Note: To set it up, you need admin rights in nuwacom and access to your identity provider.
Activate Single Sign-On
First, activate SSO and specify for which email domains login via your identity provider should apply.

- Open the Workspace Settings.
- Go to SSO & User Sync.
- Activate the toggle Enable SSO.
- Enter the domain for which SSO should apply under Email Domains.
- Then select the appropriate provider type to connect your identity provider to nuwacom via OpenID Connect (OIDC) or SAML 2.0.
OpenID Connect (OIDC)
If you select OpenID Connect (OIDC), enter the connection details of your identity provider. Enter the following values:

| Field | Description |
|---|---|
| Discovery URL | The discovery URL of your identity provider. |
| Client ID | The client ID of the application from your identity provider. |
| Client Secret | The client secret of the application from your identity provider. |
SAML 2.0
If you select SAML 2.0, enter the metadata of your identity provider. You can enter the metadata in two ways:

| Option | Description |
|---|---|
| URL | Enter the metadata URL of your identity provider. |
| XML | Paste the metadata XML directly into the text field. |

The following values are provided by nuwacom and must be entered in your identity provider:

| Value | Description |
|---|---|
| ACS URL | The URL to which your identity provider sends the SAML response. |
| SP Entity ID | The unique identifier of nuwacom as service provider. |
Advanced Settings
In the Advanced Settings you define how external attributes from your identity provider are mapped to user attributes in nuwacom. Open the Advanced Settings section and check the attribute mapping. By default, for example, the following mappings may be set:

| Claim from IdP | User Attribute |
|---|---|
| given_name | firstName |
| family_name | lastName |

The sync mode determines when the mapped attributes are written to the nuwacom user:

| Sync Mode | Description |
|---|---|
| Force | Attributes are overwritten at every login. |
| Import | Attributes are only imported at the first login. |
| Legacy | Existing sync mode for older configurations. |
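The following illustration shows how the attribute mapping and the Force and Import sync modes described above behave on a first login versus a later login. It is example code added for this page, not nuwacom's implementation; the page does not define what the Legacy mode does, so the example rejects it rather than guessing.

```python
"""Illustration (not nuwacom's code) of attribute mapping with sync modes."""

from typing import Dict, Optional

# Default mapping shown on the page: IdP claim -> nuwacom user attribute
DEFAULT_MAPPING = {"given_name": "firstName", "family_name": "lastName"}


def apply_sync(
    existing: Optional[Dict[str, str]],
    claims: Dict[str, str],
    mode: str,
    mapping: Dict[str, str] = DEFAULT_MAPPING,
) -> Dict[str, str]:
    """Return the user's attributes after a login.

    existing: the stored user record, or None on the very first login.
    claims:   the claims received from the IdP for this login.
    mode:     "Force"  -> mapped attributes are overwritten at every login.
              "Import" -> mapped attributes are written only at the first login.
    """
    if mode not in ("Force", "Import"):
        # "Legacy" exists for older configurations; its rules are not
        # specified on the page, so refuse instead of guessing (assumption).
        raise ValueError(f"unsupported sync mode: {mode}")

    first_login = existing is None
    user = dict(existing or {})
    for claim, attribute in mapping.items():
        if claim not in claims:
            continue  # IdP did not send this claim; leave the attribute as it is
        if mode == "Force" or first_login:
            user[attribute] = claims[claim]
    # Claims that are not in the mapping are ignored entirely.
    return user


if __name__ == "__main__":
    # Constructed sample claims for a user whose last name changed in the IdP.
    stored = apply_sync(None, {"given_name": "Ada", "family_name": "Lovelace"}, "Import")
    changed = {"given_name": "Ada", "family_name": "King"}
    print("Import:", apply_sync(stored, changed, "Import"))
    print("Force: ", apply_sync(stored, changed, "Force"))
```

With Import, a name changed in the IdP after the first login never reaches nuwacom; with Force it does on the next login. This is why a mismatch between what the IdP shows and what nuwacom shows is often a sync mode question rather than a mapping error.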
Activate SCIM User Sync
With SCIM, you automatically synchronize users from your identity provider to nuwacom.

- Activate the toggle Enable SCIM User Sync.
- Copy the displayed SCIM Endpoint URL and enter it in your identity provider.
- Click Generate Token to create a bearer token.
- Copy the bearer token and enter it in your identity provider for the SCIM connection.
Important: Treat the bearer token like a password. Do not share it publicly and store it only in secure locations.
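To show why the bearer token deserves password-like handling, here is an added example of how a SCIM endpoint can issue such a token and verify it without ever storing the plain token. This is illustration code written for this page, not nuwacom's implementation; it assumes the token is presented in an HTTP `Authorization: Bearer` header and that only a SHA-256 digest of the token is kept on the server.

```python
"""Illustration (not nuwacom's code) of issuing and verifying a SCIM bearer token."""

import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def generate_token() -> Tuple[str, str]:
    """Create a random bearer token and the digest kept on the server.

    The plain token is shown once to the admin (to paste into the IdP) and
    then discarded; only the digest is stored, so a leaked database does
    not leak usable tokens.
    """
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    return token, hashlib.sha256(token.encode()).hexdigest()


def verify_bearer(headers: Dict[str, str], stored_digest: str) -> bool:
    """Return True only if the request carries the current valid token.

    A rotated token simply replaces stored_digest, which invalidates the
    old one; this is the 'is the token still valid' check from the
    troubleshooting section, seen from the service side.
    """
    auth = headers.get("Authorization") or headers.get("authorization", "")
    scheme, _, presented = auth.partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison avoids leaking how many digest characters match.
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    token, digest = generate_token()
    print("token to paste into the IdP (shown once):", token)
    print("accepted:", verify_bearer({"Authorization": f"Bearer {token}"}, digest))
    print("rejected:", verify_bearer({"Authorization": "Bearer wrong"}, digest))
```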
Role Mapping
Through Role Mapping you define which IdP roles or IdP groups correspond to which workspace roles in nuwacom.

- In the Role Mapping section, click Add Rule.
- Enter the name of the role or group from your identity provider.

Assign one of the following workspace roles to the rule:

| Role | Description |
|---|---|
| Administrator | Has full access to the workspace and settings. |
| Editor | Can create and edit content. |
| Reader | Can read shared content. |
Note: The first matching rule is applied. Users without a matching rule will not have access to the workspace if no fallback rule is defined.
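The first-match rule above has a consequence worth seeing in code: for a user who is in several IdP groups, the order of the rules decides the role, and without a fallback rule a user matching nothing gets no access at all. The following is an added example written for this page, not nuwacom's implementation; it assumes IdP role/group names in rules are compared exactly (case-sensitive) against the names sent by the IdP.

```python
"""Illustration (not nuwacom's code) of first-match role mapping with a fallback."""

from typing import Iterable, List, Optional, Tuple

# Workspace roles listed on the page.
WORKSPACE_ROLES = ("Administrator", "Editor", "Reader")

# A rule pairs an IdP role/group name with a nuwacom workspace role.
Rule = Tuple[str, str]


def resolve_role(
    idp_names: Iterable[str],
    rules: List[Rule],
    fallback: Optional[str] = None,
) -> Optional[str]:
    """Return the workspace role for a user, or None if access is denied.

    idp_names: roles/groups the IdP reports for the user.
    rules:     mapping rules in the order they are configured.
    fallback:  role granted when no rule matches, or None for no fallback.
    """
    for _, role in rules:
        if role not in WORKSPACE_ROLES:
            raise ValueError(f"unknown workspace role in rule: {role}")
    if fallback is not None and fallback not in WORKSPACE_ROLES:
        raise ValueError(f"unknown fallback role: {fallback}")

    names = set(idp_names)  # exact-match comparison is an assumption
    for idp_name, role in rules:
        if idp_name in names:
            return role  # first matching rule wins; later rules are ignored
    return fallback  # None means: no access to the workspace


if __name__ == "__main__":
    # Constructed rules: admins first, then all staff as editors.
    rules = [("sso-admins", "Administrator"), ("staff", "Editor")]
    print(resolve_role(["staff", "sso-admins"], rules))  # Administrator
    print(resolve_role(["staff"], rules))                # Editor
    print(resolve_role(["guests"], rules))               # None: denied
    print(resolve_role(["guests"], rules, "Reader"))     # Reader via fallback
    # Same groups, rules reversed: the Editor rule now shadows the admin rule.
    print(resolve_role(["staff", "sso-admins"], list(reversed(rules))))  # Editor
```

When checking why a user landed in the wrong role, look at the rule order before the group memberships: a broad rule such as "staff" placed above a narrow one silently shadows it.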
Team Sync
If you want to use SCIM groups also as user groups in nuwacom, activate Sync SCIM groups as teams. nuwacom will then automatically create and update user groups based on SCIM group memberships.
Troubleshooting
SSO login is not working. What should I check?
Make sure that the email domain is entered correctly and that SSO is activated for this domain. Also verify that the required values are configured exactly in your identity provider:
- For OIDC: Redirect URI
- For SAML: ACS URL and SP Entity ID
Users are not redirected to the identity provider. What could be the reason?
Check whether the user’s email domain is registered in nuwacom. Automatic redirection only works for users whose email domain matches a domain configured for SSO.
A user does not have access to the workspace. What should I check?
Verify that a matching role mapping exists for the user. If no mapping rule applies and no fallback rule is defined, the user will not be granted access to the workspace.
Users are not synchronized via SCIM. What should I check?
Make sure that SCIM user sync is activated. Also check whether the SCIM endpoint URL is entered correctly in your identity provider and whether the bearer token is still valid.
Groups are not imported as user groups in nuwacom. What should I check?
Check whether Synchronize SCIM Groups as User Groups is activated. Also verify that group memberships are correctly maintained in your identity provider and transferred via SCIM.
Changes from the identity provider do not appear in nuwacom. What should I check?
Synchronization is triggered by your identity provider. Check there whether the change was successfully sent to nuwacom. Also make sure that SCIM is active and that the connection to nuwacom is working.
Attributes such as first name, last name, or email are not imported correctly. What should I check?
Open the Advanced Settings and verify the attribute mapping. Make sure that the claims from your identity provider are mapped to the correct user attributes in nuwacom.