Multiple Identity providers

Hello all,

Has anyone successfully configured multiple identity providers for authentication with Nuxeo or does anyone have a clue as to if it is possible? My use case is that I have some users that will need to be able to authenticate with Azure AD and others via Okta. Any help or insight would be greatly appreciated.

0 votes

1 answers

101 views

ANSWER
Hello,

You need to set up the SAML2 addon and follow the documentation. Luckily, we use it internally, so all you need for Okta is to create a new app in the Okta Admin, set up the user field mapping and create in Nuxeo an XML extension like:

<require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
<require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>

<extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
  <authenticationPlugin name="MY_OKTA_CONFIG" enabled="true" class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
    <loginModulePlugin>Trusting_LM</loginModulePlugin>
    <needStartingURLSaving>true</needStartingURLSaving>
    <parameters>
      <parameter name="name">Okta</parameter>
      <!-- URI of the IdP metadata -->
      <parameter name="metadata">https://.........../sso/saml/metadata</parameter>
      <!-- Request timeout in seconds -->
      <parameter name="timeout">5</parameter>
    </parameters>
  </authenticationPlugin>
</extension>

<extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
  <authenticationChain>
    <plugins>
      <plugin>BASIC_AUTH</plugin>
      <plugin>FORM_AUTH</plugin>
      <plugin>MY_OKTA_CONFIG</plugin>
    </plugins>
  </authenticationChain>
</extension>

<extension target="org.nuxeo.usermapper.service.UserMapperComponent" point="mapper">
  <mapper name="saml" type="js">
    <mapperScript>
      // Look the user up by username, then create/update it with the mapped attributes
      searchAttributes.put("username", userObject.getNameID().getValue());
      userAttributes.put("email", userObject.getNameID().getValue());
      userAttributes.put("firstName", userObject.getAttributeByName("firstName").getAttributeValues().get(0).value);
      userAttributes.put("lastName", userObject.getAttributeByName("lastName").getAttributeValues().get(0).value);
    </mapperScript>
  </mapper>
</extension>

In this example, you'll get the basic auth and the Okta auth, with the login screen.

Good luck

0 votes
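A defensive version of the mapper script from the answer above, as an added example that is not part of this thread or of Nuxeo's own code. In the real mapper, `userObject` (the SAML credential), `searchAttributes` and `userAttributes` (Java Maps) are provided by Nuxeo's user-mapper runtime; here those are assumed shapes, reproduced with a constructed stand-in so the logic runs stand-alone in Node. The script in the answer dereferences `getAttributeByName(...)` directly, so an assertion without `firstName` or `lastName` makes the script throw mid-mapping; this version checks each value first and rejects the whole assertion, so no half-populated user is created or updated. The e-mail format check on the NameID is an added assumption (the answer reuses the NameID as the `email` field, which only makes sense if the IdP is configured to send an e-mail NameID).

```javascript
// Added example (not from the Nuxeo thread). `userObject`, `searchAttributes`
// and `userAttributes` are supplied by Nuxeo's mapper runtime in production;
// the stand-ins at the bottom are constructed for a stand-alone run.

// Read one single-valued SAML attribute; return null instead of throwing when
// the IdP did not send it, sent it empty, or sent only whitespace.
function attr(userObject, name) {
  const a = userObject.getAttributeByName(name);
  if (!a) return null;
  const values = a.getAttributeValues();
  if (!values || values.size() === 0) return null;
  const v = values.get(0).value;
  return typeof v === "string" && v.trim() !== "" ? v.trim() : null;
}

// Map a SAML user object into the search/user attribute maps the mapper fills.
// Throws when the NameID or a required name attribute is absent, so the
// assertion is rejected as a whole rather than producing a partial account.
function mapSamlUser(userObject, searchAttributes, userAttributes) {
  const nameId = userObject.getNameID().getValue();
  // Assumption: the IdP is configured to send an e-mail address as NameID.
  if (!nameId || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(nameId)) {
    throw new Error("SAML NameID is missing or not an e-mail address: " + nameId);
  }
  const firstName = attr(userObject, "firstName");
  const lastName = attr(userObject, "lastName");
  if (firstName === null || lastName === null) {
    throw new Error("SAML assertion lacks firstName/lastName for " + nameId);
  }
  searchAttributes.put("username", nameId);
  userAttributes.put("email", nameId);
  userAttributes.put("firstName", firstName);
  userAttributes.put("lastName", lastName);
  return { searchAttributes, userAttributes };
}

// Constructed stand-ins: a java.util.Map-like wrapper and a SAML credential
// exposing the same calls the answer's script uses.
class JMap {
  constructor() { this.m = new Map(); }
  put(k, v) { this.m.set(k, v); }
  get(k) { return this.m.get(k); }
}
function fakeSamlUser(nameId, attrs) {
  return {
    getNameID: () => ({ getValue: () => nameId }),
    getAttributeByName: (n) => (n in attrs ? {
      getAttributeValues: () => ({
        size: () => attrs[n].length,
        get: (i) => ({ value: attrs[n][i] }),
      }),
    } : null),
  };
}

// Usage: a complete assertion maps cleanly.
const mapped = mapSamlUser(
  fakeSamlUser("alice@example.com", { firstName: ["Alice"], lastName: ["Doe"] }),
  new JMap(), new JMap());
console.log(mapped.searchAttributes.get("username"), mapped.userAttributes.get("firstName"));
```

Inside Nuxeo the body of `mapSamlUser` is what would go into `<mapperScript>`, with the `attr` helper declared above it in the same script; the stand-ins exist only to exercise the logic outside the server.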