Nectar DXP SSO with Microsoft ADFS
    • 16 Feb 2024
    • 2 Minutes to read
    • Contributors
    • Dark
    • PDF

    Nectar DXP SSO with Microsoft ADFS

    • Dark
    • PDF

    Article Summary


    This document provides specific information about configuring Nectar DXP SSO with Microsoft ADFS 2.0+. For more general information about enabling SSO in Nectar DXP, refer to Configure Nectar DXP for SSO. The below procedure is an example only. Your specific requirements for ADFS configuration may vary.


    1. From the Microsoft ADFS console, right-click on Relying Party Trusts and select Add Relying Party Trust...
    2. Select Claims aware and select Start
    3. Select Import data about the relying party from a file and select the SAML configuration file downloaded from Nectar DXP. Press Next
      If you receive an error message stating "This operation is not supported for a relative URI", perform the following steps:

      1. Open the downloaded configuration file in a text editor such as Notepad.
      2. Search for "HTTP-Artifact". You should see this towards the end of the file
      3. Remove the XML element containing "HTTP-Artifact", starting from where it says "<md:AssertionConsumerService Binding" and ending with "index="1"/>
          <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="nectar/saml/SSO" index="1"/>
      4. Save the file and try to import the file into the ADFS wizard again. You should not receive the error again.

    4. Enter a Display name for the trust. Suggested name is "Nectar DXP". Click Next
    5. Choose the access control policy appropriate for your organization. Click Next.
    6. Review the final settings and click Next.
    7. Once complete, right click on the new Relying Party Trust for Nectar DXP and select Edit Claim Issuance Policy...
    8. Click on Add Rule...
    9. Select Send LDAP Attributes as Claims and click Next
    10. Give the claim rule a name such as Default.
    11. Select Active Directory as the Attribute Store
    12. On the left side, under LDAP Attribute, select User-Principal-Name.
    13. On the right side, under Outgoing claim type, select Name ID
    14. On the next row, on the left side, select Token-Groups - Unqualified Names
    15. On the right side, select Group.
    16. Verify and click OK.
    17. Download a copy of your ADFS federation metadata file by navigating to https://<YourADFSServerName>/FederationMetadata/2007-06/FederationMetadata.xml from a browser. This should prompt you to save the file. Give it a memorable name and save it somewhere accessible.
    18. In Nectar DXP, upload your federation metadata file using the Upload metadata button under the Identity Provider Service Configuration section
    19. Under Additional Settings, place the following in the textbox for SSO User Groups Attribute:
    20.  Under User Roles Mapping, select a Nectar DXP Tenant User Role on the left. The defaults are Administrator and ReadOnly. Additional roles can be defined if desired.
    21. Under External User Role, enter the name of the Active Directory group that you want to allow members to logon to Nectar DXP
      This will allow members of Domain Admins to logon to Nectar DXP with Administrator privileges


    22. Add additional role mappings as required
    23. Finally, click the Enable SSO login checkbox and click UPDATE

    Was this article helpful?

    Changing your password will log you out immediately. Use the new password to log back in.
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.

    Eddy, a super-smart generative AI, opening up ways to have tailored queries and responses