Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2023/06/15 22:51:00 UTC

[jira] [Commented] (NIFI-11694) SAML logout failed

    [ https://issues.apache.org/jira/browse/NIFI-11694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17733258#comment-17733258 ] 

David Handermann commented on NIFI-11694:
-----------------------------------------

Thanks for describing the issue [~fube1].

As noted in the NiFi Admin Guide section on [SAML|https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#saml], the {{saml.request.signing.enabled}} property controls how NiFi generates and renders the Service Provider Metadata XML. The property does not control how NiFi verifies single logout requests or responses.

The SAML Identity Provider configuration controls the signing of Single Logout Requests, and signature verification is a standard part of the process to avoid malicious logout requests.

It is possible to disable SAML Single Logout, which will invalidate the local NiFi session, without logging out of the identity provider.
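To make the point about Single Logout signature verification concrete, the following is an added example (not NiFi or OpenSAML code, and not part of this issue) showing what a SAML 2.0 HTTP-Redirect binding signed LogoutRequest looks like on the wire and how the receiving party verifies it against the certificate registered for the Service Provider. It assumes the `cryptography` Python package; the LogoutRequest XML, the issuer URL, the relay state and the request ID are constructed placeholders. The demo shows that a request signed with a key the IdP does not have registered, or a request with the signature stripped off, does not verify, which is why the IdP's own SP configuration, not the NiFi metadata property, decides whether a signed logout succeeds.

```python
"""SAML 2.0 HTTP-Redirect binding: sign a LogoutRequest and verify it as an IdP would.

Added illustration; not NiFi or OpenSAML code. Requires the 'cryptography' package.
"""
import base64
import zlib
from urllib.parse import quote, unquote

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Same algorithm URI that appears in the issue's OpenSAML log lines.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample LogoutRequest; ID, issuer, destination and NameID are placeholders.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-logout-request-id" Version="2.0" '
    'IssueInstant="2023-06-15T06:38:35Z" Destination="https://idp.example.test/slo">'
    "<saml:Issuer>https://nifi.example.test/nifi-api/access/saml/metadata</saml:Issuer>"
    "<saml:NameID>user@example.test</saml:NameID>"
    "</samlp:LogoutRequest>"
)


def encode_redirect_payload(xml: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, as the Redirect binding requires."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_payload(payload: str) -> str:
    """Inverse of encode_redirect_payload."""
    return zlib.decompress(base64.b64decode(payload), -15).decode("utf-8")


def sign_redirect_query(private_key, saml_request: str, relay_state=None) -> str:
    """Build 'SAMLRequest=...&RelayState=...&SigAlg=...&Signature=...'.

    The signature covers the URL-encoded octets of SAMLRequest, RelayState (if present)
    and SigAlg, in exactly that order, so the encoded form is what gets signed.
    """
    pieces = ["SAMLRequest=" + quote(saml_request, safe="")]
    if relay_state is not None:
        pieces.append("RelayState=" + quote(relay_state, safe=""))
    pieces.append("SigAlg=" + quote(RSA_SHA256, safe=""))
    data = "&".join(pieces).encode("ascii")
    signature = private_key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    return "&".join(pieces) + "&Signature=" + quote(base64.b64encode(signature).decode(), safe="")


def verify_redirect_query(query: str, registered_public_key) -> bool:
    """Verify a Redirect-binding query against the SP key the receiver has on file.

    Returns False for a missing signature, an unexpected algorithm, or a bad signature.
    The raw encoded values are reused verbatim so that differing encoders cannot
    produce a different signed string than the sender actually signed.
    """
    raw = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        raw[key] = value
    for required in ("SAMLRequest", "SigAlg", "Signature"):
        if required not in raw:
            return False
    if unquote(raw["SigAlg"]) != RSA_SHA256:
        return False
    pieces = ["SAMLRequest=" + raw["SAMLRequest"]]
    if "RelayState" in raw:
        pieces.append("RelayState=" + raw["RelayState"])
    pieces.append("SigAlg=" + raw["SigAlg"])
    data = "&".join(pieces).encode("ascii")
    signature = base64.b64decode(unquote(raw["Signature"]))
    try:
        registered_public_key.verify(signature, data, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    return True


def demo() -> dict:
    """Sign with the SP key, then verify with the registered key, a wrong key, and no signature."""
    sp_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    unregistered_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    payload = encode_redirect_payload(SAMPLE_LOGOUT_REQUEST)
    query = sign_redirect_query(sp_key, payload, relay_state="nifi relay state")
    unsigned_query = query.split("&Signature=")[0]
    return {
        "round_trip_ok": decode_redirect_payload(payload) == SAMPLE_LOGOUT_REQUEST,
        "verifies_with_registered_key": verify_redirect_query(query, sp_key.public_key()),
        "verifies_with_other_key": verify_redirect_query(query, unregistered_key.public_key()),
        "unsigned_accepted": verify_redirect_query(unsigned_query, sp_key.public_key()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The verifier deliberately works from the raw query string rather than re-encoding parsed values; that is the detail most often responsible for "signature invalid" errors between two otherwise correct SAML implementations, and it is also why an SP whose signing certificate is absent from the IdP's configuration sees its signed logout rejected while login continues to work.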

> SAML logout failed
> ------------------
>
>                 Key: NIFI-11694
>                 URL: https://issues.apache.org/jira/browse/NIFI-11694
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.21.0
>            Reporter: Beat Fuellemann
>            Assignee: David Handermann
>            Priority: Major
>
> We activated SAML Authentication with the following configuration:
> {code:java}
> nifi.security.user.saml.request.signing.enabled=false
> nifi.security.user.saml.want.assertions.signed=true
> nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> nifi.security.user.saml.authentication.expiration=1 hours
> nifi.security.user.saml.single.logout.enabled=true
> nifi.security.user.saml.http.client.truststore.strategy=JDK
> nifi.security.user.saml.http.client.connect.timeout=30 secs
> nifi.security.user.saml.http.client.read.timeout=30 secs{code}
> Login works fine.
> But during logout, it looks like NiFi signs the request, even if we set "request.signing.enabled=false". This causes the logout to fail on the IdP.
> It gives us the following error:
> {code:java}
> 2023-06-15 06:38:35,629 INFO [NiFi Web Server-78] org.apache.nifi.web.api.AccessResource Logout Request [7b8370e8-752f-484e-8caa-5a8ce3f29caf] Identity [TXXXXX] started
> 2023-06-15 06:38:35,673 DEBUG [NiFi Web Server-78] o.o.xmlsec.algorithm.AlgorithmRegistry Runtime support eval for algorithm URI 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': supported
> 2023-06-15 06:38:35,674 DEBUG [NiFi Web Server-78] o.o.xmlsec.algorithm.AlgorithmRegistry Runtime support eval for algorithm URI 'http://www.w3.org/2001/04/xmlenc#sha256': supported
> 2023-06-15 06:38:35,676 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver Resolved SignatureSigningParameters:
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Signing credential with key algorithm: RSA
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Signature KeyInfoGenerator: present
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Reference digest method algorithm URI: http://www.w3.org/2001/04/xmlenc#sha256
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Reference canonicalization algorithm URI: null
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Canonicalization algorithm URI: http://www.w3.org/2001/10/xml-exc-c14n#
> 2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      HMAC output length: null
> 2023-06-15 06:38:35,678 DEBUG [NiFi Web Server-78] o.opensaml.security.crypto.SigningUtil Computing signature over input using private key of type RSA and JCA algorithm ID SHA256withRSA
> 2023-06-15 06:38:35,691 DEBUG [NiFi Web Server-78] o.opensaml.security.crypto.SigningUtil Computed signature: [3, e, 2, 0, d, 4, 0, 7, d, 8, 2, 6, 9, 7, a, f, c, 1, 0, 8, b, 9, 5, f, d, 0, a, 3, 2, 9, b, 9, 3, d, b, 5, 2, 4, 2, f, a, 9, 7, 1, 2, 3, d, 3, c, d, 9, 8, 1, 0, a, 5, 1, 8, 8, 6, 3, 3, 8, a, a, 7, f, 1, 8, 9, c, a, 3, 5, 7, b, 2, e, c, 2, 5, 3, 7, 1, 2, b, 2, 1, 4, 3, e, 6, f, 4, 8, 5, e, 1, d, 3, e, 1, a, 5, 1, a, f, 8, 2, f, a, 3, 8, a, 3, 2, f, 0, 6, d, e, 8, 7, b, 9, f, d, 2, 8, b, d, f, 8, 2, 7, 9, 3, 5, 1, d, c, 1, 2, e, 3, 4, 8, f, 3, 7, e, 6, 5, c, e, 3, 8, 3, 1, 2, a, 6, 5, 6, 1, 2, 8, c, 8, 3, 8, 3, a, a, 9, 6, 2, a, 8, 3, 2, 9, 2, 5, 9, 2, b, e, 6, d, 0, 0, e, 1, 8, 9, 2, 4, 0, 2, a, 5, c, b, 3, 1, b, 1, b, b, a, e, 0, f, 6, e, 8, 0, b, c, 9, 0, 0, f, c, 1, 7, 5, c, 4, d, b, 5, c, 1, 0, f, b, 3, d, 4, c, e, 5, 7, 4, 3, 8, f, b, 1, f, 1, d, a, a, 0, c, 8, e, d, b, 5, 0, 5, 9, 7, a, c, 8, 7, 9, 4, 4, d, f, 1, 3, 2, 9, 6, 6, 2, 4, 1, e, c, 8, 3, 7, 3, 2, 4, 9, a, 9, 4, 0, 3, c, 4, b, 2, f, 1, b, 9, b, 4, 3, 1, f, 6, d, 3, d, 4, 5, 0, f, 7, 8, d, 1, c, 1, 8, f, 2, 4, 8, 3, 3, 9, e, 3, 4, b, 5, 0, 9, 9, 1, 0, c, b, e, 3, 7, 9, 4, 4, d, 7, a, a, 4, 6, 6, 0, 1, b, c, 8, b, 4, c, 9, c, a, b, 2, b, e, d, 4, 4, 4, 0, a, b, 9, 4, 4, 4, 4, 9, e, a, b, 4, b, 0, 1, 4, 0, b, 7, 2, f, d, b, 8, a, a, 8, f, 8, e, 3, 8, 9, 0, c, 8, f, 3, 0, 6, 0, 9, 3, d, 5, c, 3, 5, 6, a, 6, e, 1, d, 5, c, 5, a, 4, 9, 2, 3, c, d, 5, 6, 8, f, 1, 3, f, c, 4, 5, 4, 4, 9, 5, 4, 1, 4, 7, f, d, 6, 1, d, 0, 6, 5, d, b, 5, 1, f, 5, 2, 8, 2, 6, f, 2, 6, a, c, b, e, 1, 5, 6, 2, 8, 8, 5, 9, f, 6, b, d, c, 1, 9, 8, f, 3, 6, 1, e, 0, 7, 6, b, f, 4, 4, 1, 9, c, a, 4, 9, 7, 7, 8, e, 2, 7, 5, 4, 4, e, f, 4, 6, 7, 7, 6, 4, 7, b, b, f, 4, a, 8, c, d, 1, d, f, 1, 0, c, a, 6, 8, 9, d, f, a, 9, 1, c, 9, c, 8, 9, 3, 0, a, a, 1, 3, 1, f, 9, 3, 9, 3, 8, 8, b, 0, 0, 6, e, d, 1, 1, 5, c, 4, 8, 5, 7, d, 7, 1, 2, 1, 1, 3, 9, 5, d, 9, 3, 2, d, 1, e, 4, 1, 1, 7, 3, 2, 1, d, f, 3, 7, 7, 8, 0, d, 7, a, 5, b, 
c, c, 5, 7, d, 4, 1, f, c, 7, 6, 5, e, 2, f, c, 7, 0, c, 5, 6, c, d, 5, 3, b, d, c, 0, e, 8, 4, 5, 5, a, 1, 1, 0, b, 9, c, f, a, 9, 3, f, f, 5, 8, 5, f, d, e, 3, 7, 1, 4, d, a, 0, 9, b, 8, f, 9, 3, 7, 3, 7, f, 3, 5, 9, c, f, 8, c, 6, 0, d, c, c, b, 8, 7, 7, a, e, e, 9, a, a, 7, 9, d, d, 9, b, 6, 6, f, e, 7, 3, e, 8, b, 2, 0, 8, e, e, 3, d, 9, f, 8, 3, d, 5, 8, 5, 0, 9, 4, c, c, f, e, 0, f, 8, b, 8, 0, 1, 5, 8, 9, 4, 6, 0, a, 1, a, 1, 0, 7, 4, 9, 0, b, e, 8, d, 4, f, c, 4, f, 2, c, 4, b, c, 7, 9, 7, 2, 9, 3, 0, f, 3, 0, 8, 6, a, 3, 0, 4, 8, c, 0, e, d, 9, 4, 5, 3, d, 4, b, a, 8, e, 8, f, 9, c, e, 5, 0, 7, 3, b, b, 6, 3, f, 0, 2, 3, 5, 1, 3, 0, 3, d, 6, b, d, 4, d, c, d, d, c, 0, a, f, 0, 8, 8, e, 0, 7, 7, f, 4, 3, 9, 8, c, 5, f, 9, a, d, 0, 9, 5, a, a, 9, 8, c, d, 9, a, a, 2, 1, f, 9, 9, 1, 5, 4, c, 5, 6, 8, a, a, 2, 6, 1, 2, e, 6, 7, 3, d, e, 4, 5, b, 2, 2, b, 5, f, f, f, 3, 2, 5, 7, 5, 0, f, 2, 9, 9, 7, a, 0, a, 7, e, c, b, 7, 5, 7, 1, 0, 6, f, 6, 0, e, 5, 7, b, 1, 1, d, 9, 8, 8, 5, 7, b, 2, d, 7, c, e, c, 2, 8, c, 0, 2, a, f, 0, a, a, 2, b, 4, d, 0, 1, e, 0, 3, 7, e, 7, 2, 8, 3, 7, 4, 1, 7, 3, e, 2, 8, 6, d, d, 7, 0, 8, 9, 2, 9, 6, f, d, 6, f, 2, f, 4, d, d, 6, f]{code}
>  
> Is there another switch to disable logout request signing?
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)