This article describes how to set up access to Nexus GO PDF Signing with Nexus Hybrid Access Gateway as identity provider (IdP).

The configuration is done in three steps: first preparation in Hybrid Access Gateway, then in Nexus GO PDF Signing and then configuration is completed in Hybrid Access Gateway. 


Prerequisites

In Hybrid Access Gateway:

  • Installed Hybrid Access Gateway
  • User accounts and authentication methods configured. See for example Set up Personal authentication.
  • A configured access rule (called, for example, PDF Signing) that requires strong authentication and contains all authentication methods that are used for accessing the portals and for performing remote signatures.
  • For the SAML federation: Signing certificate for the SAML identity provider

In Nexus GO: 

  • PDF Signing service added in Nexus GO.

Configure Hybrid Access Gateway as identity provider

In Hybrid Access Gateway, do the configuration to set up an Identity Provider.

  1. Log in to the Hybrid Access Gateway admin interface.


Check the SAML signing certificate:

  1. Go to Manage system > Certificates
  2. Scroll down to Registered Server Certificates
  3. Verify that the certificate to be used is available, for example: idp-cert.


Configure SAML Identity Provider:

  1. Go to Manage Resource Access > SAML Federation.
  2. Click Add SAML Federation...
  3. Enter a Display Name, for example Nexus IDP.
  4. Check Acting as Identity Provider.
  5. Uncheck Import metadata automatically.
  6. Go to the Export tab.
  7. Give a unique Entity ID: for example https://nexusville.com/idp.
  8. Select the Signing Certificate, for example idp-cert.
  9. Click Download Metadata and save the XML file. It is needed in the chapter Configure in Nexus GO.


Configure SAML Attribute Group (example):

  1. Go to Manage Resource Access > SAML Federation.
  2. Click Manage Global SAML Federation Settings...
  3. Click Add attribute group...
  4. Enter a Display Name, for example Nexus GO PDF Signing.
  5. Click Add attribute... and enter the relevant SAML attributes for your identity provider. See the following examples:
    1. Example: SAML attributes for identity provider with user storage, such as Active Directory.

      Friendly Name   Name (OID)    Source         Mandatory / Optional   Format
      mail            mail          User Storage   Mandatory              string
      displayName     displayName   User Storage   Mandatory              string
      memberOf        memberOf      User Storage   Optional               string
      title           title         User Storage   Optional               string


    2. Example: SAML attributes for identity provider with personal identity number, such as national BankID or Freja eID.

      Friendly Name   Name (OID)    Source        Mandatory / Optional   Format
      displayName     displayName   Certificate   Mandatory              string
      userId          userId        Certificate   Mandatory              string


Configure in Nexus GO

Set up Nexus GO PDF Signing to use Hybrid Access Gateway as identity provider.

Log in to Nexus GO:

  1. Log in to the Nexus GO administration portal: 
    Go to https://login.go.nexusgroup.com/ and log in with your administrator account.


To set up local IDP:

  1. Click Services and Signing
  2. Select your PDF Signing environment.
  3. Click Set up local IDP
  4. Enter a Display Name (this is shown in the signing portal and in the admin portal), and upload the IdP SAML Metadata that was downloaded from Hybrid Access Gateway in the previous step. Click Next.
  5. In Map SAML attributes, enter the attributes and then click Next.
    See the following examples:

    1. Example: SAML attributes for identity provider with user storage, such as Active Directory.

      Input field    SAML attribute
      Email          mail
      Display name   displayName


    2. Example: SAML attributes for identity provider with personal identity number, such as national BankID or Freja eID. The data source is the certificate.

      Set Include user id to On.

      Input field    SAML attribute
      User id        userId
      Display name   displayName


  6. In Select contributors, define which users get admin rights, that is, the right to create signing requests in the PDF signing portal. When you are ready, click Next.
    See the following example:

    Select contributors

    Attribute   Value                                                Contributor
    memberOf    CN=PDF Signing Admin,OU=Users,DC=nexusville,DC=com   Yes

    Note: the contributor role gives a user access to the admin portal and the ability to create signing requests. Multiple values can be added.

    If the checkbox Everyone from this IDP is a contributor is selected, every user who authenticates through the IdP gets access to the admin portal. Prefer a group-based rule such as the one above so that admin rights stay limited to the users who need them.

  7. Confirm your configuration and click Submit.
  8. Now back at the overview of your PDF Signing environment, at SAML SP Metadata, click Download.
  9. Save the Logon URL. It is needed in the optional step Add Nexus GO PDF Signing as a portal item in Hybrid Access Gateway.
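The attribute group configured in Hybrid Access Gateway, the mapping in Map SAML attributes and the rule in Select contributors together decide what Nexus GO knows about a user and whether that user is a contributor. The script below is an added example, not code from this article or from Nexus GO, that evaluates a SAML attribute statement the same way: mandatory attributes must be present exactly once, the optional memberOf is only consulted for the contributor decision, and the Everyone from this IDP is a contributor flag overrides the group rule. The attribute names and the group DN are the example values from the tables above; the attribute statements and the user values in them are constructed, and the personal identity number is a dummy. The script does not validate the assertion's XML signature, which the service provider must do before any of these attributes are trusted.

```python
"""Evaluate a SAML AttributeStatement against the Nexus GO mapping examples.

Added example, not Nexus code.  Sample statements and values are constructed.
Signature validation of the assertion is out of scope here and must be done by
the SP before attributes are trusted.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: what an IdP backed by Active Directory might send.
SAMPLE_AD_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="mail" FriendlyName="mail">
    <saml:AttributeValue>alice@nexusville.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="displayName" FriendlyName="displayName">
    <saml:AttributeValue>Alice Andersson</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="memberOf" FriendlyName="memberOf">
    <saml:AttributeValue>CN=PDF Signing Admin,OU=Users,DC=nexusville,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=Staff,OU=Users,DC=nexusville,DC=com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed: what a BankID / Freja eID based IdP might send (dummy number).
SAMPLE_EID_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="userId" FriendlyName="userId">
    <saml:AttributeValue>198001011234</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="displayName" FriendlyName="displayName">
    <saml:AttributeValue>Bo Berg</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# "Map SAML attributes": input field -> SAML attribute name.
AD_MAPPING = {"email": "mail", "display_name": "displayName"}
EID_MAPPING = {"user_id": "userId", "display_name": "displayName"}   # Include user id = On

# "Select contributors": attribute -> accepted values (any match grants the role).
CONTRIBUTOR_RULES = {"memberOf": {"CN=PDF Signing Admin,OU=Users,DC=nexusville,DC=com"}}


def attributes_from_statement(xml_text):
    """Collect every saml:Attribute as name -> list of values (multi-valued safe)."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def missing_attributes(attrs, mapping):
    """SAML attribute names the mapping needs that are absent or not single-valued."""
    return [name for name in mapping.values() if len(attrs.get(name, [])) != 1]


def map_user(attrs, mapping):
    """Build the Nexus GO user record; every mapped attribute is mandatory."""
    missing = missing_attributes(attrs, mapping)
    if missing:
        raise ValueError(f"mandatory attributes missing or multi-valued: {missing}")
    return {field: attrs[name][0] for field, name in mapping.items()}


def is_contributor(attrs, rules, everyone_is_contributor=False):
    """True if the user gets admin-portal access under the contributor rules."""
    if everyone_is_contributor:
        return True
    return any(set(attrs.get(name, [])) & values for name, values in rules.items())


if __name__ == "__main__":
    for statement, mapping in ((SAMPLE_AD_STATEMENT, AD_MAPPING), (SAMPLE_EID_STATEMENT, EID_MAPPING)):
        attrs = attributes_from_statement(statement)
        print(map_user(attrs, mapping), "contributor:", is_contributor(attrs, CONTRIBUTOR_RULES))
```

Note that the eID user is not a contributor under the group rule because a certificate-based IdP emits no memberOf; for such an IdP the contributor rule has to be expressed on an attribute it does emit, or a separate user-storage IdP has to be used for the admins.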

Add Nexus GO PDF Signing as Service Provider in Hybrid Access Gateway

In Hybrid Access Gateway, do the configuration to add Nexus GO PDF Signing as service provider.

  1. Log in to the Hybrid Access Gateway admin interface.


To add service provider:

  1. Go to Manage Resource Access > SAML Federation.
  2. Click the Identity Provider created earlier, for example Nexus IDP, see Configure Hybrid Access Gateway as Identity Provider.
  3. Go to the Role Identity Provider tab and click Add service provider...
  4. Verify that SAML 2.0 is checked.
  5. Upload SAML 2.0 metadata, click Choose file and select the SAML SP Metadata downloaded from Nexus GO in the previous chapter. Click Next.
  6. Confirm the import of unsigned metadata by clicking Yes. Because the metadata is unsigned, Hybrid Access Gateway cannot verify where it came from, so only import the file that you downloaded yourself from the Nexus GO administration portal in the previous chapter.
  7. Click Finish Wizard.
  8. In Role Identity Provider under Registered Service Providers, click the created service provider.
  9. Go to the Assertion Settings tab.
  10. Under Attribute Statement and Attribute Group, select the group you created in previous step, our example Nexus GO PDF Signing.
  11. Go to the Access Rules tab.
  12. Select the already created access rule (for example called PDF Signing), to define what authentication methods are allowed: 
    In Available Access Rules: select PDF Signing, and click Add.
  13. Click Save.


  14. Click Publish to publish the updates.
    The configuration in Hybrid Access Gateway is ready.

Optional: Add Nexus GO PDF Signing as a portal item in Hybrid Access Gateway

Optionally, you can add Nexus GO PDF Signing in the Hybrid Access Gateway application portal, to let the users access Nexus GO PDF Signing without having to log in again. The portal item shall be protected with the same access rule as selected for the service provider. For more information, see the Prerequisites.

  1. Log in to the Hybrid Access Gateway admin interface.


To add Nexus GO PDF Signing as a portal item in the Hybrid Access Gateway application portal:

  1. In the Hybrid Access Gateway administration interface, go to Browse.
  2. Go to access-point/custom-files/wwwroot.
  3. Create a file named nexusgopdfsigning.html and add the text below. Replace the placeholder with the Logon URL that you saved from the Nexus GO administration portal, keeping the quotes:

    <!DOCTYPE html>
    <html>
      <head>
        <meta charset="utf-8">
        <title>Nexus GO PDF Signing</title>
        <!-- Fixed redirect to the Nexus GO Logon URL; the URL is hard-coded, not taken from the request -->
        <script type="text/javascript">
          location.href = "<your Logon URL from Nexus GO Administration portal>";
        </script>
      </head>
      <body>
        <noscript>
          <a href="<your Logon URL from Nexus GO Administration portal>">Continue to Nexus GO PDF Signing</a>
        </noscript>
      </body>
    </html>


  4. In the Hybrid Access Gateway administration interface, go to Manage Resource Access.
  5. Click Web Resources.
  6. Select Access Point and click Add Resource Path...
  7. Check Enable resource and enter the path, for example nexusgopdfsigning.html.
  8. Uncheck Use Parent Authorization.
  9. Check Make resource available in the portal.
  10. Select Icon and enter Link text, for example Nexus GO PDF Signing.
  11. Click Next.
  12. Select the already created access rule (for example called PDF Signing), to define what authentication methods are allowed: 
    In Available Access Rules: select PDF Signing, and click Add.
  13. Click Save.


  14. Click Publish to publish the updates.
    The configuration in Hybrid Access Gateway is ready.