SAML Auth

SAML support for Nx Cloud is an addon for Nx Enterprise contracts and requires an unlock key. Please get in touch if you are interested.

Azure AD

1. Create a new enterprise app

   

   

2. Choose “Create your own”:

   

3. Give it a name

   

4. Assign your users and/or groups to it:

   

5. Then set-up SSO

   

6. And choose SAML:

   

7. Add these configuration options

   1. Configure the Identifier exactly as nx-private-cloud
   2. For the Reply URL, it should point to your Private Cloud instance URL. Make sure it ends with /auth-callback

   

8. Scroll down and manage claims:

   

9. The first row should be the email claim, click to Edit it:

   

10. Configure it as per below

    1. “Namespace” needs to be blank
    2. “Name:” needs to be “email”
    3. See screenshot below. This is an important step, because Nx Cloud will expect the “email” property on each profile that logs in.

    

    Make sure your application user profile exposes the email address under user.mail. This can be configured in Users and Groups in the Azure portal. Alternatively, you can always configure the email claim to use a different property under the user object.

11. Under SAML Certificates, click the pencil icon to edit

    

    For Signing Option, select Sign SAML response and assertion

    

    Then click Save and close the popover.

12. Download the certificate in Base64:

    

13. Extract the downloaded certificate value as a one-line string:

    1. awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' azure_cert_file.cer
    2. We’ll use this later

14. Copy the Login URL:

    

15. Save the following information to send to your DPE:

    1. SAML_CERT=<your-cert-string-from-above>
    2. SAML_ENTRY_POINT=<your-login-url-from-above>

Okta

1. Create a new Okta App Integration:

   

   

2. Give it a name:

   

3. On the Next page, configure it as below:

   1. The Single Sign On URL needs to point to your Nx Cloud instance URL and ends with /auth-callback
   2. The Audience should be nx-private-cloud

   

4. Under Advanced Settings, make sure both Response and Assertion are set to Signed

   

5. Scroll down to attribute statements and configure them as per below:

   

6. Click “Next”, and select the first option on the next screen.

7. Go to the assignments tab and assign the users that can login to the Nx Cloud WebApp:

   1. Note: This just gives them permission to use the Nx Cloud web app with their own workspace. Users will still need to be invited manually through the web app to your main workspace.

   

8. Then in the Sign-On tab scroll down:

   

9. Scroll down and from the list of certificates, download the one with the “Active” status:

   

10. Extract the downloaded certificate value as a one-line string:

    1. awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' okta.cert
    2. We'll use this later

11. Then view the ldP metadata:

    

12. Then find the row similar to the below, and copy the highlighted URL (see screenshot as well):

    1. <md:SingleSignOnService
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://trial-xxxxx.okta.com/app/trial-xxxxx_nxcloudtest_1/xxxxxxxxx/sso/saml"
       />

    

Connect Your Nx Cloud Installation to Your SAML Set Up

Contact your developer productivity engineer to connect your Nx Cloud instance to the SAML configuration.