This article describes how to set up access to Nexus GO Signing with Smart ID Digital Access component as identity provider (IDP).
The configuration is done in three steps: first preparation in Digital Access, then in Nexus GO Signing and then configuration is completed in Digital Access.
Prerequisites
Prerequisites
In Digital Access:
- Deploy Digital Access component
- User accounts and authentication methods configured. See for example Set up Smart ID authentication.
- Configured access rule (called for example PDF Signing), that requires strong authentication, containing all methods used for accessing the portals and performing remote signatures.
- For the SAML federation: Signing certificate for the SAML identity provider
In Nexus GO:
- Signing service added in Nexus GO.
In Digital Access, do the configuration to set up an Identity Provider.
Go to Digital Access Admin
- Log in to Digital Access Admin..
Check SAML signing certificate
Check the SAML signing certificate:
- Go to Manage system > Certificates
- Scroll down to Registered Server Certificates
- Verify that the certificate to be used is available, for example:
idp-cert
.
Configure SAML Identity Provider
Configure SAML Identity Provider:
- Go to Manage Resource Access > SAML Federation.
- Click Add SAML Federation...
- Enter a Display Name, for example
Nexus IDP
. - Check Acting as Identity Provider.
- Uncheck Import metadata automatically.
- Go to the Export tab.
- Give a unique Entity ID: for example
https://nexusville.com/idp
. - Select the Signing Certificate, for example
idp-cert
. - Click Download Metadata, save the xml-file for future chapter Configure in Nexus GO.
Configure SAML Attribute Group
Configure SAML Attribute Group (example):
- Go to Manage Resource Access > SAML Federation.
- Click Manage Global SAML Federation Settings...
- Click Add attribute group...
- Enter a Display Name, for example Nexus GO PDF Signing.
- Click Add attribute... and enter the relevant SAML attributes for your identity provider. See the following examples:
Example: SAML attributes for identity provider with user storage, such as Active Directory.
Friendly Name | Name (OID) | Source | Mandatory / Optional | Format |
---|
mail | mail | User Storage | Mandatory | string |
displayName | displayName | User Storage | Mandatory | string |
memberOf | memberOf | User Storage | Optional | string |
title | title | User Storage | Optional | string |
Example: SAML attributes for identity provider with personal identity number, such as national BankID or Freja eID.
Friendly Name | Name (OID) | Source | Mandatory / Optional | Format |
---|
displayName | displayName | Certificate | Mandatory | string |
userId | userId | Certificate | Mandatory | string |
Set up Nexus GO Signing to use Digital Access as identity provider.
Log in to Nexus GO
Log in to Nexus GO:
- Log in to the Nexus GO administration portal:
Go to https://login.go.nexusgroup.com/ and log in with your administrator account.
Set up local IDP
To set up local IDP:
- Click Services and Signing.
- Select your PDF Signing environment.
- Click Set up local IDP
- Enter a Display Name (this is shown within the signing- and admin-portal), and upload IDP SAML Metadata that was downloaded from Digital Access in previous step. Click Next.
In Map SAML attributes, enter the attributes and then click Next.
See the following examples:
Example: SAML attributes for identity provider with user storage, such as Active Directory.
Input field | SAML attribute |
---|
Email | mail |
Display name | displayName |
Example: SAML attributes for identity provider with personal identity number, such as national BankID or Freja eID. The data source is the certificate.
Set Include user id to On.
Input field | SAML attribute |
---|
User id | userId |
Display name | displayName |
In Select contributors, define what users need admin rights, that is to create signing requests in the Nexus GO Signing portal. When you are ready, click Next.
See the following example:
Select contributors | Attribute | Value |
Contributor | memberOf | CN=PDF Signing Admin,OU=Users,DC=nexusville,DC=com |
Note: the role contributor gives a user access to the admin portal and possibility to create signing requests, multiple values can be added.
If the checkbox Everyone from this IDP is a contributor is selected, all users authenticating through the IDP will get access to admin portal.
- Confirm your configuration and click Submit.
- Now back at the overview of your PDF Signing environment, at SAML SP Metadata, click Download.
- Save Logon URL for future step Optional: Add Nexus GO Signing as portal item in Digital Access.
Add Nexus GO Signing as Service Provider in Digital Access
In Digital Access, do the configuration to add Nexus GO Signing as service provider.
Go to Digital Access Admin
- Log in to Digital Access Admin.
Add service provider
To add service provider:
- Go to Manage Resource Access > SAML Federation.
- Click the Identity Provider created earlier, for example
Nexus IDP
, see Configure Digital Access as Identity Provider. - Go to the Role Identity Provider tab and click Add service provider...
- Verify that SAML 2.0 is checked.
- Upload SAML 2.0 metadata, click Choose file and select the SAML SP Metadata downloaded from Nexus GO in the previous chapter. Click Next.
- Confirm import of unsigned metadata by clicking Yes.
- Click Finish Wizard.
- In Role Identity Provider under Registered Service Providers, click the created service provider.
- Go to the Assertion Settings tab.
- Under Attribute Statement and Attribute Group, select the group you created in previous step, our example Nexus GO PDF Signing.
- Go to the Access Rules tab.
- Select the already created access rule (for example called PDF Signing), to define what authentication methods are allowed:
In Available Access Rules: select PDF Signing, and click Add. - Click Save.
Publish updates
- Click Publish to publish the updates.
The configuration in Digital Access is ready.
Optional: Add Nexus GO Signing as a portal item in Digital Access
Optionally, you can add Nexus GO Signing in the Digital Access application portal, to let the users access Nexus GO Signing without having to log in again. The portal item shall be protected with the same access rule as selected for the service provider. For more information, see the Prerequisites.
Go to Digital Access Admin
- Log in to Digital Access Admin.
Add portal item
To add Nexus GO Signing as a portal item in the Digital Access application portal:
- In Digital Access Admin, go to Browse.
- Go to access-point/custom-files/wwwroot.
Create a file named nexusgopdfsigning.html and add the text below. Change the italic text to fit your configuration:
Example: login page
<html>
<head>
<script type="text/JavaScript">
location.href = "<your Logon URL from Nexus GO Administration portal>";
</script>
</head>
<body>
</body>
</html>
- In Digital Access Admin, go to Manage Resource Access.
- Click Web Resources.
- Select Access Point and click Add Resource Path...
- Check Enable resource and enter the path, for example nexusgopdfsigning.html.
- Uncheck Use Parent Authorization.
- Check Make resource available in the portal.
- Select Icon and enter Link text, for example Nexus GO PDF Signing.
- Click Next.
- Select the already created access rule (for example called PDF Signing), to define what authentication methods are allowed:
In Available Access Rules: select PDF Signing, and click Add. - Click Save.
Publish updates
- Click Publish to publish the updates.
The configuration in Digital Access is ready.