Overview
This article describes how to integrate Microsoft Entra ID with Sonatype Nexus Repository and Sonatype Lifecycle using OpenID Connect (OIDC). The example configuration authenticates against a test user and a test group created directly in Microsoft Entra ID.
Note
This setup is intended for testing purposes only. Additional configuration and security hardening may be required for a production environment.
Steps
1. Configure Microsoft Entra ID
For additional background, refer to the official Microsoft documentation: Configure OIDC SSO for custom (non-gallery) applications.
1.1 Create a Group
- From the Azure Portal Home, navigate to Microsoft Entra ID.
- From the Add drop-down menu, select Group.
- On the next screen, configure the Group name and Description, then click Create.
- For this example, select Security as the group type.
- After the group is created, navigate to Groups → All groups.
- Make a note of the group’s Object ID. This value will be required later when configuring role mappings in Nexus Repository.
1.2 Create a Test User
- Return to the Directory Overview page.
- From the Add drop-down menu, select User → Create new user.
- Configure the user details on the next screen.
- Ensure the following fields are populated:
  - First name
  - Last name
- On the group assignment screen, select the group created in Step 1.1.
1.3 Register an Application
- Navigate to App registrations → New registration.
- Configure the application as required for your environment.
Redirect URI Configuration
Use the appropriate redirect URI based on your Nexus Repository version:
- Nexus Repository 3.86
  <your Nexus repository URL>/oidc/callback?hash=%23browse%2Fwelcome
- Nexus Repository 3.88+
  <your-nexus-url>/oidc/callback
Note: In Nexus Repository 3.87.x, the OIDC/OAuth 2.0 integration with Microsoft Entra ID can fail after logout because Nexus appends a dynamic hash (derived from the last viewed page) to the redirect_uri. Entra ID then rejects the request with AADSTS50011, since the value no longer matches the statically registered redirect URI.
This issue does not occur in 3.88+, where the redirect_uri remains constant (e.g. <base-url>/oidc/callback), so customers using Entra ID with OIDC should avoid 3.87.x and upgrade to 3.88 or later.
1.4 Create a Client Secret
- Go to Certificates & secrets → Client secrets.
- Click New client secret.
- Store the secret value securely. This value will be required when configuring Nexus Repository.
1.5 Configure Token Claims
- Navigate to Token configuration → Add optional claim.
- Add the optional claims that Nexus Repository needs (for example given_name, family_name and email). These claims will later be mapped within Nexus Repository in Step 2.1.
- Select Token configuration → Add groups claim.
1.6 Configure API Permissions
- Go to API permissions → Add a permission.
- Select Microsoft Graph → Delegated permissions.
- Add the required permissions as shown below.
1.7 Assign Users and Groups
- From the registered application’s Overview page, click Managed application in the local directory.
- Navigate to Users and groups → Add user/group.
- Select the test user created earlier and click Assign.
1.8 Collect Required Information
After completing the application registration, collect the following values:
1.8.1 Application Identifiers
From the Overview page:
- Application (client) ID – The application’s unique identifier
- Directory (tenant) ID – The tenant’s unique identifier
1.8.2 OIDC Metadata Endpoint
Discovery document URL:
https://login.microsoftonline.com/{tenantID}/v2.0/.well-known/openid-configuration
2. Configure Nexus Repository
Log in to Nexus Repository as an administrator.
2.1 Configure OpenID Connect
Refer to the official documentation for additional details: https://help.sonatype.com/en/openid-connect.html
| Field | Value | OIDC Metadata / Reference |
|---|---|---|
| Client ID | Application (client) ID from Step 1.8.1 | client_id |
| Client Secret | Client secret created in Step 1.4 | N/A (configured manually) |
| Authorization URL | https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize | authorization_endpoint |
| Logout URL | https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/logout | end_session_endpoint |
| Token URL | https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token | mtls_endpoint_aliases.token_endpoint |
| JSON Web Key URL | https://login.microsoftonline.com/{tenantID}/discovery/v2.0/keys | jwks_uri |
| Username Claim | email, name or preferred_username | Token claim |
| First Name Claim | given_name (configured in Step 1.5) | Token claim |
| Last Name Claim | family_name (configured in Step 1.5) | Token claim |
| Email Claim | email | Token claim |
| Groups Claim | groups (configured in Step 1.5) | Token claim |
| JWT Signature Algorithm | RS256 | id_token_signing_alg_values_supported |
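The table above is filled by hand from the tenant's discovery document. The following script is an added example (not part of the original article or of Sonatype's or Microsoft's code) that reads that document and derives the URL fields for the Nexus Repository form, refusing to proceed if any endpoint is missing or not HTTPS, if RS256 is not offered, or if the issuer does not belong to the tenant you expect. It reads the Token URL from the top-level `token_endpoint` key, which carries the same URL as the table row. The embedded discovery document and the all-zero tenant ID are constructed sample values; pass a real tenant ID on the command line to fetch the live document.

```python
import json
import sys
import urllib.request

# Constructed sample discovery document, trimmed to the keys this script uses.
# A real one is served at https://login.microsoftonline.com/{tenantID}/v2.0/.well-known/openid-configuration
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "end_session_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/logout",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Nexus Repository OIDC form field -> discovery document key
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Logout URL": "end_session_endpoint",
    "Token URL": "token_endpoint",
    "JSON Web Key URL": "jwks_uri",
}


def discovery_url(tenant_id):
    """Well-known discovery URL for an Entra ID tenant (v2.0 endpoint)."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def fetch_discovery(tenant_id, timeout=10):
    """Download and parse the live discovery document (network access required)."""
    with urllib.request.urlopen(discovery_url(tenant_id), timeout=timeout) as resp:
        return json.load(resp)


def nexus_oidc_fields(discovery, tenant_id=None):
    """Derive the Nexus Repository URL fields from a discovery document.

    Raises ValueError when a required endpoint is missing or not HTTPS, when RS256
    is not among the supported ID token signing algorithms, or when the issuer does
    not contain the expected tenant ID (guards against pasting another tenant's document).
    """
    missing = [key for key in FIELD_MAP.values() if key not in discovery]
    if missing:
        raise ValueError(f"discovery document lacks required keys: {missing}")

    algs = discovery.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        raise ValueError(f"RS256 not offered by the provider; supported: {algs}")

    if tenant_id and tenant_id not in discovery.get("issuer", ""):
        raise ValueError("issuer does not match the expected tenant ID")

    fields = {}
    for name, key in FIELD_MAP.items():
        url = discovery[key]
        if not url.startswith("https://"):
            raise ValueError(f"{name} is not an HTTPS URL: {url}")
        fields[name] = url
    fields["JWT Signature Algorithm"] = "RS256"
    return fields


if __name__ == "__main__":
    # Usage: python entra_discovery.py [tenantID]  (no argument -> embedded sample document)
    tenant = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_TENANT
    doc = fetch_discovery(tenant) if len(sys.argv) > 1 else SAMPLE_DISCOVERY
    print(json.dumps(nexus_oidc_fields(doc, tenant), indent=2))
```

The tenant check matters in practice: the Authorization, Token and JWKS URLs all embed the tenant ID, and a document fetched for the wrong tenant would produce a form that looks complete but points Nexus at a different issuer.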
2.2 Configure External Role Mapping
- Navigate to Settings → Security → Roles.
- Click Create an external role mapping.
- Set the Mapped Role to the Group Object ID collected in Step 1.1.
2.3 Test the Configuration
2.3.1 Log In
- Click Log in.
- NXRM 3.86: Select Sign in with OAuth2.
- NXRM 3.87+: Select Continue with SSO.
You will be redirected to the Microsoft sign-in page. Sign in using the user’s User Principal Name (UPN) from Entra ID.
2.3.2 Verify User Access
Confirm that:
- The user is successfully authenticated.
- The expected roles and permissions are applied.
- User profile information (name, email, groups) is populated correctly.
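When one of the checks above fails, the quickest way to see why is to look at the claims Entra ID actually put in the ID token. The script below is an added example (not part of the original article or of Sonatype's code) that decodes the payload of a token and reports which of the claims configured in Step 1.5 are missing, whether the audience and issuer match the registered application and tenant, whether the token has expired, and whether the group Object ID used for role mapping appears in the groups claim. It decodes without verifying the signature, so it is for diagnostics only; Nexus Repository verifies signatures against the JSON Web Key URL before trusting a token. The tenant ID, client ID and token payload are constructed sample values; the group Object ID is the example value used later in this article.

```python
import base64
import json
import time

# Constructed placeholders (not real tenant/application values)
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
GROUP_OBJECT_ID = "5c46c1f7-853c-4d82-aa9a-96927bde6e01"  # group Object ID from Step 1.1

# Claims mapped in Step 2.1; all must be emitted by the optional claims added in Step 1.5
EXPECTED_CLAIMS = ("preferred_username", "email", "given_name", "family_name", "groups")

# Constructed sample payload shaped like an Entra ID v2.0 id_token
SAMPLE_PAYLOAD = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
    "exp": 2000000000,
    "preferred_username": "test.user@example.com",
    "email": "test.user@example.com",
    "given_name": "Test",
    "family_name": "User",
    "groups": [GROUP_OBJECT_ID],
}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_sample_token(payload):
    """Build a sample token for offline testing (alg=none; real Entra tokens are RS256-signed)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])


def decode_payload(token):
    """Return the payload of a compact JWT without verifying its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(payload, client_id, tenant_id, group_object_id, now=None):
    """Return a list of problems found in the token payload (empty list means all checks passed)."""
    now = int(time.time()) if now is None else now
    problems = []
    for claim in EXPECTED_CLAIMS:
        if claim not in payload:
            problems.append(f"missing claim: {claim} (check Token configuration, Step 1.5)")
    if payload.get("aud") != client_id:
        problems.append("aud does not match the Application (client) ID")
    if payload.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("iss does not match the expected tenant issuer")
    if payload.get("exp", 0) <= now:
        problems.append("token has expired")
    if group_object_id not in payload.get("groups", []):
        problems.append("groups claim does not contain the mapped group Object ID")
    # Entra ID replaces the inline groups list with _claim_names/_claim_sources when the
    # user belongs to more groups than fit in the token; role mapping then cannot work.
    if "_claim_names" in payload:
        problems.append("groups were emitted as an overage reference, not inline")
    return problems


if __name__ == "__main__":
    # Paste a real id_token in place of the constructed sample to diagnose a live login
    token = make_unsigned_sample_token(SAMPLE_PAYLOAD)
    payload = decode_payload(token)
    print(json.dumps(payload, indent=2))
    for problem in check_claims(payload, CLIENT_ID, TENANT_ID, GROUP_OBJECT_ID) or ["all checks passed"]:
        print("-", problem)
```

Treat a pasted production token as a credential: it grants access until its expiry, so do not leave it in shell history or log files after inspecting it.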
3. Configure Sonatype Lifecycle
Log in to Sonatype Lifecycle as an administrator.
3.1 Configure OIDC
Refer to the official documentation for additional details: https://help.sonatype.com/en/oidc-oauth2-configuration.html, and use the same values as in Step 2.1.
3.2 Mapping Entra ID Groups to Lifecycle Roles
After OIDC authentication is configured, authorization in Lifecycle is handled separately. Lifecycle does not automatically map IdP groups to roles; instead, group-to-role assignments must be configured using the Authorization Configuration (Role Membership) REST API.
In this example, an Entra ID group (created during the Entra ID setup) is mapped to the built-in System Administrator role in Lifecycle.
3.2.1 Identify the Lifecycle Role ID
Each Lifecycle role has a unique internal ID. To locate the role ID for System Administrator, query the Roles REST API:
```bash
curl -u <username>:<password> 'http://<Lifecycle_HOST>:<PORT>/api/v2/roles'
```
From the response, note the id value associated with the System Administrator role.
Example:
```json
"id": "1b92fae3e55a411793a091fb821c422d"
```
3.2.2 Identify the Entra ID Group Object ID
Use the Object ID of the Entra ID group created during the user and group setup phase. This value must exactly match the group ID emitted in the OIDC groups claim.
Example:
```
5c46c1f7-853c-4d82-aa9a-96927bde6e01
```
3.2.3 Map the Group to the Lifecycle Role
Use the Role Membership REST API to associate the Entra ID group with the desired Lifecycle role:
```bash
curl -u <username>:<password> -X PUT \
  'http://<Lifecycle_HOST>:<PORT>/api/v2/roleMemberships/global/role/{roleId}/group/{groupId}'
```
Where:
- {roleId} is the Lifecycle Server role ID (for example, the ID of System Administrator)
- {groupId} is the Entra ID Group Object ID
Example:
```bash
curl -u admin:admin123 -X PUT \
  'http://localhost:8070/api/v2/roleMemberships/global/role/1b92fae3e55a411793a091fb821c422d/group/5c46c1f7-853c-4d82-aa9a-96927bde6e01'
```
3.2.4 Verify Role Membership
To confirm that the group has been successfully mapped to the role, query the role memberships endpoint:
```bash
curl -u <username>:<password> 'http://<Lifecycle_HOST>:<PORT>/api/v2/roleMemberships/global'
```
Verify that the Entra ID group ID appears under the expected role.
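Steps 3.2.1 to 3.2.4 are one procedure: look up the role ID, PUT the membership, then read the memberships back. The script below is an added example (not part of the original article or of Sonatype's code) that performs those steps in order and fails loudly if the role name is ambiguous or the mapping is not visible after the PUT. The shape of the `/api/v2/roles` and `/api/v2/roleMemberships/global` responses is assumed from the Lifecycle REST API and should be checked against your server; the embedded responses are constructed samples using the role ID and group Object ID from the examples above. Credentials are read from the environment variables `IQ_USER` and `IQ_PASSWORD` (names chosen for this example).

```python
import base64
import json
import os
import sys
import urllib.request
from urllib.parse import quote

# Constructed sample responses (assumed API shape; verify against your Lifecycle server)
SAMPLE_ROLES = {"roles": [
    {"id": "1b92fae3e55a411793a091fb821c422d", "name": "System Administrator", "description": "sample"},
    {"id": "ffffffffffffffffffffffffffffffff", "name": "Developer", "description": "sample"},
]}
SAMPLE_MEMBERSHIPS = {"memberMappings": [
    {"roleId": "1b92fae3e55a411793a091fb821c422d",
     "members": [{"type": "GROUP", "userOrGroupName": "5c46c1f7-853c-4d82-aa9a-96927bde6e01"}]},
]}


def find_role_id(roles_doc, role_name):
    """Return the ID of the role with the given name; require exactly one match."""
    matches = [r["id"] for r in roles_doc.get("roles", []) if r.get("name") == role_name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one role named {role_name!r}, found {len(matches)}")
    return matches[0]


def membership_url(base_url, role_id, group_id):
    """Build the Role Membership PUT URL, percent-encoding both path parameters."""
    return (f"{base_url.rstrip('/')}/api/v2/roleMemberships/global/role/"
            f"{quote(role_id, safe='')}/group/{quote(group_id, safe='')}")


def group_has_role(memberships_doc, role_id, group_id):
    """True if the group appears as a GROUP member of the given role in the global memberships."""
    for mapping in memberships_doc.get("memberMappings", []):
        if mapping.get("roleId") != role_id:
            continue
        for member in mapping.get("members", []):
            if member.get("type") == "GROUP" and member.get("userOrGroupName") == group_id:
                return True
    return False


def _request(method, url, user, password, timeout=15):
    # Basic auth, as with the curl -u examples above
    req = urllib.request.Request(url, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
        return json.loads(body) if body else {}


def map_group_to_role(base_url, user, password, role_name, group_id):
    """Look up the role, create the mapping, and confirm it is visible. Returns the role ID."""
    base = base_url.rstrip("/")
    role_id = find_role_id(_request("GET", f"{base}/api/v2/roles", user, password), role_name)
    _request("PUT", membership_url(base, role_id, group_id), user, password)
    memberships = _request("GET", f"{base}/api/v2/roleMemberships/global", user, password)
    if not group_has_role(memberships, role_id, group_id):
        raise RuntimeError(f"group {group_id} not visible under role {role_id} after PUT")
    return role_id


if __name__ == "__main__":
    # Usage: IQ_USER=... IQ_PASSWORD=... python map_group.py http://localhost:8070 <groupObjectId>
    if len(sys.argv) != 3:
        sys.exit("usage: map_group.py <lifecycle-base-url> <entra-group-object-id>")
    role = map_group_to_role(sys.argv[1], os.environ["IQ_USER"], os.environ["IQ_PASSWORD"],
                             "System Administrator", sys.argv[2])
    print(f"mapped group {sys.argv[2]} to role {role}")
```

Granting System Administrator to a whole Entra ID group means every member of that group, present and future, administers Lifecycle; for anything beyond this test setup, map the group to a narrower role and keep membership of the Entra group itself tightly controlled.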
3.3 Test the Configuration
3.3.1 Log In
Sign in with "Single Sign-On (SSO)". You will be redirected to the Microsoft sign-in page. Sign in using the user’s User Principal Name (UPN) from Entra ID (see Step 2.3.1).
3.3.2 Verify User Access
Confirm that:
- The user is successfully authenticated.
- The expected roles and permissions are applied.
- User profile information (name, email, groups) is populated correctly.