There isn't SAML option after I run the image #4

Closed
aaii-z opened this issue Jul 13, 2023 · 14 comments
Labels
documentation Improvements or additions to documentation Keycloak Keycloak IdP

Comments

@aaii-z

aaii-z commented Jul 13, 2023

Hi, I have a separate VM that my Keycloak runs on. Now I want to connect this Nexus to that Keycloak. After I run that image, I go to the browser and log in with the internal user of Nexus, but I don't see any SAML option. I read the README of this project, and in this link it shows that there is a SAML option in the Nexus UI, but I don't see it. Should I change any environment variable to true, or is it a bug? (I used the docker compose of this project)
[screenshot attached]
(I meant I don't see this option after I run the docker compose in my Nexus, I see this picture from that link )

@a-langer
Owner

Hi,

This menu item is only available in the Nexus PRO version, so you should follow SAML.md instead of "Configure Sonatype Platform". I have clarified this point in README.md:

SAML/SSO authentication may be configured with environment variables in the .env file; for more flexible settings, you can make changes directly to shiro.ini (variable interpolation supported). However, this also requires that the configuration files of the service provider (ex., sp-metadata.xml) and identity provider (ex., metadata-okta.xml or metadata-keycloak.xml) are passed to the container. For examples of creating SAML configurations, see "Keycloak SAML integration with Nexus application" (except "Configure Sonatype Platform"; instead follow SAML.md).

@aaii-z
Author

aaii-z commented Jul 22, 2023

Hi again, thanks for your response. I configured those files but faced a 500 Internal Server Error. I'm using Keycloak version 19 as my IdP, and it doesn't send a request to my IdP when I click on Single SSO.
This is my env:

PAC4J_BASE_URL="${PAC4J_BASE_URL:-https://nexus.mydomain.com}"

sp-metadata.xml:

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_84f5d7fa7c4d42a6b1be2ad565c324fdfcb01f9" entityID="https://keycloak.mydomain.com/callback?client_name=SAML2Client" validUntil="2042-03-17T05:02:50.999Z">
    <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
        <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
        <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </md:Extensions>
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
        <md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
            <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://keycloak.mydomain.com/callback?client_name=SAML2Client"/>
        </md:Extensions>
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>


@a-langer
Owner

Please follow the instructions from https://github.com/a-langer/nexus-sso/blob/main/docs/SAML.md#configure-service-and-identity-providers. entityID in sp-metadata.xml in your case should be https://nexus.mydomain.com/callback?client_name=SAML2Client. And also:

The value of the attribute "entityID" in sp-metadata.xml should be the same as the attribute "serviceProviderEntityId" and "callbackUrl" in shiro.ini (also depending on the DNS name you use), ex:

For diagnostics, use https://github.com/a-langer/nexus-sso/blob/main/docs/SAML.md#debug.

@aaii-z
Author

aaii-z commented Jul 25, 2023

Hi, Thanks for your time.
I followed the steps that you mentioned in the SAML.md file, though it seems that it won't even send a request to my Keycloak. I did enable all the logging and changed it to the TRACE log level (all the INFOs in nexus-sso/etc/logback/logback.xml changed to TRACE), but I still got a 500 Internal Server Error and, surprisingly, did not get any related log. In fact it did not throw any log at all, which is odd. Also, I am receiving the following error in the logs. Is it possible the 500 error might be related to this error?

nexus-sso-nexus-1  | 2023-07-25 18:14:07,160+0700 DEBUG [FelixStartLevel] *SYSTEM org.sonatype.nexus.bootstrap.jetty.ConnectorManager - No HTTPS configuration present
nexus-sso-nexus-1  | java.lang.IllegalStateException: Jetty HTTPS is not enabled in Nexus
nexus-sso-nexus-1  |     at org.sonatype.nexus.bootstrap.jetty.ConnectorManager.verifyConfiguration(ConnectorManager.java:174)
nexus-sso-nexus-1  |     at org.sonatype.nexus.bootstrap.jetty.ConnectorManager.buildDefaultConnectors(ConnectorManager.java:205)
nexus-sso-nexus-1  |     at org.sonatype.nexus.bootstrap.jetty.ConnectorManager.<init>(ConnectorManager.java:67)
nexus-sso-nexus-1  |     at org.sonatype.nexus.bootstrap.jetty.JettyServer.doStart(JettyServer.java:189)
nexus-sso-nexus-1  |     at org.sonatype.nexus.bootstrap.jetty.JettyServer.lambda$0(JettyServer.java:117)
nexus-sso-nexus-1  |     at java.security.AccessController.doPrivileged(Native Method)
nexus-sso-nexus-1  |     at org.sonatype.nexus.bootstrap.jetty.JettyServer.start(JettyServer.java:115)
nexus-sso-nexus-1  |     at org.sonatype.nexus.bootstrap.Launcher.start(Launcher.java:131)
nexus-sso-nexus-1  |     at org.sonatype.nexus.bootstrap.Launcher.startAsync(Launcher.java:127)
nexus-sso-nexus-1  |     at org.sonatype.nexus.bootstrap.osgi.LauncherActivator.start(LauncherActivator.java:67)
nexus-sso-nexus-1  |     at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:698)
nexus-sso-nexus-1  |     at org.apache.felix.framework.Felix.activateBundle(Felix.java:2402)
nexus-sso-nexus-1  |     at org.apache.felix.framework.Felix.startBundle(Felix.java:2308)
nexus-sso-nexus-1  |     at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539)
nexus-sso-nexus-1  |     at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
nexus-sso-nexus-1  |     at java.lang.Thread.run(Thread.java:750)
nexus-sso-nexus-1  | Caused by: java.lang.IllegalStateException: Jetty XML configuration does not contain bean with name: sslContextFactory, type=org.eclipse.jetty.util.ssl.SslContextFactory
nexus-sso-nexus-1  |     at org.sonatype.nexus.bootstrap.jetty.ConnectorManager.bean(ConnectorManager.java:267)
nexus-sso-nexus-1  |     at org.sonatype.nexus.bootstrap.jetty.ConnectorManager.verifyConfiguration(ConnectorManager.java:165)
nexus-sso-nexus-1  |     ... 15 common frames omitted

@bogdankatishev
Contributor

@a-langer I am also facing this error 500: Internal Server Error issue when configuring ADFS.

I also added these lines to the logback.xml file https://github.com/a-langer/nexus-sso/blob/main/docs/SAML.md#debug but like @aaii-z said, I do not get any related log lines from the error 500.

@bogdankatishev
Contributor

This is the logging that I am getting from pac4j/saml:

2023-07-26 13:20:54,740+0000 INFO  [JettyShutdownThread]  *SYSTEM org.ehcache.core.EhcacheManager - Cache 'pac4jRealm.authorizationCache' removed from EhcacheManager.
2023-07-26 13:22:09,225+0000 INFO  [Thread-86]  *SYSTEM org.pac4j.saml.util.Configuration - Bootstrapping OpenSAML configuration via Pac4j...
2023-07-26 13:22:10,441+0000 INFO  [Thread-86]  *SYSTEM org.ehcache.jsr107.ConfigurationMerger - Configuration of cache pac4jRealm.authorizationCache will be supplemented by template nexus-default
2023-07-26 13:22:10,444+0000 INFO  [Thread-86]  *SYSTEM org.ehcache.core.EhcacheManager - Cache 'pac4jRealm.authorizationCache' created in EhcacheManager.
2023-07-26 13:22:10,445+0000 INFO  [Thread-86]  *SYSTEM org.ehcache.jsr107.Eh107CacheManager - Registering Ehcache MBean javax.cache:type=CacheConfiguration,CacheManager=file./opt/sonatype/nexus/etc/fabric/ehcache.xml,Cache=pac4jRealm.authorizationCache
2023-07-26 13:22:10,446+0000 INFO  [Thread-86]  *SYSTEM org.ehcache.jsr107.Eh107CacheManager - Registering Ehcache MBean javax.cache:type=CacheStatistics,CacheManager=file./opt/sonatype/nexus/etc/fabric/ehcache.xml,Cache=pac4jRealm.authorizationCache
2023-07-26 13:22:10,787+0000 INFO  [Thread-86]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: pac4jRealm = com.github.alanger.shiroext.realm.pac4j.Pac4jRealmName@6d25425f
2023-07-26 13:22:41,580+0000 INFO  [qtp151015507-361]  *UNKNOWN org.pac4j.saml.config.SAML2Configuration - Bootstrapped Blacklisted Algorithms
2023-07-26 13:22:41,581+0000 INFO  [qtp151015507-361]  *UNKNOWN org.pac4j.saml.config.SAML2Configuration - Bootstrapped Signature Algorithms
2023-07-26 13:22:41,581+0000 INFO  [qtp151015507-361]  *UNKNOWN org.pac4j.saml.config.SAML2Configuration - Bootstrapped Signature Reference Digest Methods
2023-07-26 13:22:41,581+0000 INFO  [qtp151015507-361]  *UNKNOWN org.pac4j.saml.config.SAML2Configuration - Bootstrapped Canonicalization Algorithm
2023-07-26 13:22:04,477+0000 INFO  [jetty-main-1]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Context: ServletContext@o.e.j.w.WebAppContext@7c45dfea{Sonatype Nexus,/,file:///opt/sonatype/nexus/public/,STARTING}, config: org.tuckey.web.filters.urlrewrite.RunConfig@1a8aa38e
2023-07-26 13:22:10,784+0000 INFO  [Thread-86]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: iniRealm = org.apache.shiro.realm.text.IniRealm@7819a76b
2023-07-26 13:22:10,785+0000 INFO  [Thread-86]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: tokenRealm = com.github.alanger.shiroext.realm.jdbc.JdbcRealmName@3a9a7220
2023-07-26 13:22:10,787+0000 INFO  [Thread-86]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: echoRealm = com.github.alanger.nexus.bootstrap.EchoRealm@3d09d1c9
2023-07-26 13:22:10,787+0000 INFO  [Thread-86]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: pac4jRealm = com.github.alanger.shiroext.realm.pac4j.Pac4jRealmName@6d25425f
2023-07-26 13:22:10,788+0000 INFO  [Thread-86]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: NexusAuthenticatingRealm = org.sonatype.nexus.security.internal.AuthenticatingRealmImpl@5832926f
2023-07-26 13:22:10,788+0000 INFO  [Thread-86]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: NexusAuthorizingRealm = org.sonatype.nexus.security.internal.AuthorizingRealmImpl@31d0e03b
2023-07-26 13:22:10,790+0000 INFO  [Thread-86]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: NpmToken = com.sonatype.nexus.repository.npm.internal.security.NpmTokenRealm@5d46de0
2023-07-26 13:22:10,790+0000 INFO  [Thread-86]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: LdapRealm = org.sonatype.nexus.ldap.internal.LdapRealm@493ac3fd
2023-07-26 13:22:10,791+0000 INFO  [Thread-86]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Current realm: DockerToken = org.sonatype.nexus.repository.docker.internal.security.DockerTokenRealm@49b926df
2023-07-26 13:22:10,860+0000 INFO  [Thread-86]  *SYSTEM com.github.alanger.nexus.bootstrap.Main - Init script done, env: org.apache.shiro.guice.web.WebGuiceEnvironment@58e428a
2023-07-26 09:40:50,350+0000 INFO  [Thread-86]  *SYSTEM org.opensaml.core.config.InitializationService - Initializing OpenSAML using the Java Services API

So there is no clear error explaining why we are getting error 500.

@a-langer
Owner

@aaii-z For some reason the https request comes to Nexus directly instead of through Nginx. All requests must go through the Nexus container on ports 80 or 443 if you configured SSL certificates. The settings are not correct; attach the files sp-metadata.xml, shiro.ini and .env.

@a-langer
Owner

@bogdankatishev Open another issue and attach files sp-metadata.xml, shiro.ini and .env.

@aaii-z
Author

aaii-z commented Jul 28, 2023

Hi,
These are the 3 files that you said I should attach.

shiro.ini.txt

sp-metadata.xml.txt

env.txt

@a-langer
Owner

shiro.ini uses the httpS protocol:

saml2Config.serviceProviderEntityId = https://MyNexus.Domain.com/callback?client_name=SAML2Client
clients.callbackUrl = https://MyNexus.Domain.com/callback

sp-metadata.xml uses the plain http protocol:

.. entityID="http://MyNexus.Domain.com/callback?client_name=SAML2Client"
.. Location="http://MyNexus.Domain.com/callback?client_name=SAML2Client"
...

Correct "entityID" and "Location" depending on the DNS name and protocol you use; this value must also match the SAML client ID in the IdP server. See https://github.com/a-langer/nexus-sso/blob/main/docs/SAML.md#saml-configuration:

  • Configure new SAML client in the IdP server with DNS name for your Nexus instance and download metadata.xml.
  • Replace the protocol and DNS name in sp-metadata.xml and shiro.ini (as shown above).
  • Pass metadata.xml, sp-metadata.xml and shiro.ini to the Nexus container, see _compose.override_prod.yml for an example.

I recommend that you first set up authorization through a simple http and make sure that everything works correctly, and only then set up SSL encryption.
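The rules stated in this reply and in the earlier one (entityID and RequestInitiator Location in sp-metadata.xml must equal serviceProviderEntityId in shiro.ini, the entityID must be callbackUrl plus its query string, and all of them must use the same scheme and DNS name as PAC4J_BASE_URL in .env) can be checked mechanically before the container is started. The script below is an added example and is not part of nexus-sso; the sp-metadata.xml, shiro.ini and .env fragments embedded in it are constructed to reproduce the http/https mismatch shown above, and the file and key names are the ones used in this thread.

```python
"""Check that a pac4j SAML service-provider configuration is internally consistent.

Added example, not part of nexus-sso. It enforces the rules stated in the thread:
  * entityID in sp-metadata.xml == saml2Config.serviceProviderEntityId in shiro.ini
  * RequestInitiator Location in sp-metadata.xml == entityID
  * entityID minus its query string == clients.callbackUrl in shiro.ini
  * every one of those URLs shares scheme and host with PAC4J_BASE_URL from .env
"""
import configparser
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"init": "urn:oasis:names:tc:SAML:profiles:SSO:request-init"}

# Constructed samples reproducing the mismatch from the thread:
# shiro.ini and .env use https, sp-metadata.xml still uses plain http.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://MyNexus.Domain.com/callback?client_name=SAML2Client">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
      <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
          Location="http://MyNexus.Domain.com/callback?client_name=SAML2Client"/>
    </md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
SAMPLE_SHIRO_INI = """[main]
saml2Config.serviceProviderEntityId = https://MyNexus.Domain.com/callback?client_name=SAML2Client
clients.callbackUrl = https://MyNexus.Domain.com/callback
"""
SAMPLE_ENV = 'PAC4J_BASE_URL="${PAC4J_BASE_URL:-https://MyNexus.Domain.com}"\n'


def load_sp_metadata(xml_text):
    """Return (entityID, RequestInitiator Location) from SP metadata."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    initiator = root.find(".//init:RequestInitiator", NS)
    location = initiator.get("Location") if initiator is not None else None
    return root.get("entityID"), location


def load_shiro(ini_text):
    """Return (serviceProviderEntityId, callbackUrl) from the [main] section of shiro.ini."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case, e.g. saml2Config.serviceProviderEntityId
    parser.read_string(ini_text)
    main = parser["main"]
    return main.get("saml2Config.serviceProviderEntityId"), main.get("clients.callbackUrl")


def load_base_url(env_text):
    """Return PAC4J_BASE_URL from .env, resolving the ${VAR:-default} form used in the thread."""
    for line in env_text.splitlines():
        if line.startswith("PAC4J_BASE_URL="):
            value = line.split("=", 1)[1].strip().strip("\"'")
            match = re.search(r"\$\{PAC4J_BASE_URL:-([^}]*)\}", value)
            return match.group(1) if match else value
    return None


def origin(url):
    """(scheme, host[:port]) of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def without_query(url):
    """The URL with query string and fragment removed."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def check_saml_config(xml_text, ini_text, env_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    entity_id, location = load_sp_metadata(xml_text)
    sp_entity_id, callback_url = load_shiro(ini_text)
    base_url = load_base_url(env_text)

    if entity_id != sp_entity_id:
        findings.append(f"entityID {entity_id!r} != serviceProviderEntityId {sp_entity_id!r}")
    if location != entity_id:
        findings.append(f"RequestInitiator Location {location!r} != entityID {entity_id!r}")
    if entity_id and callback_url and without_query(entity_id) != callback_url:
        findings.append(f"entityID {entity_id!r} is not callbackUrl {callback_url!r} plus a query string")
    if base_url:
        for label, url in (("entityID", entity_id), ("Location", location),
                           ("serviceProviderEntityId", sp_entity_id), ("callbackUrl", callback_url)):
            if url and origin(url) != origin(base_url):
                findings.append(f"{label} {url!r} does not share scheme/host with PAC4J_BASE_URL {base_url!r}")
    return findings


if __name__ == "__main__":
    for finding in check_saml_config(SAMPLE_SP_METADATA, SAMPLE_SHIRO_INI, SAMPLE_ENV) or ["OK"]:
        print(finding)
```

Run against real files by reading them into the three string arguments; on the constructed sample it reports the http/https mismatch four times (entityID, Location, the callbackUrl prefix check, and the PAC4J_BASE_URL origin check), and changing the scheme in sp-metadata.xml to https clears every finding. The check is a precondition, not a substitute for the IdP-side client ID matching, which the script cannot see.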

@aaii-z
Author

aaii-z commented Aug 1, 2023

I've tried http on Nexus; I'm still getting a 500 error on Request URL: http://MyNexus.Domain.com/index.html, and also there is no related log.

@a-langer
Owner

a-langer commented Aug 2, 2023

The error returned will always be error 500, because it covers any internal server error. To see more information, you can enable the TRACE log level for the root logger in logback.xml:

<root level="${root.level:-TRACE}">
...

It is better to perform each check in a new private browser window (or delete cookies for Nexus and IdP sites, which is quite difficult), otherwise the browser may remember invalid cookies and will not go to the login page, which in turn confuses and complicates diagnostics.

@a-langer
Owner

a-langer commented Aug 2, 2023

Pay attention to issue #8. The samlKeystore.jks file needed to be loaded additionally via git LFS, which could lead to a configuration error. The file is now loaded as a normal binary (c71047a); to update the files, run git pull.
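A clone made without git-lfs leaves a small text pointer in place of samlKeystore.jks, which is the failure mode this reply describes. The check below is an added example, not part of nexus-sso: it tells a real keystore apart from an LFS pointer by their leading bytes (JKS files start with the magic number 0xFEEDFEED, JCEKS files with 0xCECECECE, and LFS pointers with the line `version https://git-lfs.github.com/spec/v1`). The sample pointer and JKS header embedded in it are constructed, with placeholder oid and size values.

```python
"""Tell a real samlKeystore.jks apart from a git LFS pointer file.

Added example, not part of nexus-sso. A clone made without git-lfs installed leaves
a short text pointer where the binary keystore should be, and the SAML client then
fails while loading it.
"""
from pathlib import Path

JKS_MAGIC = b"\xfe\xed\xfe\xed"    # magic number at the start of every JKS keystore
JCEKS_MAGIC = b"\xce\xce\xce\xce"  # magic number of the JCEKS variant
LFS_POINTER_PREFIX = b"version https://git-lfs.github.com/spec/v1"

# Constructed sample of an LFS pointer file (oid and size are placeholders).
SAMPLE_LFS_POINTER = (
    b"version https://git-lfs.github.com/spec/v1\n"
    b"oid sha256:0000000000000000000000000000000000000000000000000000000000000000\n"
    b"size 2217\n"
)
# Constructed sample of the first bytes of a JKS file: magic, version 2, zero entries.
SAMPLE_JKS_HEADER = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x00"


def classify_keystore_bytes(data):
    """Return 'jks', 'jceks', 'lfs-pointer' or 'unknown' for the leading bytes of a file."""
    if data.startswith(JKS_MAGIC):
        return "jks"
    if data.startswith(JCEKS_MAGIC):
        return "jceks"
    if data.startswith(LFS_POINTER_PREFIX):
        return "lfs-pointer"
    return "unknown"


def classify_keystore_file(path):
    """Classify a keystore on disk by its first 64 bytes (enough for all three signatures)."""
    with open(path, "rb") as handle:
        return classify_keystore_bytes(handle.read(64))


def check_keystore(path):
    """Return (ok, message) so the check can be wired into a pre-start script."""
    keystore = Path(path)
    if not keystore.is_file():
        return False, f"{path}: missing"
    kind = classify_keystore_file(keystore)
    if kind == "lfs-pointer":
        return False, f"{path}: git LFS pointer, not a keystore; run git lfs pull or re-clone"
    if kind == "unknown":
        return False, f"{path}: not a JKS/JCEKS keystore (size {keystore.stat().st_size} bytes)"
    return True, f"{path}: {kind} keystore"


if __name__ == "__main__":
    import sys
    ok, message = check_keystore(sys.argv[1] if len(sys.argv) > 1 else "samlKeystore.jks")
    print(message)
    sys.exit(0 if ok else 1)
```

Running it with the path of the keystore that is mounted into the container gives a non-zero exit status for a pointer file or a missing file, so it can gate the compose start-up; a keystore in PKCS12 format would be reported as unknown, since only the two Java keystore formats are recognised here.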

@aaii-z
Author

aaii-z commented Aug 19, 2023

Hi again. Thank you so much for your answers; finally my problem was solved after I cloned it again. I think the problem, as you said, was samlKeystore.jks.

@aaii-z aaii-z closed this as completed Aug 19, 2023
@a-langer a-langer added bug Something isn't working documentation Improvements or additions to documentation Keycloak Keycloak IdP and removed bug Something isn't working labels Mar 22, 2024