GO Workforce service options
This article gives an overview of the different ways to fetch user data from the customer into the GO Workforce service. There is also information regarding how to federate towards the service with SAML.
User catalogue options
These are the options where user data can be fetched from, and then created in the GO Workforce service.
LDAP
When using LDAP as a user creation/management option, you must install "Nexus Smart ID Agent". The agent is used to contact the service's backend in a secure way without the need for a VPN.
Prerequisites
Java Runtime 11 (there are multiple OpenJRE vendors which can be used for this purpose, such as Microsoft's own OpenJRE package)
Outbound TCP 443 (TLS/HTTPS) to Internet
An internal server or computer that is able to reach the LDAP directory on port 389.
Installation
You will receive the Smart ID Agent (a Java application) from the GO Services delivery team, which contains all configuration you need.
To start the Smart ID Agent, execute either the Windows Batch file or the Shell script.
Runtime
It is important that the Smart ID Agent application is running at all times for the synchronization features to work as expected and for the data to be transferred to our backend accordingly.
Smart ID Agent on Windows
Examples for the Smart ID Agent on Windows:
Example 1.
You can run it as a scheduled task to be executed upon startup using the Task Scheduler in Windows. Information about the Task Scheduler can be found here: https://learn.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler .
Example 2.
You can use open-source software to create a Windows Service and make it execute the Java application on system startup.
Smart ID Agent on Linux
You can create the Smart ID Agent as a service to make sure it starts up every time the server starts.
Whichever approach you choose, make sure the application has the access it needs to write logs (in the same folder it is executed from), or the startup will fail. With either approach, you can also limit the application's privileges by running it as a specific user.
Limitations
Nexus GO Services is responsible for the application being executable (a manual test is usually performed by running the Batch file or Shell script and verifying functionality). We do not set up or alter any information in customer environments; we simply provide the application, which needs to run.
Synchronization
When doing synchronization towards an LDAP, the following logic is applied for life cycle management.
A unique identifier (such as the GUID from Active Directory LDAP) is used.
An Organizational Unit (OU) for Active users is used.
An Organizational Unit (OU) for Inactive users is used.
When a user has been moved into the Inactive users OU, it is deactivated in GO Services along with all certificates and credentials connected to it.
If a user is deleted from the Active OU in the LDAP, it is considered an orphan and is no longer life-cycle managed. If this happens by mistake, you must restore the deleted user and move it into the Inactive OU.
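To make the life-cycle rules above concrete, here is an added Python example (not Nexus code; the OU names, GUIDs and the plan_sync function are constructed for illustration) that classifies LDAP entries keyed by GUID into create, update, deactivate and orphan decisions:

```python
from dataclasses import dataclass
from enum import Enum

# Constructed OU DNs for the example; the real names are agreed per customer deployment.
ACTIVE_OU = "OU=Active,DC=example,DC=com"
INACTIVE_OU = "OU=Inactive,DC=example,DC=com"


class Action(Enum):
    CREATE = "create"          # new GUID found in the Active OU
    UPDATE = "update"          # known GUID still in the Active OU
    DEACTIVATE = "deactivate"  # known active GUID now in the Inactive OU: disable user plus its certificates/credentials
    ORPHAN = "orphan"          # known GUID no longer found in either OU: not life-cycle managed any more
    NONE = "none"              # nothing to do (e.g. already inactive, or unknown user in Inactive OU)


@dataclass(frozen=True)
class LdapEntry:
    guid: str  # objectGUID: the stable key, so renames or DN moves never create duplicate users
    dn: str


def parent_ou(dn: str) -> str:
    """Strip the leading RDN: 'CN=Alice,OU=Active,DC=...' -> 'OU=Active,DC=...' (assumes no escaped commas)."""
    return dn.split(",", 1)[1]


def plan_sync(known: dict, entries: list) -> dict:
    """Decide one Action per GUID.

    known   -- GUIDs already present in GO Services, mapped to their state: "active" or "inactive"
    entries -- LdapEntry objects read from the Active and Inactive OUs
    """
    actions = {}
    seen = set()
    for e in entries:
        ou = parent_ou(e.dn)
        if ou == ACTIVE_OU:
            actions[e.guid] = Action.UPDATE if e.guid in known else Action.CREATE
        elif ou == INACTIVE_OU:
            # Only a known active user is deactivated; an unknown user in Inactive is never created.
            actions[e.guid] = Action.DEACTIVATE if known.get(e.guid) == "active" else Action.NONE
        else:
            continue  # outside the two managed OUs: not synchronized at all
        seen.add(e.guid)
    for guid in known:
        if guid not in seen:
            # Deleted rather than moved: leave it alone. Restoring it and moving it to Inactive fixes a mistake.
            actions[guid] = Action.ORPHAN
    return actions
```

Note that a user restored after an accidental deletion and placed in the Inactive OU is deactivated on the next run, which is exactly the recovery path described above.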
API
When using the API as a user creation/management option, it is REST-based. For more information, see Identity Manager Process REST API.
Manual/CSV
When using manual entry and/or CSV as an option for user creation, there are no prerequisites. A CSV template will be provided by the GO Services team.
User federation options
SAML Federation
With SAML 2.0 federation, the customer's Service Provider (SP) can be federated with the GO Services Identity Provider (IdP).
Metadata information
Metadata information from the customer can be provided via an XML file or manually.
IdP metadata will be provided by Nexus as a standard SAML XML metadata file.
Required customer information
When federating with SAML, the following information is required from the customer:
Entity ID
Service Provider URL
Signed authentication requests
Nexus requires signed authentication requests. To achieve this, the customer must set the following values in the customer environment that will be federated:
Sign Assertion: True
Signing Digest Method: SHA256
Digest Method: SHA256