Trying to make SAML2.0 SSO work with Azure AD

Hello. OK, so here is the configuration from my test environment:

Dockerfile:

FROM nuxeo:10.10
COPY nuxeo.conf /etc/nuxeo
COPY saml-authentication-config.xml ms.xml authchain.xml /opt/nuxeo/server/nxserver/config/
COPY log4j2.xml /opt/nuxeo/server/lib
USER root
RUN chown -R nuxeo /opt/nuxeo/server/nxserver/config/
RUN chmod 666 /etc/nuxeo/nuxeo.conf
RUN apt-get update && apt-get install -y build-essential cmake git tesseract-ocr gcc libcurl4-gnutls-dev libtesseract-dev libleptonica-dev 
RUN git clone https://github.com/CCExtractor/ccextractor.git /ccextractor
USER nuxeo

docker-compose.yml is rather simple:

version: "3"
services:
  mynuxeo:
    build: .
    environment:
      NUXEO_PACKAGES: "nuxeo-web-ui nuxeo-dam nuxeo-drive nuxeo-showcase-content nuxeo-template-rendering nuxeo-template-rendering-samples nuxeo-spreadsheet saml2-authentication openid-authentication"
    ports:

saml-authentication-config.xml:

<component name="org.nuxeo.ecm.platform.login.saml.auth">
  <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
    <authenticationPlugin name="SAML_AUTH" enabled="true"
                          class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <!-- Setting needStartingURLSaving
        - to true: user will be redirected to the URL initially asked for after authentication.
        - to false: user will always be redirected to the home page after authentication. -->
      <needStartingURLSaving>true</needStartingURLSaving>
      <parameters>
        <!-- Make sure to use a unique name, especially if you have several identity providers -->
        <parameter name="name">AzureAD</parameter>
        <!-- The IdP's icon will only be shown if SAML auth is displayed
        as an alternative login option in the login form. -->
        <!-- <parameter name="icon">/img/idpIcon.png</parameter> -->
        <!-- The metadata parameter can either be a URL or a path to a static file -->
        <parameter name="metadata">/opt/nuxeo/server/nxserver/config/ms.xml</parameter>
        <parameter name="userResolverCreateIfNeeded">false</parameter>
        <parameter name="userResolverUpdate">false</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>
  <extension target="org.nuxeo.usermapper.service.UserMapperComponent" point="mapper">
    <mapper name="saml" type="js">
      <mapperScript>
        searchAttributes.put("username", userObject.getNameID().getValue());
        userAttributes.put("email", userObject.getNameID().getValue());
      </mapperScript>
    </mapper>
  </extension>

  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
    <authenticationChain>
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <!-- Optionally, add the FORM_AUTH
        if you want to see the SAML authentication appear
        as an alternative option on the login form.
        In this case, make sure to fill in the icon's path
        in the authentication plugin parameters.
        -->
        <plugin>FORM_AUTH</plugin>
        <plugin>SAML_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>
</component>

Also, there is an ms.xml which stores the metadata I've downloaded from Azure.

When I open the login page in the browser I see that AzureAD's 'icon' (it is really just a simple link) appears on the login form. BUT the link looks like https://my.domain/nuxeo/null, not the right link from ms.xml.

What am I missing?
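One check worth running on a downloaded IdP metadata file such as ms.xml before pointing Nuxeo at it, as an added example (not code from the post or from Nuxeo): it parses SAML 2.0 metadata and confirms that the pieces a service provider builds its login redirect from are present (an IDPSSODescriptor, a SingleSignOnService with a usable binding, and a signing certificate). The sample metadata, tenant id, hostnames and certificate body are constructed placeholders.

```python
"""Added check for an IdP metadata file such as ms.xml (example code, not Nuxeo's)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample in the shape of Azure AD federation metadata; tenant id,
# hostnames and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.example.test/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.example.test/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.example.test/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
# Constructed SP (not IdP) metadata: a file no IdP login link can be derived from.
SP_METADATA = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
               'entityID="https://sp.example.test"><SPSSODescriptor/></EntityDescriptor>')


def inspect_idp_metadata(xml_text):
    """Return entityID, SSO endpoints by binding and the number of signing certs;
    raise ValueError for metadata an SP cannot build a login redirect from."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not entity_id:
        raise ValueError("not an md:EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {ep.get("Binding"): ep.get("Location")
           for ep in idp.findall("md:SingleSignOnService", NS)
           if ep.get("Binding") and ep.get("Location")}
    if REDIRECT not in sso and POST not in sso:
        raise ValueError("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    # A KeyDescriptor without a 'use' attribute covers signing as well as encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use", "signing") == "signing"
               and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    if not signing:
        raise ValueError("no signing certificate: SAML responses could not be verified")
    return {"entityID": entity_id, "sso": sso, "signing_certs": len(signing)}
```

Run it against the real ms.xml with `inspect_idp_metadata(open("ms.xml").read())`; a ValueError points at what the file is missing, and the HTTP-Redirect Location is the URL the login link should carry.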


ANSWER



Hello,

Your issue is not directly related to Azure AD. As an example, here is what we use to log in with Okta (SAML based). As you can see, we explicitly write the URL in the metadata property:

<extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
  <authenticationPlugin name="OKTA_AUTH_NUXEO" enabled="true" class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
    <loginModulePlugin>Trusting_LM</loginModulePlugin>
    <needStartingURLSaving>true</needStartingURLSaving>
    <parameters>
      <parameter name="name">Okta</parameter>
      <!-- URI of the metadata -->
      <parameter name="metadata">https://auth.nuxeo.com/app/XXXXXXXXXXXX/sso/saml/metadata</parameter>
      <!-- Request timeout in seconds -->
      <parameter name="timeout">5</parameter>
    </parameters>
  </authenticationPlugin>
</extension>



OK, it seems to work now. Another question: because it is an experimental installation, I am running it in Docker behind nginx, so my hostname as seen by Nuxeo is localhost. I have found a solution to run it correctly in this environment. When I try to authenticate over AzureAD, I see that it passes the host id as localhost, and of course AzureAD throws an unknown app error. Is there any config knob for this?
02/13/2020

nuxeo.url is set to the right value, but resets to http://localhost when authenticating.
02/13/2020