NEXUS-24916 (Dev - Nexus Repo)

SAML configuration error root causes are swallowed and not logged at default levels


    Details

    • Notability:
      n/a

      Description

      A user was trying to set up a SAML configuration using Okta as the identity provider.

      They failed to map attributes correctly from the IDP.

      The nexus.log reported the following error:

      2020-08-13 08:50:31,750+0000 ERROR [qtp1716917776-22465]  *UNKNOWN com.sonatype.nexus.saml.internal.SamlFilter - SAML authentication failed: Authentication token of type [class com.sonatype.nexus.saml.internal.SamlAuthenticationToken] could not be authenticated by any configured realms.  Please ensure that at least one realm can authenticate these tokens.
      org.sonatype.nexus.security.authc.NexusAuthenticationException: Authentication token of type [class com.sonatype.nexus.saml.internal.SamlAuthenticationToken] could not be authenticated by any configured realms.  Please ensure that at least one realm can authenticate these tokens.
      

      The realm list already included the SAML realm, so the error message was misleading. No further explanation of the issue could be determined until a logger for org.sonatype.nexus.security.authc was created with a level of TRACE. Only then did the real problem surface:

      2020-08-13 14:22:16,191+0000 TRACE [qtp1716917776-22827]  *UNKNOWN org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator - Attempting to authenticate token [com.sonatype.nexus.saml.internal.SamlAuthenticationToken - org.keycloak.adapters.saml.SamlPrincipal@6bb908fb] using realm of type [com.sonatype.nexus.saml.internal.SamlRealm@51fbfd11]
      2020-08-13 14:22:16,343+0000 TRACE [qtp1716917776-22827]  *UNKNOWN org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator - Realm [com.sonatype.nexus.saml.internal.SamlRealm@51fbfd11] threw an exception during a multi-realm authentication attempt
      org.apache.shiro.authc.AuthenticationException: A username is required either from a username attribute or a SAML NameID.
       at com.sonatype.nexus.saml.internal.SamlRealm.requireUserName(SamlRealm.java:173)
       at com.sonatype.nexus.saml.internal.SamlRealm.requireUser(SamlRealm.java:147)
       at com.sonatype.nexus.saml.internal.SamlRealm.getSamlUserPrincipal(SamlRealm.java:135)
       at com.sonatype.nexus.saml.internal.SamlRealm.doGetAuthenticationInfo(SamlRealm.java:95)
       at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:571)
       at org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator.doMultiRealmAuthentication(FirstSuccessfulModularRealmAuthenticator.java:59)
       at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269)
      

      Expected

      SAML configuration issue root causes should be logged at default logging levels. One should not have to turn on TRACE loggers to see the root cause of a normal, typical problem.
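      The behaviour described above (per-realm exceptions logged only at TRACE, caller sees a generic "no realm could authenticate" error) next to a variant that keeps each realm's failure visible, as an added illustration. This is a simplified stand-alone model written for this ticket, not Nexus or Shiro code; the Realm interface, AuthFailed class and the constructed SAML-style failure are assumptions, not the product's API.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

// Model (not Nexus/Shiro code) of a first-successful multi-realm authenticator.
public class MultiRealmAuthDemo {
    interface Realm { String authenticate(String token); }   // hypothetical minimal realm
    static final Logger LOG = Logger.getLogger("authc");

    static final class AuthFailed extends RuntimeException {
        AuthFailed(String msg) { super(msg); }
    }

    // Behaviour the ticket complains about: the realm's exception is logged at
    // a trace-equivalent level (FINEST) and the caller only sees the generic error.
    static String authenticateSwallowing(List<Realm> realms, String token) {
        for (Realm r : realms) {
            try { return r.authenticate(token); }
            catch (RuntimeException e) {
                LOG.log(Level.FINEST, "Realm threw during multi-realm authentication", e);
            }
        }
        throw new AuthFailed("Token could not be authenticated by any configured realms.");
    }

    // Variant matching the ticket's expectation: each realm failure is logged at a
    // default-visible level and attached to the final exception as a suppressed cause.
    static String authenticateSurfacing(List<Realm> realms, String token) {
        AuthFailed failure = new AuthFailed("Token could not be authenticated by any configured realms.");
        for (Realm r : realms) {
            try { return r.authenticate(token); }
            catch (RuntimeException e) {
                LOG.log(Level.WARNING, "Realm rejected token: " + e.getMessage());
                failure.addSuppressed(e);
            }
        }
        throw failure;
    }

    public static void main(String[] args) {
        // Constructed realm that fails the way the ticket's SamlRealm did: no username available.
        Realm samlRealm = t -> {
            throw new IllegalStateException("A username is required either from a username attribute or a SAML NameID.");
        };
        List<Realm> realms = new ArrayList<>();
        realms.add(samlRealm);
        try { authenticateSurfacing(realms, "constructed-saml-assertion"); }
        catch (AuthFailed e) {
            for (Throwable cause : e.getSuppressed()) System.out.println("root cause: " + cause.getMessage());
        }
    }
}
```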

            People

            Assignee:
            mpiggott Matthew Piggott
            Reporter:
            plynch Peter Lynch
            Last Updated By:
            Joseph Stephens
            Team:
            NXRM - Operations/Groot
            Votes:
            0
            Watchers:
            5
