
SSO Integration: SAML

For organizations that want seamless identity and access management, Nexla supports any OpenID Connect and SAML based single sign-on (SSO) client such as Okta, Auth0, OneLogin, ID Anywhere, and Microsoft Active Directory.

This guide walks through setting up account management for your Nexla organization using a custom Google SAML application. Although this guide uses Google as the identity provider, the same steps apply to any SAML 2.0-based identity provider.

1. Configure Your SAML Application

The following steps can only be performed by an Account Administrator in the Identity Provider Service (Google):

  1. Log in to your Google Admin console. Go to the Apps menu and select Web and Mobile apps. Then, in the Add App dropdown, click the Add custom SAML app button. This will launch the app creation wizard.

  2. App Details: Enter the following information on the App Details page:

    1. App Name: Pick any name you wish to assign.

    2. App Icon: Pick any logo or leave the default logo selected.

  3. Google Identity Provider Detail - SAML Identity Providers generate metadata that will be needed when configuring your Nexla account. Note the information listed below before moving on to the next page. You can either download the metadata file generated by Google or save these elements separately.

    • SSO URL
    • SSO Entity ID
    • Certificate

  4. Service Provider Details - Next, enter information about your Nexla environment that the SAML Identity Provider needs.

    1. ACS URL: Set this to <your-nexla-ui-url>/api/sso. Usually, this will be https://dataops.nexla.io/api/sso.

    2. Entity ID: Set this to <your-nexla-api-url>. You can find this URL by logging in to your Nexla account and going to <your-nexla-ui-url>/token. Alternatively, send an email to support@nexla.com, or contact your Nexla Account Manager for this setting.

    3. Name ID settings: Select EMAIL as the Name ID format and your user's Primary Email as the Name ID. Nexla uses each user's unique email address as the identifier for mapping the Identity Provider user to a Nexla user account.

  5. Attribute Mapping: In this final step, map the Identity Provider's attributes into the SAML response.

    1. Map User's Email (Primary Email in Google) to the attribute name email.

The configuration in the Identity Provider UI is now complete. Next, we will configure Nexla.

2. Configure Nexla

Nexla configuration will be handled by the Nexla support team.

  1. Contact your Nexla Account Manager with the Identity Provider metadata noted in Section 1, step 3:

    • SSO URL
    • SSO Entity ID
    • Certificate

  2. Select a response to the question "Should Nexla auto-create accounts for users when they login through this Identity Provider?"

    Usually, this response should be "Yes", which will mean that Nexla user creation is managed automatically through the Identity Provider.

  3. Once Nexla has been configured for this new SAML integration, your organization members can use the Login with SSO button on the Nexla UI to access their Nexla account after the SAML handshake.