Repository Management with Nexus
Nexus allows integration with external security systems that can pass
along authentication of a user via the
Remote_User HTTP header
field - Remote User Token Rut authentication. There are either
web-based container or server-level authentication systems like
Shibboleth. In many cases, this is achieved
via a server like Apache HTTPD or
nginx proxying Nexus. These servers can in turn
defer to other authentication storage systems e.g., via the
Kerberos network authentication
protocol. These systems and setups can be described as Central
Authentication Systems CAS or Single Sign On SSO.
From the users perspective, he/she is required to login into the environment in a central login page that then propagates the login status via HTTP headers. Nexus simply receives the fact that a specific user is logged in by receiving the username in a HTTP header field.
The HTTP header integration can be activated by adding and enabling
the Rut Auth capability as documented in
Section 6.6, “Accessing and Configuring Capabilities” and setting the HTTP Header name to
the header populated by your security system. Typically, this value is
REMOTE_USER, but any arbitrary value can be set. An enabled
capability automatically causes the Rut Auth Realm to be added to
the Selected Realms in the Security Settings described in
Section 6.1.3, “Security Settings”.
When an external system passes a value through the header, authentication will be granted and the value will be used as the user name for configured authorization scheme. For example, on a default Nexus installation with the Xml authorization scheme enabled, a value of deployment would grant the user the access rights in the user interface as the deployment user.
A seamless integration can be set up for users if the external security system is exposed via LDAP and configured in Nexus as LDAP authorization realm combined with external role mappings and in parallel the sign-on is integrated with the operating system sign-on for the user.