Login
      Contents x
      Nectar DXP SSO with Microsoft ADFS
      • 16 Feb 2024
      • 2 Minutes to read
      • Contributors
      • Print
      • Dark
        Light
      • PDF
      Contents

      Nectar DXP SSO with Microsoft ADFS

      • Updated on 16 Feb 2024
      • 2 Minutes to read
      • Contributors
      • Print
      • Dark
        Light
      • PDF
      Article Summary

      Overview

      This document provides specific information about configuring Nectar DXP SSO with Microsoft ADFS 2.0+. For more general information about enabling SSO in Nectar DXP, refer to Configure Nectar DXP for SSO. The below procedure is an example only. Your specific requirements for ADFS configuration may vary.

      Procedure

      1. From the Microsoft ADFS console, right-click on Relying Party Trusts and select Add Relying Party Trust...
      2. Select Claims aware and select Start
      3. Select Import data about the relying party from a file and select the SAML configuration file downloaded from Nectar DXP. Press Next
        If you receive an error message stating "This operation is not supported for a relative URI", perform the following steps:

        1. Open the downloaded configuration file in a text editor such as Notepad.
        2. Search for "HTTP-Artifact". You should see this towards the end of the file
        3. Remove the XML element containing "HTTP-Artifact", starting from where it says "<md:AssertionConsumerService Binding" and ending with "index="1"/>
            Example:
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="nectar/saml/SSO" index="1"/>
        4. Save the file and try to import the file into the ADFS wizard again. You should not receive the error again.

      4. Enter a Display name for the trust. Suggested name is "Nectar DXP". Click Next
      5. Choose the access control policy appropriate for your organization. Click Next.
      6. Review the final settings and click Next.
      7. Once complete, right click on the new Relying Party Trust for Nectar DXP and select Edit Claim Issuance Policy...
      8. Click on Add Rule...
      9. Select Send LDAP Attributes as Claims and click Next
      10. Give the claim rule a name such as Default.
      11. Select Active Directory as the Attribute Store
      12. On the left side, under LDAP Attribute, select User-Principal-Name.
      13. On the right side, under Outgoing claim type, select Name ID
      14. On the next row, on the left side, select Token-Groups - Unqualified Names
      15. On the right side, select Group.
      16. Verify and click OK.
      17. Download a copy of your ADFS federation metadata file by navigating to https://<YourADFSServerName>/FederationMetadata/2007-06/FederationMetadata.xml from a browser. This should prompt you to save the file. Give it a memorable name and save it somewhere accessible.
      18. In Nectar DXP, upload your federation metadata file using the Upload metadata button under the Identity Provider Service Configuration section
      19. Under Additional Settings, place the following in the textbox for SSO User Groups Attribute: http://schemas.xmlsoap.org/claims/Group
      20.  Under User Roles Mapping, select a Nectar DXP Tenant User Role on the left. The defaults are Administrator and ReadOnly. Additional roles can be defined if desired.
      21. Under External User Role, enter the name of the Active Directory group that you want to allow members to logon to Nectar DXP
        This will allow members of Domain Admins to logon to Nectar DXP with Administrator privileges

         

      22. Add additional role mappings as required
      23. Finally, click the Enable SSO login checkbox and click UPDATE
      Was this article helpful?
      What's Next
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout
      ESC

      Eddy, a super-smart generative AI, opening up ways to have tailored queries and responses