SAML/SSO Setup Guide
This document guides IT Administrators on connecting an nLink Workspace with an enterprise Identity Provider (IdP)—such as Okta, Azure Active Directory, or Google Workspace—via the SAML 2.0 protocol.
How It Works (2-Way Trust)
Setting up SSO requires a two-way information exchange between nLink and your Identity Provider (IdP):
- nLink needs to know about your IdP: To determine where to redirect users for login and which key to use for verification.
- Your IdP needs to know about nLink: To determine where to send the login result (ACS URL) back to nLink.
Step 1: Obtain Configuration from the IdP
Before configuring nLink, the administrator must create a SAML Application within the organization's Identity Provider (IdP) system:
- Log in to the Admin Console of Okta or Azure AD.
- Create a new SAML 2.0 Application.
- Complete the basic setup steps. Once the application is created, the IdP system will provide a configuration file known as the IdP Metadata XML.
- Copy the entire content of this XML file for use in the next step.
Step 2: Automatic Configuration in nLink
nLink provides an automated XML parsing tool that helps administrators quickly extract security parameters, eliminating the need for manual configuration.
- Log in to your nLink Workspace, navigate to Settings -> SAML/SSO.
- Enable the Enable SAML SSO for this Workspace toggle.
- Declare your trusted domains in the Domain Whitelist (e.g., @yourcompany.com). The system will automatically route email addresses with this suffix through the IdP login portal.
- In the Import from IdP Metadata XML section, click the [Import XML] button.
- Paste the entire XML content copied from Step 1 into the text area.
- Click [Parse & Auto-fill] to let the system process it automatically.
Click [Save Configuration] to save your settings.
Step 3: Establish the Connection from the IdP (Trust Relationship)
After saving the configuration, nLink automatically generates the Endpoint URLs under the Service Provider Setup section. Use this information to configure the application in Okta/Azure AD to establish a trusted connection:
- Return to the SAML App on the Okta/Azure AD platform.
- Locate the Single Sign-On URL (ACS URL) or Reply URL field:
  - Copy the ACS URL provided by nLink (e.g., https://app.yourdomain.com/api/v1/saml/acs/1) and paste it into the corresponding field.
- Locate the Audience URI (Entity ID) or Identifier field:
  - Copy the Entity ID provided by nLink (e.g., https://app.yourdomain.com/api/v1/saml/metadata/1) and paste it into the corresponding field.
- Ensure the User Identity Attribute (NameID Format) is set to EmailAddress.
- Save the configuration and assign application access to the users or groups within your organization.
Completion & Just-in-Time (JIT) Provisioning
The Single Sign-On system is now successfully integrated. When users access nLink using an email matching the configured Domain Whitelist, the system will automatically route the authentication process through Okta/Azure. Upon successful authentication, nLink will automatically create a new account in real time (Just-in-Time Provisioning) and grant access to the Workspace.
Zero-Trust Policy: By default, all newly provisioned SSO users are granted the VIEWER role. They can view workflows but cannot modify or execute them. A Workspace Administrator must manually elevate their permissions to MEMBER or ADMIN as needed.
