For organizations that want seamless identity and access management, Nexla supports any OpenID Connect or SAML-based single sign-on (SSO) client such as Okta, Auth0, OneLogin, ID Anywhere, and Microsoft Active Directory.
This guide covers setting up account management for your Nexla organization using a custom Google SAML application. Although this guide uses Google as the identity provider, the same steps apply to any SAML 2.0-based identity provider.
Step 1: Configuring Your SAML Application
The following steps can only be done by an Account Administrator to the Identity Provider Service (Google):
- Log in to your Google Admin console. Go to the Apps menu and select Web and Mobile apps. Then in the Add App dropdown click on the Add custom SAML app button. This will launch the app creation wizard.
- App Details: Enter the following information on this page:
  - App Name: Pick any name you wish to assign.
  - App Icon: Pick any logo or leave it as the default.
- Google Identity Provider Detail - SAML Identity Providers generate metadata that will be needed when configuring your Nexla account. Note these down before moving on to the next page. You can either download the metadata file generated by Google, or save these elements separately:
  - SSO URL
  - SSO Entity ID
  - Certificate
- Service Provider Details - Next we will enter information about your Nexla environment that the SAML Identity Provider needs.
  - ACS URL: Set this to <your-nexla-ui-url>/api/sso. Usually this will be https://dataops.nexla.io/api/sso
  - Entity ID: Set this to <your-nexla-api-url>. You can find this URL when you log in to your Nexla account and go to <your-nexla-ui-url>/token. Alternatively, send an email to support@nexla.com or contact your Nexla Account Manager for this setting.
  - Name ID settings: Select EMAIL as the Name ID format and your user's Primary Email as the Name ID. Nexla uses the user's unique email address as the identifier for mapping the Identity Provider user to a Nexla user account.
- Attribute Mapping: In this final step we will map the Identity Provider's attributes into the SAML response.
  - Map User's Email (Primary Email in Google) to the attribute name email.
That's all we need to do on the Identity Provider UI. Next we will configure Nexla.
Step 2: Configuring Nexla
This step will be handled by the Nexla support team. Contact your Nexla Account Manager with the Identity Provider metadata you noted down in the previous step:
- SSO URL
- SSO Entity ID
- Certificate
- Should Nexla auto-create accounts for users when they log in through this Identity Provider? Usually you want to leave this as Yes so that Nexla user creation is managed automatically through the Identity Provider.
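If you downloaded the metadata file instead of copying the values by hand, the three items can be read from it directly. The following is an added example, not code from Nexla or Google: it parses a SAML 2.0 IdP metadata document, returns the SSO URL, SSO Entity ID and Certificate, and computes a SHA-256 fingerprint of the certificate that can be compared after the values are handed over. The function name extract_idp_settings is hypothetical, and the sample metadata, the idp.example.test host and the placeholder certificate bytes are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed placeholder bytes, NOT a real certificate (a real file holds base64 DER).
FAKE_DER = b"constructed-placeholder-not-a-real-x509-certificate"
# Constructed sample metadata; idp.example.test is a placeholder host.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://idp.example.test/saml?idpid=CONSTRUCTED">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.test/saml/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the SSO URL, SSO Entity ID, certificate and its SHA-256 fingerprint."""
    # SAML metadata has no use for a DTD; refuse one to avoid entity-expansion tricks.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD or entity declaration found in metadata")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not a single-IdP SAML 2.0 metadata document")
    sso = idp.find("md:SingleSignOnService", NS)
    # Use keys marked for signing, or KeyDescriptors that carry no 'use' attribute.
    certs = [kd.find(".//ds:X509Certificate", NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")]
    certs = [c.text for c in certs if c is not None and c.text]
    if sso is None or not certs:
        raise ValueError("metadata lacks an SSO endpoint or a signing certificate")
    sso_url = sso.get("Location", "")
    if not sso_url.startswith("https://"):
        raise ValueError(f"SSO URL is not HTTPS: {sso_url!r}")
    cert_b64 = "".join(certs[0].split())  # strip line breaks inside the element
    der = base64.b64decode(cert_b64, validate=True)  # rejects non-base64 characters
    return {"sso_url": sso_url, "sso_entity_id": root.get("entityID"),
            "certificate_b64": cert_b64, "cert_sha256": hashlib.sha256(der).hexdigest()}

if __name__ == "__main__":
    print(extract_idp_settings(SAMPLE_METADATA))
```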
Once Nexla has been configured for this new SAML integration, your organization members can use the Login with SSO button on the Nexla UI to access their Nexla account after the SAML handshake.