Problem
After an upgrade to Nexus Repository 3 or Sonatype IQ Server, users may see a SAML authentication error when attempting to log in to the upgraded application.
The application log will contain the following line:
error:org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler - Destination field required.
Diagnosis
The problem can occur when SAML authentication is used with messages signed by the IDP and the product was upgraded from one of these earlier versions:
- Nexus Repository 3.22.0 to 3.26.1
- IQ Server 73 to 97
If the upgrade was performed from one of these versions and your Identity Provider (IDP) signs the SAML messages, the IDP's message payloads may need to be adjusted.
Starting in Nexus Repository 3.27.0 and IQ Server 98, the Keycloak libraries used in the SAML implementation have been upgraded. To adhere to the SAML HTTP-POST binding for responses from the IDP, the Keycloak libraries now require the "Destination" attribute to be present whenever the SAML messages (request/response) are signed by the IDP.
As a result, if the SAML response or its assertions are signed, the IDP must now set a Destination attribute on the message whose value is the application's Assertion Consumer Service URL (<BaseURL>/saml). A signed message that lacks this attribute is rejected with the error shown above.
This requirement follows the SAML 2.0 bindings specification, which states:
If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received.
https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf (HTTP-Redirect binding, lines 661-664)
https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf (HTTP-POST binding, lines 843-846)
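The rule quoted above, applied to an HTTP-POST SAMLResponse, is shown below as an added example in Python. It is not Sonatype's or Keycloak's code; it only reproduces the behaviour the article describes: a message carrying an XML Signature must have a Destination attribute on the root <samlp:Response> element, and that value must equal the URL the message was actually posted to. The base URL https://nexus.example.com, the helper names and the three sample responses are constructed for this example; the Signature element is a placeholder, so the example checks presence and Destination only, not the signature itself.

```python
"""Apply the SAML 2.0 HTTP-POST 'Destination' rule to a SAMLResponse.

Added example, not Sonatype or Keycloak code. The ACS URL, the sample
responses and the helper names below are constructed for illustration.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Hypothetical base URL; the Assertion Consumer Service is <BaseURL>/saml.
ACS_URL = "https://nexus.example.com/saml"


def check_destination(saml_response_b64: str, received_at: str) -> Tuple[bool, str]:
    """Decode a SAMLResponse form parameter and apply the Destination rule.

    Returns (ok, reason). Only the root <samlp:Response> element is
    inspected for Destination, because the spec places the attribute on
    the protocol message, not on the assertion.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS_SAMLP}}}Response":
        return False, f"unexpected root element {root.tag}"

    # Any XML Signature anywhere in the document (on the Response or on an
    # unencrypted Assertion) makes the message 'signed' for this rule.
    signed = root.find(f".//{{{NS_DS}}}Signature") is not None
    destination = root.get("Destination")

    if not signed:
        return True, "unsigned message: Destination not required"
    if destination is None:
        return False, "Destination field required"
    # The recipient compares against the URL it received the POST on, which
    # stops a signed response captured for one endpoint being replayed to another.
    if destination != received_at:
        return False, f"Destination {destination!r} does not match {received_at!r}"
    return True, "Destination verified"


def _response(destination: Optional[str], signed: bool) -> str:
    """Build a minimal constructed <samlp:Response> and base64-encode it.

    The Signature element is a placeholder with no real signature value.
    """
    dest_attr = f' Destination="{destination}"' if destination else ""
    sig = (
        f'<ds:Signature xmlns:ds="{NS_DS}">'
        "<ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue>"
        "</ds:Signature>"
    ) if signed else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS_SAMLP}" ID="_r1" Version="2.0"'
        f' IssueInstant="2024-01-01T00:00:00Z"{dest_attr}>{sig}'
        '<samlp:Status><samlp:StatusCode'
        ' Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        "</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# The cases the article describes.
SIGNED_NO_DESTINATION = _response(None, signed=True)       # rejected after the upgrade
SIGNED_WITH_DESTINATION = _response(ACS_URL, signed=True)  # what the IDP must now send
UNSIGNED_NO_DESTINATION = _response(None, signed=False)    # still accepted

if __name__ == "__main__":
    for name, msg in [
        ("signed, no Destination", SIGNED_NO_DESTINATION),
        ("signed, Destination set", SIGNED_WITH_DESTINATION),
        ("unsigned, no Destination", UNSIGNED_NO_DESTINATION),
    ]:
        print(name, "->", check_destination(msg, ACS_URL))
```

The second argument is the URL the application received the POST on, not a configured value, which is why the fix belongs on the IDP side: the IDP must emit a Destination that matches the application's ACS URL exactly, including scheme, host and any port, or the message is rejected even though its signature is valid.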
More information about configuring secure SAML integration is provided in our documentation:
Repository Manager
https://help.sonatype.com/en/saml.html#securing-saml-integration-162127
IQ Server