User Authentication

Nexus Repository Manager includes a simple user management system and integrations with a number of external authentication sources. Users stored in the internal system can also be managed via the REST API .

After authentication methods have been configured they can be activated or deactivated without removing the configuration through the user interface as detailed in the Security Realms section.

Supported External Authentication Methods

Atlassian Crowd

Nexus Repository Manager can be configured as an application in Atlassian Crowd.

LDAP

A server supporting the Lightweight Directory Access Protocol can also be used by Nexus Repository Manager for authentication.

RUT Authentication

With Remote User Token (RUT) authentication a reverse proxy placed in front of Nexus Repository Manager supplies the identification for the user as a header.

SAML NEW IN 3.22

An identity provider supporting SAML can also provide authentication for Nexus Repository Manager.

User Tokens

PRO For improved security consider enabling user token support which allows users to generate a random token pair for use with client tools and avoids storing credentials in local files.

Security Realms

The feature view for security realms administration displayed in Figure: “Security Realms Administration” allows you to activate and prioritize security realms used for authentication and authorization by adding them to the Active list on the right and placing them higher or lower on the list. It can be accessed via the Realms menu item located under Security, in the Administration main menu.

Figure: Security Realms Administration

Effectively, this configuration determines what authentication realm is used to grant a user access and the order the realms are used.

Local Authenticating Realm and Local Authorizing Realm

These are the built-in realms used by default. They allow the repository manager to manage security setup without additional external systems.

Recommended Ordering

Sonatype recommends keeping the Local realms at the top of the active list.  In the event of system recovery, if you have them lower in the order (or removed), restoration may be more difficult.

Crowd Realm

This realm identifies external storage in an Atlassian Crowd system with details documented in Atlassian Crowd Support.

Default Role Realm

This realm will append the configured role to all users when they are authenticated, see the Default Role page.

Docker Bearer Token Realm

This realm permits docker repositories with the ability to have anonymous read enabled on their repositories in conjunction with the Force basic authentication configuration setting.  This is documented further in Docker Authentication, found in the Docker section.

LDAP Realm

This realm identifies external storage in an LDAP system including e.g., Microsoft ActiveDirectory, ApacheDS, OpenLDAP with details documented in LDAP.

npm Bearer Token Realm

This realm permits users with previously generated bearer tokens to publish npm packages. See npm Security to learn how to establish a connection in order to publish.

NuGet API-Key Realm

This realm is required for deployments to NuGet repositories as documented in NuGet Repositories.

Rut Auth Realm

This realm uses an external authentication in any system with the user authorization passed to the repository manager in a HTTP header field with details documented in Authentication via Remote User Token.

SAML Realm

This realm uses an external Identity Provider (IdP) to handle authentication, details documented in the SAML page.

User Token Realm

This realm activates token-based authentication for users as a substitute for plain-text username and password authentication. When the user token capability is enabled, the realm is automatically added to the Active Realms list. A full description of this realm is documented in Accessing User Tokens in Realms.

Removing all realms from the Active section prevents access to the repository manager for any user including any administrative access and has to be avoided.