Repository Management with Nexus

6.18. Authentication via Remote User Token

Nexus allows integration with external security systems that can pass along authentication of a user via the Remote_User HTTP header field - Remote User Token Rut authentication. There are either web-based container or server-level authentication systems like Shibboleth. In many cases, this is achieved via a server like Apache HTTPD or nginx proxying Nexus. These servers can in turn defer to other authentication storage systems e.g., via the Kerberos network authentication protocol. These systems and setups can be described as Central Authentication Systems CAS or Single Sign On SSO.

From the users perspective, he/she is required to login into the environment in a central login page that then propagates the login status via HTTP headers. Nexus simply receives the fact that a specific user is logged in by receiving the username in a HTTP header field.

The HTTP header integration can be activated by adding and enabling the Rut Auth capability as documented in Section 6.6, “Accessing and Configuring Capabilities” and setting the HTTP Header name to the header populated by your security system. Typically, this value is REMOTE_USER, but any arbitrary value can be set. An enabled capability automatically causes the Rut Auth Realm to be added to the Selected Realms in the Security Settings described in Section 6.1.3, “Security Settings”.

When an external system passes a value through the header, authentication will be granted and the value will be used as the user name for configured authorization scheme. For example, on a default Nexus installation with the Xml authorization scheme enabled, a value of deployment would grant the user the access rights in the user interface as the deployment user.

A seamless integration can be set up for users if the external security system is exposed via LDAP and configured in Nexus as LDAP authorization realm combined with external role mappings and in parallel the sign-on is integrated with the operating system sign-on for the user.