The configuration is done in two steps: first in Nexus GO PDF Signing and then in Microsoft AD FS.
In Microsoft Active Directory:
- An Active Directory security group containing all users who are Nexus GO PDF Signing administrators.
In Microsoft AD FS:
- AD FS role service installed and a basic federation server configured, as described here:
Microsoft AD FS metadata downloaded:
https://<your AD FS server>/FederationMetadata/2006-07/FederationMetadata.xml
In Nexus GO:
- PDF Signing environment created in Nexus GO.
Configure in Nexus GO
Set up Nexus GO PDF Signing to use Microsoft AD FS as identity provider.
- Log in to the Nexus GO administration portal:
Go to https://login.go.nexusgroup.com/ and log in with your administrator account.
- In the Nexus GO administration portal, click Services and Signing.
- Select your PDF Signing environment.
- Click Set up local IDP.
- Enter a Display Name (this is shown in the signing portal and the admin portal), and upload the IDP SAML Metadata that was downloaded from your AD FS server during its installation, see the Prerequisites. Click Next.
Configure SAML mappings, then click Next. Our example:
Optional: Configure Role mappings, then click Next. Our example:
PDF Signing Admin
The role Contributor gives a user access to the admin portal and the ability to create signing requests. To add multiple values, use the +.
If the check-box Everyone from this IDP is a contributor is selected, all users authenticating through the IDP will get access to the Nexus GO administration portal.
- Confirm your configuration and click Submit.
- Back at the overview of your PDF Signing environment, at SAML SP Metadata, click Download. This file will be used in the next step ("Configure in Microsoft AD FS").
Configure in Microsoft AD FS
In Microsoft AD FS, do the configuration to set up Nexus GO PDF Signing as a Relying Party.
- Open AD FS Management.
- In the Actions panel, click Add Relying Party Trust.
- Select Claims aware and click Start.
- Select Import data about the relying party from a file, browse for the SAML SP Metadata from Nexus GO PDF Signing that was downloaded when configuring in Nexus GO (see step 8 in "Set up local IDP"). Click Next.
- Choose a Display name: Nexus GO PDF Signing, click Next.
- Choose an access control policy (for example, Permit everyone), click Next.
- Review your settings and click Next and Close.
- In AD FS Management, click Relying Party Trusts, select Nexus GO PDF Signing, click Edit Claim Issuance Policy… in the Actions panel.
- Click Add Rule…
- Use Claim rule template: Send LDAP Attributes as Claims, click Next.
Enter Claim rule name: Nexus GO PDF Signing User Claims, Attribute store: Active Directory, and select the mappings as in the table below, then click Finish.
LDAP Attribute (Select or type to add more)
Outgoing Claim Type (Select or type to add more)
- Click Add Rule…
- Use Claim rule template: Send Group Membership as a Claim, click Next.
- Enter Claim rule name: Nexus GO PDF Signing Group Claim, browse for your PDF Signing admin group, Outgoing claim type: Group, Outgoing claim value: PDF Signing Admin, click Finish and OK.
To use the federation, browse to your unique Login URL provided within the Nexus GO portal.
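The AD FS steps above can also be scripted, which makes the resulting trust and claim rules easy to review and repeat. The following PowerShell is an added example, not part of the Nexus documentation: it creates the relying party trust from the SP metadata and appends the group claim rule without overwriting rules that already exist (such as the LDAP attribute rule). The metadata file path and the AD group name are assumptions; replace them with your own.

```powershell
# Added example: scripted equivalent of the AD FS GUI steps (AD FS 2016 or later).
# Assumed values, not from the page: $metadataFile and $adminGroup.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName       = 'Nexus GO PDF Signing'
$metadataFile = 'C:\Temp\nexus-go-sp-metadata.xml'  # assumed path of the downloaded SAML SP Metadata
$adminGroup   = 'PDF-Signing-Admins'                # assumed name of your admin security group

# Create the relying party trust from the SP metadata if it does not exist yet.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile `
        -AccessControlPolicyName 'Permit everyone'
}

# Bind the rule to the group's SID, so renaming the group does not change who is admin.
$sid = (Get-ADGroup -Identity $adminGroup).SID.Value

# Same rule the "Send Group Membership as a Claim" template generates.
$groupRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Nexus GO PDF Signing Group Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "PDF Signing Admin", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# -IssuanceTransformRules replaces the whole rule set, so append to what is there
# and skip the update if a rule for this SID is already present.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
if ($existing -notmatch [regex]::Escape($sid)) {
    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -IssuanceTransformRules ($existing + "`n" + $groupRule)
}

# Print the result for review: only the intended group should map to "PDF Signing Admin".
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules |
    Format-List
```

With the Permit everyone policy, every user in the directory can authenticate to the relying party, so the group claim rule is what limits the PDF Signing Admin role to members of the admin group.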