- Created by Karolin Hemmingsson, last modified on May 07, 2019
This article describes how to set up access to Nexus GO Signing with Nexus Hybrid Access Gateway as identity provider (IDP).
The configuration is done in three steps: first preparation in Hybrid Access Gateway, then in Nexus GO PDF Signing and then configuration is completed in Hybrid Access Gateway.
Prerequisites
In Hybrid Access Gateway:
- Installed Hybrid Access Gateway
- User accounts and authentication methods configured. See for example Set up Personal authentication.
- A configured access rule (for example called PDF Signing) that requires strong authentication and contains all authentication methods used for accessing the portals and performing remote signatures.
- For the SAML federation: a signing certificate for the SAML identity provider (used to sign the SAML assertions sent to Nexus GO).
In Nexus GO:
- PDF Signing service added in Nexus GO.
Configure Hybrid Access Gateway as identity provider
In Hybrid Access Gateway, do the configuration to set up an Identity Provider.
- Log in to the Hybrid Access Gateway admin interface.
Check the SAML signing certificate:
- Go to Manage system > Certificates.
- Scroll down to Registered Server Certificates.
- Verify that the certificate to be used is available, for example idp-cert.
Configure SAML Identity Provider:
- Go to Manage Resource Access > SAML Federation.
- Click Add SAML Federation...
- Enter a Display Name, for example Nexus IDP.
- Check Acting as Identity Provider.
- Uncheck Import metadata automatically.
- Go to the Export tab.
- Enter a unique Entity ID, for example https://nexusville.com/idp.
- Select the Signing Certificate, for example idp-cert.
- Click Download Metadata and save the XML file; it is uploaded to Nexus GO in the chapter Configure in Nexus GO.
Configure SAML Attribute Group (example):
- Go to Manage Resource Access > SAML Federation.
- Click Manage Global SAML Federation Settings...
- Click Add attribute group...
- Enter a Display Name, for example Nexus GO PDF Signing.
- Click Add attribute... and enter the relevant SAML attributes for your identity provider. See the following examples:
Example: SAML attributes for identity provider with user storage, such as Active Directory.
Friendly Name | Name (OID)  | Source       | Mandatory / Optional | Format
mail          | mail        | User Storage | Mandatory            | string
displayName   | displayName | User Storage | Mandatory            | string
memberOf      | memberOf    | User Storage | Optional             | string
title         | title       | User Storage | Optional             | string
Example: SAML attributes for identity provider with personal identity number, such as national BankID or Freja eID.
Friendly Name | Name (OID)  | Source      | Mandatory / Optional | Format
displayName   | displayName | Certificate | Mandatory            | string
userId        | userId      | Certificate | Mandatory            | string
Configure in Nexus GO
Set up Nexus GO PDF Signing to use Hybrid Access Gateway as identity provider.
Log in to Nexus GO:
- Go to https://login.go.nexusgroup.com/ and log in to the Nexus GO administration portal with your administrator account.
To set up local IDP:
- Click Services and Signing.
- Select your PDF Signing environment.
- Click Set up local IDP.
- Enter a Display Name (shown in the signing portal and the admin portal) and upload the IDP SAML Metadata XML file downloaded from Hybrid Access Gateway in the previous step. Click Next.
- In Map SAML attributes, enter the attributes and then click Next. See the following examples:
Example: SAML attributes for identity provider with user storage, such as Active Directory.
Input field  | SAML attribute
Email        | mail
Display name | displayName
Example: SAML attributes for identity provider with personal identity number, such as national BankID or Freja eID. The data source is the certificate. Set Include user id to On.
Input field  | SAML attribute
User id      | userId
Display name | displayName
- In Select contributors, define which users get admin rights, that is, who may create signing requests in the PDF signing portal. When you are ready, click Next. See the following example:
Select contributors (example)
Contributor
Attribute | Value
memberOf  | CN=PDF Signing Admin,OU=Users,DC=nexusville,DC=com
Note: the Contributor role gives a user access to the admin portal and the possibility to create signing requests; multiple values can be added. If the checkbox Everyone from this IDP is a contributor is selected, all users authenticating through the IDP get access to the admin portal, so leave it unchecked unless every user who can pass the access rule should be able to create signing requests.
- Confirm your configuration and click Submit.
- Now back at the overview of your PDF Signing environment, at SAML SP Metadata, click Download.
- Note the Logon URL; it is needed for the optional step Add Nexus GO PDF Signing as a portal item in Hybrid Access Gateway.
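The attribute group configured in Hybrid Access Gateway and the attribute mapping and contributor selection configured in Nexus GO above together decide how an assertion is turned into a Nexus GO user. The following is an added example (not Nexus code) that applies those rules to a SAML AttributeStatement: it checks that the mandatory attributes of the chosen attribute group are present, fills the Nexus GO input fields from the two mapping tables, and evaluates the contributor rule. The two assertions embedded in it are constructed; the person, e-mail address and personal identity number are fake, and the exact-string comparison of the memberOf value is an assumption about how the portal matches values, not something the page states.

```python
# Added example (not Nexus code): evaluate a SAML AttributeStatement against the
# attribute-group, attribute-mapping and contributor configuration described on
# this page. The assertions below are constructed; all personal data is fake.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute groups from the page: SAML attribute name -> mandatory?
ATTRIBUTE_GROUPS = {
    "user_storage": {"mail": True, "displayName": True, "memberOf": False, "title": False},
    "certificate": {"displayName": True, "userId": True},
}
# Nexus GO input field -> SAML attribute, per identity-provider kind (the two mapping tables).
FIELD_MAPPING = {
    "user_storage": {"email": "mail", "display_name": "displayName"},
    "certificate": {"user_id": "userId", "display_name": "displayName"},
}
# Select contributors: (attribute, value) pairs; any match grants the Contributor role.
CONTRIBUTOR_RULES = [("memberOf", "CN=PDF Signing Admin,OU=Users,DC=nexusville,DC=com")]

SAMPLE_USER_STORAGE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail" FriendlyName="mail">
      <saml:AttributeValue>anna.andersson@nexusville.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName" FriendlyName="displayName">
      <saml:AttributeValue>Anna Andersson</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf" FriendlyName="memberOf">
      <saml:AttributeValue>CN=Staff,OU=Groups,DC=nexusville,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=PDF Signing Admin,OU=Users,DC=nexusville,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

SAMPLE_CERT_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="userId" FriendlyName="userId">
      <saml:AttributeValue>198001011234</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName" FriendlyName="displayName">
      <saml:AttributeValue>Anna Andersson</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml.strip())
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def missing_mandatory(attrs: dict, group: str) -> list:
    """Mandatory attributes of the group that are absent or empty in the assertion."""
    return [name for name, mandatory in ATTRIBUTE_GROUPS[group].items()
            if mandatory and not any(attrs.get(name, []))]


def map_user(attrs: dict, idp_kind: str) -> dict:
    """Fill the Nexus GO input fields (Email / User id, Display name). Raises if a
    mandatory attribute is missing so a half-identified user is never accepted."""
    missing = missing_mandatory(attrs, idp_kind)
    if missing:
        raise ValueError(f"assertion lacks mandatory attribute(s): {missing}")
    return {field: attrs[saml_name][0] for field, saml_name in FIELD_MAPPING[idp_kind].items()}


def is_contributor(attrs: dict, rules=CONTRIBUTOR_RULES, everyone_is_contributor=False) -> bool:
    """Contributor if 'Everyone from this IDP is a contributor' is on, or if any
    configured (attribute, value) pair occurs in the assertion. Exact string
    comparison is an assumption: a DN differing in case or spacing does not match."""
    if everyone_is_contributor:
        return True
    return any(value in attrs.get(name, []) for name, value in rules)
```

Feeding a real assertion from a test login (decoded from the SAMLResponse form field) through `parse_attributes` and `missing_mandatory` shows immediately whether the attribute group in Hybrid Access Gateway and the mapping in Nexus GO agree on attribute names, which is the usual cause of a login that succeeds at the IdP but is rejected by the signing portal.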
Add Nexus GO PDF Signing as Service Provider in Hybrid Access Gateway
In Hybrid Access Gateway, do the configuration to add Nexus GO PDF Signing as service provider.
- Log in to the Hybrid Access Gateway admin interface.
To add service provider:
- Go to Manage Resource Access > SAML Federation.
- Click the Identity Provider created earlier, for example Nexus IDP (see Configure Hybrid Access Gateway as identity provider).
- Go to the Role Identity Provider tab and click Add service provider...
- Verify that SAML 2.0 is checked.
- Upload SAML 2.0 metadata, click Choose file and select the SAML SP Metadata downloaded from Nexus GO in the previous chapter. Click Next.
- The SP metadata from Nexus GO is not signed, so Hybrid Access Gateway asks you to confirm the import. Click Yes, provided the file is the one you downloaded yourself from the Nexus GO administration portal over HTTPS in the previous chapter; the metadata determines where assertions about your users are sent, so never import a copy obtained from an untrusted source.
- Click Finish Wizard.
- In Role Identity Provider under Registered Service Providers, click the created service provider.
- Go to the Assertion Settings tab.
- Under Attribute Statement, in Attribute Group, select the group created earlier, in our example Nexus GO PDF Signing.
- Go to the Access Rules tab.
- Select the already created access rule (for example PDF Signing) to define which authentication methods are allowed: in Available Access Rules, select PDF Signing and click Add.
- Click Save.
- Click Publish to publish the updates.
The configuration in Hybrid Access Gateway is ready.
Optional: Add Nexus GO PDF Signing as a portal item in Hybrid Access Gateway
Optionally, you can add Nexus GO PDF Signing to the Hybrid Access Gateway application portal, so that users reach Nexus GO PDF Signing without having to log in again. The portal item must be protected with the same access rule as selected for the service provider; otherwise a weaker authentication could satisfy the portal item while the SAML login still requires strong authentication. For more information, see the Prerequisites.
- Log in to the Hybrid Access Gateway admin interface.
To add Nexus GO PDF Signing as a portal item in the Hybrid Access Gateway application portal:
- In the Hybrid Access Gateway administration interface, go to Browse.
- Go to access-point/custom-files/wwwroot.
- Create a file named nexusgopdfsigning.html with the content below. Replace the placeholder in angle brackets with the Logon URL noted in the chapter Configure in Nexus GO:
Example: login page
<html>
<head>
<!-- Redirect to the Nexus GO Logon URL. The user already has a Hybrid Access Gateway
     session that satisfies the access rule, so the SAML login completes without a new login. -->
<script type="text/javascript">
location.href = "<your Logon URL from Nexus GO Administration portal>";
</script>
</head>
<body>
</body>
</html>
- In the Hybrid Access Gateway administration interface, go to Manage Resource Access.
- Click Web Resources.
- Select Access Point and click Add Resource Path...
- Check Enable resource and enter the path, for example nexusgopdfsigning.html.
- Uncheck Use Parent Authorization.
- Check Make resource available in the portal.
- Select Icon and enter Link text, for example Nexus GO PDF Signing.
- Click Next.
- Select the already created access rule (for example PDF Signing) to define which authentication methods are allowed: in Available Access Rules, select PDF Signing and click Add.
- Click Save.
- Click Publish to publish the updates.
The configuration in Hybrid Access Gateway is ready.