenixID Authentication Services as identity provider to Nexus GO Signing
- Log in to Nexus GO.
- Click Services > Signing.
- Select the signing service you want to add an identity provider to, and click Set up SAML IDP.
- In Upload metadata:
- Enter a Display name, which is the name of the Signing method that will be shown in the signing portal.
- Upload the xml file containing the Identity Provider metadata, for example idp.xml.
- Click Next.
- In Map SAML attributes:
Check the SAML attribute names configured in the identity provider for the attributes email and commonName, and enter them in the corresponding fields.
The attribute names in Nexus GO must match those that are configured in the identity provider for the connection to work.
- If you use an identity provider with userId as identifier instead of email, for example a personal identity number (personnummer in Swedish):
- Set Include userId to On.
- In userId, enter the corresponding SAML attribute name.
- Click Next.
- In Select contributors, define which users are allowed to upload documents and send out requests in the signing portal:
Either check Everyone from this Identity Provider is a contributor, or enter an attribute and values to define specific users to be contributors.
To let all members of the user groups admin and IT be contributors, use these values:
attribute = memberOf, value = admin, value = IT
If there is no group already in the user directory to define the contributors, you can create such a group.
- Click Next.
- In Confirmation, verify the details and click Submit.
The configured Identity Provider can now be used in the signing portal.
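The following is an added example, not Nexus GO code, that shows what the attribute mapping and the contributor rule above amount to when applied to a SAML assertion: the commonName/email/userId/title fields are looked up by the attribute names entered in Map SAML attributes, the mandatory-attribute rules are enforced, and the memberOf rule from Select contributors is evaluated. The assertion is constructed sample data; the IdP attribute names (urn:oid:2.5.4.3, mail, title, memberOf) are assumptions about what an IdP might emit, and the assertion's XML signature is deliberately not verified here, which a real service must do before trusting any attribute.

```python
"""Constructed example: map SAML attributes to signer fields and evaluate a
contributor rule. Not Nexus GO code. The assertion is hand-written sample
data and signature verification is deliberately omitted."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion. The attribute names are assumptions about what an
# IdP might emit: "urn:oid:2.5.4.3" is the LDAP OID for commonName, while
# "mail", "title" and "memberOf" are common LDAP attribute names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.3">
      <saml:AttributeValue>Anna Andersson</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>anna@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="title">
      <saml:AttributeValue>Contract Manager</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>sales</saml:AttributeValue>
      <saml:AttributeValue>IT</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Mapping as entered in "Map SAML attributes": Nexus GO field -> IdP attribute
# name. userId is None because "Include userId" is Off for this IdP.
MAPPING = {"commonName": "urn:oid:2.5.4.3", "email": "mail", "userId": None, "title": "title"}

# Contributor rule from "Select contributors" (everyone=False, so the
# attribute/values part applies): members of admin or IT are contributors.
CONTRIBUTOR_RULE = {"everyone": False, "attribute": "memberOf", "values": {"admin", "IT"}}


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement.
    Names are compared exactly (case-sensitive), which is why the names
    entered in Nexus GO must equal those configured in the IdP."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_signer(attrs, mapping):
    """Apply the mapping and enforce the documented rules: commonName is
    mandatory, at least one of email/userId must be present, title is optional."""
    signer = {}
    for field, idp_name in mapping.items():
        if idp_name and attrs.get(idp_name):
            signer[field] = attrs[idp_name][0]
    if "commonName" not in signer:
        raise ValueError("commonName is mandatory but missing from the SAML response")
    if "email" not in signer and "userId" not in signer:
        raise ValueError("SAML response must contain email or userId")
    return signer


def is_contributor(attrs, rule):
    """True if the user may upload documents and send out signing requests."""
    if rule["everyone"]:
        return True
    return any(v in rule["values"] for v in attrs.get(rule["attribute"], []))


if __name__ == "__main__":
    attrs = read_attributes(SAMPLE_ASSERTION)
    print(map_signer(attrs, MAPPING))
    print("contributor:", is_contributor(attrs, CONTRIBUTOR_RULE))
```

Changing the mapped name for email from mail to Mail makes map_signer raise, which is the failure mode you see when the attribute names in Nexus GO and the IdP do not match: the signer cannot be identified even though the IdP did send the attribute.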