Configure Nectar DXP for SSO
  • 13 Jun 2022

Overview

Nectar DXP supports single sign-on (SSO) to allow user access based on company credentials. Nectar DXP SSO is based on SAML 2.0 standards to support multiple identity providers such as (but not limited to) Okta, Centrify, Microsoft Active Directory and many others. Before single sign-on can be used to log into a Nectar DXP environment, SSO must be configured by an administrator.

In the context of SSO, Nectar DXP acts as a Service Provider and offers automatic provisioning of users. Users do not need to be explicitly created within Nectar DXP when SSO is enabled and configured properly. When a new user attempts to access Nectar DXP, the Nectar DXP sign-on service will validate that the user has the appropriate credentials via the Identity Provider (using SAML) and, following a successful validation, a new user account will be created in Nectar DXP automatically. 

Follow the steps below to configure single sign-on (SSO). Please note that some of the steps below may require the involvement of an Identity Provider (IdP) administrator within your organization. This article will provide you with the information your IdP admin will likely require to complete the process. If your IdP admin requires information not addressed here, please contact Nectar support by email at support@nectarcorp.com to request any additional required information.  

Generate the SAML Configuration File

Start by navigating to the SSO Configuration in Nectar DXP (requires administrator credentials): Admin > SSO Configuration.

Click Generate SAML File. (The SSO Configuration window opens.)

Enter the following information.

Field: Service Provider Entity ID
Description:

  • Enter the service provider entity ID.
  • This is the identifier that the identity provider (IdP) will use to reference the tenant. This needs to be a unique value within the IdP's implementation.
  • Recommended format is nectar<tenant name>.

Field: SSO User Groups Attribute
Description:

  • Enter the IdP attribute name, in this case, OU.
  • The attribute name contains the group membership details (such as AD groups). Other IdPs may use different attribute names.
  • The customer needs to provide this information and can find it in the IdP documentation.


Click Generate to create the Nectar DXP SSO configuration file. Once generated, the Nectar DXP SSO configuration file appears in the shaded area as seen in the example here:

Click Download File (in the lower right corner of the window) to download the SAML configuration file locally or use Copy to clipboard to enable pasting the configuration into another document. 

Once downloaded, send the file to an IdP administrator within your organization to generate the IdP configuration file. This is usually done via an IdP portal.

Upload IdP Configuration

After the IdP configuration file is generated, it must be uploaded to Nectar DXP using the same SSO Configuration section used to generate the SAML configuration file above.

Click the Upload metadata button, which is located just below the original configuration file.

If the IdP attribute name that contains group membership details needs to be modified, use the SSO User Groups Attribute text box. The default value is OU.

Configure User Role Mapping

Multiple SSO User Groups may be configured to support Role-Based Access Control (RBAC) within Nectar DXP. In order to support this configuration, your Nectar DXP User Roles (created within Nectar DXP) must be matched to the appropriate user roles from your IdP.

For each user type that you would like to support, click the Role Mapping button to add new role mappings one at a time. Use the Tenant User Role and External User Role drop-downs to map the Nectar DXP user roles to the appropriate IdP (external user role) user groups as seen in this example:

In this example, the Administrator role (defined in ADMIN > Roles) is mapped to the following group: CN=NectarDXPLoginTesting,OU=NectarDXP,OU=Development-Product,OU=Nectar Users,DC=nectarcorp,DC=com 

Note
  • Multiple Nectar DXP roles can be assigned to the same customer user group or vice versa.
  • Recursive group checking is supported.
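
Before enabling SSO, it helps to confirm that a test login actually carries the groups attribute and that only the intended groups resolve to a role. The Python script below is an added example, not code from Nectar or from this article: it reads a captured assertion, pulls the values of the OU attribute, and previews which roles a copy of the Role Mapping table would grant. The sample assertion, the Helpdesk group, the ROLE_MAPPING dictionary and all function names are assumptions; the script does not verify signatures or expand nested groups.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement of an assertion captured during a
# test login. Only the first group DN is taken from the article's example.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="OU">
      <saml:AttributeValue>CN=NectarDXPLoginTesting,OU=NectarDXP,OU=Development-Product,OU=Nectar Users,DC=nectarcorp,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=Helpdesk,OU=Nectar Users,DC=nectarcorp,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical copy of the Role Mapping table: external group DN -> tenant roles.
ROLE_MAPPING = {
    "CN=NectarDXPLoginTesting,OU=NectarDXP,OU=Development-Product,OU=Nectar Users,DC=nectarcorp,DC=com": {"Administrator"},
}

def normalize_dn(dn):
    """Trim and case-fold each RDN (naive split; escaped commas are not handled).
    This is the script's own choice; the article does not say how DNs are compared."""
    return ",".join(part.strip().casefold() for part in dn.split(","))

def groups_from_assertion(xml_text, attribute_name="OU"):
    """Return every value of the named attribute found in the assertion."""
    root = ET.fromstring(xml_text)
    xpath = f".//saml:Attribute[@Name='{attribute_name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(xpath, NS) if v.text]

def preview_roles(xml_text, mapping, attribute_name="OU"):
    """Return (roles, unmapped_groups) for one captured assertion."""
    table = {normalize_dn(dn): roles for dn, roles in mapping.items()}
    roles, unmapped = set(), []
    for dn in groups_from_assertion(xml_text, attribute_name):
        matched = table.get(normalize_dn(dn))
        if matched:
            roles |= matched
        else:
            unmapped.append(dn)
    return roles, unmapped

if __name__ == "__main__":
    roles, unmapped = preview_roles(SAMPLE_ASSERTION, ROLE_MAPPING)
    print("roles:", sorted(roles))
    print("groups with no mapping:", unmapped)
```

An empty result for both values means the assertion did not contain the attribute name entered in the SSO User Groups Attribute field.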


Enable SSO

Once the steps above have been completed, enable SSO for your Nectar DXP environment by checking the Enable SSO Login box.

Finally, click UPDATE (in the lower right corner of the screen) to save your changes.

Be sure to click UPDATE!

All of the above configuration settings will be lost if you navigate away from this page without clicking the UPDATE button located in the lower right corner of the Admin > SSO Configuration screen.

