SAML/SSO Setup Guide
This document guides IT Administrators on how to connect the nLink Workspace with an enterprise Identity Provider (IdP) such as Okta, Azure Active Directory, or Google Workspace via the SAML 2.0 protocol.
How it works (2-Way Trust)
Setting up SSO requires a 2-way exchange of information between nLink and your Identity Provider (IdP):
- nLink needs to know about your IdP: To know where to redirect users for login and which key to use to verify them.
- Your IdP needs to know about nLink: To know where to send the login result (ACS URL) back to nLink.
Step 1: Obtain Configuration from IdP
Before configuring nLink, the administrator needs to create a SAML Application on the organization's Identity Provider (IdP) system:
- Log in to the Admin Console of Okta or Azure AD.
- Create a new SAML 2.0 Application.
- Complete the basic setup steps. Once the application is created, the IdP system will provide a configuration file known as the IdP Metadata XML.
- Copy the entire content of this XML file to use in the next step.
Step 2: Automatic Configuration on nLink
nLink provides an automated XML parsing tool that helps administrators quickly extract security parameters without manual configuration.
- Log in to your nLink Workspace, navigate to Settings -> SAML/SSO.
- Enable the "Enable SAML SSO for this Workspace" toggle.
- Declare your trusted domains in the Domain Whitelist (e.g., @yourcompany.com). The system will automatically route email addresses with this suffix through the IdP login portal.
- In the Import from IdP Metadata XML section, click the [Import XML] button.
- Paste the entire XML content copied from Step 1 into the text area.
- Click [Parse & Auto-fill] to let the system process it automatically.
Click [Save Configuration] to save your settings.
Step 3: Establish Connection from IdP (Trust Relationship)
After saving the configuration, nLink will automatically generate the Endpoint URLs under the Service Provider Setup section. Use this information to configure the application in Okta/Azure AD to establish a trusted connection:
- Return to the SAML App on the Okta/Azure AD platform.
- Locate the Single Sign-On URL (ACS URL) or Reply URL field:
  - Copy the ACS URL provided by nLink (e.g., https://app.yourdomain.com/api/v1/saml/acs/1) and paste it into the corresponding field.
- Locate the Audience URI (Entity ID) or Identifier field:
  - Copy the Entity ID provided by nLink (e.g., https://app.yourdomain.com/api/v1/saml/metadata/1) and paste it into the corresponding field.
- Ensure the User Identity Attribute (NameID Format) is set to EmailAddress.
- Save the configuration and assign application access to the users or groups within your organization.
Completion & Just-in-Time Provisioning (JIT)
The Single Sign-On system has been successfully integrated. From this point forward, when users access nLink using an email that matches the configured Domain Whitelist, the system will automatically route the authentication process through Okta/Azure. Upon successful authentication, nLink will automatically create a new account in real-time (Just-in-Time Provisioning) and grant access to the Workspace.
Zero-Trust Policy: By default, all newly provisioned SSO users are granted the VIEWER role. They can view workflows but cannot modify or execute them. A Workspace Administrator must manually elevate their permissions to MEMBER or ADMIN when needed.
