Authentication with SAML2

For examples of SAML2 configuration, click here.

General tab parameter Description

Activate

The toggle button defines whether the SAML2 provider should be available for the users to log in from the Login page.

When this option is enabled, a new button is displayed under External Accounts on the Login page.

Description

This is the text that will be displayed for the button that will be shown for the created provider on the Login page.

By default, it is set as New Provider and it is recommended that the text be changed to a label that is meaningful for the users when they go on the Login page.

Discovery Endpoint

This endpoint is optional in the configuration screen. The intention of the endpoint is to automatically populate the other required endpoints by retrieving the information from the available metadata.

Click the Discover button to populate the values for Provider Entity ID, Provider Login Endpoint and Provider Logout Endpoint.

Entity ID

This field is automatically populated based the server to which you are currently logged in. If needed, enter another unique identifier that will be used as Nectari ID. It must be the same as the Identifier (Entity ID) parameter set up in the Azure account or the Audience URI (SP Entity ID) set up in the Okta account.

Provider Entity ID

Application ID provided by the SAML2 provider. Since a user (Entity ID) could use multiple applications, this parameter specifies which one is used to connect to Nectari. It must be the same as the Azure ID Identifier parameter set up in the Azure account or the ID Provider Issuer set up in the Okta account.

This field is automatically populated if you clicked the Discover button.

Provider Login Endpoint

This is the URL where you will enter your email address and password. It must be the same as the Login URL parameter set up in the Azure or Okta account.

This field is automatically populated if you clicked the Discover button.

Provider Logout Endpoint

(Optional) If you provide a URL, users will be logged out from both Nectari and the Microsoft or Okta provider when they click Logout in the Web Client.

This field is automatically populated if you clicked the Discover button.

Saml2 ACS URL

This is the reply URL that will redirect you to the Web Client after entering your email address and password. It must be the same as the Reply URL (Assertion Consumer URL) parameter set up in the Azure or Okta account.

  • Web Client: This field is automatically populated based the server to which you are currently logged in.

  • Excel Add-in: Provides the URL defined for the Excel Add-in. Enter the port number that is available on the local machine where the Excel Add-in is installed.

Logout URL

(Optional) This is the reply URL that will redirect users to the login page when they click Logout in the Web Client. As opposed to the Provider Logout Endpoint parameter, they will still be logged in with their Microsoft or Okta account.

This field is automatically populated based the server to which you are currently logged in.

Certificate

The certificate is required as part of the authentication process. Drag and drop the certificate you downloaded for Azure or Okta.

User Identifier

This parameter specifies the claim that will be used to retrieve the mapped value in the Web Client user information.

For example, if the User Identifier is set to email, this parameter will search for the value of email based on mailnickname in Azure or nameidentifier in Okta and use it to compare and map the Web Client user.

Force re-Authentication

Select this option if you wish users to always re-enter their credentials. This setting will force the user to re-authenticate every time.

Allow Remember Me

Select this option to enable the browser to keep the authentication settings. For example, if the Web Client session is set to last 30 minutes, users will not be logged out of their session; they will stay logged in automatically.

 

Users tab parameter Description

Username

Indicates the Web Client user name that is used to log in.

Name

Indicates the Web Client user's name associated to the username.

Email

Indicates the Web Client user's email associated to the username.

User identifier

This is the only editable parameter. It specifies the value that is expected to be returned by the SAML2 provider for the specified User Identifier claim under the General tab.

For example, if the claim specified for User Identifier is email, this field should specify the user's email associated to the provider.