Patch for Nexus OSS that adds authorization via SSO and user tokens. By default these features are available only in the PRO version (see comparison), but this patch provides an alternative implementation of them without violating the license.
The solution is implemented as a Docker container (based on the official image with the SSO patch applied) and a compose.yml config with Nginx. Example of usage:
```bash
# Clone configuration and change to working directory
git clone https://github.com/a-langer/nexus-sso.git
cd ./nexus-sso
# Copy compose.override.yml from template for your settings
cp _compose.override.yml compose.override.yml
# Set environment variables for container user
export NEXUS_USER=$(id -u) NEXUS_GROUP=$(id -g)
# Run service and open http://localhost in web browser
docker compose up -d
```
Warning: Since version `3.70.1-java11-ubi`:
- You need to migrate from legacy OrientDB to H2DB. Version 3.71.0 and beyond do not support OrientDB, Java 8, or Java 11; see Migration.md for more information.
- Class `com.github.alanger.nexus.bootstrap.Pac4jAuthenticationListener` has been deprecated, see SAML.md.
- The image is released without nexus-repository-ansiblegalaxy, because the plugin does not support the new storage API, see issue #25.
Since version 3.61.0, to use SSO and User Tokens it is enough to have the following realms active, in the order listed:
- "Local Authenticating Realm" - built-in realm used by default.
- "SSO Pac4j Realm" - single sign-on realm that uses an external Identity Provider (IdP).
- "SSO Token Realm" - realm that allows you to use user tokens instead of a password.
- "Docker Bearer Token Realm" - required to access Docker repositories through a Docker client (must be below the "SSO Token Realm").
Other realms are not required and may lead to conflicts.
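The realm ordering above is easy to get wrong in the Nexus UI, so here is an added example (not part of the nexus-sso project) that checks an instance's active realm list against the rule stated in this README. It takes the JSON of the stock Nexus endpoints `GET /service/rest/v1/security/realms/available` (id and name of every realm) and `GET /service/rest/v1/security/realms/active` (ordered list of active realm ids) and reports missing realms, unneeded realms, and wrong relative order. The ids `NexusAuthenticatingRealm`, `DockerToken` and `LdapRealm` are the ones Nexus uses; the ids of the two SSO realms are placeholders (an assumption, since this README only gives their display names), and the sample data is constructed for the demonstration.

```python
"""Check that the active Nexus realms match the order required for SSO and user tokens.

Added example, not code from the nexus-sso project. The rule encoded here is the
one from the README: the four realms must be active in the listed order, the
Docker Bearer Token Realm must sit below the SSO Token Realm, and any other
active realm is flagged as a possible source of conflicts.
"""

# Required order, using the display names given in the README.
REQUIRED_ORDER = [
    "Local Authenticating Realm",
    "SSO Pac4j Realm",
    "SSO Token Realm",
    "Docker Bearer Token Realm",
]


def check_realm_order(available, active_ids):
    """Return a list of problems; an empty list means the configuration is as required.

    `available` is the JSON from GET /service/rest/v1/security/realms/available,
    a list of {"id": ..., "name": ...}; `active_ids` is the JSON from
    GET /service/rest/v1/security/realms/active, an ordered list of realm ids.
    """
    name_by_id = {realm["id"]: realm["name"] for realm in available}
    problems = []

    # Active ids that Nexus does not list as available cannot be evaluated.
    for rid in active_ids:
        if rid not in name_by_id:
            problems.append(f"active realm id {rid!r} is not in the available list")
    active_names = [name_by_id[rid] for rid in active_ids if rid in name_by_id]

    # Every required realm has to be active.
    for name in REQUIRED_ORDER:
        if name not in active_names:
            problems.append(f"required realm {name!r} is not active")

    # Anything beyond the four required realms is not needed and may conflict.
    for name in active_names:
        if name not in REQUIRED_ORDER:
            problems.append(f"realm {name!r} is active but not needed and may conflict")

    # The required realms that are present must appear in the README's order,
    # which also enforces "Docker Bearer Token Realm" below "SSO Token Realm".
    present = [name for name in active_names if name in REQUIRED_ORDER]
    expected = [name for name in REQUIRED_ORDER if name in present]
    if present != expected:
        problems.append(f"realm order is {present}, expected {expected}")
    return problems


# Constructed sample data. The two "sso-*" ids are placeholders, not the real ids.
AVAILABLE = [
    {"id": "NexusAuthenticatingRealm", "name": "Local Authenticating Realm"},
    {"id": "DockerToken", "name": "Docker Bearer Token Realm"},
    {"id": "LdapRealm", "name": "LDAP Realm"},
    {"id": "sso-pac4j-realm-id", "name": "SSO Pac4j Realm"},   # placeholder id
    {"id": "sso-token-realm-id", "name": "SSO Token Realm"},   # placeholder id
]
GOOD_ACTIVE = ["NexusAuthenticatingRealm", "sso-pac4j-realm-id",
               "sso-token-realm-id", "DockerToken"]
# Pac4j realm missing, Docker realm above the token realm, LDAP realm left on.
BAD_ACTIVE = ["NexusAuthenticatingRealm", "DockerToken",
              "sso-token-realm-id", "LdapRealm"]

if __name__ == "__main__":
    for label, ids in (("good", GOOD_ACTIVE), ("bad", BAD_ACTIVE)):
        found = check_realm_order(AVAILABLE, ids)
        print(f"{label}: {'OK' if not found else ''}")
        for problem in found:
            print(f"  - {problem}")
```

To run it against a live instance, fetch the two endpoints with an administrative account and pass the parsed JSON to `check_realm_order`; the same function can be used as a post-deployment check so that a realm added later through the UI is noticed before it causes login conflicts.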
List of features this patch adds:
- SAML/SSO - authentication via Single Sign-On (SSO) using a SAML identity provider such as Keycloak, Okta, ADFS and others.
- User Auth Tokens - used when security policies do not allow the user's password to be used, for example where it would be stored in plain text (in Docker, Maven and similar settings), or in combination with SAML/SSO.
- Nginx Reverse Proxy - this Nginx configuration implements a proxy strategy to use Docker registries without additional ports or hostnames. It also provides pre-configured SSL.
- Docker Compose - provides a flexible Compose configuration and a DB console, a web interface to interact with the embedded database.
- Patch features - additional features implemented in this patch.
Building requires installed Maven and Docker with the Compose and BuildKit plugins:
- Change the Nexus version if an update is required (see Release Notes and Maven Central for more information), e.g.:
```bash
# Set version of the current project and any child modules
mvn versions:set -DnewVersion=3.46.0
# Optionally set the revision number of the Nexus plugins
mvn versions:set-property -Dproperty=nexus.extension.version -DnewVersion=02
```
- Execute the assembly commands:
```bash
# Build docker image
mvn clean install -PbuildImage
# Or build only the jar bundle if needed
mvn clean package
```
- Run the docker container and test it:
```bash
# Run service and open http://localhost in web browser
docker compose down && docker compose up
```
- Accept or revert the modifications to the pom.xml files:
```bash
# Accept modifications
mvn versions:commit
# Or revert modifications and rebuild docker image
mvn versions:revert && mvn clean install -PbuildImage
```