SSO is an enterprise feature that requires a valid license purchased from Ninox or a certified partner.
SAML- and OIDC-based single sign-on (SSO) gives collaborators access to your Ninox Private Cloud through an identity provider (IdP) of your choice.
With SSO enabled, collaborators log in through the familiar identity provider interface instead of the Ninox login page; after a successful login, their browser is forwarded to Ninox. Once SSO is enabled, Ninox's own login mechanism is deactivated and the IdP alone grants access to Ninox. In this way, authentication security is shifted to your IdP and coordinated with your other service providers.
Security Assertion Markup Language (SAML)
Example setup 1: SAML SSO with Okta
Example setup 2: SAML SSO with Azure AD
Example setup: OIDC SSO with Okta
Active Directory Domain Services (AD DS)
Documentation not yet available
Set up SSO for your Ninox server (Private Cloud or On-Premises) using SAML and a third-party app like Okta
SSO is an Enterprise feature available on request that requires a valid license purchased from Ninox or a certified partner.
We do not require you to use Okta to set up single sign-on with SAML.
However, we chose Okta to demonstrate a possible SAML setup with Ninox. Your setup may vary depending on which third-party app you use.
As of Ninox 3.6.9, you can assign roles to people or groups in your SAML integration and then merge existing roles in your Ninox server with the ones set up in a third-party app, like Okta.
Log in to Okta.
Click Applications in the left sidebar and select Applications (1) from the dropdown menu.
Click the Create App Integration (2) button.
In the Create a new app integration pop-up window, select SAML 2.0 (1) as Sign-in method. Click the Next (2) button to proceed.
On the Create SAML Integration page, in the General Settings tab, enter a name in the App name field. In this example it's Ninox SAML (1).
Click the Next (2) button to proceed.
In the Configure SAML tab, fill in the fields listed below.
Single sign on URL: The URL is a combination of the protocol https://, your Ninox server domain name (in this example, it's anastasiya.ninoxdb.de), and the path /ums/saml/consume, resulting in something like https://anastasiya.ninoxdb.de/ums/saml/consume (1). Replace the domain name with the domain name of your Ninox server.
Audience URI (SP Entity ID): ninox-saml (2)
Default RelayState: WEB (3)
Name ID format: EmailAddress (4)
Application username: Email (5)
Update application username on: Create and update (6) (default setting)
Group Attribute Statements (optional): Enter a name, e.g., roles, and set the Name format to Basic (7). Set the filter to Matches regex and enter .* (8).
2. For a preview of the SAML configuration, click the Preview the SAML assertion (1) button.
3. A new browser tab opens and shows a preview similar to the one below.
Remember the audience ninox-saml (1) and the attribute name roles (2); you'll need both again in your Ninox server setup.
4. Click the Next (1) button to proceed.
In the Feedback tab, respond to Are you a customer or partner? by selecting I’m an Okta customer adding an internal app (1).
Tick the box This is an internal app that we have created (2).
Click the Finish (3) button to confirm.
Make sure people have access to Ninox, either as members (paid by the owner) or as contributors (paid by themselves). If users cannot log in to Ninox, they won't be able to log in to your Ninox server using SSO.
Follow the steps below to either assign individual users or whole groups to your SAML integration.
On the new application page, click the Assignments (1) tab.
Click the Assign dropdown button, then select Assign to People (2).
3. A pop-up window opens. Select a user from the list to individually assign them to your app, then click Assign (1).
4. In a new pop-up window, click the Save and Go Back (1) button to return to the previous view.
5. In the previous pop-up window, the label Assigned (1) appears next to the selected user. Click the Done (2) button to close the pop-up.
Back on the application page, click the Assign dropdown button, then select Assign to Groups (1).
2. A pop-up window opens. Select a group from the list to individually assign it to your app, then click Assign (1).
3. The label Assigned (1) appears next to the selected group. Click the Done (2) button to return to the previous view.
On the new application page, in the Sign On tab, click the View SAML setup instructions (1) button.
A new browser tab opens to show SAML setup instructions.
Copy the Identity Provider Single Sign-On URL (1). This value corresponds to the following field in your Ninox server setup: Single Sign on URL (SSO URL). Refer to https://docs.ninox.com/en/private-cloud-on-premises/single-sign-on-sso/saml-single-sign-on-with-okta#step-2-transfer-saml-credentials
Copy the Identity Provider Issuer (2). This value corresponds to the following field in your Ninox server setup: Issuer. Refer to https://docs.ninox.com/en/private-cloud-on-premises/single-sign-on-sso/saml-single-sign-on-with-okta#step-2-transfer-saml-credentials
3. Click the Download certificate (1) button. A file named okta.cert is saved to your computer. This file corresponds to the following button in your Ninox server setup: IDP Certificate.
Log in to your Ninox Private Cloud or Ninox On-Premises as root user. In the example below we use a Private Cloud (1).
Click the gear icon (2) in the top-right corner to access the global settings.
From the dropdown menu, select Server Administration (3).
4. A new page opens. Click the Configuration (1) tab.
To automatically add users to a specific workspace (team), copy its team ID (1). In this example we use the same Private Cloud as mentioned in the steps above.
On the Server Configuration page, scroll down to Authentication Strategy, then select the SAML V2 (1) tab. Fill in the fields listed below and upload the certificate file from Okta.
Single Sign on URL (SSO URL): copy-paste the Identity Provider Single Sign-on URL, in this example https://dev-78357175.okta.com/app/dev-78357175_ninoxsaml_1/exk5s7f2zbbh9HGTh5d7/sso/saml (2)
Issuer: copy-paste the Identity Provider Issuer, in this example http://www.okta.com/exk5s7f2zbbh9HGTh5d7 (3)
IDP Certificate: upload the .cert file (4)
Audience: ninox-saml (5)
Session Duration (in days): 2 (6)
Auto Assign To Team: copy-paste the team ID, in this example p75h1me5ngr0grptq (7)
Property name of group attributes in SAML assertion: copy-paste the attribute name, in this example roles (8)
Roles To Be Excluded For Mapping: optional, in this example Everyone (9)
Role mapping strategy: select Merge SAML and Ninox roles (10)
Click the Setup SAML and Restart button (11) to confirm.
If the configuration was successful, the login with SSO will look similar to the one shown in the GIF below. In this example we use the same Private Cloud as above.
Setting up SSO for your Ninox server (Private Cloud or On-Premises) using SAML and Azure Active Directory
We do not require you to use Azure AD, but we use it to demonstrate a possible SAML setup with Ninox. Your setup may vary depending on which third-party app you use.
Microsoft Azure AD offers multiple options for single sign-on. In the following instructions we use SAML.
Log in with your account at the Azure AD portal.
At the top of the page, under Azure services, click the Azure Active Directory (1) icon. A new page opens.
On the Overview page, click the + Add (1) tab and select Enterprise application (2) from the dropdown menu. A new page opens.
On the Browse Azure AD Gallery page, click + Create your own application (3). A pop-up appears on the right half of the page.
On the right half of the page, under Create your own application, enter a name in the What’s the name of your app? (1) field, e.g., Ninox SAML.
Select Integrate any other application you don’t find in the gallery (Non-gallery) (2) under What are you looking to do with your application?.
Click the Create (3) button to confirm. A success message appears in the top-right corner of the page. The Overview page opens.
On the Overview page, click the Set up single sign on (1) tile. A new page opens.
On the Single sign-on page, under Select a single sign-on method, click the SAML (2) tile.
On the SAML-based sign-on page, under Set up Single Sign-On with SAML, click the Edit (1) icon to fill in the fields listed below.
(2) Identifier (Entity ID): Replace the default entry customappsso in the URL http://adapplicationregistry.onmicrosoft.com/customappsso/primary with ninoxsaml, resulting in something like http://adapplicationregistry.onmicrosoft.com/ninoxsaml/primary.
(3) Reply URL (Assertion Consumer Service URL): This URL is a combination of the protocol https://, your Ninox server domain name (in this example it's anastasiya.ninoxdb.de), and the path /ums/saml/consume, resulting in something like https://anastasiya.ninoxdb.de/ums/saml/consume. Replace the domain name with the domain name of your Ninox server.
(4) Sign on URL: This URL is a combination of the protocol https://, your Ninox server domain name (in this example it's anastasiya.ninoxdb.de), and the path /ums/saml/login, resulting in something like https://anastasiya.ninoxdb.de/ums/saml/login. Replace the domain name with the domain name of your Ninox server.
(5) Relay State: WEB
(6) Logout Url: This is optional and can be left blank.
Under the SAML Signing Certificate tile, click Certificate (Base64).
Click the Download button. The download starts.
Return to the Overview page and click the Assign users and groups (1) tile. A new page opens.
On the Users and groups page, click + Add user/group (2). A new page opens.
On the Add Assignment page, under Users, click None Selected (1).
On the right half of the page, under Users, users you previously created appear below. If you haven't created any users yet, refer to the Microsoft support article Add or delete users using Azure Active Directory.
Click the names of the users (2) you wish to add. Click the Select (3) button to proceed.
If groups are covered in your Active Directory plan level, you can assign groups in addition to users to your application.
On the right half of the page, under Users, click n user selected (1).
Click the Assign (2) button to confirm. A success message appears in the top-right corner of the page. The Users and groups page opens.
Copy the client credentials from Azure Active Directory to paste them in your Ninox server setup.
On the SAML-based sign-on page, under Set up Single Sign-On with SAML, visit the section Basic SAML Configuration and copy the Identifier (Entity ID) (1). The URL looks something like http://adapplicationregistry.onmicrosoft.com/ninoxsaml/primary.
On the same page, visit the section Set up Ninox SAML and copy the Login URL (2). The URL looks something like https://login.microsoftonline.com/e27eada0-11f1-4109-b4a5-1e22a03c95b8/saml2.
Log in to your Ninox Private Cloud or Ninox On-Premises.
Click the gear icon in the top-right corner.
Select Server Administration from the dropdown menu. A new page opens.
Click the Configuration tab.
On the Server Configuration page, under Authentication Strategy, click the SAML V2 (1) tab. Fill in the fields listed below.
(2) Single Sign on URL (SSO URL): paste the Login URL, refer to Retrieving SAML credentials from Azure AD
(3) Issuer: paste the Identifier (Entity ID), refer to Retrieving SAML credentials from Azure AD
(4) IDP Certificate: upload the .cert file, refer to Configuring SAML in Azure AD
(5) Audience: paste the Identifier (Entity ID), refer to Retrieving SAML credentials from Azure AD
(6) Session Duration (in days): 30
(7) AutoProvision Users: enable
Click the Save and Restart (8) button to confirm.
Before testing the authentication, make sure you're logged out of your Ninox Private Cloud or your Ninox On-Premises server.
Return to the Azure AD portal and visit the SAML-based Sign-on page.
Visit the section Test single sign-on with Ninox SAML and click the Test (1) button. A pop-up appears on the right half of the page.
On the Test single sign-on with Ninox SAML window, under Testing sign in, leave the default selection Sign in as current user (2), then click the Test sign in (3) button. A new page opens.
The new page opens onto your Ninox Private Cloud or Ninox On-Premises server and you're logged in automatically. If this fails, return to the section on Configuring SAML in Azure AD as well as Finishing SAML setup in your Ninox server setup and verify all fields are filled in correctly.
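Both SAML walkthroughs above (Okta and Azure AD) end with the same service-provider-side settings: an Audience the assertion must be addressed to, an e-mail NameID, and, in the Okta walkthrough, a group attribute (roles) whose values are filtered by regex on the IdP side, have excluded roles (Everyone) removed, and are merged with the user's existing Ninox roles. The following Python script is an added example and is not Ninox's, Okta's or Microsoft's code: it parses a constructed assertion shaped like the Okta preview, checks audience and NameID format against the configured values, extracts the group attribute, and applies the exclusion list and the "Merge SAML and Ninox roles" strategy as described on this page. Signature verification against the uploaded IDP Certificate, Issuer checks and the SSO URL exchange are out of scope; the issuer ID in the sample is a placeholder.

```python
"""
Added example (not Ninox's, Okta's or Microsoft's code): audience, NameID and
group-attribute handling for a SAML assertion, using the field values from
this page. Signature verification (done with the uploaded IDP Certificate)
is deliberately omitted; a real SP performs it before trusting any value here.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed assertion in the shape of the Okta preview: audience ninox-saml,
# e-mail NameID, and a "roles" group attribute. The issuer ID is a placeholder.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="id-constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER_ID</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>ninox-saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Editors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


class AssertionRejected(Exception):
    """Raised when the assertion does not match the SP configuration."""


def parse_assertion(xml_text, expected_audience, attribute_name, group_filter=r".*"):
    """Return (email, groups) or raise AssertionRejected.

    expected_audience is the Ninox 'Audience' field, attribute_name the
    'Property name of group attributes in SAML assertion' field, and
    group_filter the regex configured in Okta's group attribute statement.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise AssertionRejected("root element is not a SAML 2.0 Assertion")

    # Audience restriction: the assertion must be addressed to this SP.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise AssertionRejected("audience %r not in %r" % (expected_audience, audiences))

    # NameID must be an e-mail address, matching 'Name ID format: EmailAddress'.
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        raise AssertionRejected("NameID missing or not in emailAddress format")

    # Collect the values of the configured group attribute, applying the same
    # regex filter the IdP side was configured with (".*" passes everything).
    pattern = re.compile(group_filter)
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            if value.text and pattern.fullmatch(value.text):
                groups.append(value.text)
    return name_id.text, groups


def merge_roles(existing_ninox_roles, saml_groups, excluded=()):
    """'Merge SAML and Ninox roles': keep the user's existing Ninox roles and
    add every SAML group not on the exclusion list, without duplicates."""
    excluded = set(excluded)
    merged = list(existing_ninox_roles)
    for group in saml_groups:
        if group not in excluded and group not in merged:
            merged.append(group)
    return merged


def is_accepted(xml_text, expected_audience, attribute_name="roles"):
    """True if parse_assertion accepts the assertion for this audience."""
    try:
        parse_assertion(xml_text, expected_audience, attribute_name)
    except AssertionRejected:
        return False
    return True


if __name__ == "__main__":
    email, groups = parse_assertion(SAMPLE_ASSERTION, "ninox-saml", "roles")
    print(email, groups)
    print(merge_roles(["Editors", "Viewers"], groups, excluded=["Everyone"]))
```

Calling parse_assertion with an attribute name that is not present (the Azure AD walkthrough configures no group attribute) yields an empty group list, so merge_roles leaves the user's existing Ninox roles unchanged; an assertion addressed to a different audience is rejected outright, which is why the Audience value must match between the IdP and the Ninox server configuration.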
Set up SSO for your Ninox server (Private Cloud or On-Premises) using OIDC and a third-party app like Okta
We do not require you to use Okta to set up single sign-on with OIDC.
However, we chose Okta to demonstrate a possible OIDC setup with Ninox. Your setup may vary depending on which third-party app you use.
Log in to Okta.
Click Applications in the left sidebar and select Applications (1) from the dropdown menu.
Click the Create App Integration (2) button.
In the Create a new app integration pop-up window, select OIDC - OpenID Connect (1) as Sign-in method and Web Application (2) as Application type.
Click the Next (3) button to proceed.
On the New Web App Integration page, in the General Settings section, fill in the fields listed below.
(1) App integration name: enter a name. In this example it's anastasiya oidc test.
(2) Sign-in redirect URIs: The URI is a combination of the protocol https://, your Ninox server domain name (in this example it's anastasiya.ninoxdb.de), and the path /ums/oidc/callback, resulting in something like https://anastasiya.ninoxdb.de/ums/oidc/callback. Replace the domain name with the domain name of your Ninox server.
(3) Sign-out redirect URIs: The URI is the domain name of your Ninox server. In this example it's https://anastasiya.ninoxdb.de.
Select the Skip group assignment for now (4) radio button for Controlled access in the Assignments section.
Click the Save (5) button to confirm. A new page opens and a success message appears at the top of the page.
Make sure people have access to Ninox, either as members (paid by the owner) or as contributors (paid by themselves). If users cannot log in to Ninox, they won't be able to log in to your Ninox server using SSO.
Follow the steps below to either assign individual users or whole groups to your OIDC integration.
On the new application page, click the Assignments (1) tab.
Click the Assign (2) dropdown button and choose between Assign to People (3) and Assign to Groups.
If you chose Assign to People: in the pop-up window, select a user from the list to individually assign the user to your app and click Assign. Enter the desired information in the pop-up window, click the Save and Go Back button to confirm, then click the Done button to close the pop-up window.
If you chose Assign to Groups: in the pop-up window, select Everyone and click Assign, then click the Done button to close the pop-up window.
On the new application page, click the General (1) tab.
Under Client Credentials, copy the Client ID (2) and Client secret (3).
Click the Sign On (1) tab.
Under OpenID Connect ID Token, copy the Issuer (2) and Audience (3).
Log in to your Ninox Private Cloud or Ninox On-Premises.
Click the gear icon in the top-right corner.
Select Server Administration from the dropdown menu. A new page opens.
Click the Configuration tab.
On the Server Configuration page, under Authentication Strategy, click the Open Id tab. Fill in the fields listed below, then click the Save and Restart (8) button.
(1) Discovery Url: The URI is a combination of the protocol https://, your Ninox server domain name (in this example it's anastasiya.ninoxdb.de), and the path /.well-known/openid-configuration, resulting in something like https://anastasiya.ninoxdb.de/.well-known/openid-configuration.
(2) Client Id: paste from Okta, refer to Retrieving OIDC credentials from Okta
(3) Client Secret: paste from Okta, refer to Retrieving OIDC credentials from Okta
(4) Redirect Uris (Comma separated): The URI is your Ninox server domain. In this example it's https://anastasiya.ninoxdb.de.
(5) Scopes: email, openid
(6) Session Duration (in days): 2
(7) AutoProvision Users: enable
Click the Save and Restart (8) button to confirm.
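The Open Id settings above tie together a discovery document (served at the configured Discovery Url), the Issuer and Audience copied from Okta's Sign On tab, the Client Id, and the scopes email and openid. The following Python script is an added example, not Ninox's or Okta's code: it checks a constructed discovery document and a constructed set of ID-token claims against those settings and reports every mismatch, which is the kind of check to run when a login lands on an error after Save and Restart. Nothing is fetched from the network; the Okta issuer and client ID are placeholders, and the Audience shown under OpenID Connect ID Token is assumed here to equal the Client ID. Signature verification of the ID token against the keys at jwks_uri happens before any of these claim checks in a real relying party and is omitted.

```python
"""
Added example (not Ninox's or Okta's code): consistency checks for the OIDC
settings on this page, run against a constructed discovery document and a
constructed set of ID-token claims. In a real deployment the document is
retrieved from the configured Discovery Url and the ID token signature is
verified against jwks_uri before any claim below is trusted.
"""
import time

# Settings from the walkthrough. The issuer and client ID are placeholders for
# the values copied from Okta's General and Sign On tabs.
OKTA_ISSUER = "https://EXAMPLE_OKTA_DOMAIN.okta.com"   # placeholder
CLIENT_ID = "EXAMPLE_CLIENT_ID"                        # placeholder
REQUIRED_SCOPES = {"openid", "email"}                  # Scopes field: email, openid

# Constructed discovery document in the shape of an openid-configuration response.
SAMPLE_DISCOVERY = {
    "issuer": OKTA_ISSUER,
    "authorization_endpoint": OKTA_ISSUER + "/oauth2/v1/authorize",
    "token_endpoint": OKTA_ISSUER + "/oauth2/v1/token",
    "jwks_uri": OKTA_ISSUER + "/oauth2/v1/keys",
    "scopes_supported": ["openid", "email", "profile"],
    "response_types_supported": ["code", "id_token", "code id_token"],
}


def check_discovery(doc, expected_issuer, required_scopes):
    """Return a list of problems; an empty list means the document matches the configuration."""
    problems = []
    # The issuer in the document must be exactly the Issuer configured in Ninox.
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer mismatch: %r != %r" % (doc.get("issuer"), expected_issuer))
    # Every scope Ninox requests must be one the IdP advertises.
    missing = set(required_scopes) - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not supported by IdP: " + ", ".join(sorted(missing)))
    # A Web Application integration uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not offered")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append("%s missing or not https" % key)
    return problems


def check_id_token_claims(claims, expected_issuer, client_id, now=None):
    """Claim checks a relying party performs after the token signature is verified."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss does not match configured issuer")
    # aud may be a single string or a list; the client ID must be among them.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        problems.append("aud does not contain client id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    # The email scope is requested so that the user can be matched to a Ninox account.
    if not claims.get("email"):
        problems.append("email claim missing; email scope not granted")
    return problems


def decide_login(doc, claims, expected_issuer, client_id, required_scopes, now=None):
    """Combine both checks and return (accepted, problems)."""
    problems = check_discovery(doc, expected_issuer, required_scopes)
    problems += check_id_token_claims(claims, expected_issuer, client_id, now)
    return (not problems), problems


if __name__ == "__main__":
    sample_claims = {"iss": OKTA_ISSUER, "aud": CLIENT_ID,
                     "exp": time.time() + 3600, "email": "alice@example.com"}
    print(decide_login(SAMPLE_DISCOVERY, sample_claims, OKTA_ISSUER, CLIENT_ID, REQUIRED_SCOPES))
```

The problem list is kept as plain strings so that it can be dropped into a server log line; a single mismatch in issuer or audience is enough to reject the login, which is why the Issuer and Audience values must be copied from Okta exactly as shown rather than retyped.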