Enabling SAML authentication of users

Last updated 9 months ago

© Nexthink


Overview

Many organizations adopt Identity and Access Management (IAM) solutions to give their employees access to business applications through a single corporate login. This technique is known as Single Sign-On (SSO) access control. SSO improves the overall security of the organization by reducing the number of passwords that employees have to remember and type in.

The Security Assertion Markup Language (SAML) is a standard for exchanging authentication and authorization information securely between parties, namely the service provider (an application that needs to authenticate users) and the identity provider (a system that issues assertions about user identity). SAML is widely used in organizations to implement SSO.

By leveraging SAML, you let Nexthink users log in comfortably to both the Portal and the Finder (the service providers) through your existing corporate SSO solution (the identity provider).

To call the integration APIs, create dedicated Nexthink local accounts instead. Make sure that you of local accounts.

The operations described in this article should only be performed by a Nexthink Engineer or a Nexthink Certified Partner.

If you need help or assistance, please contact your Nexthink Certified Partner.

Prerequisites

To enable SAML-based authentication of Nexthink users, you need:

  • An IAM corporate solution that supports SAML to provide single sign-on. In this document, find the instructions to configure either Microsoft Active Directory Federation Services (AD FS) or Microsoft Azure Active Directory (Azure AD). Other systems may require a similar configuration.

    • As a SAML identity provider, the IAM solution must support the HTTP Redirect Binding for the Portal to be able to initiate SSO.

  • A proper for Portal (not an IP address) that matches .

  • Nexthink users whose authentication is externally managed; that is, whose username includes a @ character (e.g. jwick@acme.com). These accounts are automatically created if you .

  • The HTTP protocol is disabled in Portal, as combining HTTP with HTTPS may cause redirection issues in some web browsers. From the Web Console of the primary Appliance, on the Portal tab, untick the option Enable HTTP under the General > Parameters section.

Procedure to enable SAML

To enable SAML authentication for Nexthink:

  1. Enable SAML in the configuration file of the Portal and change the default options if needed.

  2. Configure Microsoft AD FS, Azure AD, or any other IAM solution, as a SAML identity provider.

    1. Add the Portal as a relying party (in SAML parlance, a service provider is a special case of a relying party that, in addition to receiving and accepting information from other parties, consumes SAML assertions to provide a service).

    2. Specify how to issue SAML claims for the Portal to consume.

      • In the examples shown below, the UPN of the users is mapped to the Name ID in SAML to simplify the transition from Active Directory to SAML. Other configurations are possible depending on the format in which you saved the names of the users in the Portal, as long as the names include an @ character. For instance, you can use email addresses that do not necessarily match the UPN as Name IDs.

  3. Configure the Portal as a SAML service provider and link it to your identity provider.

Enabling SAML authentication in the Portal

Edit the configuration file of the Portal to enable SAML as an authentication method:

  1. Log in to the CLI of the appliance that hosts the Portal.

  2. Optional: If the Portal has no configuration file yet, that is, if portal.conf does not exist in the folder /var/nexthink/portal/conf, create it by copying the defaults from the sample configuration file: sudo -u nxportal cp /var/nexthink/portal/conf/portal.conf.sample /var/nexthink/portal/conf/portal.conf

  3. Edit the configuration file of the Portal: sudo vi /var/nexthink/portal/conf/portal.conf

  4. Add a configuration line to it:

    1. Press Shift + G to go to the last line of the file.

    2. Press o to add a new line.

    3. Type in the following line: globalconfig.saml.enabled = true

    4. Press Esc and type in the following colon command to save the changes and exit: :wq

  5. Restart the Portal:

sudo systemctl restart nxportal

To troubleshoot SAML authentication, try changing the following advanced options in the configuration file of the Portal in the same way as shown above for the option to enable SAML. Read the error logs of the Portal in /var/nexthink/portal/log/*.err to find out possible causes.

Option                                          Default value
globalconfig.saml.strict                        false
globalconfig.saml.validate-current-url          false
globalconfig.saml.want-assertions-encrypted     true
globalconfig.saml.want-assertions-signed        true
globalconfig.saml.signature-algorithm           "http://www.w3.org/2000/09/xmldsig#rsa-sha256"
globalconfig.saml.want-messages-signed          true

Enabling SAML strict mode

When enabling strict mode for improved security, set the value of validate-current-url depending on your identity provider. The following combinations have been tested:

Identity provider (IdP)     validate-current-url
Azure AD                    true
Microsoft AD FS             true
OneLogin                    false

In some cases, setting the value of globalconfig.saml.want-messages-signed to false allows SAML authentication to succeed. This parameter instructs the Portal not to require the IdP to sign the returned SAML response message; the assertions it carries are still required to be signed as long as globalconfig.saml.want-assertions-signed keeps its default value of true.

Configuring Microsoft AD FS as an identity provider

As a reference, this example configuration of AD FS shows how to use the UPN of users in the email format as the SAML Name Identifier for the Portal.

To configure Microsoft AD FS as a SAML identity provider for the Portal:

  1. Log in to the Windows Server machine that runs AD FS as administrator.

  2. Open AD FS management console.

  3. Under Actions, select Add Relying Party Trust.... The wizard to add a trusted relying party (in this case, the Nexthink Portal as service provider) shows up.

    1. On the Welcome step, choose a Claims aware relying party.

    2. Click Start.

    3. On the Select Data Source step, select the option Import data about the relying party from a file.

      1. Open a web browser on the following address to download the metadata file from the Portal (replace by the external DNS name of your Portal): https:///saml/metadata

      2. Save the file portal-sp-metadata.xml, as proposed by the web browser.

      3. Close the web browser to return to the wizard dialog.

    4. Click Browse... to specify the location of the file with the Portal metadata. A file dialog shows up.

    5. Select the file just downloaded from the Portal and click Open. The file dialog closes.

    6. Click Next >.

    7. On the Specify Display Name step, type in a suitable name for the relying party (e.g. Nexthink Portal).

    8. Optional: Type in any additional information about the relying party under Notes.

    9. Click Next > repeatedly to skip the rest of the steps in the wizard until you reach the Finish step.

    10. Click Finish to complete the addition of the Portal as a trusted relying party. The wizard closes.

  4. In the left-hand side tree, click Relying Party Trusts to get the list of trusted relying parties.

  5. Right-click the trusted relying party entry that represents the Nexthink Portal just added.

  6. From the context menu, select the entry to edit the policy for issuing claims:

    • In Windows Server 2016, select Edit Claim Issuance Policy....

    • In Windows Server 2012, select Edit Claim Rules....

  7. In the Issuance Transform Rules tab, click Add rule... to map the UPN of the user to the Name ID, which the Portal matches against the username field for authentication. The wizard to add a new transform rule for claim issuance shows up.

    1. On the Choose Rule Type step, select Send LDAP Attributes as Claims under Claim rule template.

    2. Click Next >.

    3. On the Configure Claim Rule step, provide the following information:

      • Under Claim rule name, type in a suitable name for the rule (e.g. Map UPN to Name ID).

      • Under Attribute store, select Active Directory.

      • Under Mapping of LDAP attributes to outgoing claim types, select User-Principal-Name as LDAP Attribute and Name ID as Outgoing Claim Type.

    4. Click Finish.

  8. Back in the Issuance Transform Rules tab, click Add rule... again to add a new rule that sends the UPN as Name ID in the email format. The wizard to add a new transform rule shows up once more.

    1. On the Choose Rule Type step, select Transform an Incoming Claim under Claim rule template.

    2. Click Next >.

    3. On the Configure Claim Rule step, provide the following information:

      • Under Claim rule name, type in a suitable name for the rule (e.g. UPN as Name ID in email format).

      • As Incoming claim type, select UPN.

      • As Outgoing claim type, select Name ID.

      • As Outgoing name ID format, select Email.

      • Leave checked the option Pass through all claim values.

    4. Click Finish.

    5. Click OK to close the dialog to edit the claim rules.

  9. Right-click the trusted relying party entry that represents the Nexthink Portal again.

  10. Select Properties from the menu. The dialog to view and modify the properties of the relying party shows up.

    1. Under the Advanced tab, select SHA-256 as the Secure hash algorithm.

    2. Click OK to close the properties dialog.

Configuring Azure AD as an identity provider

To configure Azure AD as a SAML identity provider for the Portal:

  1. Click Azure Active Directory on the left-hand side panel.

  2. Under Manage, select Enterprise applications.

  3. Click the New application button preceded by a plus sign at the top of the window.

  4. Under Add an application, choose the Non-gallery application tile.

  5. On the panel Add your own application that appears to the right, type in the name of the application (for instance, Nexthink Portal) inside the Name field.

  6. Click the Add button at the bottom of the panel.

  7. On the left sidebar of the Enterprise application that you have just created, under Manage, select Single sign-on.

  8. In the page Select a single sign-on method, choose the SAML tile. The page Set up Single Sign-On with SAML shows up.

  9. Open a new tab in the web browser.

    1. Type in the following address to download the metadata file from the Portal (replace by the external DNS name of your Portal): https:///saml/metadata

    2. Save the file portal-sp-metadata.xml, as proposed by the web browser.

    3. Close the tab to return to the page Set up Single Sign-On with SAML.

  10. Click the button Upload metadata file at the top left corner of the page.

  11. Select the metadata file portal-sp-metadata.xml that you have just downloaded from the Portal.

  12. Click the pencil icon at the top right corner of the second tile to edit the User Attributes & Claims. The page to edit the claims appears.

    1. Ensure that the Name identifier value (that is, the Name ID returned by Azure AD) is the user principal name (UPN) in the email format:

      • user.userprincipalname [nameid-format:emailAddress]

    2. Close the User Attributes & Claims page.

  13. On the third tile of the page SAML Signing Certificate, click the Download link associated with the last entry: Federation Metadata XML. You will use this file later to link the Portal to Azure AD as its SAML identity provider.

  14. Click the pencil icon to the right of the same third tile to edit the SAML Signing Certificate:

    1. Verify that SAML assertions are signed using SHA-256 as the signing algorithm. On the page that shows up, you should read:

      • Signing option: Sign SAML assertion

      • Signing algorithm: SHA-256

      If the signing algorithm reads SHA-1, change it to SHA-256 here rather than accepting the weaker setting.

    2. Close the SAML Signing Certificate page.

  15. Back to the left sidebar of the Enterprise application that represents the Portal, under Manage, select Users and groups.

  16. Click the button Add user to add users or groups that can log in to the Portal via SAML authentication.

Configuring a generic SAML identity provider

Although it is not possible to detail the configuration instructions for every SAML identity provider available in the market, the procedure to configure a compliant provider should not differ significantly from the two reference examples shown above.

When manually configuring a generic SAML identity provider, keep the following information at hand (replace <portal> with the external DNS name of your Portal):

  Metadata:                           https://<portal>/saml/metadata
  Entity ID:                          https://<portal>/saml
  Assertion Consumer Service (ACS):   https://<portal>/saml/withauth
  ACS Binding:                        urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  NameID format:                      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  Nexthink (SP) request binding:      HTTP-Redirect (not present in the metadata)

Configuring the Portal as a SAML service provider

Because the Finder relies on the Portal for authentication, configuring the Portal as a SAML service provider enables users to log in to both the Finder and the Portal through SSO.

To configure the Portal as a service provider:

  1. Log in to the CLI of the appliance that hosts the Portal.

  2. Get the metadata XML file of the identity provider:

    • When using AD FS as identity provider, download it directly from the appliance, replacing <adfs> with the address of your AD FS server:

      wget https://<adfs>/FederationMetadata/2007-06/FederationMetadata.xml

      wget verifies the TLS certificate of the AD FS server. If that check fails, make the appliance trust the issuing CA rather than disabling the check: this file carries the signing certificate that the Portal will trust for every SAML assertion from now on.

    • When using Azure AD as identity provider, retrieve the Federation Metadata XML file that you downloaded while configuring Azure AD as an identity provider and copy it to the Portal appliance with your favorite SCP tool.

  3. Save the file as idp_entity_descriptor.xml in the configuration folder of the Portal. Assuming that the original name of the file is FederationMetadata.xml, type in:

      sudo mv FederationMetadata.xml /var/nexthink/portal/conf/idp_entity_descriptor.xml

  4. Change the owner of the file:

      sudo chown nxportal:nexthink /var/nexthink/portal/conf/idp_entity_descriptor.xml

  5. Restart the Portal:

      sudo systemctl restart nxportal

After configuring the Portal as a SAML service provider, the selected users should be able to log in to both the Finder and the Portal using the corporate login method.
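The values listed for a generic identity provider above, and the IdP metadata file that this procedure installs as idp_entity_descriptor.xml, can both be sanity-checked before anything is uploaded or restarted. The script below is an added example and is not Nexthink's code: it parses SP metadata and checks that it advertises the expected Entity ID, the HTTP-POST ACS at /saml/withauth and the emailAddress NameID format, and parses IdP metadata to confirm an HTTP-Redirect SSO endpoint (the binding the Portal uses for its request) and a signing certificate, reporting the certificate's SHA-256 fingerprint so you can compare it with what the IdP console shows. The hosts portal.example.com and idp.example.com, the embedded XML and the certificate bytes are constructed placeholders, and the function names are my own.

```python
"""Pre-flight checks on SAML metadata exchanged between the Portal (SP) and the IdP.
Added example, not Nexthink code. The XML below is CONSTRUCTED to mirror the values
the page lists; in practice feed the file from https://<portal>/saml/metadata to
check_sp_metadata() and the IdP federation metadata to check_idp_metadata()."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for a DER-encoded signing certificate (not a real cert).
CONSTRUCTED_CERT_DER = b"constructed-placeholder-not-a-real-certificate"


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, as most IdP consoles display it."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_sp_metadata(xml_text, portal_host):
    """Return problems (empty list = OK) for the SP metadata of the given Portal host."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != f"https://{portal_host}/saml":
        problems.append(f"entityID is {root.get('entityID')!r}, expected https://{portal_host}/saml")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    if (HTTP_POST, f"https://{portal_host}/saml/withauth") not in acs:
        problems.append(f"no HTTP-POST AssertionConsumerService at /saml/withauth, found {acs}")
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)]
    if NAMEID_EMAIL not in formats:
        problems.append(f"emailAddress NameIDFormat missing, found {formats}")
    return problems


def check_idp_metadata(xml_text):
    """Summarise IdP metadata and list problems that would break SSO with the Portal."""
    root = ET.fromstring(xml_text)
    summary = {"entity_id": root.get("entityID"), "sso_redirect": None,
               "signing_fingerprints": [], "problems": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        summary["problems"].append("no IDPSSODescriptor element")
        return summary
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    summary["sso_redirect"] = sso.get(HTTP_REDIRECT)
    if HTTP_REDIRECT not in sso:   # the Portal sends its AuthnRequest over HTTP-Redirect
        summary["problems"].append("no SingleSignOnService with HTTP-Redirect binding")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no 'use' means signing and encryption
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))
                summary["signing_fingerprints"].append(fingerprint(der))
    if not summary["signing_fingerprints"]:
        summary["problems"].append("no signing certificate: assertion signatures could not be verified")
    return summary


# Constructed SP metadata mirroring the values the page lists for the Portal.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://portal.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.example.com/saml/withauth" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def build_idp_metadata(with_signing_key=True):
    """Constructed IdP metadata; with_signing_key=False reproduces a broken export."""
    key = ""
    if with_signing_key:
        b64 = base64.b64encode(CONSTRUCTED_CERT_DER).decode()
        key = ('<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
               f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
               '</ds:X509Data></ds:KeyInfo></KeyDescriptor>')
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key}
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/sso"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


if __name__ == "__main__":
    print("SP problems:", check_sp_metadata(SP_METADATA, "portal.example.com"))
    print("IdP summary:", check_idp_metadata(build_idp_metadata()))
```

Run it against the real files by reading them into the two check functions; a non-empty problems list means the IdP was configured against the wrong Portal host, or the IdP export lacks the signing key or the HTTP-Redirect endpoint, and should be fixed before the Portal is restarted.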

Alternate UPN suffixes in SAML authentication

When a user logs in via SAML authentication with the reference configuration for AD FS or Azure AD shown above, the UPN of the user is mapped to the Name ID returned by the identity provider. If the user logs in with an alternate UPN suffix, the identity provider returns the UPN with the fully qualified domain name as a suffix.

For example, let us consider an organization that manages the following fully qualified domains:

  • us.acme.com

  • de.acme.com

The fully qualified name of the domains is used to define the UPN of the users:

  • jwick@us.acme.com

  • mkahn@de.acme.com

To simplify user access, however, administrators may define an alternate UPN suffix, acme.com, so that users do not have to remember subdomain names. With this alternate UPN suffix, the resulting account names look like this:

  • jwick@acme.com

  • mkahn@acme.com

Therefore, for SAML authentication to work properly, the Portal must store usernames in the UPN format with the fully qualified domain name as a suffix. Users provisioned from Active Directory are normally stored with the correct UPN.

Even if users log in with their alternate UPN suffix through SAML, the identity provider returns the UPN with the fully qualified domain name to the Portal instead. For instance, if user John Wick logs in to the Portal (or to the Finder) with the username jwick@acme.com, SAML authentication will issue a Name ID claim for user jwick@us.acme.com, which the Portal will then match against its stored usernames. Because the identity provider already carries out this transformation, the Portal does not try to map alternate UPN suffixes to fully qualified UPN suffixes when using SAML authentication, contrary to what it does in the case of Active Directory authentication.
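The following script is an added example, not Nexthink code, that plays the acme.com scenario through: the identity provider always issues the fully qualified UPN as Name ID, the Portal matches that Name ID exactly with no suffix rewriting, and an audit function flags stored usernames that no Name ID can ever match. The domains, the alternate suffix, the user directory and the Portal user store are constructed; the function names are my own.

```python
"""Why the Portal must store fully qualified UPNs for SAML logins.
Added example, not Nexthink code. Domains, suffix, directory and stored users are
CONSTRUCTED from the acme.com scenario on the page. idp_name_id() mimics what the
page says AD FS and Azure AD do; portal_saml_lookup() mimics the Portal's exact
match with no alternate-suffix mapping."""

FQDN_DOMAINS = {"us.acme.com", "de.acme.com"}   # constructed managed domains
ALTERNATE_SUFFIX = "acme.com"                    # constructed alternate UPN suffix
# Constructed directory: the fully qualified domain each account belongs to.
DIRECTORY = {"jwick": "us.acme.com", "mkahn": "de.acme.com"}


def idp_name_id(login_name):
    """Name ID the IdP issues for a login name, or None if the account is unknown.
    Whether the user typed the alternate or the fully qualified suffix, the
    Name ID carries the fully qualified domain."""
    local, _, suffix = login_name.partition("@")
    if local not in DIRECTORY:
        return None
    if suffix in (ALTERNATE_SUFFIX, DIRECTORY[local]):
        return f"{local}@{DIRECTORY[local]}"
    return None


def portal_saml_lookup(name_id, stored_usernames):
    """Exact match of the Name ID against stored usernames; no suffix rewriting."""
    return name_id if name_id in stored_usernames else None


def saml_login(login_name, stored_usernames):
    """End to end: user types login_name, IdP issues Name ID, Portal matches it."""
    name_id = idp_name_id(login_name)
    if name_id is None:
        return {"name_id": None, "matched": None, "reason": "unknown account at the IdP"}
    matched = portal_saml_lookup(name_id, stored_usernames)
    reason = "ok" if matched else f"Portal has no user {name_id}; check how the account was stored"
    return {"name_id": name_id, "matched": matched, "reason": reason}


def audit_stored_usernames(stored_usernames):
    """Flag stored usernames that no SAML Name ID can match: those kept with the
    alternate suffix, and those whose suffix is not a managed domain at all."""
    flagged = []
    for user in sorted(stored_usernames):
        local, _, suffix = user.partition("@")
        if suffix == ALTERNATE_SUFFIX:
            flagged.append((user, f"stored with alternate suffix; IdP will send {local}@<fqdn>"))
        elif suffix not in FQDN_DOMAINS:
            flagged.append((user, f"suffix {suffix!r} is not one of the managed domains"))
    return flagged


# Constructed Portal user store: one account correct, one kept with the short suffix.
STORED_USERS = {"jwick@us.acme.com", "mkahn@acme.com"}

if __name__ == "__main__":
    for login in ("jwick@acme.com", "mkahn@acme.com"):
        print(login, "->", saml_login(login, STORED_USERS))
    print(audit_stored_usernames(STORED_USERS))
```

The second login fails even though the user exists, because the Portal holds mkahn@acme.com while the identity provider sends mkahn@de.acme.com; the audit function is the check to run over the Portal's user list before enabling SAML.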

