a-langer / nexus-sso

Single Sign-On patch for Nexus OSS
Eclipse Public License 1.0

Context Path Support #15

Closed cireCloud closed 11 months ago

cireCloud commented 11 months ago

Greetings, by having our Nexus service behind the "/nexus" context path, we're facing some issues with SAML functionality. After authentication against Azure, we're getting redirected to the root domain (without the context path). This seems to be happening after "/callback". After that, if we manually go to "/nexus" again in the browser, the user is logged in and there are no issues. Where could the issue be? Shiro/metadata URLs are set with the context path.

a-langer commented 11 months ago

Hi. As far as I understand, you have already set the "NEXUS_CONTEXT" variable, which is used in nexus-default.properties. Try specifying the callbackFilter.defaultUrl parameter in shiro.ini:

## Pac4j filters
callbackFilter = io.buji.pac4j.filter.CallbackFilter
callbackFilter.config = $config
callbackFilter.defaultUrl = /nexus

cireCloud commented 11 months ago

Thank you. We're having one more issue: the Azure SAML tenant we're using has a 1 hour session timeout. For other services it is enough to refresh the page and it will refresh the session, but with the Nexus plugin it just exits with error 500 on login. Error in the logs:

2023-10-18 14:42:40,176+0000 ERROR [qtp1313754792-102] *UNKNOWN org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator - Current assertion validation failed, continue with the next one org.pac4j.saml.exceptions.SAMLAuthnInstantException: Authentication issue instant is too old or in the future.

Is there an additional parameter to refresh it on login? For now I tried uncommenting "sessionManager.globalSessionTimeout" in shiro.ini, but as expected it didn't help, since it's a pac4j issue?

a-langer commented 11 months ago

Your error is described in this documentation https://www.pac4j.org/docs/clients/saml.html#6-adfs-subtleties, try:

# lifetime in seconds (7200s = 2h)
saml2Config.maximumAuthenticationLifetime = 7200

See also https://github.com/a-langer/nexus-sso/issues/10, https://github.com/a-langer/nexus-sso/issues/11.

If after that you still have problems with authentication lifetime, then please open another issue. Please don't mix different topics in one issue. Closing this issue because the recommendations for setting context path have been provided.
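To make the lifetime check behind the "Authentication issue instant is too old or in the future" error concrete, here is an added example (not code from nexus-sso or pac4j) that models the validation pac4j applies to the assertion's AuthnInstant: the age of the AuthnInstant is compared against maximumAuthenticationLifetime, with a small clock-skew allowance. The assertion XML, the 3600s and 7200s lifetimes, the 60s skew allowance and the timestamps are constructed for the example; the 14:42:40Z "now" mirrors the log line above.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed minimal assertion: only the AuthnInstant attribute matters here.
# The IdP issued it at 13:30:00Z; the SP sees it again on a page refresh later.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2023-10-18T13:30:00Z" SessionIndex="_constructed"/>
</saml:Assertion>"""


def parse_authn_instant(assertion_xml: str) -> datetime:
    """Extract AuthnStatement/@AuthnInstant as a timezone-aware datetime."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("assertion has no AuthnStatement/AuthnInstant")
    # SAML timestamps are UTC with a trailing Z; normalise for fromisoformat.
    return datetime.fromisoformat(stmt.attrib["AuthnInstant"].replace("Z", "+00:00"))


def authn_instant_age_seconds(assertion_xml: str, now: datetime) -> float:
    """Seconds elapsed since the authentication instant (negative if in the future)."""
    return (now - parse_authn_instant(assertion_xml)).total_seconds()


def authn_instant_acceptable(assertion_xml: str, now: datetime,
                             max_lifetime_s: int, accepted_skew_s: int = 60) -> bool:
    """Model of the lifetime check: reject if older than max_lifetime_s (plus skew)
    or if it lies in the future beyond the skew allowance."""
    age = authn_instant_age_seconds(assertion_xml, now)
    if age > max_lifetime_s + accepted_skew_s:
        return False  # "too old": the case hit after the 1h tenant session
    if age < -accepted_skew_s:
        return False  # "in the future": clock drift beyond tolerance
    return True


if __name__ == "__main__":
    now = datetime(2023, 10, 18, 14, 42, 40, tzinfo=timezone.utc)  # from the log line
    print("age (s):", authn_instant_age_seconds(SAMPLE_ASSERTION, now))
    print("1h lifetime ->", authn_instant_acceptable(SAMPLE_ASSERTION, now, 3600))
    print("2h lifetime ->", authn_instant_acceptable(SAMPLE_ASSERTION, now, 7200))
```

With the constructed timestamps the assertion is 4360s old, so a 3600s lifetime rejects it exactly as in the log, while the 7200s setting from the comment above accepts it.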