Posted to issues@nifi.apache.org by "Beat Fuellemann (Jira)" <ji...@apache.org> on 2023/06/15 04:56:00 UTC

[jira] [Created] (NIFI-11694) SAML logout failed

Beat Fuellemann created NIFI-11694:
--------------------------------------

             Summary: SAML logout failed
                 Key: NIFI-11694
                 URL: https://issues.apache.org/jira/browse/NIFI-11694
             Project: Apache NiFi
          Issue Type: Bug
    Affects Versions: 1.21.0
            Reporter: Beat Fuellemann


We activated SAML Authentication with the following configuration:
{code:java}
nifi.security.user.saml.request.signing.enabled=false
nifi.security.user.saml.want.assertions.signed=true
nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
nifi.security.user.saml.authentication.expiration=1 hours
nifi.security.user.saml.single.logout.enabled=true
nifi.security.user.saml.http.client.truststore.strategy=JDK
nifi.security.user.saml.http.client.connect.timeout=30 secs
nifi.security.user.saml.http.client.read.timeout=30 secs{code}
Login works fine.

But during logout, it looks like NiFi signs the request, even though we set "request.signing.enabled=false". This causes the logout to fail on the IdP.

It gives us the following error:
{code:java}
2023-06-15 06:38:35,629 INFO [NiFi Web Server-78] org.apache.nifi.web.api.AccessResource Logout Request [7b8370e8-752f-484e-8caa-5a8ce3f29caf] Identity [TXXXXX] started
2023-06-15 06:38:35,673 DEBUG [NiFi Web Server-78] o.o.xmlsec.algorithm.AlgorithmRegistry Runtime support eval for algorithm URI 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256': supported
2023-06-15 06:38:35,674 DEBUG [NiFi Web Server-78] o.o.xmlsec.algorithm.AlgorithmRegistry Runtime support eval for algorithm URI 'http://www.w3.org/2001/04/xmlenc#sha256': supported
2023-06-15 06:38:35,676 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver Resolved SignatureSigningParameters:
2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Signing credential with key algorithm: RSA
2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Signature KeyInfoGenerator: present
2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Reference digest method algorithm URI: http://www.w3.org/2001/04/xmlenc#sha256
2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Reference canonicalization algorithm URI: null
2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      Canonicalization algorithm URI: http://www.w3.org/2001/10/xml-exc-c14n#
2023-06-15 06:38:35,677 DEBUG [NiFi Web Server-78] o.o.x.i.BasicSignatureSigningParametersResolver      HMAC output length: null
2023-06-15 06:38:35,678 DEBUG [NiFi Web Server-78] o.opensaml.security.crypto.SigningUtil Computing signature over input using private key of type RSA and JCA algorithm ID SHA256withRSA
2023-06-15 06:38:35,691 DEBUG [NiFi Web Server-78] o.opensaml.security.crypto.SigningUtil Computed signature: [3, e, 2, 0, d, 4, 0, 7, d, 8, 2, 6, 9, 7, a, f, c, 1, 0, 8, b, 9, 5, f, d, 0, a, 3, 2, 9, b, 9, 3, d, b, 5, 2, 4, 2, f, a, 9, 7, 1, 2, 3, d, 3, c, d, 9, 8, 1, 0, a, 5, 1, 8, 8, 6, 3, 3, 8, a, a, 7, f, 1, 8, 9, c, a, 3, 5, 7, b, 2, e, c, 2, 5, 3, 7, 1, 2, b, 2, 1, 4, 3, e, 6, f, 4, 8, 5, e, 1, d, 3, e, 1, a, 5, 1, a, f, 8, 2, f, a, 3, 8, a, 3, 2, f, 0, 6, d, e, 8, 7, b, 9, f, d, 2, 8, b, d, f, 8, 2, 7, 9, 3, 5, 1, d, c, 1, 2, e, 3, 4, 8, f, 3, 7, e, 6, 5, c, e, 3, 8, 3, 1, 2, a, 6, 5, 6, 1, 2, 8, c, 8, 3, 8, 3, a, a, 9, 6, 2, a, 8, 3, 2, 9, 2, 5, 9, 2, b, e, 6, d, 0, 0, e, 1, 8, 9, 2, 4, 0, 2, a, 5, c, b, 3, 1, b, 1, b, b, a, e, 0, f, 6, e, 8, 0, b, c, 9, 0, 0, f, c, 1, 7, 5, c, 4, d, b, 5, c, 1, 0, f, b, 3, d, 4, c, e, 5, 7, 4, 3, 8, f, b, 1, f, 1, d, a, a, 0, c, 8, e, d, b, 5, 0, 5, 9, 7, a, c, 8, 7, 9, 4, 4, d, f, 1, 3, 2, 9, 6, 6, 2, 4, 1, e, c, 8, 3, 7, 3, 2, 4, 9, a, 9, 4, 0, 3, c, 4, b, 2, f, 1, b, 9, b, 4, 3, 1, f, 6, d, 3, d, 4, 5, 0, f, 7, 8, d, 1, c, 1, 8, f, 2, 4, 8, 3, 3, 9, e, 3, 4, b, 5, 0, 9, 9, 1, 0, c, b, e, 3, 7, 9, 4, 4, d, 7, a, a, 4, 6, 6, 0, 1, b, c, 8, b, 4, c, 9, c, a, b, 2, b, e, d, 4, 4, 4, 0, a, b, 9, 4, 4, 4, 4, 9, e, a, b, 4, b, 0, 1, 4, 0, b, 7, 2, f, d, b, 8, a, a, 8, f, 8, e, 3, 8, 9, 0, c, 8, f, 3, 0, 6, 0, 9, 3, d, 5, c, 3, 5, 6, a, 6, e, 1, d, 5, c, 5, a, 4, 9, 2, 3, c, d, 5, 6, 8, f, 1, 3, f, c, 4, 5, 4, 4, 9, 5, 4, 1, 4, 7, f, d, 6, 1, d, 0, 6, 5, d, b, 5, 1, f, 5, 2, 8, 2, 6, f, 2, 6, a, c, b, e, 1, 5, 6, 2, 8, 8, 5, 9, f, 6, b, d, c, 1, 9, 8, f, 3, 6, 1, e, 0, 7, 6, b, f, 4, 4, 1, 9, c, a, 4, 9, 7, 7, 8, e, 2, 7, 5, 4, 4, e, f, 4, 6, 7, 7, 6, 4, 7, b, b, f, 4, a, 8, c, d, 1, d, f, 1, 0, c, a, 6, 8, 9, d, f, a, 9, 1, c, 9, c, 8, 9, 3, 0, a, a, 1, 3, 1, f, 9, 3, 9, 3, 8, 8, b, 0, 0, 6, e, d, 1, 1, 5, c, 4, 8, 5, 7, d, 7, 1, 2, 1, 1, 3, 9, 5, d, 9, 3, 2, d, 1, e, 4, 1, 1, 7, 3, 2, 1, d, f, 3, 7, 7, 8, 0, d, 7, a, 5, b, 
c, c, 5, 7, d, 4, 1, f, c, 7, 6, 5, e, 2, f, c, 7, 0, c, 5, 6, c, d, 5, 3, b, d, c, 0, e, 8, 4, 5, 5, a, 1, 1, 0, b, 9, c, f, a, 9, 3, f, f, 5, 8, 5, f, d, e, 3, 7, 1, 4, d, a, 0, 9, b, 8, f, 9, 3, 7, 3, 7, f, 3, 5, 9, c, f, 8, c, 6, 0, d, c, c, b, 8, 7, 7, a, e, e, 9, a, a, 7, 9, d, d, 9, b, 6, 6, f, e, 7, 3, e, 8, b, 2, 0, 8, e, e, 3, d, 9, f, 8, 3, d, 5, 8, 5, 0, 9, 4, c, c, f, e, 0, f, 8, b, 8, 0, 1, 5, 8, 9, 4, 6, 0, a, 1, a, 1, 0, 7, 4, 9, 0, b, e, 8, d, 4, f, c, 4, f, 2, c, 4, b, c, 7, 9, 7, 2, 9, 3, 0, f, 3, 0, 8, 6, a, 3, 0, 4, 8, c, 0, e, d, 9, 4, 5, 3, d, 4, b, a, 8, e, 8, f, 9, c, e, 5, 0, 7, 3, b, b, 6, 3, f, 0, 2, 3, 5, 1, 3, 0, 3, d, 6, b, d, 4, d, c, d, d, c, 0, a, f, 0, 8, 8, e, 0, 7, 7, f, 4, 3, 9, 8, c, 5, f, 9, a, d, 0, 9, 5, a, a, 9, 8, c, d, 9, a, a, 2, 1, f, 9, 9, 1, 5, 4, c, 5, 6, 8, a, a, 2, 6, 1, 2, e, 6, 7, 3, d, e, 4, 5, b, 2, 2, b, 5, f, f, f, 3, 2, 5, 7, 5, 0, f, 2, 9, 9, 7, a, 0, a, 7, e, c, b, 7, 5, 7, 1, 0, 6, f, 6, 0, e, 5, 7, b, 1, 1, d, 9, 8, 8, 5, 7, b, 2, d, 7, c, e, c, 2, 8, c, 0, 2, a, f, 0, a, a, 2, b, 4, d, 0, 1, e, 0, 3, 7, e, 7, 2, 8, 3, 7, 4, 1, 7, 3, e, 2, 8, 6, d, d, 7, 0, 8, 9, 2, 9, 6, f, d, 6, f, 2, f, 4, d, d, 6, f]{code}
 

Is there another switch to disable logout request signing?

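An added diagnostic example, not part of the original report and not NiFi code: it correlates each `Logout Request [...] started` line with a later `SigningUtil` "Computing signature" line on the same worker thread, and reports the matches only when `nifi.security.user.saml.request.signing.enabled` is not `true`. It assumes DEBUG logging for the OpenSAML loggers as in the report, treats any value other than `true` as disabled, and runs on constructed sample input; the function names are hypothetical.

```python
import re

# Constructed sample input modelled on the report (signature bytes omitted;
# the Server-80 line is invented to show a logout with no signing).
PROPERTIES = """\
nifi.security.user.saml.request.signing.enabled=false
nifi.security.user.saml.single.logout.enabled=true
"""
LOG = """\
2023-06-15 06:38:35,629 INFO [NiFi Web Server-78] org.apache.nifi.web.api.AccessResource Logout Request [7b8370e8-752f-484e-8caa-5a8ce3f29caf] Identity [TXXXXX] started
2023-06-15 06:38:35,678 DEBUG [NiFi Web Server-78] o.opensaml.security.crypto.SigningUtil Computing signature over input using private key of type RSA and JCA algorithm ID SHA256withRSA
2023-06-15 06:38:36,100 INFO [NiFi Web Server-80] org.apache.nifi.web.api.AccessResource Logout Request [00000000-0000-0000-0000-000000000000] Identity [TYYYYY] started
"""

LINE = re.compile(r"^\S+ \S+ (?P<level>\w+) +\[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$")
LOGOUT = re.compile(r"Logout Request \[(?P<id>[0-9a-f-]+)\] Identity \[[^\]]*\] started")
SIGNING = re.compile(r"Computing signature over input .* JCA algorithm ID (?P<alg>\S+)")

def load_properties(text):
    """Parse key=value lines, skipping comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def signed_logouts(log_text):
    """Return (logout_request_id, jca_algorithm) for each logout request
    whose worker thread logs a signature computation afterwards."""
    open_logout = {}   # thread name -> logout request id awaiting a match
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        started = LOGOUT.search(m["msg"])
        signing = SIGNING.search(m["msg"])
        if started:
            open_logout[m["thread"]] = started["id"]
        elif signing and m["logger"].endswith("SigningUtil") and m["thread"] in open_logout:
            hits.append((open_logout.pop(m["thread"]), signing["alg"]))
    return hits

def check(properties_text, log_text):
    """List signed logout requests only when request signing is configured off."""
    props = load_properties(properties_text)
    enabled = props.get("nifi.security.user.saml.request.signing.enabled", "")
    return [] if enabled.lower() == "true" else signed_logouts(log_text)
```

Thread-name correlation is a heuristic: a pooled worker thread can serve an unrelated request after the logout, so confirm a hit against the timestamps before relying on it.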