Skip to main content

Setup Single-Sign On for dab Nexus On-Premise

Note

To use Single-Sign On it must be activated in your License.

Instead of logging in to dab Nexus with your Mail-Address and Password you can connect an existing Single Sign-On (SSO) Solution such as Microsoft Entra ID (formerly Azure Active Directory) or Active Directory Federation Services.

Configure SSO with Microsoft Entra ID (formerly Azure AD)

  • Open the Azure Active Directory Menue in the Azure Portal

  • Click on Enterprise applications
    nexus_sso_op_1

  • Chose New Application and then Create your own Application

  • Insert a name such as dab Nexus and activate the Checkbox Integrate any other application you don't find in the gallery (Non-gallery)
    nexus_sso_op_2

  • Click on Single Sign-On and then on SAML as SSO-Method
    nexus_sso_op_3

  • Click in the Basic SAML Configuration tab on Edit

  • Enter an Identifier, e.g. dab Nexus, and a Reply URL. This Reply URL is the Application URL you have choosen in the dab Nexus installation. You can find it in the Configuration.json in the DAB_NEXUS_HOME directory, it ends with /sso/saml/acs
    nexus_sso_op_4

  • Download a certificate from the SAML Signing Certificate section and install it in the Trusted Root Certification Authorities of the server dab Nexus is running on
    nexus_sso_op_5

Adjust the Configuration.json and add the following rows:

  "AuthMode": "SAML",
  "SAML": {
    "Issuer": "dab Nexus",
    "IdentityProviderMetadataUrl": "https://login.microsoftonline.com/...",
    "IdentityProviderMetadataFile": "IdPMetadata.xml"
  }
  • Change the AuthMode to SAML
  • Enter the previously selected Issuer in the SAML area
    • Enter either the IdentityProviderMetadataUrl or the IdentityProviderMetadataFile. You only need one of the two values.
      • If you want to use the IdentityProviderMetadataUrl (recommended), copy and paste the App Federation Metadata Url from the SAML Signing Certificate section
      • If you want to use the IdentityProviderMetadataFile, download the Federation Metadata XML from the SAML Signing Certificate section and copy and paste it in the DAB_NEXUS_HOME folder. Insert the name of this file as value of IdentityProviderMetadataFile
  • Restart the dab Nexus Windows Service

Configure SSO with Active Directory Federation Services (AD FS)

  • Open the AD FS Managementtool and navigate to the Trust settings of the trusting side

  • Click on Add trust settings of the trusting side
    nexus_sso_1

  • The Assistant to Add trust settings of the trusting side will open
    nexus_sso_2

  • Activate the checkbox Enter data manually via the trusting side
    nexus_sso_3

  • Enter a display name such as dab Nexus (we used ZeusDev in the screenshots - change the name to the display name you chose earlier, e.g. dab Nexus)
    nexus_sso_4

  • Select the AD FS Profile because dab Nexus uses the SAML 2 protocol
    nexus_sso_5

  • Click on Continue without to configure the optional Token encryption certificate
    nexus_sso_6

  • Activate the checkbox Support for the SAML 2.0 WebSSO protocol and insert the Application URL from the dab Nexus installation as URL which ends with /sso/saml/acs
    nexus_sso_7

  • Enter an identifier for the Trust Position of the trusting side such as dab Nexus
    nexus_sso_8

  • Skip the settings for the multi-factor authentication by activating the checkbox 'Do not configure settings for multi-factor authentication now'
    nexus_sso_9

  • Configure the user access as required
    nexus_sso_10

  • Check the settings and click on Continue
    nexus_sso_11

  • Close the assistant
    nexus_sso_12

  • If necessary, open the dialog for Editing the Entitlement Rules by right-clicking on the created entry and select Edit Entitlement Rules
    nexus_sso_13

  • Navigate to the Tab Issueing Transformation Rules and click on the button Add Rule
    nexus_sso_14

  • Chose the option Send LDAP Attributes as Claims in the Assistant for Adding a Transformation Rule
    nexus_sso_15

  • Enter any Claim Rule Name and select e-mail-addresses as LDAP Attribute and assign it to the Outgoing Claim Type e-mail-address, then save the transformation claim rule
    nexus_sso_16

  • Adjust the Configuration.json and add the following rows:

  "AuthMode": "SAML",
  "SAML": {
    "Issuer": "dab Nexus",
    "IdentityProviderMetadataUrl": "https://my-dc.mycompany.com/...",
    "IdentityProviderMetadataFile": "FederationMetadata.xml"
  }

  • Change the AuthMode to SAML

  • Insert the previously chosen Issuer in the SAML area

    • Enter either the IdentityProviderMetadataUrl or the IdentityProviderMetadataFile. You only need one of the two values. Navigate in the AD FS Administrationtool to Service/Endpoint. Quite at the end of the list you find a URL for the FederationMetadata.xml
      nexus_sso_17

  • Add the URL to the hostname of your AD FS-Server, e.g. my-dc.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml

  • Enter the URL in your Browser to check it. Now you have the oportunity to download the XML file:

  • If you want to use the IdentityProviderMetadataUrl (recommended), insert this URL as IdentityProviderMetadataUrl

  • If you want to use the IdentityProviderMetadataFile, download the XML File with your Broswer and copy and paste it in the DAB_NEXUS_HOME folder. Insert the name of this file as value of IdentityProviderMetadataFile

  • Navigate to Service/Certificate and copy the certificate into a file by selecting the certificate and choosing View Certificate

  • Install it in the Trusted Root Certificate Authorities of the server of the server dab Nexus is running on
    nexus_sso_18

  • Restart the dab Nexus Windows Service