02-13-2020 01:27 AM
Hello. Ok, so here is the configuration from my test environment:
Dockerfile:
FROM nuxeo:10.10
COPY nuxeo.conf /etc/nuxeo
COPY saml-authentication-config.xml ms.xml authchain.xml /opt/nuxeo/server/nxserver/config/
COPY log4j2.xml /opt/nuxeo/server/lib
USER root
RUN chown -R nuxeo /opt/nuxeo/server/nxserver/config/
RUN chmod 666 /etc/nuxeo/nuxeo.conf
RUN apt-get update && apt-get install -y build-essential cmake git tesseract-ocr gcc libcurl4-gnutls-dev libtesseract-dev libleptonica-dev
RUN git clone https://github.com/CCExtractor/ccextractor.git /ccextractor
USER nuxeo
docker-compose.yml is rather simple:
version: "3"
services:
  mynuxeo:
    build: .
    environment:
      NUXEO_PACKAGES: "nuxeo-web-ui nuxeo-dam nuxeo-drive nuxeo-showcase-content nuxeo-template-rendering nuxeo-template-rendering-samples nuxeo-spreadsheet saml2-authentication openid-authentication"
    ports:
saml-authentication-config.xml:
<component name="org.nuxeo.ecm.platform.login.saml.auth">
  <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>

  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
    <authenticationPlugin name="SAML_AUTH" enabled="true"
                          class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <!-- Setting needStartingURLSaving
           - to true: user will be redirected to the URL initially asked for after authentication.
           - to false: user will always be redirected to the home page after authentication. -->
      <needStartingURLSaving>true</needStartingURLSaving>
      <parameters>
        <!-- Make sure to use a unique name, especially if you have several identity providers -->
        <parameter name="name">AzureAD</parameter>
        <!-- The IdP's icon will only be shown if SAML auth is displayed
             as an alternative login option in the login form. -->
        <!-- <parameter name="icon">/img/idpIcon.png</parameter> -->
        <!-- The metadata parameter can either be a URL or a path to a static file -->
        <parameter name="metadata">/opt/nuxeo/server/nxserver/config/ms.xml</parameter>
        <parameter name="userResolverCreateIfNeeded">false</parameter>
        <parameter name="userResolverUpdate">false</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>

  <extension target="org.nuxeo.usermapper.service.UserMapperComponent" point="mapper">
    <mapper name="saml" type="js">
      <mapperScript>
        searchAttributes.put("username", userObject.getNameID().getValue());
        userAttributes.put("email", userObject.getNameID().getValue());
      </mapperScript>
    </mapper>
  </extension>

  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
    <authenticationChain>
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <!-- Optionally, add the FORM_AUTH
             if you want to see the SAML authentication appear
             as an alternative option on the login form.
             In this case, make sure to fill in the icon's path
             in the authentication plugin parameters.
        -->
        <plugin>FORM_AUTH</plugin>
        <plugin>SAML_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension> <!-- closing tag was missing in the pasted file; the chain extension must be closed before the component -->
</component>
Also there is an ms.xml which stores the metadata I've downloaded from Azure.
When I open the login page in the browser I see that AzureAD's 'icon' (it is rather a simple link) appears on the login form. BUT: the link looks like https://my.domain/nuxeo/null, not the right link from ms.xml.
What am I missing?
02-13-2020 01:32 AM
Hello,
Your issue is not directly related to Azure AD. As an example, here is what we use to log in with Okta (SAML based). As you can see, we explicitly write the URL in the metadata property:
<extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
  <authenticationPlugin name="OKTA_AUTH_NUXEO" enabled="true" class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
    <loginModulePlugin>Trusting_LM</loginModulePlugin>
    <needStartingURLSaving>true</needStartingURLSaving>
    <parameters>
      <parameter name="name">Okta</parameter>
      <!-- Uri of the metadata -->
      <parameter name="metadata">https://auth.nuxeo.com/app/XXXXXXXXXXXX/sso/saml/metadata</parameter>
      <!-- Request timeout in seconds -->
      <parameter name="timeout">5</parameter>
    </parameters>
  </authenticationPlugin>
</extension>
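Whether the metadata parameter points at a local file (ms.xml in the question) or at a URL (the Okta example in the answer), a login link of /nuxeo/null means the provider found nothing usable in it. The script below is an added example, not code from this thread or from Nuxeo: it parses SAML 2.0 IdP metadata and reports whether it carries a signing certificate and an HTTP-Redirect or HTTP-POST SingleSignOnService with an https Location. The embedded metadata is a constructed placeholder standing in for a downloaded ms.xml, and the function name inspect_idp_metadata is mine.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespaces and binding URIs (standard values, not page-specific)
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for a downloaded IdP metadata file such as ms.xml; all values are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/PLACEHOLDER-TENANT/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/PLACEHOLDER-TENANT/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/PLACEHOLDER-TENANT/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Summarise what a SAML SP needs from IdP metadata; return (info, problems)."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": 0}
    problems = []
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor found (is this SP metadata instead of IdP metadata?)")
        return info, problems
    # A KeyDescriptor with use="signing", or with no use attribute, carries the response-signing cert
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            info["signing_certs"] += len(kd.findall(".//ds:X509Certificate", NS))
    if info["signing_certs"] == 0:
        problems.append("no signing certificate: SAML responses could not be verified")
    # The SP builds its IdP login link from a Redirect or POST SingleSignOnService Location
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding"), sso.get("Location")
        info["sso"][binding] = location
        if not (location or "").startswith("https://"):
            problems.append("SSO Location is not https: %s" % location)
    if REDIRECT not in info["sso"] and POST not in info["sso"]:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService: no login URL to offer")
    return info, problems


if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE_METADATA))
```

Run it against the real file (`inspect_idp_metadata(open("ms.xml").read())`) before pointing the metadata parameter at it; an empty problems list means the file has the pieces the login link is built from.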
02-13-2020 03:38 AM
Ok, it seems to work now. Another question:
02-13-2020 03:55 AM
nuxeo.url is set to right value, but resets to http