SAML for IQ Server - Azure SSO Support

Hello, following on from “SAML for IQ Server,” two users were asking for help with Azure SSO support for the SAML integration. I couldn’t find an applicable forum entry that resolved this. I am also receiving the following error when uploading the Federation Metadata XML (Azure language) in the Identity Provider Metadata XML (Nexus IQ language) field:

Identity provider metadata could not be validated: Invalid SAML metadata: cvc-elt.4.2: Cannot resolve 'fed:SecurityTokenServiceType' to a type definition for element 'RoleDescriptor'.

I solved this particular problem, though I’m not sure of the repercussions of making these changes. In the Federation Metadata XML file from Azure, I removed the following elements, indicated by the two errors I was receiving when importing in Nexus IQ:

<RoleDescriptor xsi:type="fed:ApplicationServiceType" …>
</RoleDescriptor>

and

<RoleDescriptor xsi:type="fed:SecurityTokenServiceType" …>
</RoleDescriptor>

though now I’m having trouble finding the correct reply URL to use in Azure before generating the XML file.

For anyone following this saga, I think removing the SecurityTokenServiceType is what keeps the SAML integration in Nexus IQ from using a token in a browser for a user who is already logged in with their Azure account. When I click the Single Sign-On button in Nexus IQ from another tab in the logged-in browser, I get a “Missing credentials” error, whereas if I do so from a private tab, I am taken to my normal Azure login prompt.

I’m still struggling to find the correct reply URL to use in Azure before generating the XML file, so after entering my credentials in the Azure UI, I get the following error:

Sorry, but we’re having trouble signing you in.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘…’
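As an added example that is not part of the original posts and not Sonatype's own tooling: the cvc-elt.4.2 message is an XML Schema validation error, meaning the validator has no schema for the fed: (WS-Federation) namespace that Azure's RoleDescriptor elements carry, while the SAML 2.0 endpoints and signing certificate live in the IDPSSODescriptor. The script below does the same removal programmatically instead of by hand, reports what it removed, and pulls the entity ID, HTTP-Redirect SSO endpoint and signing-certificate count from what is left so you can confirm the SAML part survived. The metadata it parses is a constructed stand-in for Azure's FederationMetadata.xml with a placeholder tenant ID, URLs and certificate. One caveat a practitioner will want: Azure signs that metadata document, so any edit invalidates the enveloped XML signature; the script flags whether a Signature element is present so you know the edited file only works with a consumer that does not verify it.

```python
"""Strip the WS-Federation RoleDescriptor elements from Azure AD federation
metadata so that a strict SAML 2.0 metadata validator accepts it.

Added example; not code from the original thread or from Sonatype. The
sample metadata is constructed in the shape of Azure's FederationMetadata.xml
with a placeholder tenant ID, endpoint URLs and certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
}
# Keep the conventional prefixes on output instead of ElementTree's ns0/ns1.
ET.register_namespace("", NS["md"])
for _prefix in ("ds", "xsi", "fed"):
    ET.register_namespace(_prefix, NS[_prefix])

SAML_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

# Constructed sample in the shape Azure produces; every value is a placeholder.
SAMPLE_METADATA = f"""<EntityDescriptor ID="_placeholder" entityID="https://sts.windows.net/{TENANT}/"
    xmlns="{NS['md']}" xmlns:xsi="{NS['xsi']}" xmlns:fed="{NS['fed']}">
  <Signature xmlns="{NS['ds']}"><SignatureValue>placeholder</SignatureValue></Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="{NS['fed']}">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="{NS['fed']}">
    <fed:PassiveRequestorEndpoint/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>MIIC...placeholder</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{SAML_REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{SAML_REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def strip_role_descriptors(metadata_xml):
    """Remove every RoleDescriptor child of the EntityDescriptor (Azure uses them
    only for WS-Federation) and return (cleaned_xml, removed_xsi_types)."""
    root = ET.fromstring(metadata_xml)
    removed = []
    for role in list(root.findall("md:RoleDescriptor", NS)):
        # xsi:type is read as the literal attribute value, e.g. "fed:ApplicationServiceType".
        removed.append(role.get("{%s}type" % NS["xsi"], "<no xsi:type>"))
        root.remove(role)
    return ET.tostring(root, encoding="unicode"), removed


def has_metadata_signature(metadata_xml):
    """True when the document carries an XML-DSig Signature. Editing the document
    invalidates it, so a consumer that verifies the signature rejects the cleaned file."""
    return ET.fromstring(metadata_xml).find("ds:Signature", NS) is not None


def summarize_idp(metadata_xml):
    """Pull the values a SAML service provider actually needs from the IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: document is not SAML 2.0 IdP metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    signing = [
        kd for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")  # an absent 'use' covers signing and encryption
        and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect": sso.get(SAML_REDIRECT),
        "signing_certs": len(signing),
    }


if __name__ == "__main__":
    cleaned, removed = strip_role_descriptors(SAMPLE_METADATA)
    print("removed:", removed)
    if has_metadata_signature(cleaned):
        print("note: the metadata is signed; this edit invalidates that signature")
    print(summarize_idp(cleaned))
```

To run it against a real download, replace SAMPLE_METADATA with the contents of the FederationMetadata.xml file; the summary's sso_redirect value is the IdP side of the exchange, not the reply URL that AADSTS50011 complains about, which is the service provider's own assertion consumer endpoint and has to be taken from the SP configuration.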

Hey Austin,

I’m not sure I can be much help on this one. Let me see if I can find some folks that might be able to provide some more insight.

For this particular issue it might be better to open a support request at support.sonatype.com so the team can dive into the specifics a bit more.

Thank you, @nickcook. I’ve submitted a ticket and will post what I learn here after it’s resolved. I realized I’m also missing some information above about proxying to my internal server from an Azure public URL. I’ll include the details in the answer so others can benefit if their Nexus IQ setup is similar.
