SAML for IQ Server - Azure SSO Support

Hello, following on from “SAML for IQ Server,” two users were asking about Azure SSO support help for the SAML integration. I couldn’t find an applicable forum entry that resolved this. I am also receiving the following error when uploading the Federation Metadata XML (Azure language) in the Identity Provider Metadata XML (Nexus IQ language) field:

Identity provider metadata could not be validated: Invalid SAML metadata: cvc-elt.4.2: Cannot resolve 'fed:SecurityTokenServiceType' to a type definition for element 'RoleDescriptor'.

I solved this particular problem, though I’m not sure of the repercussions of making these changes. In the Federation Metadata XML file from Azure, I removed the following fields, indicated by the two errors I was receiving when importing in Nexus IQ:

<RoleDescriptor xsi:type="fed:ApplicationServiceType" …>
</RoleDescriptor>

and

<RoleDescriptor xsi:type="fed:SecurityTokenServiceType" …>
</RoleDescriptor>

Now, though, I’m having trouble finding the correct reply URL to use in Azure before generating the XML file.

For anyone following this saga, I think removing the SecurityTokenServiceType keeps the SAML integration in Nexus IQ from using a token in a browser for a user who is already logged in with their Azure account. When I click the Single Sign-On button in Nexus IQ from another tab in the logged-in browser, I get a “Missing credentials” error, whereas if I do so from a private tab, I am taken to my normal Azure login prompt.

I’m still struggling to find the correct reply URL to use in Azure before generating the XML file, and after entering my credentials in the Azure UI, I get the following error:

Sorry, but we’re having trouble signing you in.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '…'
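
As an added example (not code from this thread or from Sonatype), the following Python script does the RoleDescriptor removal described above programmatically instead of by hand, and then reports what is left for a SAML 2.0 service provider to consume: the entityID, the SingleSignOnService endpoints per binding, and the signing certificate inside IDPSSODescriptor. The two RoleDescriptor elements it removes are the WS-Federation roles (ApplicationServiceType and SecurityTokenServiceType), which is why a SAML metadata validator cannot resolve their xsi:type. The sample metadata, tenant id and certificate text are constructed placeholders, not real Azure output.

```python
"""Strip the WS-Federation RoleDescriptor elements from Azure AD federation metadata.

Added example, not code from this thread or from Sonatype. SAMPLE is a constructed,
abbreviated stand-in for Azure's federationmetadata.xml with placeholder values.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
NS = {"md": MD, "ds": DS}

# Keep Azure's prefixes on output instead of ElementTree's ns0/ns1 renaming.
for _prefix, _uri in (("", MD), ("ds", DS), ("xsi", XSI), ("fed", FED)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample (placeholder tenant id and certificate), not real Azure output.
SAMPLE = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" xmlns:xsi="{XSI}" xmlns:fed="{FED}"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="{FED}">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="{FED}">
    <fed:ClaimTypesOffered/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".encode("utf-8")

# The two xsi:types the SAML metadata validator rejects (cvc-elt.4.2 in the thread).
WSFED_ROLE_TYPES = ("ApplicationServiceType", "SecurityTokenServiceType")


def strip_wsfed_roles(metadata: bytes) -> tuple[bytes, list[str]]:
    """Remove RoleDescriptor elements typed as WS-Federation roles.

    Returns the serialised XML and the list of xsi:type values that were removed.
    RoleDescriptor is a direct child of EntityDescriptor, so root.remove() suffices.
    """
    root = ET.fromstring(metadata)
    removed = []
    for role in list(root.findall("md:RoleDescriptor", NS)):
        xsi_type = role.get(f"{{{XSI}}}type", "")
        if xsi_type.split(":")[-1] in WSFED_ROLE_TYPES:
            root.remove(role)
            removed.append(xsi_type)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


def summarize_idp(metadata: bytes) -> dict:
    """Pull out what a SAML SP needs: entityID, SSO endpoint per binding, signing certs."""
    root = ET.fromstring(metadata)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not usable as SAML IdP metadata")
    sso = {
        s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
        for s in idp.findall("md:SingleSignOnService", NS)
    }
    certs = [
        c.text.strip()
        for c in idp.findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
        )
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_certs": certs,
        "wsfed_roles_left": len(root.findall("md:RoleDescriptor", NS)),
    }


if __name__ == "__main__":
    cleaned, removed = strip_wsfed_roles(SAMPLE)
    print("removed:", removed)
    print(summarize_idp(cleaned))
    print(cleaned.decode())
```

Run it against a downloaded federationmetadata.xml by replacing SAMPLE with the file's bytes; if summarize_idp raises, the file is not SAML IdP metadata at all and no amount of element removal will make it validate.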

Hey Austin,

I’m not sure I can be much help on this one. Let me see if I can find some folks that might be able to provide some more insight.

For this particular issue it might be better to open a support request at support.sonatype.com so the team can dive into the specifics a bit more.

Thank you, @nickcook. I’ve submitted a ticket and will post what I learn here after it’s resolved. I realized I’m also missing some information above about proxying to my internal server from an Azure public URL. I’ll include the details in the answer so others can benefit if their Nexus IQ setup is similar.


I think your reply URL would be <baseurl>/saml (e.g. https://nexus.domain.com/saml). This is the value I see for the AssertionConsumerService tag from the SP metadata file. You can pull your metadata file with something like curl -u admin:admin123 -X GET "http://localhost:8081/service/rest/v1/security/saml/metadata". As for the fed:SecurityTokenServiceType error when integrating with Azure AD, I am also using the same workaround by removing the RoleDescriptor tags. The effect I see is that Nexus doesn’t get any of the claims for authorization. Because of this, I’m using local authorizations for users.
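
As an added example (not code from this thread or from Sonatype), the script below does the comparison the previous two posts are circling: it reads the AssertionConsumerService Location out of SP metadata, which is the reply URL Azure must have, and checks it against the reply URLs registered in Azure, flagging the mismatch that produces AADSTS50011. It also flags an ACS that still carries an internal or non-https address, which is the situation to expect when the SP sits behind a proxy but was configured with its internal base URL. SP_METADATA is a constructed stand-in for what the /saml/metadata endpoint returns, with placeholder URLs; INTERNAL_HOSTS is an assumption of this check, not something from the thread.

```python
"""Compare the Azure reply URL with the AssertionConsumerService in the SP metadata.

Added example, not code from this thread or from Sonatype. SP_METADATA is a
constructed stand-in for the SP metadata endpoint's output; the element names are
standard SAML 2.0 metadata, the URLs are placeholders.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

SP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://nexus.domain.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nexus.domain.com/saml" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# The same metadata as it would look if the SP still advertised its internal, pre-proxy address.
INTERNAL_SP_METADATA = SP_METADATA.replace(b"https://nexus.domain.com/saml", b"http://localhost:8081/saml")

# Assumption of this check: hosts that can never be what Azure posts the response back to.
INTERNAL_HOSTS = {"localhost", "127.0.0.1"}


def acs_locations(sp_metadata: bytes) -> list[str]:
    """Every AssertionConsumerService Location the SP advertises (the reply URL Azure must allow)."""
    root = ET.fromstring(sp_metadata)
    return [
        acs.get("Location")
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]


def normalize(url: str) -> tuple[str, str, str]:
    """Minimal canonical form: scheme/host case and a trailing slash; nothing else is forgiven."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/") or "/")


def reply_url_problems(sp_metadata: bytes, azure_reply_urls: list[str]) -> list[str]:
    """Return mismatches between the SP's ACS endpoints and the reply URLs registered in Azure.

    An empty list means every ACS the SP can put in an AuthnRequest is one Azure knows about.
    """
    allowed = {normalize(u) for u in azure_reply_urls}
    problems = []
    for loc in acs_locations(sp_metadata):
        p = urlsplit(loc)
        if p.scheme != "https":
            problems.append(f"{loc}: ACS is not https; the SAML response would be posted in the clear")
        if p.hostname in INTERNAL_HOSTS:
            problems.append(f"{loc}: ACS is an internal address; behind a proxy the SP base URL must be the public one")
        if normalize(loc) not in allowed:
            problems.append(f"{loc}: not among the Azure reply URLs {sorted(azure_reply_urls)} (expect AADSTS50011)")
    return problems


if __name__ == "__main__":
    for problem in reply_url_problems(INTERNAL_SP_METADATA, ["https://nexus.domain.com/saml"]):
        print(problem)
```

The normalization is deliberately minimal: register the exact Location string from the SP metadata as the reply URL in Azure rather than relying on any canonicalization on the Azure side, and regenerate and re-check the SP metadata after changing the base URL for a proxy.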

I forgot to update this thread. I found the same thing, @mronquillo. I think I had everything set up properly, but I found that Nexus wasn’t getting the claims. I saw some proxy settings in one of the configuration files, but I’d lost motivation to keep trying to solve this. So now I’m using local accounts and will probably integrate it with LDAP and my local AD domain when I have time.

@mronquillo and @austin could you clarify if this issue is related to IQ Server and not Nexus Repository Manager? I ask because some of the information provided signals that it is related to Nexus Repository Manager. For example, the port number 8081 is usually a default port for Nexus Repository Manager, as are the REST API endpoints described.

http://localhost:8081/service/rest/v1/security/saml/metadata

Hello @mdodgson, at the time I was attempting my SAML integration, Nexus Repository Manager didn’t have a version that supported it yet. I can confirm that I was trying to integrate SAML with Nexus IQ.

I was able to get it working with Azure AD by deleting XML nodes as @austin pointed out. I can confirm the recommendation from @mronquillo of /saml allows you to sign in. Does anyone know how to use claims for group membership? I’d like to have members of specific groups have different roles, but don’t see anything for SAML.

May I know what the sign-on URL for IQ Server is for Okta?