Configure SAML-based single sign-on (SSO) with ADFS

Who can use this feature?

☞ Only team owners and admins can configure single sign-on (SSO).

☆ Available on the standard and premium plans.

Step 1: Prepare the configuration

  1. Log in to Nuclino.

  2. Click the menu button in the top left corner to open the main menu.

  3. Click on your team name and select Team settings.

  4. Go to the Authentication section and choose SAML-based single sign-on (SSO).

  5. Note the ACS URL and Entity ID.

Step 2: Set up ADFS (Active Directory Federation Services) for Nuclino

  1. Open AD FS Management on your ADFS server.

  2. Right-click Relying party trusts and select Add relying party trust.

  3. Click Start on the welcome step.

  4. In the step Select data source, choose Enter data about the relying party manually and click Next.

  5. Enter a Display name, e.g. Nuclino Login, and click Next.

  6. In the step Choose profile, choose AD FS profile with SAML 2.0 and click Next.

  7. Click Next on the Configure certificate step without choosing any certificate.

  8. Select Enable support for the SAML 2.0 WebSSO protocol.

  9. Enter the ACS URL from Step 1 as the login URL and click Next.

  10. Enter https://api.nuclino.com as a Relying party trust identifier.

  11. Click Next until you reach the Finish step.

  12. Choose Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close. This will launch the Edit Claim Rules window.

  13. In the Edit Claim Rules window, click Add rule, choose Send LDAP Attributes as Claims as the Claim rule template and click Next.

  14. Enter Nuclino Attributes as Claim rule name and choose Active Directory as the Attribute store. Map the LDAP Attribute Given-Name to first_name, Surname to last_name, and click Finish.

  15. Click Add rule again in the Edit Claim Rules window, choose Transform an Incoming Claim as the Claim rule template, and click Next.

  16. Enter NameIDNuclino as the Claim rule name, choose E-Mail Address as Incoming claim type, Name ID as the Outgoing claim type, Email as the outgoing name ID format, select Pass through all claim values, and click Finish.

  17. Make sure the rule Nuclino Attributes is above the rule NameIDNuclino in the Edit Claim Rules window.

  18. In the AD FS Management window, right-click the relying party trust for Nuclino and choose Properties. Select the Advanced tab and choose SHA-256 as the Secure hash algorithm.

  19. In the AD FS Management window, navigate to Services and then to Certificates. Right-click the Token-signing certificate, choose View certificate..., and export it as a Base-64 encoded X.509 certificate. You'll need to open the certificate in a text editor and copy/paste the content into the field Certificate data in Nuclino as detailed in Step 3.

Step 3: Integrate Nuclino with your identity provider

  1. Log in to Nuclino.

  2. Click the menu button in the top left corner to open the main menu.

  3. Click on your team name and select Team settings.

  4. Go to the Authentication section and choose SAML-based single sign-on (SSO).

  5. Enter the following information:

    1. SSO URL: https://[your-adfs-domain.com]/adfs/ls

    2. Entity ID: http://[your-adfs-domain.com]/adfs/services/trust

    3. Certificate data: Open the certificate you downloaded in Step 2 in a text editor and copy/paste the content into this field.

  6. Click Save changes.

  7. Optional: Enforce single sign-on (SSO)
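To confirm that a test login produces what Steps 2 and 3 configure, the following added example (not Nuclino's or Microsoft's code) checks a base64-decoded SAML assertion captured from your own test login against those settings. The function name, the sample assertion and the host adfs.example.com are assumptions for illustration; the expected issuer, audience, NameID format and attribute names come from the steps above.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_assertion(xml_text, adfs_host, audience="https://api.nuclino.com"):
    """List mismatches between a decoded assertion and Steps 2 and 3.
    Configuration check only: it does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    a = next(root.iter(f"{{{SAML}}}Assertion"), None)
    if a is None:
        return ["no saml:Assertion element found"]
    problems = []
    issuer = a.findtext(f"{{{SAML}}}Issuer", "").strip()
    if issuer != f"http://{adfs_host}/adfs/services/trust":
        problems.append(f"Issuer {issuer!r} differs from Entity ID in Step 3")
    method = a.find(f".//{{{DSIG}}}SignatureMethod")
    if method is None or not method.get("Algorithm", "").endswith("sha256"):
        problems.append("signature is missing or not SHA-256 (Step 2, item 18)")
    name_id = a.find(f".//{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing (rule NameIDNuclino issued nothing)")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not Email (Step 2, item 16)")
    if audience not in [e.text for e in a.iter(f"{{{SAML}}}Audience")]:
        problems.append("Audience does not match the relying party identifier")
    names = {e.get("Name") for e in a.iter(f"{{{SAML}}}Attribute")}
    for wanted in ("first_name", "last_name"):
        if wanted not in names:
            problems.append(f"attribute {wanted} missing (rule Nuclino Attributes)")
    return problems

# Constructed sample: an assertion shaped like the one the steps above produce,
# with signature value and timestamps left out. adfs.example.com is a placeholder.
SAMPLE = f"""<Assertion xmlns="{SAML}" xmlns:ds="{DSIG}">
<Issuer>http://adfs.example.com/adfs/services/trust</Issuer>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod
 Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
<Subject><NameID Format="{EMAIL_FORMAT}">ada@example.com</NameID></Subject>
<Conditions><AudienceRestriction><Audience>https://api.nuclino.com</Audience>
</AudienceRestriction></Conditions>
<AttributeStatement><Attribute Name="first_name"><AttributeValue>Ada</AttributeValue></Attribute>
<Attribute Name="last_name"><AttributeValue>Lovelace</AttributeValue></Attribute></AttributeStatement>
</Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "adfs.example.com") or "matches Steps 2 and 3")
```

An empty list means the assertion matches the configuration; each string in a non-empty result names the step to revisit.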

After you have successfully set up SSO

Your team can now sign up and log in via your team URL, which you can find in the Authentication section of your team settings.

  • People who already have a Nuclino account with the same email address as their SSO account can choose to link this account. Afterwards, they can log in using their existing Nuclino account or use SSO instead.

  • For people who don't have a Nuclino account yet, a new account is provisioned when they log in for the first time using your team URL. They can only log in using SSO as long as they don't generate a separate password using Nuclino's reset password functionality.

Users who have already set up SSO for their Nuclino account can also go to the normal login (https://app.nuclino.com/login) and select Log in via single sign-on (SSO).

Questions?

If you have any questions or need help to set up SSO for Nuclino, please contact us.