Set up Microsoft AD FS as identity provider to Nexus GO Signing

In Microsoft Active Directory:

• Active Directory Security Group containing all users being Nexus GO Signing administrators.

In Microsoft AD FS:

• Installed AD FS Role service and have a basic configured federation server, described here:

  • Install the AD FS Role service

  • Configure a federation server

• Microsoft AD FS metadata downloaded:

  https://<your AD FS server>/FederationMetadata/2006-07/FederationMetadata.xml

In Nexus GO: 

• Signing environment created in Nexus GO.

• Log in to the Nexus GO administration portal: 
  Go to https://login.go.nexusgroup.com/ and log in with your administrator account.

1. In the Nexus GO administration portal, click Services and Signing. 
2. Select your PDF Signing environment.
3. Click Set up local IDP.
4. Enter a Display Name (this is shown within the signing- and admin-portal), and upload IDP SAML Metadata that was downloaded from your AD FS server during it's installation, see the Prerequisites. Click Next.

5. Configure SAML mappings then click Next, our example:

   email	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
   displayName	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

6. Optional: Configure Role mappings then click Next, our example:

   Role mappings	Attribute	Value
   Contributor	http://schemas.xmlsoap.org/claims/Group	PDF Signing Admin

   

   The role Contributor gives a user access to the admin portal and possibility to create signing requests. To add multiple values use the +.
   If the check-box Everyone from this IDP is a contributor is selected, all users authenticating through the IDP will get access to the the Nexus GO administration portal.

7. Confirm your configuration and click Submit.
8. Now back at the overview of your PDF Signing environment, at SAML SP Metadata, click Download. This will be uses in the next step ("Configure in Microsoft AD FS").

1. Open AD FS Management.
2. In the Actions panel, click Add Relying Party Trust.
3. Select Claims aware and click Start.
4. Select Import data about the relying party from a file, browse for the SAML SP Metadata from Nexus GO Signing that was downloaded when configuring in Nexus GO (see step 8 in "Set up local IDP"). click Next.
5. Choose a Display name: Nexus GO Signing, click Next.
6. Choose an access control policy (for example, Permit everyone), click Next.
7. Review your settings and click Next and Close.
8. In AD FS Management, click Relying Party Trusts, select Nexus GO PDF Signing, click Edit Claim Issuance Policy… in the Actions panel.
9. Click Add Rule…
10. Use Claim rule template: Send LDAP Attributes as Claims, click Next.

11. Enter Claim rule name: Nexus GO PDF Signing User Claims, Attribute store: Active Directory and select mapping as the table below, then click Finish.

    LDAP Attribute (Select or type to add more)	Outgoing Claim Type (Select or type to add more)
    E-Mail-Addresses	Name ID
    E-Mail-Addresses	E-Mail Address
    Display-Name	Name

12. Click Add Rule…
13. Use Claim rule template: Send Group Membership as a Claim, click Next.
14. Enter Claim rule name: Nexus GO PDF Signing Group Claim, brows for your PDF Signing admin group, Outgoing claim type: Group, Outgoing claim value: PDF Signing Admin, click Finish and OK.

15. To use the federation, browse to your unique Login URL provided within the Nexus GO portal.