
Setting up SAML (generic)

Introduction

Setting up Nanitor to support login with SAML is fairly straightforward. You will need to be a system administrator in Nanitor and an admin in your identity provider to set up the integration.

This article explains how to add your identity provider, focusing on the Nanitor side of things; you will need to know your way around your identity provider. For instructions specific to the identity providers we formally support, please see the SAML topic.

Downloading Service Provider Metadata

Start by downloading the service provider metadata XML file from Nanitor. It contains the settings your identity provider needs to trust Nanitor, and you will upload it to the identity provider in the next section. Here is how you download it:

Log in to Nanitor with your system admin credentials, then click the wheel in the upper right and select System Management. If System Management isn't available, your user probably does not have system admin permissions (note that organization admin permissions are not enough). Contact another Nanitor system admin or submit a support ticket to Nanitor to gain system admin access. If you are self-hosted and have access to the server running Nanitor, check out this article.

[Screenshot: system management]

Next, select SAML identity providers in the left bar:

[Screenshot: system management menu]

Then click the three dots and "Download service provider metadata":

[Screenshot: download option]

Steps in your identity provider

  • Create a new application.
  • Enable SAML authentication for the application.
  • Upload the XML file, or apply the values from it manually. Refer to your identity provider specialist for details.
  • Enable the group claim attribute if possible, so that the user's group IDs are included in the response from your identity provider. If you do not, Nanitor cannot assign permissions based on group membership, and every user who logs in through this identity provider gets the same default level of access.
  • Associate the appropriate user groups with this new application.
  • Find the App Federation Metadata URL, then copy that to your clipboard. You will need to paste this into Nanitor.

Configuring Nanitor System

Now go back to your Nanitor instance, to the SAML identity provider screen you were on at the start of this journey, and click on "Add identity provider".

[Screenshot: add identity provider]

Provide a descriptive name, paste in the metadata URL you just copied, and click ADD.

[Screenshot: add provider]

Note that the login screen will prefix the name you provide here with "Sign in with ". So if you use the string "EntraID", as I did in this example, the login screen will show a button with the text "Sign in with EntraID".

Mapping User Groups with Nanitor Privileges

The only thing left is to map your identity provider's user groups to Nanitor roles. For this, start by grabbing the Object ID of the group from the identity provider.

[Screenshot: group ID]

Then return to Nanitor and go into Organization management.

[Screenshot: organization management]

Select Users on the left and click the SAML Permissions tab, then click on "Add SAML permission".

[Screenshot: SAML permission]

Select the identity provider name you chose above ("EntraID" in this example), the role you want to assign, and the Object ID you copied from the identity provider. Then click Add SAML. Repeat for every other permission you want to assign. If you leave the group ID blank, every user who logs in through that identity provider is assigned this role, regardless of group membership.

[Screenshot: permission screen]
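The permission table above works as a lookup from (identity provider, group ID) to role, with a blank group ID matching everyone. The added example below is illustrative code, not Nanitor's implementation: it pulls the multi-valued groups attribute out of a SAML assertion and applies such a table, showing the two edge cases the sections above warn about, a user whose assertion carries no group claim at all (they get only the blank-group default role) and a blank-group row (it applies to every user from that provider). The assertion is a constructed, unsigned sample reduced to its AttributeStatement; the group Object IDs, role names and the "EntraID" provider name are placeholders. The groups attribute name is the claim name Microsoft Entra ID emits for group membership.

```python
"""Map the groups claim of a SAML assertion to application roles.

Illustrative code only, not Nanitor's implementation. The assertion builder
produces a constructed, unsigned sample; in a real service provider the
assertion's XML signature is verified against the IdP's signing certificate
before any attribute in it is trusted."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Placeholder group Object IDs (made up, not real directory objects).
ADMIN_GROUP = "11111111-aaaa-4bbb-8ccc-000000000001"
OTHER_GROUP = "22222222-aaaa-4bbb-8ccc-000000000002"

# Rows of the "SAML permissions" table: (provider name, group Object ID or "" for everyone, role).
# Role names are hypothetical.
SAML_PERMISSIONS = [
    ("EntraID", "", "Read-only"),
    ("EntraID", ADMIN_GROUP, "Organization admin"),
]


def assertion_with_groups(groups) -> str:
    """Build a constructed, unsigned assertion carrying the given group IDs (none if empty)."""
    values = "".join(f"<AttributeValue>{g}</AttributeValue>" for g in groups)
    groups_attr = f'<Attribute Name="{GROUPS_CLAIM}">{values}</Attribute>' if groups else ""
    return f"""<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <Subject><NameID>user@example.test</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="{EMAIL_CLAIM}"><AttributeValue>user@example.test</AttributeValue></Attribute>
    {groups_attr}
  </AttributeStatement>
</Assertion>"""


def group_ids(assertion_xml: str) -> list:
    """Return every value of the groups attribute; [] when the IdP did not send the claim."""
    root = ET.fromstring(assertion_xml)
    ids = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                ids.append(value.text.strip())
    return ids


def roles_for(idp_name: str, assertion_xml: str, permissions=SAML_PERMISSIONS) -> set:
    """Roles granted to the user: rows for this provider whose group is blank or present in the claim."""
    groups = set(group_ids(assertion_xml))
    roles = set()
    for perm_idp, group, role in permissions:
        if perm_idp != idp_name:
            continue  # rows are scoped to the provider they were added under
        if group == "" or group in groups:  # blank group ID matches every user from this provider
            roles.add(role)
    return roles


if __name__ == "__main__":
    admin = assertion_with_groups([ADMIN_GROUP, OTHER_GROUP])
    no_claim = assertion_with_groups([])
    print("admin group member:", roles_for("EntraID", admin))
    print("no groups claim   :", roles_for("EntraID", no_claim))
```

Run it and the second line shows the effect of leaving the group claim disabled at the identity provider: with no groups in the assertion, the only row that can ever match is the blank-group one, so every user collapses to that default role.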

That's all, folks; you're all done. As always, if you have any issues or questions, reach out to our support team. The link to the ticketing system is in the footer of this site.