User Guide
Nitro Admin Portal

Single Sign-On Overview

Single Sign-On (SSO) allows your users to access Nitro's products by authenticating through your Identity Provider (IdP). Nitro supports SSO with any SAML 2.0-compliant IdP. See "Step-by-step instructions for various IdPs" for IdP-specific instructions.

Note: This feature is only available for Enterprise customers.

Prerequisites:

  1. Your account must have a verified domain to set up and enable SSO. Visit this article for instructions on verifying your domain.
  2. You will need the following information from your IdP: 
    - Sign In URL 
    - X.509 Signing Certificate

Set up SAML SSO

  1. Log in to the Nitro Admin Portal.
  2. Select Settings in the left navigation pane and navigate to the Single Sign-On tab.
  3. Click the Setup SAML SSO button.
  4. Enter your IdP's Sign In URL and upload the X.509 Signing Certificate from your IdP. The X.509 Signing Certificate should be Base64-encoded and in .cer or .pem format.
  5. When these have been submitted successfully, you will be provided with the SAML Entity ID and ACS URL. Add these to your IdP.
  6. Nitro requires the SAML assertion to contain NameID, email, given_name, family_name and employeeNumber of a user:
    1. NameID must be set to email address. 
    2. employeeNumber can be any value that is unique for a user, e.g. for Okta: user.id. Note: if there is no obvious unique ID value, use email address instead.
    3. Please note the UI for adding custom attributes will vary depending on the identity provider in use. See the example assertions from Okta and Azure AD below.
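
A pre-flight check for the assertion requirements in step 6, as an added example (not Nitro's code): it parses a decoded assertion captured from your IdP test login and lists any missing fields. It assumes the required names appear as SAML Attribute `Name` values exactly as listed above; the sample assertion is constructed, and the script checks content only, not the signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names from step 6 (assumed to be the literal Attribute Name values).
REQUIRED_ATTRS = ("email", "given_name", "family_name", "employeeNumber")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion (unsigned, trimmed to the parts checked here).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeNumber"><saml:AttributeValue>00u1abcd</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    # NameID must be set to the user's email address.
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    if not EMAIL_RE.match(name_id.strip()):
        problems.append("NameID is missing or is not an email address")
    # Collect the non-empty values of every attribute in the statement.
    values = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values[attr.get("Name")] = [v for v in vals if v]
    for name in REQUIRED_ATTRS:
        if not values.get(name):
            problems.append(f"attribute {name} is missing or empty")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "all required fields present")
```

Attribute names are compared case-sensitively, so a mapping such as `EmployeeNumber` is reported as missing.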

Enable SSO

After completing the SAML SSO setup, check Enable Single Sign-On.

Testing SSO

Toggle Enable Single Sign-On to Disabled.

  1. Assign your test user permission to the Nitro application in your IdP
  2. Test IdP initiated login from your IdP's application launch page
  3. Test SP initiated login from an incognito window
  4. Navigate to https://sso.gonitro.com and enter the test user's username

Note: If you lose your active admin session while testing SSO login and are unable to log back in, please contact customer support to disable the SSO configuration for you.

Disable SSO

Uncheck Enable Single Sign-On.

Note: When SSO is disabled, users will need to log in with their Nitro account username and password.

Removing an IdP Configuration

To remove the IdP configuration, click the Remove Configuration button.

Note: Removing an IdP configuration will disable SSO for your account.

Step-by-step instructions for various IdPs:

Example Assertion from Okta:

[Image: example assertion from Okta]

Example Assertion from Azure AD:

[Image: example assertion from Azure AD]
