Comments (14)
Hi again, thank you so much for your answers. Finally my problem was solved after I cloned it again; I think the problem, as you said, was samlKeystore.jks.
from nexus-sso.
Hi,
This menu item is only available in the Nexus PRO version, so you should follow SAML.md instead of "Configure Sonatype Platform". I have clarified this point in README.md:
SAML/SSO authentication may be configured with environment variables in the .env file; for more flexible settings, changes can be made directly to shiro.ini (variable interpolation is supported). However, this also requires that the configuration files of the service provider (e.g., sp-metadata.xml) and the identity provider (e.g., metadata-okta.xml or metadata-keycloak.xml) be passed to the container. For examples of creating SAML configurations, see "Keycloak SAML integration with Nexus application" (except "Configure Sonatype Platform"; follow SAML.md instead).
from nexus-sso.
Hi again, thanks for your response. I configured those files but faced a 500 Internal Server Error. I'm using Keycloak version 19 as my IdP, and it doesn't make a request to my IdP when I click on Single SSO.
This is my env:
PAC4J_BASE_URL="${PAC4J_BASE_URL:-https://nexus.mydomain.com}"
sp-metadata.xml:
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_84f5d7fa7c4d42a6b1be2ad565c324fdfcb01f9" entityID="https://keycloak.mydomain.com/callback?client_name=SAML2Client" validUntil="2042-03-17T05:02:50.999Z">
<md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</md:Extensions>
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
<init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://keycloak.mydomain.com/callback?client_name=SAML2Client"/>
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
from nexus-sso.
Please follow the instructions from https://github.com/a-langer/nexus-sso/blob/main/docs/SAML.md#configure-service-and-identity-providers. entityID in sp-metadata.xml in your case should be https://nexus.mydomain.com/callback?client_name=SAML2Client. And also:
The value of the attribute "entityID" in sp-metadata.xml should be the same as the attribute "serviceProviderEntityId" and "callbackUrl" in shiro.ini (also depending on the DNS name you use), ex:
For diagnostics, use https://github.com/a-langer/nexus-sso/blob/main/docs/SAML.md#debug.
from nexus-sso.
Hi, Thanks for your time.
I followed the steps that you mentioned in the SAML.md file, though it seems that it won't even send a request to my Keycloak. I enabled all the logging and changed it to the TRACE log level (all the INFOs in nexus-sso/etc/logback/logback.xml changed to TRACE), but I still got a 500 Internal Server Error and surprisingly did not get any related log. It did not emit any log at all, in fact, which is odd. Also, I am receiving the following error in the logs. Is it possible the 500 error might be related to this error?
nexus-sso-nexus-1 | 2023-07-25 18:14:07,160+0700 DEBUG [FelixStartLevel] *SYSTEM org.sonatype.nexus.bootstrap.jetty.ConnectorManager - No HTTPS configuration present
nexus-sso-nexus-1 | java.lang.IllegalStateException: Jetty HTTPS is not enabled in Nexus
nexus-sso-nexus-1 | at org.sonatype.nexus.bootstrap.jetty.ConnectorManager.verifyConfiguration(ConnectorManager.java:174)
nexus-sso-nexus-1 | at org.sonatype.nexus.bootstrap.jetty.ConnectorManager.buildDefaultConnectors(ConnectorManager.java:205)
nexus-sso-nexus-1 | at org.sonatype.nexus.bootstrap.jetty.ConnectorManager.<init>(ConnectorManager.java:67)
nexus-sso-nexus-1 | at org.sonatype.nexus.bootstrap.jetty.JettyServer.doStart(JettyServer.java:189)
nexus-sso-nexus-1 | at org.sonatype.nexus.bootstrap.jetty.JettyServer.lambda$0(JettyServer.java:117)
nexus-sso-nexus-1 | at java.security.AccessController.doPrivileged(Native Method)
nexus-sso-nexus-1 | at org.sonatype.nexus.bootstrap.jetty.JettyServer.start(JettyServer.java:115)
nexus-sso-nexus-1 | at org.sonatype.nexus.bootstrap.Launcher.start(Launcher.java:131)
nexus-sso-nexus-1 | at org.sonatype.nexus.bootstrap.Launcher.startAsync(Launcher.java:127)
nexus-sso-nexus-1 | at org.sonatype.nexus.bootstrap.osgi.LauncherActivator.start(LauncherActivator.java:67)
nexus-sso-nexus-1 | at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:698)
nexus-sso-nexus-1 | at org.apache.felix.framework.Felix.activateBundle(Felix.java:2402)
nexus-sso-nexus-1 | at org.apache.felix.framework.Felix.startBundle(Felix.java:2308)
nexus-sso-nexus-1 | at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539)
nexus-sso-nexus-1 | at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
nexus-sso-nexus-1 | at java.lang.Thread.run(Thread.java:750)
nexus-sso-nexus-1 | Caused by: java.lang.IllegalStateException: Jetty XML configuration does not contain bean with name: sslContextFactory, type=org.eclipse.jetty.util.ssl.SslContextFactory
nexus-sso-nexus-1 | at org.sonatype.nexus.bootstrap.jetty.ConnectorManager.bean(ConnectorManager.java:267)
nexus-sso-nexus-1 | at org.sonatype.nexus.bootstrap.jetty.ConnectorManager.verifyConfiguration(ConnectorManager.java:165)
nexus-sso-nexus-1 | ... 15 common frames omitted
from nexus-sso.
@a-langer I am also facing this error 500: Internal Server Error issue when configuring ADFS.
I also added these lines to the logback.xml file https://github.com/a-langer/nexus-sso/blob/main/docs/SAML.md#debug but, like @aaii-z said, I do not get any related log lines from the error 500.
from nexus-sso.
This is the logging that I am getting from pac4j/saml:
2023-07-26 13:20:54,740+0000 INFO [JettyShutdownThread] *SYSTEM org.ehcache.core.EhcacheManager - Cache 'pac4jRealm.authorizationCache' removed from EhcacheManager.
2023-07-26 13:22:09,225+0000 INFO [Thread-86] *SYSTEM org.pac4j.saml.util.Configuration - Bootstrapping OpenSAML configuration via Pac4j...
2023-07-26 13:22:10,441+0000 INFO [Thread-86] *SYSTEM org.ehcache.jsr107.ConfigurationMerger - Configuration of cache pac4jRealm.authorizationCache will be supplemented by template nexus-default
2023-07-26 13:22:10,444+0000 INFO [Thread-86] *SYSTEM org.ehcache.core.EhcacheManager - Cache 'pac4jRealm.authorizationCache' created in EhcacheManager.
2023-07-26 13:22:10,445+0000 INFO [Thread-86] *SYSTEM org.ehcache.jsr107.Eh107CacheManager - Registering Ehcache MBean javax.cache:type=CacheConfiguration,CacheManager=file./opt/sonatype/nexus/etc/fabric/ehcache.xml,Cache=pac4jRealm.authorizationCache
2023-07-26 13:22:10,446+0000 INFO [Thread-86] *SYSTEM org.ehcache.jsr107.Eh107CacheManager - Registering Ehcache MBean javax.cache:type=CacheStatistics,CacheManager=file./opt/sonatype/nexus/etc/fabric/ehcache.xml,Cache=pac4jRealm.authorizationCache
2023-07-26 13:22:10,787+0000 INFO [Thread-86] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: pac4jRealm = com.github.alanger.shiroext.realm.pac4j.Pac4jRealmName@6d25425f
2023-07-26 13:22:41,580+0000 INFO [qtp151015507-361] *UNKNOWN org.pac4j.saml.config.SAML2Configuration - Bootstrapped Blacklisted Algorithms
2023-07-26 13:22:41,581+0000 INFO [qtp151015507-361] *UNKNOWN org.pac4j.saml.config.SAML2Configuration - Bootstrapped Signature Algorithms
2023-07-26 13:22:41,581+0000 INFO [qtp151015507-361] *UNKNOWN org.pac4j.saml.config.SAML2Configuration - Bootstrapped Signature Reference Digest Methods
2023-07-26 13:22:41,581+0000 INFO [qtp151015507-361] *UNKNOWN org.pac4j.saml.config.SAML2Configuration - Bootstrapped Canonicalization Algorithm
2023-07-26 13:22:04,477+0000 INFO [jetty-main-1] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Context: [email protected]@7c45dfea{Sonatype Nexus,/,file:///opt/sonatype/nexus/public/,STARTING}, config: org.tuckey.web.filters.urlrewrite.RunConfig@1a8aa38e
2023-07-26 13:22:10,784+0000 INFO [Thread-86] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: iniRealm = org.apache.shiro.realm.text.IniRealm@7819a76b
2023-07-26 13:22:10,785+0000 INFO [Thread-86] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: tokenRealm = com.github.alanger.shiroext.realm.jdbc.JdbcRealmName@3a9a7220
2023-07-26 13:22:10,787+0000 INFO [Thread-86] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: echoRealm = com.github.alanger.nexus.bootstrap.EchoRealm@3d09d1c9
2023-07-26 13:22:10,787+0000 INFO [Thread-86] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: pac4jRealm = com.github.alanger.shiroext.realm.pac4j.Pac4jRealmName@6d25425f
2023-07-26 13:22:10,788+0000 INFO [Thread-86] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: NexusAuthenticatingRealm = org.sonatype.nexus.security.internal.AuthenticatingRealmImpl@5832926f
2023-07-26 13:22:10,788+0000 INFO [Thread-86] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: NexusAuthorizingRealm = org.sonatype.nexus.security.internal.AuthorizingRealmImpl@31d0e03b
2023-07-26 13:22:10,790+0000 INFO [Thread-86] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: NpmToken = com.sonatype.nexus.repository.npm.internal.security.NpmTokenRealm@5d46de0
2023-07-26 13:22:10,790+0000 INFO [Thread-86] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: LdapRealm = org.sonatype.nexus.ldap.internal.LdapRealm@493ac3fd
2023-07-26 13:22:10,791+0000 INFO [Thread-86] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: DockerToken = org.sonatype.nexus.repository.docker.internal.security.DockerTokenRealm@49b926df
2023-07-26 13:22:10,860+0000 INFO [Thread-86] *SYSTEM com.github.alanger.nexus.bootstrap.Main - Init script done, env: org.apache.shiro.guice.web.WebGuiceEnvironment@58e428a
2023-07-26 09:40:50,350+0000 INFO [Thread-86] *SYSTEM org.opensaml.core.config.InitializationService - Initializing OpenSAML using the Java Services API
So no clear error why we are getting error 500.
from nexus-sso.
@aaii-z For some reason the https request comes to Nexus directly instead of through Nginx. All requests must go through the Nexus container on ports 80 or 443 if you configured SSL certificates. The settings are not correct, attach files sp-metadata.xml, shiro.ini and .env.
from nexus-sso.
@bogdankatishev Open another issue and attach files sp-metadata.xml, shiro.ini and .env.
from nexus-sso.
Hi,
These are the 3 files that you said I should attach.
from nexus-sso.
In shiro.ini the https protocol is used:
saml2Config.serviceProviderEntityId = https://MyNexus.Domain.com/callback?client_name=SAML2Client
clients.callbackUrl = https://MyNexus.Domain.com/callback
In sp-metadata.xml the plain http protocol is used:
.. entityID="http://MyNexus.Domain.com/callback?client_name=SAML2Client"
.. Location="http://MyNexus.Domain.com/callback?client_name=SAML2Client"
...
Correct "entityID" and "Location" depending on the DNS name and protocol you use; this value must also match the SAML client ID in the IdP server. See https://github.com/a-langer/nexus-sso/blob/main/docs/SAML.md#saml-configuration:
- Configure a new SAML client in the IdP server with the DNS name of your Nexus instance and download metadata.xml.
- Replace the protocol and DNS name in sp-metadata.xml and shiro.ini (as shown above).
- Pass metadata.xml, sp-metadata.xml and shiro.ini to the Nexus container; see _compose.override_prod.yml for an example.
I recommend that you first set up authorization through plain http and make sure that everything works correctly, and only then set up SSL encryption.
from nexus-sso.
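The two mismatches pointed out above (sp-metadata.xml vs shiro.ini, and http vs https) are easy to catch mechanically before the container is even started. The script below is an added example, not code from the nexus-sso project: it assumes the key names shown in this thread (saml2Config.serviceProviderEntityId and clients.callbackUrl in shiro.ini, PAC4J_BASE_URL in .env, entityID and the init:RequestInitiator Location in sp-metadata.xml) and runs over constructed sample files modelled on the reporter's, not the real ones.

```python
"""Consistency check for nexus-sso style SAML settings (hypothetical helper, not
part of the nexus-sso project). Compares sp-metadata.xml, shiro.ini and .env."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "init": "urn:oasis:names:tc:SAML:profiles:SSO:request-init",
}


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the entityID and the RequestInitiator Location from SP metadata."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    initiator = root.find(".//init:RequestInitiator", NS)
    return {
        "entityID": root.get("entityID"),
        "location": initiator.get("Location") if initiator is not None else None,
    }


def parse_shiro_ini(ini_text: str) -> dict:
    """Minimal key = value reader; shiro.ini has [sections] and dotted keys."""
    values = {}
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, val = line.partition("=")   # first '=' only; URLs contain '='
        if sep:
            values[key.strip()] = val.strip()
    return values


_ENV_DEFAULT = re.compile(r"^\$\{\w+:-(.*)\}$")   # matches "${VAR:-default}"


def parse_env(env_text: str) -> dict:
    """Read KEY=value lines; unwrap the "${KEY:-default}" form used in the thread."""
    values = {}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.strip().strip('"').strip("'")
        m = _ENV_DEFAULT.match(val)
        values[key.strip()] = m.group(1) if m else val
    return values


def check_saml_config(sp_xml: str, shiro_ini: str, env_text: str,
                      client_name: str = "SAML2Client") -> list:
    """Return a list of mismatch descriptions; an empty list means consistent."""
    md = parse_sp_metadata(sp_xml)
    ini = parse_shiro_ini(shiro_ini)
    env = parse_env(env_text)
    problems = []
    entity = ini.get("saml2Config.serviceProviderEntityId")
    callback = ini.get("clients.callbackUrl")
    base = env.get("PAC4J_BASE_URL")
    # shiro.ini: entity id must be the callback URL plus the client_name parameter
    expected = f"{callback}?client_name={client_name}" if callback else None
    if entity != expected:
        problems.append(f"serviceProviderEntityId {entity!r} != callbackUrl+client_name {expected!r}")
    # sp-metadata.xml must carry the same entity id, and Location must equal it
    if md["entityID"] != entity:
        problems.append(f"sp-metadata entityID {md['entityID']!r} != shiro serviceProviderEntityId {entity!r}")
    if md["location"] != md["entityID"]:
        problems.append(f"RequestInitiator Location {md['location']!r} != entityID {md['entityID']!r}")
    # every URL must use the scheme and host of PAC4J_BASE_URL (http vs https mix-ups)
    for label, url in (("entityID", md["entityID"]), ("Location", md["location"]), ("callbackUrl", callback)):
        if url and base:
            u, b = urlsplit(url), urlsplit(base)
            if (u.scheme, u.netloc.lower()) != (b.scheme, b.netloc.lower()):
                problems.append(f"{label} {u.scheme}://{u.netloc} does not match PAC4J_BASE_URL {base!r}")
    return problems


# Constructed sample inputs modelled on the thread, not the reporter's real files.
SHIRO_INI = """
[main]
saml2Config.serviceProviderEntityId = https://MyNexus.Domain.com/callback?client_name=SAML2Client
clients.callbackUrl = https://MyNexus.Domain.com/callback
"""
ENV_FILE = 'PAC4J_BASE_URL="${PAC4J_BASE_URL:-https://MyNexus.Domain.com}"\n'


def sample_metadata(base: str) -> str:
    """Build a minimal SP metadata document for the given scheme://host."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="{base}/callback?client_name=SAML2Client">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
      <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
          Location="{base}/callback?client_name=SAML2Client"/>
    </md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


BROKEN_METADATA = sample_metadata("http://MyNexus.Domain.com")   # plain http, as in the thread
FIXED_METADATA = sample_metadata("https://MyNexus.Domain.com")

if __name__ == "__main__":
    for name, xml in (("broken", BROKEN_METADATA), ("fixed", FIXED_METADATA)):
        issues = check_saml_config(xml, SHIRO_INI, ENV_FILE)
        print(name + ":", "OK" if not issues else "\n  ".join(["mismatches"] + issues))
```

Run against the real files by reading them in place of the constructed strings; the "broken" sample reproduces the http/https mix described above and reports three mismatches, while the "fixed" sample reports none.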
I've tried http on Nexus; I'm still getting a 500 error on Request URL: http://MyNexus.Domain.com/index.html, and also there is no related log.
from nexus-sso.
The error returned will always be error 500, because it is any internal server error. To see more information you can enable the TRACE debug level for the root logger in logback.xml:
<root level="${root.level:-TRACE}">
...
It is better to perform each check in a new private browser window (or delete the cookies for the Nexus and IdP sites, which is quite difficult); otherwise the browser may remember invalid cookies and will not go to the login page, which in turn confuses and complicates diagnostics.
from nexus-sso.
Pay attention to issue #8. The samlKeystore.jks file needed to be loaded additionally via git LFS, which could lead to a configuration error. The file is now loaded as a normal binary (c71047a); to update the files run git pull.
from nexus-sso.