Posted to issues@nifi.apache.org by "Nathan Gough (Jira)" <ji...@apache.org> on 2019/11/05 16:25:00 UTC

[jira] [Comment Edited] (NIFI-6837) Test and document 2FA using an external OIDC provider

    [ https://issues.apache.org/jira/browse/NIFI-6837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16967643#comment-16967643 ] 

Nathan Gough edited comment on NIFI-6837 at 11/5/19 4:24 PM:
-------------------------------------------------------------

Using Google's G Suite as identity management and OIDC provider I was able to enable 2FA with NiFi. The steps were:

 1. Set up a G Suite account. This requires owning your own domain. I got a free trial for a paid version, but I think there's a free version as well.
 2. Verify ownership of the domain by adding a TXT entry at your domain host, which will be detected by Google.
 3. Change your domain host's (mine was namecheap) mail server to Google's mail server.
 4. Add an admin and a normal user.
 5. The Security tab in G Suite allows enabling and enforcing 2FA/2SV. All users should have this set up before it is enforced, otherwise they will not be able to authenticate for G Suite or NiFi. Various 2FA mechanisms are available, including SMS, phone call, Google prompt, Google Authenticator, etc.
 6. In Google Console (https://console.cloud.google.com/), log in as your admin user, go to 'APIs & Services' and create a 'NiFi' project.
 7. In 'APIs & Services', create an OAuth consent screen for the 'NiFi' project:
    - Application type: Internal
    - Application name: NiFi
    - Logo: I added a NiFi logo
    - Support email: Users attempting to log in will see this email for support questions
    - Authorized domains: The domain where NiFi is hosted (yourdomain.com)
 8. In 'APIs & Services', under Credentials, click 'Create credentials' > 'OAuth Client ID' (this generates ${nifi.oauth.client.id} and ${nifi.oauth.client.secret}):
    - Type: Web application
    - Name: NiFi
    - Redirect URL: https://${nifi.hostname}:${nifi.port}/nifi-api/access/oidc/callback (e.g. https://natog0.com:9550/nifi-api/access/oidc/callback)
 9. Set the NiFi properties (see https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect):
    - nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration
    - nifi.security.user.oidc.client.id=${nifi.oauth.client.id}
    - nifi.security.user.oidc.client.secret=${nifi.oauth.client.secret}
 10. Set the NiFi authorizers.xml:
    - <property name="Initial User Identity 4">gsuiteuser@yourdomain.com</property>
    - <property name="Initial Admin Identity">gsuiteuser@yourdomain.com</property>

You should now be able to visit the NiFi UI. It will redirect to the OAuth consent screen you created; you can log in as your created user, Google will request the 2FA step you configured, and once authenticated it will redirect you to the NiFi UI logged in as gsuiteuser@yourdomain.com.
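As an added example (my own code, not the project's and not part of the comment above), the following Python script checks the two configuration pieces from the steps above against each other and against what was registered with the provider: that the OIDC discovery URL is HTTPS, that the client id and secret are filled in, that the callback URL NiFi will send (built from the HTTPS host and port, plus the /nifi-api/access/oidc/callback path from step 8) is exactly one of the registered redirect URIs, that the NiFi host sits under an authorized domain, and that the Initial Admin Identity in authorizers.xml is an email address in the identity domain and is also seeded as an Initial User Identity, as the comment does. It assumes nifi.web.https.host and nifi.web.https.port are the values NiFi builds the callback from and that the G Suite email address is used as the NiFi identity; the sample nifi.properties, authorizers.xml, redirect URI list and domain are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample input: the nifi.properties entries set in the steps above plus
# the HTTPS host/port NiFi builds its callback URL from (assumption). Placeholder values.
SAMPLE_NIFI_PROPERTIES = """\
nifi.web.https.host=nifi.yourdomain.com
nifi.web.https.port=9443
nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration
nifi.security.user.oidc.client.id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com
nifi.security.user.oidc.client.secret=EXAMPLE-CLIENT-SECRET
"""

# Constructed sample authorizers.xml fragment with the two identities the steps above add.
SAMPLE_AUTHORIZERS_XML = """\
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 4">gsuiteuser@yourdomain.com</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">gsuiteuser@yourdomain.com</property>
  </accessPolicyProvider>
</authorizers>
"""

# What was registered on the provider side (constructed, hypothetical values).
REGISTERED_REDIRECT_URIS = ["https://nifi.yourdomain.com:9443/nifi-api/access/oidc/callback"]
AUTHORIZED_DOMAINS = ["yourdomain.com"]

# NiFi's OIDC callback path, as given in the redirect URL step above.
OIDC_CALLBACK_PATH = "/nifi-api/access/oidc/callback"
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def expected_redirect_uri(props):
    """The callback URL NiFi sends; the provider must have exactly this string registered."""
    host = props.get("nifi.web.https.host", "")
    port = props.get("nifi.web.https.port", "")
    return f"https://{host}:{port}{OIDC_CALLBACK_PATH}"


def check_oidc_properties(props, registered_redirect_uris, authorized_domains):
    """Return a list of findings; an empty list means the properties look consistent."""
    findings = []
    discovery = props.get("nifi.security.user.oidc.discovery.url", "")
    if urlparse(discovery).scheme != "https":
        findings.append("discovery URL is not https")
    for key in ("nifi.security.user.oidc.client.id", "nifi.security.user.oidc.client.secret"):
        if not props.get(key):
            findings.append(f"{key} is empty")
    redirect = expected_redirect_uri(props)
    if redirect not in registered_redirect_uris:  # providers compare redirect URIs exactly
        findings.append(f"redirect URI {redirect} is not registered with the provider")
    host = urlparse(redirect).hostname or ""
    if not any(host == d or host.endswith("." + d) for d in authorized_domains):
        findings.append(f"NiFi host {host} is not under an authorized domain")
    return findings


def initial_identities(xml_text):
    """Collect the Initial User/Admin Identity properties from authorizers.xml."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "").strip()
            for p in root.iter("property") if p.get("name", "").startswith("Initial")}


def check_identities(identities, identity_domain):
    """Admin identity must be an email in the IdP domain and also a seeded user (assumption)."""
    findings = []
    admin = identities.get("Initial Admin Identity", "")
    match = EMAIL_RE.match(admin)
    if not match:
        findings.append("Initial Admin Identity is not an email-style identity")
    elif match.group(1).lower() != identity_domain.lower():
        findings.append(f"Initial Admin Identity is not in the {identity_domain} domain")
    users = [v for k, v in identities.items() if k.startswith("Initial User Identity")]
    if admin not in users:
        findings.append("Initial Admin Identity is not also listed as an Initial User Identity")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_NIFI_PROPERTIES)
    for finding in check_oidc_properties(props, REGISTERED_REDIRECT_URIS, AUTHORIZED_DOMAINS):
        print("nifi.properties:", finding)
    for finding in check_identities(initial_identities(SAMPLE_AUTHORIZERS_XML), "yourdomain.com"):
        print("authorizers.xml:", finding)
```

The identity checks matter because NiFi matches the identity string from the provider against authorizers.xml as-is, so a user whose email differs from the configured identity (or an admin identity that is not also a seeded user) ends up authenticated by Google but unauthorized in NiFi; the redirect URI check catches the most common setup failure, a host or port mismatch between what NiFi sends and what was registered.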


> Test and document 2FA using an external OIDC provider 
> ------------------------------------------------------
>
>                 Key: NIFI-6837
>                 URL: https://issues.apache.org/jira/browse/NIFI-6837
>             Project: Apache NiFi
>          Issue Type: Sub-task
>          Components: Security
>            Reporter: Nathan Gough
>            Assignee: Nathan Gough
>            Priority: Major
>
> * Enable 2FA for an OIDC provider and enforce that users must require 2FA to authenticate before they can access NiFi



--
This message was sent by Atlassian Jira
(v8.3.4#803005)