Set up Azure Active Directory as identity provider to Nexus GO PDF Signing

In Azure Active Directory:

• User accounts, roles and appropriate licenses configured.
• Optional, but used in this example: Unique configured administrator Role claim issued in the SAML token, described here:
  https://docs.microsoft.com/en-us/azure/active-directory/active-directory-enterprise-app-role-management

In Nexus GO: 

• PDF Signing environment created in Nexus GO.

• Go to https://portal.azure.com and log in with your administrator account.

1. Go to Azure Active Directory, click Enterprise applications.
2. Click New application and Non-gallery application.
3. Enter a Name, for example Nexus GO Signing, click Add.
4. In Quick Start, click Single sign-on.
5. In the drop-down list Single Sign-on Mode, choose SAML-based Sign-on.
6. Under bullet number 3. User Attributes, check View and edit all other user attributes.
7. Click Add attribute, Name=emailaddress, Value=user.mail, click OK.
8. Click Add attribute, Name=displayname, Value=user.displayname, click OK.
9. Optional: Click Add attribute, Name=role, Value=user.assignedroles, click OK.
10. Optional: Remove attributes not used in federation (surname, givenname, name etc).
    
11. Scroll down to bullet number 4. SAML Signing Certificate. In column Download, click Metadata XML, and save it for next step ("Configure in Nexus GO").
12. Stay on this web page but open a new tab.

This example uses a custom administrator role, configured for the service, to determine which users/groups that will get admin access in Nexus GO Signing. There are other ways to do this, for example, to use other attributes from Azure Active Directory, such as department or title.

• Log in to the Nexus GO administration portal: 
  Go to https://login.go.nexusgroup.com/ and log in with your administrator account.

1. In the Nexus GO administration portal, click Services and Signing. 
2. Select your PDF Signing environment.
3. Click Set up local IDP
4. Enter a Display Name (this is shown within the signing- and admin-portal), and upload IDP SAML Metadata that was downloaded from the Azure Portal in previous step. Click Next.

5. Configure SAML mappings then click Next, our example:

   email	emailaddress
   displayName	displayname

6. Optional: Configure Role mappings then click Next, our example:

   Role mappings	Attribute	Value
   Contributor	role	signadmin

   

   The role Contributor gives a user access to the admin portal and possibility to create signing requests. To add multiple values, use the +.
   If the check-box Everyone from this IDP is a contributor is selected, all users authenticating through the IDP will get access to the Nexus GO administration portal.

7. Confirm your configuration and click Submit.
8. Now back at the overview of your PDF Signing environment, at SAML SP Metadata, click Download.
9. Copy Logon URL to clipboard.

1. Go back to the Azure Portal tab.
2. Under bullet number 2. Nexus GO PDF Signing Domain and URLs, click Upload metadata file, and select the SAML SP Metadata downloaded from Nexus GO.
3. In Sign on URL, paste Logon URL from clipboard.
4. Click Save.

• Go to https://portal.azure.com and log in with your administrator account.

1. Go to Azure Active Directory, click Enterprise applications.
2. Click Nexus GO PDF Signing.
3. Click Properties.
   1. Upload one of the logotypes (215x215 pixels PNG format, first download and save the wanted logotype).
   2. User assignment required – If yes, assign users and/or groups manually in Users and groups menu.
   3. Visible to end users – If yes, assigned users will see the application on their access panel and Microsoft 365 app launcher.