In Hybrid Access Gateway:

• Installed Hybrid Access Gateway
• User accounts and authentication methods configured. See for example Set up Personal authentication.
• Configured access rule (called for example PDF Signing), that requires strong authentication, containing all methods used for accessing the portals and performing remote signatures.
• For the SAML federation: Signing certificate for the SAML identity provider

In Nexus GO: 

• PDF Signing service added in Nexus GO.

1. Log in to the Hybrid Access Gateway admin interface.

Check the SAML signing certificate:

1. Go to Manage system > Certificates
2. Scroll down to Registered Server Certificates
3. Verify that the certificate to be used is available, for example: idp-cert.

Configure SAML Identity Provider:

1. Go to Manage Resource Access > SAML Federation.
2. Click Add SAML Federation...
3. Enter a Display Name, for example Nexus IDP.
4. Check Acting as Identity Provider.
5. Uncheck Import metadata automatically.
6. Go to the Export tab.
7. Give a unique Entity ID: for example https://nexusville.com/idp.
8. Select the Signing Certificate, for example idp-cert.
9. Click Download Metadata, save the xml-file for future chapter Configure in Nexus GO.

Configure SAML Attribute Group (example):

1. Go to Manage Resource Access > SAML Federation.
2. Click Manage Global SAML Federation Settings...
3. Click Add attribute group...
4. Enter a Display Name, for example Nexus GO PDF Signing.
5. Click Add attribute... and enter the relevant SAML attributes for your identity provider. See the following examples:

   1. Example: SAML attributes for identity provider with user storage, such as Active Directory.

      Friendly Name	Name (OID)	Source	Mandatory / Optional	Format
      mail	mail	User Storage	Mandatory	string
      displayName	displayName	User Storage	Mandatory	string
      memberOf	memberOf	User Storage	Optional	string
      title	title	User Storage	Optional	string

   2. Example: SAML attributes for identity provider with personal identity number, such as national BankID or Freja eID.

      Friendly Name	Name (OID)	Source	Mandatory / Optional	Format
      displayName	displayName	Certificate	Mandatory	string
      userId	userId	Certificate	Mandatory	string

Log in to Nexus GO:

1. Log in to the Nexus GO administration portal: 
   Go to https://login.go.nexusgroup.com/ and log in with your administrator account.

To set up local IDP:

1. Click Services and Signing. 
2. Select your PDF Signing environment.
3. Click Set up local IDP
4. Enter a Display Name (this is shown within the signing- and admin-portal), and upload IDP SAML Metadata that was downloaded from Hybrid Access Gateway in previous step. Click Next.

5. In Map SAML attributes, enter the attributes and then click Next.
   See the following examples:

   1. Example: SAML attributes for identity provider with user storage, such as Active Directory.
      

      Input field	SAML attribute
      Email	mail
      Display name	displayName

   2. Example: SAML attributes for identity provider with personal identity number, such as national BankID or Freja eID. The data source is the certificate.
      
      Set Include user id to On.

      Input field	SAML attribute
      User id	userId
      Display name	displayName

6. In Select contributors, define what users need admin rights, that is to create signing requests in the PDF signing portal. When you are ready, click Next.
   See the following example:

   Select contributors	Attribute	Value
   Contributor	memberOf	CN=PDF Signing Admin,OU=Users,DC=nexusville,DC=com

   Note: the role contributor gives a user access to the admin portal and possibility to create signing requests, multiple values can be added.
   
   If the checkbox Everyone from this IDP is a contributor is selected, all users authenticating through the IDP will get access to admin portal.

7. Confirm your configuration and click Submit.
8. Now back at the overview of your PDF Signing environment, at SAML SP Metadata, click Download.
9. Save Logon URL for future step Optional: Add Nexus GO PDF Signing as portal item in Hybrid Access Gateway.

1. Log in to the Hybrid Access Gateway admin interface.

To add service provider:

1. Go to Manage Resource Access > SAML Federation.
2. Click the Identity Provider created earlier, for example Nexus IDP, see Configure Hybrid Access Gateway as Identity Provider.
3. Go to the Role Identity Provider tab and click Add service provider...
4. Verify that SAML 2.0 is checked.
5. Upload SAML 2.0 metadata, click Choose file and select the SAML SP Metadata downloaded from Nexus GO in the previous chapter. Click Next.
6. Confirm import of unsigned metadata by clicking Yes.
7. Click Finish Wizard.
8. In Role Identity Provider under Registered Service Providers, click the created service provider.
9. Go to the Assertion Settings tab.
10. Under Attribute Statement and Attribute Group, select the group you created in previous step, our example Nexus GO PDF Signing.
11. Go to the Access Rules tab.
12. Select the already created access rule (for example called PDF Signing), to define what authentication methods are allowed: 
    In Available Access Rules: select PDF Signing, and click Add.
13. Click Save.

1. Click Publish to publish the updates.
   The configuration in Hybrid Access Gateway is ready. 

1. Log in to the Hybrid Access Gateway admin interface.

To add Nexus GO PDF Signing as a portal item in the Hybrid Access Gateway application portal:

1. In the Hybrid Access Gateway adminstration interface, go to Browse.
2. Go to access-point/custom-files/wwwroot.

3. Create a file named nexusgopdfsigning.html and add the text below. Change the italic text to fit your configuration:

   Example: login page

   <html>
     <head>
       <script type="text/JavaScript">
         location.href = "<your Logon URL from Nexus GO Administration portal>";
       </script>
     </head>
   <body>
   </body>
   </html>

4. In the Hybrid Access Gateway administration interface, go to Manage Resource Access.
5. Click Web Resources.
6. Select Access Point and click Add Resource Path...
7. Check Enable resource and enter the path, for example nexusgopdfsigning.html.
8. Uncheck Use Parent Authorization.
9. Check Make resource available in the portal.
10. Select Icon and enter Link text, for example Nexus GO PDF Signing.
11. Click Next.
12. Select the already created access rule (for example called PDF Signing), to define what authentication methods are allowed: 
    In Available Access Rules: select PDF Signing, and click Add.
13. Click Save.

1. Click Publish to publish the updates.
   The configuration in Hybrid Access Gateway is ready.