Multiple Identity providers
Hello all,
Has anyone successfully configured multiple identity providers for authentication with Nuxeo or does anyone have a clue as to if it is possible? My use case is that I have some users that will need to be able to authenticate with Azure AD and others via Okta. Any help or insight would be greatly appreciated.
Hello,
You need to setup the SAML2 addon and follow the documentation. Luckily, we use it internally, so all you need for Okta is to create a new app in the Okta Admin, setup the user field mapping and create in Nuxeo an XML extension like :
<require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
<require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
<extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
<authenticationPlugin name="MY_OKTA_CONFIG" enabled="true" class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
<loginModulePlugin>Trusting_LM</loginModulePlugin>
<needStartingURLSaving>true</needStartingURLSaving>
<parameters>
<parameter name="name">Okta</parameter>
<!-- Uri of the metadata -->
<parameter name="metadata">https://.........../sso/saml/metadata</parameter>
<!-- Request timeout in seconds -->
<parameter name="timeout">5</parameter>
</parameters>
</authenticationPlugin>
</extension>
<extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
<authenticationChain>
<plugins>
<plugin>BASIC_AUTH</plugin>
<plugin>FORM_AUTH</plugin>
<plugin>MY_OKTA_CONFIG</plugin>
</authenticationChain>
</extension>
<extension target="org.nuxeo.usermapper.service.UserMapperComponent" point="mapper">
<mapper name="saml" type="js">
<mapperScript>
searchAttributes.put("username", userObject.getNameID().getValue());
userAttributes.put("email", userObject.getNameID().getValue());
userAttributes.put("firstName", userObject.getAttributeByName("firstName").getAttributeValues().get(0).value);
userAttributes.put("lastName", userObject.getAttributeByName("lastName").getAttributeValues().get(0).value);
</mapperScript>
</extension>
In this example, you'll get the basic auth and the okta auth, with the login screen.
Good luck