Skip to main content
Skip table of contents

Set up Microsoft AD FS as identity provider to Nexus GO Signing

This article describes how to set up access to Nexus GO Signing with Microsoft Active Directory Federation Services (AD FS) as identity provider (IDP).

The configuration is done in two steps: first in Nexus GO Signing and then in Microsoft AD FS.



In Microsoft Active Directory:

  • Active Directory Security Group containing all users being Nexus GO Signing administrators.

In Microsoft AD FS:

In Nexus GO

  • Signing environment created in Nexus GO.

Configure in Nexus GO

Set up Nexus GO Signing to use Microsoft AD FS as identity provider.

Log in to Nexus GO
Set up local IDP
  1. In the Nexus GO administration portal, click Services and Signing
  2. Select your PDF Signing environment.
  3. Click Set up local IDP.
  4. Enter a Display Name (this is shown within the signing- and admin-portal), and upload IDP SAML Metadata that was downloaded from your AD FS server during it's installation, see the Prerequisites. Click Next.
  5. Configure SAML mappings then click Next, our example:



  6. Optional: Configure Role mappings then click Next, our example:

    Role mappings




    PDF Signing Admin

    The role Contributor gives a user access to the admin portal and possibility to create signing requests. To add multiple values use the +.
    If the check-box Everyone from this IDP is a contributor is selected, all users authenticating through the IDP will get access to the the Nexus GO administration portal.

  7. Confirm your configuration and click Submit.
  8. Now back at the overview of your PDF Signing environment, at SAML SP Metadata, click Download. This will be uses in the next step ("Configure in Microsoft AD FS").

Configure in Microsoft AD FS

In Microsoft AD FS, do the configuration to set up Nexus GO Signing as a Relying Party.

Configure Microsoft AD FS
  1. Open AD FS Management.
  2. In the Actions panel, click Add Relying Party Trust.
  3. Select Claims aware and click Start.
  4. Select Import data about the relying party from a file, browse for the SAML SP Metadata from Nexus GO Signing that was downloaded when configuring in Nexus GO (see step 8 in "Set up local IDP"). click Next.
  5. Choose a Display name: Nexus GO Signing, click Next.
  6. Choose an access control policy (for example, Permit everyone), click Next.
  7. Review your settings and click Next and Close.
  8. In AD FS Management, click Relying Party Trusts, select Nexus GO PDF Signing, click Edit Claim Issuance Policy… in the Actions panel.
  9. Click Add Rule…
  10. Use Claim rule template: Send LDAP Attributes as Claims, click Next.
  11. Enter Claim rule name: Nexus GO PDF Signing User Claims, Attribute store: Active Directory and select mapping as the table below, then click Finish.

    LDAP Attribute (Select or type to add more)

    Outgoing Claim Type (Select or type to add more)


    Name ID


    E-Mail Address



  12. Click Add Rule…
  13. Use Claim rule template: Send Group Membership as a Claim, click Next.
  14. Enter Claim rule name: Nexus GO PDF Signing Group Claim, brows for your PDF Signing admin group, Outgoing claim type: Group, Outgoing claim value: PDF Signing Admin, click Finish and OK.
  15. To use the federation, browse to your unique Login URL provided within the Nexus GO portal.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.