Trying to make SAML2.0 SSO work with Azure AD

Gregory_Edigaro
Champ in-the-making

Hello. OK, so here is the configuration from my test environment:

Dockerfile:


FROM nuxeo:10.10
COPY nuxeo.conf /etc/nuxeo
COPY saml-authentication-config.xml ms.xml authchain.xml /opt/nuxeo/server/nxserver/config/
COPY log4j2.xml /opt/nuxeo/server/lib
USER root
RUN chown -R nuxeo /opt/nuxeo/server/nxserver/config/
RUN chmod 666 /etc/nuxeo/nuxeo.conf
RUN apt-get update && apt-get install -y build-essential cmake git tesseract-ocr gcc libcurl4-gnutls-dev libtesseract-dev libleptonica-dev 
RUN git clone https://github.com/CCExtractor/ccextractor.git /ccextractor
USER nuxeo

docker-compose.yml is rather simple:

version: "3"
services:
  mynuxeo:
    build: .
    environment:
      NUXEO_PACKAGES: "nuxeo-web-ui nuxeo-dam nuxeo-drive nuxeo-showcase-content nuxeo-template-rendering nuxeo-template-rendering-samples nuxeo-spreadsheet saml2-authentication openid-authentication"
    ports:

saml-authentication-config.xml:

<component name="org.nuxeo.ecm.platform.login.saml.auth">
  <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
    <authenticationPlugin name="SAML_AUTH" enabled="true"
                          class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <!-- Setting needStartingURLSaving
        - to true: user will be redirected to the URL initially asked for after authentication.
        - to false: user will always be redirected to the home page after authentication. -->
      <needStartingURLSaving>true</needStartingURLSaving>
      <parameters>
        <!-- Make sure to use a unique name, especially if you have several identity providers -->
        <parameter name="name">AzureAD</parameter>
        <!-- The IdP's icon will only be shown if SAML auth is displayed
        as an alternative login option in the login form. -->
        <!-- <parameter name="icon">/img/idpIcon.png</parameter> -->
        <!-- The metadata parameter can either be a URL or a path to a static file -->
        <parameter name="metadata">/opt/nuxeo/server/nxserver/config/ms.xml</parameter>
        <parameter name="userResolverCreateIfNeeded">false</parameter>
        <parameter name="userResolverUpdate">false</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>
  <extension target="org.nuxeo.usermapper.service.UserMapperComponent" point="mapper">
    <mapper name="saml" type="js">
      <mapperScript>
         searchAttributes.put("username", userObject.getNameID().getValue());
         userAttributes.put("email", userObject.getNameID().getValue());
      </mapperScript>
    </mapper>
  </extension>

  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
    <authenticationChain>
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <!-- Optionally, add the FORM_AUTH
        if you want to see the SAML authentication appear
        as an alternative option on the login form.
        In this case, make sure to fill in the icon's path
        in the authentication plugin parameters.
        -->
        <plugin>FORM_AUTH</plugin>
        <plugin>SAML_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>
</component>

Also, there is an ms.xml which stores the metadata I've downloaded from Azure.

When I open the login page in the browser I see that AzureAD's 'icon' (as it is rather a simple link) appears on the login form. BUT: the link appears to be https://my.domain/nuxeo/null , not the right link from ms.xml

what am I missing?


Gregory_Carlin
Elite Collaborator

Hello,

Your issue is not directly related to Azure AD. As an example, here is what we use to log in with Okta (SAML based). As you can see, we explicitly write the URL in the metadata property:

<extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
  <authenticationPlugin name="OKTA_AUTH_NUXEO" enabled="true" class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
    <loginModulePlugin>Trusting_LM</loginModulePlugin>
    <needStartingURLSaving>true</needStartingURLSaving>
    <parameters>
      <parameter name="name">Okta</parameter>
      <!-- Uri of the metadata -->
      <parameter name="metadata">https://auth.nuxeo.com/app/XXXXXXXXXXXX/sso/saml/metadata</parameter>
      <!-- Request timeout in seconds -->
      <parameter name="timeout">5</parameter>
    </parameters>
  </authenticationPlugin>
</extension>
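The `null` in the login link comes down to what the SAML provider can (or cannot) read out of the metadata it was given: the login link is built from the IdP's SingleSignOnService endpoint, so if the metadata file never yields one, there is nothing to put in the URL. Before pointing the `metadata` parameter at a file or URL, it is worth checking the document independently of Nuxeo. The script below is an added example, not code from this thread or from Nuxeo: it parses an IdP EntityDescriptor, extracts the entityID, the SSO/SLO endpoints per binding and the signing certificates, and reports the conditions that would leave the provider with no usable login endpoint or no way to verify responses. The two metadata documents embedded in it are constructed samples (placeholder tenant and certificate values), and all function names are my own.

```python
"""Sanity-check SAML IdP metadata before handing it to a SAML SP (here Nuxeo's SAML_AUTH).

Added example, not Nuxeo code. Run it as:  python check_idp_metadata.py ms.xml
(or pass an https:// URL; plain http is refused because the SP trusts whatever it fetches).
"""
import sys
import urllib.request
import xml.etree.ElementTree as ET  # for metadata from an untrusted source, prefer defusedxml
from dataclasses import dataclass, field

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


@dataclass
class IdpMetadata:
    entity_id: str
    sso: dict                      # binding URN -> Location
    slo: dict                      # binding URN -> Location
    signing_certs: list = field(default_factory=list)

    def login_url(self, binding=REDIRECT):
        """Endpoint the SP would redirect the browser to; None if the IdP offers none."""
        return self.sso.get(binding)


def load_metadata(source: str, timeout: int = 5) -> str:
    """Read metadata from a local path or an https:// URL (http:// is rejected on purpose)."""
    if source.startswith("http://"):
        raise ValueError("refusing to fetch IdP metadata over plaintext http")
    if source.startswith("https://"):
        with urllib.request.urlopen(source, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    with open(source, encoding="utf-8") as fh:
        return fh.read()


def parse_idp_metadata(xml_text: str) -> IdpMetadata:
    root = ET.fromstring(xml_text)
    # Some IdPs wrap the descriptor in an EntitiesDescriptor; unwrap the first entity.
    if root.tag == "{%s}EntitiesDescriptor" % NS["md"]:
        root = root.find("md:EntityDescriptor", NS)
    if root is None or root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
            continue
        certs += ["".join((c.text or "").split()) for c in kd.findall(".//ds:X509Certificate", NS)]
    return IdpMetadata(root.get("entityID"), sso, slo, certs)


def check(meta: IdpMetadata) -> list:
    """Return a list of problems; an empty list means the SP has what it needs."""
    problems = []
    if not meta.entity_id:
        problems.append("missing entityID (needed to match the Issuer of responses)")
    if REDIRECT not in meta.sso:
        problems.append("no HTTP-Redirect SingleSignOnService: the SP has no login URL to build")
    for binding, loc in meta.sso.items():
        if not (loc or "").startswith("https://"):
            problems.append("SSO endpoint for %s is not https: %r" % (binding, loc))
    if not meta.signing_certs:
        problems.append("no signing certificate: SAML responses cannot be verified")
    return problems


# Constructed sample: the shape Azure AD's federation metadata has, with placeholder values.
GOOD_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-PLACEHOLDER-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample of a document that parses but leaves the SP with nothing usable.
BAD_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


if __name__ == "__main__":
    text = load_metadata(sys.argv[1]) if len(sys.argv) > 1 else GOOD_METADATA
    meta = parse_idp_metadata(text)
    print("entityID :", meta.entity_id)
    print("login URL:", meta.login_url())
    for p in check(meta):
        print("PROBLEM  :", p)
```

On the good sample the login URL resolves and `check` returns nothing; on the bad sample `login_url()` is `None` and two problems are reported (no HTTP-Redirect endpoint, no signing certificate). Two practitioner notes follow from the reply above: a metadata URL only buys you the IdP's current signing certificate at fetch time if the fetch is over TLS to the right host, so keep it `https://` and keep the `timeout`; and if you stay with a static file, re-check it whenever the IdP rotates its signing certificate, because a stale certificate means every assertion fails verification.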

OK, it seems to work now. Another question:

nuxeo.url is set to the right value, but resets to http
