Nexthink V6, Version 6.30

Just-In-Time provisioning of user accounts

Last updated 10 months ago

© Nexthink

Overview

Manually adding users to Nexthink through the Portal can be a tedious and error-prone operation, especially if you have a large number of users to add to your setup.

With just-in-time (JIT) provisioning of user accounts, you can rely on the users and groups managed by your SAML identity provider to create the required user accounts in the Portal automatically when users log in for the first time.

In addition, user information is verified and access rights are updated on every login. For instance, if the group membership of a user changes, the access rights of the user change accordingly.

Prerequisites

To provision users just-in-time with SAML, you first need to:

  • Have an admin account in Nexthink that is not SAML authenticated (a local or AD account). This admin account is required to complete the JIT SAML configuration.

  • Enable SAML authentication of users in Nexthink.

  • Define user profiles in Nexthink.

  • Add users to your SAML identity provider and define groups of users.

Procedure and method

These are the main steps to provision users just-in-time with SAML:

  1. Enable JIT provisioning of users through SAML in the Portal.

  2. Instruct your SAML identity provider to convey group membership and personal information in the SAML assertions about a user.

  3. Map user groups to user profiles in the Portal.

The idea is thus to assign profiles to users based on their group membership and to update their personal information on every login. Depending on whether the group-to-profile mapping succeeds and on whether the user account already exists in Nexthink, the system does the following:

Group-to-profile mapping successful:

  • User account missing in Nexthink:

    • Create the user account in Nexthink:

      • Username = Name ID

      • Profile set from the group mapping

      • Full name and email set from the assertion

    • Log the user in

  • User account exists in Nexthink:

    • Update the account in Nexthink:

      • Profile updated from the group mapping

      • Full name and email updated from the assertion

    • Log the user in

Group-to-profile mapping unsuccessful:

  • User account missing in Nexthink:

    • Deny access to the user

  • User account exists in Nexthink:

    • Deny access to the user

    • Deactivate or delete the user account

In case of an unsuccessful mapping of a user group to a profile, the account of the user is:

  • Deactivated, if the user has logged in to the system in the past.

  • Deleted, if the user has never logged in to the system before.

When deactivated, a user account still keeps the data associated with it, including modules, dashboards, and so on. If a deactivated user later joins a properly mapped group and is thus reprovisioned, all associated data is recovered. By contrast, a deleted user account loses all its associated data.

Enable JIT provisioning in the Portal

Configure the Portal to support the JIT provisioning of users:

  1. Log in to the CLI of the appliance that hosts the Portal.

  2. Optional: If the Portal has no configuration file yet, that is, if portal.conf does not exist in the folder /var/nexthink/portal/conf, create it by copying the defaults from the sample configuration file:

     sudo -u nxportal cp /var/nexthink/portal/conf/portal.conf.sample \
       /var/nexthink/portal/conf/portal.conf

  3. Edit the configuration file of the Portal:

     sudo vi /var/nexthink/portal/conf/portal.conf

  4. Add a configuration line to it:

    1. Press Shift + G to go to the last line of the file.

    2. Press o to add a new line.

    3. Type in the following line:

       globalconfig.saml.jit-user-provisioning = true

    4. Press Esc and type in the following colon command to save the changes and exit: :wq

  5. Restart the Portal:

     sudo systemctl restart nxportal
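The same edit as a script, added here as an example and not part of the Nexthink Portal. It assumes the "key = value" line format shown above and that it runs as root (sudo) on the appliance that hosts the Portal. Unlike the vi steps, it replaces an existing jit-user-provisioning line instead of appending a second one, and it rewrites portal.conf atomically so the Portal never reads a half-written file. Restart the Portal afterwards as in step 5.

```python
"""Added example (not Nexthink's code): set a key in portal.conf idempotently.

Assumptions not taken from the page: the file consists of "key = value"
lines, the script runs as root on the Portal appliance, and the copied
sample file should be owned by the nxportal user (as the page's
"sudo -u nxportal cp" step achieves). Paths and the key are the page's own.
"""
import os
import re
import shutil
import sys
import tempfile
from typing import Optional

PORTAL_CONF = "/var/nexthink/portal/conf/portal.conf"
PORTAL_CONF_SAMPLE = "/var/nexthink/portal/conf/portal.conf.sample"
JIT_KEY = "globalconfig.saml.jit-user-provisioning"


def _key_pattern(key: str) -> re.Pattern:
    # Matches "key = value" with optional whitespace; the key is escaped so
    # the dots in globalconfig.saml.* are literal and cannot match other keys.
    return re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(.*?)\s*$")


def set_option_text(text: str, key: str, value: str) -> str:
    """Return text with exactly one 'key = value' line (replace or append)."""
    pattern, new_line = _key_pattern(key), f"{key} = {value}"
    out, seen = [], False
    for line in text.splitlines():
        if pattern.match(line):
            if not seen:            # first occurrence is rewritten in place
                out.append(new_line)
                seen = True
            continue                # later duplicates are dropped
        out.append(line)
    if not seen:
        out.append(new_line)        # same effect as the vi steps above
    return "\n".join(out) + "\n"


def get_option_text(text: str, key: str) -> Optional[str]:
    """Return the value of key, or None if the key is absent."""
    pattern = _key_pattern(key)
    for line in text.splitlines():
        match = pattern.match(line)
        if match:
            return match.group(1)
    return None


def set_option_file(path: str, key: str, value: str) -> None:
    """Rewrite path atomically with the option set, keeping mode and owner."""
    with open(path, encoding="utf-8") as handle:
        text = handle.read()
    new_text = set_option_text(text, key, value)
    if new_text == text:
        return
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".portal.conf.")
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write(new_text)
    shutil.copymode(path, tmp)
    stat = os.stat(path)
    os.chown(tmp, stat.st_uid, stat.st_gid)  # keep the existing (nxportal) owner
    os.replace(tmp, path)                    # atomic rename: no half-written config


def main() -> int:
    if not os.path.exists(PORTAL_CONF):
        # Equivalent of the optional "sudo -u nxportal cp" step: copy the
        # defaults and hand the file to the nxportal user (group left as is).
        shutil.copy2(PORTAL_CONF_SAMPLE, PORTAL_CONF)
        shutil.chown(PORTAL_CONF, user="nxportal")
    set_option_file(PORTAL_CONF, JIT_KEY, "true")
    with open(PORTAL_CONF, encoding="utf-8") as handle:
        print(f"{JIT_KEY} = {get_option_text(handle.read(), JIT_KEY)}")
    print("Now restart the Portal: sudo systemctl restart nxportal")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running it a second time, or after someone has already added the line by hand, leaves a single jit-user-provisioning line with the requested value; the temp-file-plus-rename pattern is what keeps the Portal from ever seeing a truncated portal.conf if the script is interrupted.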

Advanced configuration

If your SAML identity provider does not let you modify the name of the attribute that conveys the required information in its SAML assertions, add the name that identifies that piece of information (usually a URI) to the configuration file of the Portal instead. There is a dedicated entry for each of the required attributes: full name, group membership, and email address.

The default values in the configuration file of the Portal support the names used by AD FS and the ones that you supply when configuring Azure AD as indicated below.

fullname-attribute-names =
  [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "nexthink.fullname" ]
groups-attribute-names =
  [ "http://schemas.xmlsoap.org/claims/Group",
    "nexthink.groups",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" ]
email-address-attribute-names =
  [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "nexthink.email" ]

Adding group membership and personal information to SAML assertions

Configure your SAML identity provider to include the group membership and the personal information (full name and email address) of users as attributes in its SAML assertions. These attributes are known as claims in Azure AD and AD FS.

Configuring claims in AD FS

To configure the claims in Microsoft AD FS:

  1. Log in as administrator to the Windows Server machine that runs AD FS.

  2. Open the AD FS management console.

  3. On the left-hand side panel, under Trust relationships, select Relying Party Trusts.

  4. Right-click the entry that you previously created to define the Portal as a relying party (see Enabling SAML authentication of users) and, from the context menu, select the entry to edit the policy for issuing claims:

    • In Windows Server 2016, select Edit Claim Issuance Policy....

    • In Windows Server 2012, select Edit Claim Rules....

  5. In the Issuance Transform Rules tab, click Add rule... to add the full name of the user to the SAML assertions. The wizard to add a new transform rule for claim issuance shows up.

    1. On the Choose Rule Type step, select Send LDAP Attributes as Claims under Claim rule template.

    2. Click Next >.

    3. On the Configure Claim Rule step, provide the following information:

      • Under Claim rule name, type in: nexthink.fullname

      • Under Attribute store, select Active Directory.

      • Under Mapping of LDAP attributes to outgoing claim types, select Display-Name as LDAP Attribute and Name as Outgoing Claim Type.

    4. Click Finish.

  6. Back to the Issuance Transform Rules tab, click Add rule... again to add the groups of the user to the SAML assertions.

    1. On the Choose Rule Type step, select Send LDAP Attributes as Claims under Claim rule template.

    2. Click Next >.

    3. On the Configure Claim Rule step, provide the following information:

      • Under Claim rule name, type in: nexthink.groups

      • Under Attribute store, select Active Directory.

      • Under Mapping of LDAP attributes to outgoing claim types, select Token-Groups - Qualified by Long Domain Name as LDAP Attribute and Group as Outgoing Claim Type.

    4. Click Finish.

  7. Back to the Issuance Transform Rules tab, click Add rule... for the third time to add the email address of the user to the SAML assertions.

    1. On the Choose Rule Type step, select Send LDAP Attributes as Claims under Claim rule template.

    2. Click Next >.

    3. On the Configure Claim Rule step, provide the following information:

      • Under Claim rule name, type in: nexthink.email

      • Under Attribute store, select Active Directory.

      • Under Mapping of LDAP attributes to outgoing claim types, select E-Mail-Addresses as LDAP Attribute and E-Mail Address as Outgoing Claim Type.

    4. Click Finish.

  8. Click OK to close the page for editing claim rules.

Configuring claims in Azure AD

To configure the claims in Azure AD:

  1. Log in to the Azure portal (https://portal.azure.com) from your web browser and click Azure Active Directory on the left-hand side panel.

  2. Under Manage, select Enterprise applications, and then select the Nexthink Portal application that you previously created (see Enabling SAML authentication of users).

  3. Click the pencil icon at the top right corner of the second tile to edit User Attributes & Claims. The page to edit the claims appears.

  4. Click the pencil icon to the right of Groups returned in claim. The page Group Claims (Preview) shows up.

    1. Choose Groups assigned to the application as the groups associated with the user to be returned in the claim.

    2. Select Group ID as the Source attribute to return.

    3. Under Advanced options, tick Customize the name of the group claim.

    4. As Name (required), type in: nexthink.groups

    5. Click Save to return to the User Attributes & Claims page.

  5. Click the button Add new claim to include the full name of the user in the issued SAML assertions. The page Manage user claims shows up:

    1. As Name, type in: nexthink.fullname

    2. Choose Attribute as type of Source.

    3. As Source attribute, select: user.displayname

    4. Click Save.

  6. Click the button Add new claim to include the email of the user in the issued SAML assertions. The page Manage user claims shows up:

    1. As Name, type in: nexthink.email

    2. As Source attribute, select: user.mail or user.userprincipalname

    3. Click Save.

  7. Optional: Delete the claims that the Nexthink Portal does not consume.

  8. Get the identifiers of the groups in Azure AD to map them to Nexthink profiles later.

    1. Back to the main page of the Azure portal, click Azure Active Directory on the left-hand side panel.

    2. Under Manage, select Groups. The list of active groups appears on the page Groups - All groups.

    3. Select one of the groups that you wish to map to a profile in Nexthink.

    4. On the left-hand side menu of the page, select Properties under Manage.

    5. In the Properties page, under General settings, click the copy icon to the right of the Object ID field to copy the identifier of the group.

    6. Paste the Object ID somewhere else (for example, in a text editor) and save it, so that you can reuse it later.

    7. Click Discard at the top of the Properties page to go back to the group selection and repeat the operation for as many groups as you need to map to profiles in Nexthink.

Mapping groups to profiles

To map the groups defined in your SAML identity provider to the profiles defined in the Nexthink Portal:

  1. Log in to the Portal with a local or AD admin account (see Prerequisites).

    • Warning: Do not try to log in through corporate single sign-on with this account! As user groups are not mapped to profiles yet, the mapping will fail and the account might be deactivated (if it is not a local account).

  2. Click the ADMINISTRATION drop-down menu at the top of the window.

  3. Select Accounts under ACCOUNT MANAGEMENT. The page to manage user accounts appears.

  4. Click the button SAML Groups at the top of the page.

  5. Click the button Add group to set a new mapping.

    1. Type in the name of a group in the column AD group name.

      • If Azure AD is your SAML identity provider, type in or paste the previously saved Object ID of the group.

    2. Select an available user profile from the list in the Profile column.

      • If the profile is parameterized, choose the view domain of the users to be imported from the View list in the Profile Domain column.

      • Additionally, if the parameterized profile is of the administration type, choose the administration domain of the users to be imported from the Admin list in the Profile Domain column.

  6. Optional: Repeat the previous step to add more mappings.

  7. Click OK.

At login time, the Portal grants access to all users that are members of at least one of the mapped groups. The exact permissions of the user are determined by the assigned profile.

Determining mapping precedence

Because users may belong to more than one group, the order in which you specify the mappings matters: if a user belongs to two groups that are mapped to different profiles in the Portal, the user is assigned the profile mapped to the group that appears first in the list. Review the order whenever a group mapped to a highly privileged profile shares members with groups mapped to more restrictive profiles, since the position in the list, not the privilege level, decides which profile wins.
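The decision table in Procedure and method, the attribute-name lists in Advanced configuration, and the precedence rule above, as one added example in Python that is not Nexthink's code. It parses a constructed SAML 2.0 assertion, picks the full name, groups and email address by attribute name, resolves the profile from an ordered list of group mappings, and applies the create, update, deny, deactivate and delete rules. Assumptions that the page does not make: when several candidate attribute names are present, the first one in the list wins; and the assertion's signature, audience and validity window have already been verified upstream. The example performs none of those checks and the attribute values must not be trusted before they pass; for XML from an untrusted source, parse with defusedxml rather than xml.etree.

```python
"""Added example (not Nexthink's code): the JIT decisions described on this page,
applied to a SAML 2.0 assertion. Assumptions not from the page: the sample
assertion is constructed; the candidate attribute-name lists copy the
portal.conf defaults shown above and the first name present wins; the
assertion's signature, audience and validity window are verified before this
step (not done here)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FULLNAME_ATTRIBUTE_NAMES = ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                            "nexthink.fullname"]
GROUPS_ATTRIBUTE_NAMES = ["http://schemas.xmlsoap.org/claims/Group", "nexthink.groups",
                          "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]
EMAIL_ADDRESS_ATTRIBUTE_NAMES = ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                                 "nexthink.email"]


@dataclass
class GroupMapping:
    group: str    # AD group name, or the Azure AD group Object ID
    profile: str  # Nexthink profile


@dataclass
class Account:
    username: str
    profile: str
    full_name: str = ""
    email: str = ""
    active: bool = True
    ever_logged_in: bool = False


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 Assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        raise ValueError("assertion has no Subject/NameID")
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs


def first_attribute(attrs, candidate_names):
    """Values of the first candidate name found (ordering is an assumption)."""
    for name in candidate_names:
        if name in attrs:
            return attrs[name]
    return []


def resolve_profile(groups, mappings):
    """Mapping precedence: the first configured mapping whose group the user is in wins."""
    member_of = set(groups)
    for mapping in mappings:
        if mapping.group in member_of:
            return mapping.profile
    return None


def jit_login(xml_text, mappings, directory):
    """Apply the create/update/deny/deactivate/delete table to directory
    (username -> Account). Returns (action, account or None)."""
    name_id, attrs = parse_assertion(xml_text)
    profile = resolve_profile(first_attribute(attrs, GROUPS_ATTRIBUTE_NAMES), mappings)
    account = directory.get(name_id)
    if profile is None:                           # unsuccessful group-to-profile mapping
        if account is None:
            return "denied", None
        if account.ever_logged_in:
            account.active = False                # deactivated: dashboards etc. are kept
            return "denied-deactivated", account
        del directory[name_id]                    # never logged in: deleted with its data
        return "denied-deleted", None
    if account is None:
        account = directory[name_id] = Account(username=name_id, profile=profile)
        action = "created"
    else:
        account.profile, account.active = profile, True   # reprovisions a deactivated account
        action = "updated"
    account.full_name = next(iter(first_attribute(attrs, FULLNAME_ATTRIBUTE_NAMES)), "")
    account.email = next(iter(first_attribute(attrs, EMAIL_ADDRESS_ATTRIBUTE_NAMES)), "")
    account.ever_logged_in = True
    return action, account


# Constructed sample: AD FS-style claim names, groups qualified by long domain name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_example">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>example.com\\Nexthink Viewers</saml:AttributeValue>
      <saml:AttributeValue>example.com\\Nexthink Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    users = {}
    rules = [GroupMapping("example.com\\Nexthink Admins", "admin"),
             GroupMapping("example.com\\Nexthink Viewers", "viewer")]
    print(jit_login(SAMPLE_ASSERTION, rules, users))  # created, profile admin (listed first)
    print(jit_login(SAMPLE_ASSERTION, [], users))     # denied-deactivated, account kept
```

Run as a script, the first login creates the account with the admin profile because the Admins mapping is listed before the Viewers mapping, even though the assertion lists the Viewers group first; a second login with no mappings denies access and deactivates the account rather than deleting it, because it has logged in before. Swapping the two mappings gives the same user the viewer profile, which is the precedence rule above in action.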

