a-langer / nexus-sso

Single Sign-On patch for Nexus OSS
Eclipse Public License 1.0

Microsoft EntraID Error 500 (Attributes mapping) #18

Closed ttoth99 closed 7 months ago

ttoth99 commented 8 months ago

Hi,

I tried to configure SAML authentication with EntraID SAML. I am past the authentication (we are using 2FA) and the plugin receives the attributes. I turned on debugging and I can see this in nexus.log:

2024-01-17 19:12:47,436+0100 DEBUG [qtp409842249-99] *UNKNOWN io.buji.pac4j.engine.ShiroCallbackLogic - profile: #SAML2Profile# | id: tamas.toth@*.com | attributes: {http://schemas.microsoft.com/identity/claims/displayname=[Tamás Tóth], http://schemas.microsoft.com/identity/claims/identityprovider=[https://sts.windows.net/3b3***11/], http://schemas.microsoft.com/claims/authnmethodsreferences=[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password, http://schemas.microsoft.com/claims/multipleauthn], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=[tamas.toth@******.com], notBefore=2024-01-17T18:07:46.956Z, http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[nx-admin], http://schemas.microsoft.com/identity/claims/tenantid=[e2a4fc77-c7c6-4afd-b73e-40a17f80d9af], http://schemas.microsoft.com/identity/claims/objectidentifier=[64ecc38e-1ca8-4470-8d93-8961392f538c], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=[Tamás], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[tamas.toth@*******.com], notOnOrAfter=2024-01-17T19:12:46.956Z, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=[Tóth], sessionindex=_fb18f6bd-4c1e-4637-8af1-2c2af6ed2800} | roles: [] | permissions: [] | isRemembered: false | clientName: SAML2Client | linkedId: null |
2024-01-17 19:12:47,438+0100 DEBUG [qtp409842249-99] *UNKNOWN org.apache.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [tamas.toth@.com] from doGetAuthenticationInfo
2024-01-17 19:12:47,438+0100 DEBUG [qtp409842249-99] *UNKNOWN org.apache.shiro.realm.AuthenticatingRealm - AuthenticationInfo caching is disabled for info [tamas.toth@****.com]. Submitted token: [io.buji.pac4j.token.Pac4jToken@32c05e3a].
2024-01-17 19:12:47,438+0100 DEBUG [qtp409842249-99] *UNKNOWN org.apache.shiro.authc.credential.SimpleCredentialsMatcher - Performing credentials equality check for tokenCredentials of type [java.lang.Integer] and accountCredentials of type [java.lang.Integer]
2024-01-17 19:12:47,439+0100 DEBUG [qtp409842249-99] *UNKNOWN org.apache.shiro.authc.AbstractAuthenticator - Authentication successful for token [io.buji.pac4j.token.Pac4jToken@32c05e3a]. Returned account [tamas.toth@.com]
2024-01-17 19:12:47,441+0100 TRACE [qtp409842249-99] *UNKNOWN com.github.alanger.nexus.bootstrap.Pac4jAuthenticationListener - token: io.buji.pac4j.token.Pac4jToken@32c05e3a, info: tamas.toth@.com, principals: tamas.toth@.com
2024-01-17 19:12:47,461+0100 DEBUG [qtp409842249-99] *SYSTEM org.sonatype.nexus.internal.web.ErrorPageServlet - Attaching cause
javax.servlet.ServletException: Filtered request failed.
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:392)
    at org.sonatype.nexus.security.SecurityFilter.doFilterInternal(SecurityFilter.java:112)
    ...
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)

Caused by: java.lang.NullPointerException: Cannot invoke method getName() on null object
    at org.codehaus.groovy.runtime.NullObject.invokeMethod(NullObject.java:91)

2024-01-17 19:12:47,463+0100 DEBUG [qtp409842249-99] *UNKNOWN org.apache.shiro.session.mgt.DefaultSessionManager - Unable to resolve session ID from SessionKey [org.apache.shiro.web.session.mgt.WebSessionKey@5b41738f]. Returning null to indicate a session could not be found.
2024-01-17 19:12:51,684+0100 DEBUG [nexus-httpclient-eviction-thread] *SYSTEM org.sonatype.nexus.internal.httpclient.SharedHttpClientConnectionManager - Closing expired connections

Thanks,

a-langer commented 8 months ago

I've improved the script Pac4jAuthenticationListener.java to make error output easier. Update it yourself and try again. It is enough to enable debugging with the "TRACE" level only for the class Pac4jAuthenticationListener:

<logger name="com.github.alanger.nexus.bootstrap.Pac4jAuthenticationListener" level="TRACE" />
ttoth99 commented 7 months ago

Hi,

Thanks for the debugging settings and the possibility! I noticed that every parameter (firstname, lastname) had my email address as its value! In the shiro.ini I added the EntraID parameters:

pac4jAuthenticationListener.attrs[id] = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
pac4jAuthenticationListener.attrs[firstName] = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
pac4jAuthenticationListener.attrs[lastName] = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
pac4jAuthenticationListener.attrs[email] = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

I also added the correct URL directly:

saml2Config.serviceProviderEntityId = https://j****.****.com/callback?client_name=SAML2Client
clients.callbackUrl = https://j****.****.com/callback

The {PAC4J_BASE_URL} had a value, therefore the localhost was what caused me problems.

Thanks for your help, I will continue testing. I also upgraded the Nexus version to 3.64.0, and it seems it is working! I also tested the original Pac4jAuthenticationListener.java and that version is OK!

Thanks,
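As an added illustration of the attribute mapping discussed above (this is not code from the nexus-sso project), the following resolves id/firstName/lastName/email from a pac4j SAML2 profile's attribute map using the `pac4jAuthenticationListener.attrs[...]` keys from the comment, and reports a missing mapped claim by name rather than handing a null value on to later code. The shiro.ini fragment and the profile attributes are constructed for the example, shaped like the entries in the debug log.

```python
# Added example (not nexus-sso project code): resolve id/firstName/lastName/email
# from a pac4j SAML2 profile attribute map using the shiro.ini keys shown in this
# thread, and report a missing mapped claim explicitly instead of passing a null
# value downstream (where a later getName() call would raise NullPointerException).
import re

CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed shiro.ini fragment with the mapping posted above.
SHIRO_INI = f"""
pac4jAuthenticationListener.attrs[id] = {CLAIMS}emailaddress
pac4jAuthenticationListener.attrs[firstName] = {CLAIMS}givenname
pac4jAuthenticationListener.attrs[lastName] = {CLAIMS}surname
pac4jAuthenticationListener.attrs[email] = {CLAIMS}emailaddress
"""

# Constructed profile attributes, shaped like "attributes: {...}" in the debug log;
# pac4j delivers every SAML attribute as a list of values.
PROFILE_ATTRS = {
    CLAIMS + "emailaddress": ["tamas.toth@example.com"],
    CLAIMS + "givenname": ["Tamás"],
    CLAIMS + "surname": ["Tóth"],
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": ["nx-admin"],
}

FIELDS = ("id", "firstName", "lastName", "email")
KEY_RE = re.compile(r"^\s*pac4jAuthenticationListener\.attrs\[(\w+)\]\s*=\s*(\S+)\s*$")


def parse_attr_mapping(ini_text):
    """Return {field: claim URI} from pac4jAuthenticationListener.attrs[...] lines."""
    return {m.group(1): m.group(2) for m in map(KEY_RE.match, ini_text.splitlines()) if m}


def missing_fields(profile_attrs, mapping):
    """Fields whose mapped claim is unmapped, absent from the profile, or empty."""
    return [f for f in FIELDS if not profile_attrs.get(mapping.get(f, ""))]


def resolve_user(profile_attrs, mapping):
    """Build the user record, or fail naming the exact field/claim that is missing."""
    missing = missing_fields(profile_attrs, mapping)
    if missing:
        detail = ", ".join(f"{f} -> {mapping.get(f, '<unmapped>')}" for f in missing)
        raise ValueError(f"SAML profile lacks mapped claim(s): {detail}")
    return {f: profile_attrs[mapping[f]][0] for f in FIELDS}


if __name__ == "__main__":
    print(resolve_user(PROFILE_ATTRS, parse_attr_mapping(SHIRO_INI)))
```

Running it with a mapping that omits `lastName`, or against a profile without the givenname claim, lists exactly those fields, which is the information the original NullPointerException hid.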

a-langer commented 7 months ago

Great, glad it worked out for you. As far as I know, after version 3.58.1, user tokens stopped working. Could you please check this? I'm currently working on fixing this problem and testing on 3.60.0.

a-langer commented 7 months ago

Released version 3.61.0. Instead of a patch, the Nexus plugin has been implemented:

Note: Since version 3.61.0 for SSO and User Tokens, it is enough to have three realms: "Local Authenticating Realm", "SSO Pac4j Realm" and "SSO Token Realm". Other realms are not required and may lead to conflicts.

See README.md.

IstvanCsVarga commented 4 months ago

Hey, sorry to spam this issue, but I'm facing a very similar problem; however, I've set up my shiro.ini files the same way as @ttoth99 suggested. @ttoth99, do you think you could share your sp-metadata.xml, metadata.xml and shiro.ini files? I am having a hard time setting this up even while following the docs.

ttoth99 commented 4 months ago

Hi,

I removed the sensitive settings from the files and replaced them with ****. I just tested it; it is not to be used in production.

Regards, Tamás

nexus_3.58.1.zip

IstvanCsVarga commented 4 months ago

> Hi,
>
> I removed the sensitive settings from the files and replaced them with ****. I just tested it; it is not to be used in production.
>
> Regards, Tamás
>
> nexus_3.58.1.zip

Oh man thank you so much!!! Finally, I was able to make it work.