
GO Workforce service options

This article gives an overview of the different ways to fetch user data from the customer into the GO Workforce service. It also describes how to federate a customer Service Provider with the service using SAML.

User catalogue options

These are the sources from which user data can be fetched and then created as users in the GO Workforce service.

LDAP

When using LDAP as the user creation/management option, you must install the Nexus Smart ID Agent on a system inside your network. The agent contacts the GO Services backend over an outbound TLS connection, so no VPN is needed.

Prerequisites

  • Java Runtime 11 (any OpenJDK-based JRE 11 distribution works, for example Microsoft's build of OpenJDK)

  • Outbound TCP 443 (TLS/HTTPS) to the Internet

  • An internal server or workstation that can reach the LDAP directory on TCP 389. Note that LDAP on port 389 is cleartext unless StartTLS is negotiated on the connection, so the agent and the directory should sit on a trusted internal network segment.

Installation

You will receive the Smart ID Agent (a Java application) from the GO Services delivery team, with all the configuration you need included.

To start the Smart ID Agent, run the supplied Windows batch file or shell script.

Runtime

The Smart ID Agent must run continuously: synchronization only happens while the agent is running, and directory changes are not transferred to the GO Services backend while it is down.

Smart ID Agent on Windows

Examples for the Smart ID Agent on Windows:

Example 1.
You can run it as a scheduled task that is executed at startup using the Task Scheduler in Windows. Information about the Task Scheduler can be found here: https://learn.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler

Example 2.
You can use open-source service-wrapper software to register the Java application as a Windows service that starts at system startup.

Smart ID Agent on Linux

Register the Smart ID Agent as a system service (for example a systemd unit) so that it starts on every boot and is restarted if it stops.

Whichever approach you choose, the account running the agent must have write access to the folder the agent is executed from, because the logs are written there; without it, startup fails. Run the agent under a dedicated, unprivileged service account rather than an administrator or root account, so that its access is limited to what it actually needs.
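The prerequisite and runtime steps above, as one added example for the Linux case (this is not part of the Nexus delivery): a pre-flight check of the three prerequisites (Java 11, outbound TCP 443, TCP 389 to the directory) and a systemd unit that runs the agent as a dedicated unprivileged account, with its working directory set to the agent folder so the logs can be written, and restarts it if it stops. The install folder, account name, host names and the name of the delivered shell script are assumptions; substitute the values from your delivery.

```shell
#!/usr/bin/env bash
# Added example, not part of the Nexus delivery: pre-flight checks for the agent
# prerequisites and a hardened systemd unit that keeps the Smart ID Agent running
# as a dedicated unprivileged account. All paths, host names and the script name
# are assumptions; replace them with the values from your delivery.
set -u

AGENT_DIR="${AGENT_DIR:-/opt/smartid-agent}"          # assumed install folder; logs land here
AGENT_USER="${AGENT_USER:-smartid-agent}"             # assumed dedicated service account
AGENT_SCRIPT="${AGENT_SCRIPT:-start.sh}"              # assumed name of the delivered shell script
LDAP_HOST="${LDAP_HOST:-ldap.corp.example}"           # assumed internal directory host
BACKEND_HOST="${BACKEND_HOST:-backend.example.com}"   # placeholder for the GO Services backend host

# Major version from the first line of `java -version` output. Handles the legacy
# "1.8.0_392" scheme (-> 8) as well as the modern "11.0.22" / "17" schemes (-> 11 / 17).
java_major() {
  jm_ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  case "$jm_ver" in
    1.*) printf '%s\n' "$jm_ver" | cut -d. -f2 ;;
    *)   printf '%s\n' "$jm_ver" | cut -d. -f1 ;;
  esac
}

# TCP reachability without extra tooling (bash /dev/tcp), 5 second timeout.
tcp_open() {  # tcp_open HOST PORT
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check the three prerequisites: Java 11, outbound 443 to the backend, 389 to the directory.
preflight() {
  pf_rc=0
  pf_java=$(java -version 2>&1 | head -n1)
  [ "$(java_major "$pf_java")" = 11 ] || { echo "WARN: Java 11 required, found: $pf_java"; pf_rc=1; }
  tcp_open "$BACKEND_HOST" 443 || { echo "WARN: no outbound TCP 443 to $BACKEND_HOST"; pf_rc=1; }
  tcp_open "$LDAP_HOST" 389    || { echo "WARN: cannot reach $LDAP_HOST on TCP 389 (LDAP)"; pf_rc=1; }
  return $pf_rc
}

# Render the unit. WorkingDirectory is the agent folder because logs are written next to
# the script; ProtectSystem=strict makes the rest of the filesystem read-only and
# ReadWritePaths re-opens only that folder. Restart=always covers crashes; the [Install]
# section covers reboots.
render_unit() {  # render_unit AGENT_DIR AGENT_USER AGENT_SCRIPT
  cat <<EOF
[Unit]
Description=Nexus Smart ID Agent (GO Workforce directory synchronization)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=$2
Group=$2
WorkingDirectory=$1
ExecStart=$1/$3
Restart=always
RestartSec=15
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=$1
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Install (run as root): create the account, give it the agent folder, enable at boot.
install_service() {
  id "$AGENT_USER" >/dev/null 2>&1 || \
    useradd --system --user-group --home-dir "$AGENT_DIR" --shell /usr/sbin/nologin "$AGENT_USER"
  chown -R "$AGENT_USER:$AGENT_USER" "$AGENT_DIR"
  chmod 750 "$AGENT_DIR" "$AGENT_DIR/$AGENT_SCRIPT"
  render_unit "$AGENT_DIR" "$AGENT_USER" "$AGENT_SCRIPT" > /etc/systemd/system/smartid-agent.service
  systemctl daemon-reload
  systemctl enable --now smartid-agent.service
}

# Usage: smartid-agent-setup.sh            print the unit that would be installed
#        smartid-agent-setup.sh check      run the prerequisite checks
#        sudo smartid-agent-setup.sh install
case "${1:-}" in
  check)   preflight ;;
  install) preflight && install_service ;;
  *)       render_unit "$AGENT_DIR" "$AGENT_USER" "$AGENT_SCRIPT" ;;
esac
```

After installation, `systemctl status smartid-agent.service` and `journalctl -u smartid-agent.service` show whether the agent came up, and `systemd-analyze security smartid-agent.service` scores the sandboxing directives. If startup fails with a permission error, check that the account owns the agent folder, since that is where the logs are written.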

Limitations

Nexus GO Services is responsible for delivering an application that runs: a manual test is usually performed by running the batch file or shell script and verifying its functionality. Nexus does not set up or alter anything in the customer environment; the customer is responsible for installing and operating the application.

Synchronization

When synchronizing against an LDAP directory, the following life-cycle management logic is applied.

  • Users are keyed on a unique identifier (such as the objectGUID in Active Directory) rather than on their distinguished name, so that a move between OUs is tracked as the same user.

  • An Organizational Unit (OU) for active users is used.

  • An Organizational Unit (OU) for inactive users is used.

  • When a user is moved into the inactive OU, it is deactivated in GO Services together with all certificates and credentials connected to it.

  • If a user is deleted from the active OU instead of being moved, it is considered an orphan and is no longer life-cycle managed: its certificates and credentials are not deactivated automatically. If this happens by mistake, restore the deleted user in the directory and move it into the inactive OU so that the deactivation is triggered.
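The life-cycle rules above, as an added example that is not the Smart ID Agent's own code: a dry-run reconciliation between the last known state and a fresh directory export, which makes the difference between "moved into the inactive OU" (deactivate) and "deleted outright" (orphan, nothing deactivated) visible before anything is changed. The OU names, GUIDs and the two text formats are constructed for this example, and the "reactivate" and "out-of-scope" actions are assumptions, since the page does not state what happens in those two cases.

```shell
#!/usr/bin/env bash
# Added example, not the Smart ID Agent's own code: a dry run of the life-cycle rules as a
# reconciliation between the last known state and a fresh directory export. OU names,
# GUIDs and the two text formats are constructed for this example.
set -u

ACTIVE_OU="OU=Active Users,DC=example,DC=com"
INACTIVE_OU="OU=Inactive Users,DC=example,DC=com"

# reconcile PREV_STATE CURRENT_EXPORT
#   PREV_STATE:     "objectGUID<TAB>status" per known user (status: active|inactive)
#   CURRENT_EXPORT: "objectGUID<TAB>distinguishedName" per object currently in the directory
# Prints "objectGUID action". The GUID, not the DN, is the key, so a move between OUs is
# seen as the same user changing state rather than as one deletion plus one creation.
reconcile() {
  awk -v aou="$ACTIVE_OU" -v iou="$INACTIVE_OU" '
    BEGIN { FS = "\t" }
    FILENAME == ARGV[1] { prev[$1] = $2; next }       # first file: previously known users
    {
      seen[$1] = 1
      if (index($2, "," iou) > 0)      ou = "inactive"
      else if (index($2, "," aou) > 0) ou = "active"
      else                             ou = "other"

      if (ou == "inactive") {
        # moved into the inactive OU: deactivate the user with all certificates/credentials
        if (($1 in prev) && prev[$1] == "active") print $1, "deactivate"
        else                                      print $1, "none"
      } else if (ou == "active") {
        if (!($1 in prev))               print $1, "create"
        else if (prev[$1] == "inactive") print $1, "reactivate"    # assumption: not stated on the page
        else                             print $1, "none"
      } else {
        print $1, "out-of-scope"   # assumption: objects outside both OUs are not provisioned
      }
    }
    END {
      # Known users missing from the export entirely were deleted, not moved: they become
      # orphans. Nothing is deactivated, so their certificates and credentials stay valid
      # until the object is restored and moved into the inactive OU.
      for (g in prev) if (!(g in seen)) print g, "orphan"
    }
  ' "$1" "$2"
}

# Constructed sample: state after the previous run, then an export taken after
# Bob was moved to the inactive OU, Erin was created and Carol was deleted outright.
PREV=$(mktemp); CURR=$(mktemp)
trap 'rm -f "$PREV" "$CURR"' EXIT
printf '%s\t%s\n' \
  guid-alice active \
  guid-bob   active \
  guid-carol active \
  guid-dave  inactive > "$PREV"
printf '%s\t%s\n' \
  guid-alice "CN=Alice,OU=Active Users,DC=example,DC=com" \
  guid-bob   "CN=Bob,OU=Inactive Users,DC=example,DC=com" \
  guid-erin  "CN=Erin,OU=Active Users,DC=example,DC=com" \
  guid-dave  "CN=Dave,OU=Inactive Users,DC=example,DC=com" > "$CURR"

reconcile "$PREV" "$CURR"
```

For the constructed data the run yields `guid-bob deactivate`, `guid-erin create`, `guid-carol orphan` and `none` for Alice and Dave. The Carol case is the one to watch for operationally: a helpdesk that deletes leavers instead of moving them leaves their certificates and credentials outside life-cycle management.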

API

The API option for user creation and management is a REST API. For more information, see Identity Manager Process REST API.

Manual/CSV

Manual and CSV-based user creation have no technical prerequisites. A CSV template is provided by the GO Services team.

User federation options

SAML Federation

With SAML 2.0 federation, the customer's Service Provider (SP) is federated with the GO Services Identity Provider (IdP): GO Services authenticates the user and issues the SAML assertion that the customer SP consumes.

Metadata information

  • SP metadata from the customer can be provided as a SAML metadata XML file or entered manually.

  • IdP metadata is provided by Nexus as a standard SAML metadata XML file.

Required customer information

When federating with SAML, the following information is required from the customer:

  • Entity ID

  • Service Provider URL (the SP endpoint that receives the SAML response; in SAML terms usually the Assertion Consumer Service URL)

Signed authentication requests

Nexus requires signed authentication requests (AuthnRequests) from the SP. To achieve that, the customer must set the following values in the SP environment that is being federated:

  • Sign Assertion: True

  • Signing Digest Method: SHA256

  • Digest Method: SHA256
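Before sending the SP metadata to Nexus, it is worth checking that it actually carries the two values requested above and declares signed authentication requests. The script below is an added example, not Nexus tooling: it extracts the Entity ID and the Assertion Consumer Service URL, and fails if the SP does not declare `AuthnRequestsSigned="true"`, publishes no signing certificate, or (where the metadata itself is signed) still uses SHA-1. The mapping of the page's setting names to metadata attributes (`AuthnRequestsSigned` for signed requests, `WantAssertionsSigned` for "Sign Assertion") is an assumption about the customer's SP software, and the sample metadata and certificate text are constructed. It is a line-oriented sanity check, not an XML parser; validate the real file with an XML-aware tool as well.

```shell
#!/usr/bin/env bash
# Added example, not Nexus tooling: sanity-check SP metadata before handing it to Nexus.
# Extracts the Entity ID and ACS URL and verifies signed-request settings. The metadata
# below is constructed; the certificate value is a placeholder, not a real certificate.
set -u

# First value of ATTRIBUTE on ELEMENT (with or without the md: prefix). Line-oriented:
# assumes the attribute sits on the same line as its element, as most exporters write it.
attr() {  # attr FILE ELEMENT ATTRIBUTE
  sed -n "s/.*<\(md:\)\{0,1\}$2[^>]*[[:space:]]$3=\"\([^\"]*\)\".*/\2/p" "$1" | head -n1
}

# Print a summary and return 1 if anything Nexus needs is missing or weak.
check_sp_metadata() {  # check_sp_metadata FILE
  cf=$1; crc=0
  entity=$(attr "$cf" EntityDescriptor entityID)
  acs=$(attr "$cf" AssertionConsumerService Location)
  signed=$(attr "$cf" SPSSODescriptor AuthnRequestsSigned)
  echo "Entity ID:            ${entity:-<missing>}"
  echo "Service Provider URL: ${acs:-<missing>}"
  [ -n "$entity" ] && [ -n "$acs" ] || crc=1
  if [ "$signed" = "true" ]; then
    echo "AuthnRequestsSigned:  true"
  else
    echo "AuthnRequestsSigned:  ${signed:-not set} (Nexus requires signed authentication requests)"; crc=1
  fi
  # A KeyDescriptor without use= covers both signing and encryption.
  if grep -Eq '<(md:)?KeyDescriptor( use="signing")?>' "$cf"; then
    echo "Signing certificate:  present"
  else
    echo "Signing certificate:  missing"; crc=1
  fi
  # Only checkable when the metadata itself is signed: flag SHA-1 digest/signature methods.
  if grep -q 'DigestMethod' "$cf" && grep -Eq '#(rsa-)?sha1"' "$cf"; then
    echo "Digest/signature method: SHA-1 found, SHA-256 is required"; crc=1
  fi
  return $crc
}

# Constructed sample metadata: a compliant SP and a copy with signing removed.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>BASE64-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
sed -e 's/ AuthnRequestsSigned="true"//' -e '/<md:KeyDescriptor/,/<\/md:KeyDescriptor>/d' "$GOOD" > "$BAD"

echo "== compliant SP metadata =="; check_sp_metadata "$GOOD" || echo "FAIL"
echo "== SP metadata without request signing =="; check_sp_metadata "$BAD" || echo "FAIL"
```

Run it against the exported metadata file (`check_sp_metadata sp-metadata.xml`) and send Nexus the Entity ID and Service Provider URL it prints; if the second check fails on your real export, fix the SP configuration before exchanging metadata rather than after the first failed login.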


Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.