SAML for IQ Server

SAML support is coming to IQ Server, stay tuned.


Release 74 (September 2019)

IQ Server can now be configured to enable single sign-on via SAML during login…
https://help.sonatype.com/iqserver/managing/user-management/saml-integration

I’m getting this XML validation error when using Azure AD as the IdP -

Identity provider metadata could not be validated: Invalid SAML metadata: cvc-elt.4.2: Cannot resolve ‘fed:SecurityTokenServiceType’ to a type definition for element ‘RoleDescriptor’.

Damian, please file a support ticket and we’ll review through that channel.

I’m also interested in using IQ Server SAML against Azure AD as an IdP. Perhaps a dedicated Azure AD walkthrough article for SAML is needed.


Hello @jwhitehouse, I started a new thread here:

Essentially, I can work around the IQ error (and another) above by removing two fields in the Azure XML file. However, this causes a problem with the token stored in cookies.

I’m still unable to get the Azure SSO to work though because I can’t get the Reply URL (Assertion Consumer Service URL) setting in Azure correct before generating the XML file. Can you provide any advice? I’ve attached a screen capture of the fields in Azure I need. The Identifier (Entity ID) from the Nexus IQ SAML configuration page works fine, but I’ve tried many things for the Reply URL and can’t find the correct setting. I also don’t know if the Sign on URL is needed.
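The validation error quoted earlier names the WS-Federation `RoleDescriptor` elements (typed `fed:SecurityTokenServiceType` and similar) that Azure AD puts in its federation metadata alongside the SAML `IDPSSODescriptor`. The following is an added example, not code from the thread or from IQ Server, showing one way to strip those elements from a downloaded metadata file while refusing to emit a file that has lost the signing certificate or SSO endpoint. It assumes the "two fields" removed by hand above were these `RoleDescriptor` elements; the sample metadata, certificate and signature bodies are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Namespaces used in Azure AD federation metadata (constants for this example).
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Keep recognisable prefixes on output instead of ElementTree's ns0/ns1 renaming.
for _prefix, _uri in (("md", MD), ("ds", DS), ("fed", FED), ("xsi", XSI)):
    ET.register_namespace(_prefix, _uri)


def strip_wsfed_role_descriptors(metadata_xml: str) -> Tuple[str, List[str], bool]:
    """Remove WS-Federation <RoleDescriptor> children from an <EntityDescriptor>.

    Returns (cleaned_xml, removed_xsi_types, was_signed). Raises ValueError when
    the result would not be usable SAML IdP metadata (no IDPSSODescriptor, no
    signing certificate, no SSO endpoint), so a broken file never reaches the
    SP configuration silently.
    """
    # xml.etree does not fetch external entities, but the input should still
    # only ever be the file fetched over HTTPS from the tenant's own endpoint.
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")

    removed: List[str] = []
    for rd in list(root.findall(f"{{{MD}}}RoleDescriptor")):  # direct children only
        removed.append(rd.get(f"{{{XSI}}}type", "<no xsi:type>"))
        root.remove(rd)

    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; nothing for a SAML SP to use")
    key = idp.find(f"{{{MD}}}KeyDescriptor")
    if key is None or next(key.iter(f"{{{DS}}}X509Certificate"), None) is None:
        raise ValueError("IDPSSODescriptor carries no X509 signing certificate")
    if idp.find(f"{{{MD}}}SingleSignOnService") is None:
        raise ValueError("IDPSSODescriptor has no SingleSignOnService endpoint")

    # An enveloped XML signature over the EntityDescriptor is invalidated by any
    # edit, so the caller must know that the cleaned file is now effectively unsigned.
    was_signed = root.find(f"{{{DS}}}Signature") is not None
    return ET.tostring(root, encoding="unicode"), removed, was_signed


# Constructed sample shaped like Azure AD federation metadata; the certificate
# and signature values are placeholders, not real material.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
    protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:SecurityTokenServiceEndpoint/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
    protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ApplicationServiceEndpoint/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    cleaned, removed, signed = strip_wsfed_role_descriptors(SAMPLE_METADATA)
    print("removed:", removed)
    print("signature present before edit (now invalid):", signed)
    print(cleaned)
```

Because the edit breaks the metadata signature, treat the cleaned file as unsigned: fetch the original directly from the tenant over HTTPS, compare the `X509Certificate` in the cleaned file against the signing certificate shown in the Azure portal, and re-run the step whenever Azure rolls the signing certificate, since the stale copy will stop validating assertions.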

It would be a great feature if we had the option to allow SAML users to derive their role memberships from LDAP groups that are associated with the roles. I will need to abandon SAML for now until this becomes an option. Our authorization infrastructure uses AD LDAP.

Christopher, can you use AD LDAP directly? What’s the need for both LDAP and SAML?

The benefit of SAML is that we have corporately enabled desktop SSO using SAML. SAML would enable our users to authenticate from Windows session rather than entering their password again.

It would be greatly appreciated if we could provision access to SAML groups using the UI and not have to do it via the API.

I was able to correctly configure SAML for use with Azure AD. What I haven’t figured out is how to use claims in the SAML to identify who should have membership to the different roles in IQ Server (specifically Administrator). Does anyone know how to do this?

Hello @jmcpherson - when I was attempting the SAML setup, I was able to get the claims set up to match up to the IQ server groups. Tried to find something explicit in my old notes, but nothing for Nexus. However, this unrelated page may have some useful information to get you started.

@austin Thanks! That worked great. Have you been able to assign a role in Azure that maps to System Administrator? I would prefer to keep the number of local accounts to a minimum, and we have a policy against sharing passwords.

@jmcpherson at first glance, it seems you should be able to map system administrator like you can the other roles, like owner, developer, application evaluator, etc. That said, I think I remember someone having trouble mapping to the admin role. I don’t know what they tried, though. I can’t remember if I mapped to admin or not.

@austin The issue I ran into was that Azure AD doesn’t allow spaces in the role names. I can map all of the other roles successfully. However, any role other than System Administrator does not have access at the root level.

Can you create your own administrator role in IQ (no space in name) and assign it the administrator permissions, then map that in Azure?

No, unfortunately custom roles aren’t allowed the right degree of access, and only roles with spaces in them have the level of access I would like to delegate to SAML groups.

Ah, I see. Too bad there’s not a configuration file that IQ pulls the names from, but they seem to be in the .jar file. I wonder if %20 would work instead of space, so system%20administrator in the Azure config. Seems a long shot. I do remember having this issue when I configured Azure SAML for a different application. Fortunately, I’ve been able to ignore those roles so far.

I’m able to integrate with Azure AD with some limitations.
1.) The Group ID claim returns the ID and not the name of the group. This is a known limitation of Azure AD. It would be good to have a configuration for translation of the group ID claim to a group name in Nexus IQ Server.

2.) Since (1) is not working, I would like to use a local user to map the SAML user. The username returned from SAML is in email format. However, email format is not supported for the local user username. It is very common to use an email address as the username.

Thanks & regards,
Jeremy
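Two of the problems in this thread, role names that cannot contain spaces in Azure AD and a groups claim that carries object IDs rather than names, are both claim-translation steps that sit between the verified assertion and the application's role lookup. The following is an added example, not code from the thread, from IQ Server or from Sonatype, showing what that translation looks like: it extracts the NameID, group and role attributes from a constructed SAML response, resolves group object IDs against a hypothetical local directory (unknown IDs are reported, never granted), and maps space-free role values such as `SystemAdministrator` to the built-in role names mentioned above by exact comparison. The claim names are the defaults Azure AD uses for group and role claims (an assumption; tenants can rename them), and the example trusts its input only because the response's signature and conditions are assumed to have been verified first.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Default Azure AD claim names for groups and app roles (assumption: not renamed
# in the tenant's claim configuration).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Hypothetical local directory: Azure AD group object ID -> group name used in IQ.
GROUP_DIRECTORY = {
    "3f2504e0-4f89-11d3-9a0c-0305e82c3301": "iq-developers",
    "b6e7c5b0-2a9f-4d5c-9e1d-6f3a2c1b0e9d": "iq-owners",
}

# Built-in role names as they appear in the thread; the lookup key is the
# space-free, case-folded form a role value would carry from Azure AD.
IQ_BUILTIN_ROLES = ["System Administrator", "Owner", "Developer", "Application Evaluator"]
_ROLE_BY_COMPACT_NAME = {r.replace(" ", "").lower(): r for r in IQ_BUILTIN_ROLES}


def extract_claims(response_xml: str) -> Dict[str, object]:
    """Return NameID, group IDs and role values from the first Assertion.

    Precondition: the response's XML signature, Conditions and Audience have
    already been verified; this function trusts what it is given.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find(f".//{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no Assertion in response")
    name_id = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    attrs: Dict[str, List[str]] = {}
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        values = [v.text.strip() for v in attr.findall(f"{{{SAML}}}AttributeValue") if v.text]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return {
        "name_id": name_id.strip() if name_id else None,
        "groups": attrs.get(GROUPS_CLAIM, []),
        "roles": attrs.get(ROLE_CLAIM, []),
    }


def resolve_group_names(group_ids: List[str], directory: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Translate group object IDs to names. Unknown IDs are returned separately
    and never turned into a group name (fail closed)."""
    known: List[str] = []
    unknown: List[str] = []
    for gid in group_ids:
        name = directory.get(gid.lower())
        (known if name else unknown).append(name or gid)
    return known, unknown


def map_role_claims(role_values: List[str]) -> Tuple[List[str], List[str]]:
    """Map space-free role values (e.g. 'SystemAdministrator') to built-in role
    names by exact match after removing spaces and case; anything else is
    returned as unmatched rather than guessed."""
    mapped: List[str] = []
    unmatched: List[str] = []
    for value in role_values:
        name = _ROLE_BY_COMPACT_NAME.get(value.replace(" ", "").lower())
        (mapped if name else unmatched).append(name or value)
    return mapped, unmatched


# Constructed sample response (no signature; see the precondition above).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:AttributeValue>
        <saml:AttributeValue>9c858901-8a57-4791-81fe-4c455b099bc9</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>SystemAdministrator</saml:AttributeValue>
        <saml:AttributeValue>Developer</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    claims = extract_claims(SAMPLE_RESPONSE)
    print("user:", claims["name_id"])
    print("groups (known, unknown):", resolve_group_names(claims["groups"], GROUP_DIRECTORY))
    print("roles (mapped, unmatched):", map_role_claims(claims["roles"]))
```

The directory lookup and the role table are the parts that would need to live in configuration; the point of keeping both exact-match and fail-closed is that a typo in a group ID or a role value ends up in the "unknown" list for an operator to inspect rather than silently granting, or silently dropping, an administrator mapping.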