Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/11/18 17:47:00 UTC

[jira] [Commented] (NIFI-7888) Support authentication via SAML

    [ https://issues.apache.org/jira/browse/NIFI-7888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17234865#comment-17234865 ] 

ASF subversion and git services commented on NIFI-7888:
-------------------------------------------------------

Commit dcc4fb00a51ac4f5798a39a43d8033bb1b65a306 in nifi's branch refs/heads/main from Bryan Bende
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=dcc4fb0 ]

NIFI-7888 Added support for authenticating via SAML
- Add dependency on spring-security-saml2-core
- Updated AccessResource with new SAML end-points
- Updated Login/Logout filters to handle SAML scenario
- Updated logout process to track a logout request using a cookie
- Added database storage for cached SAML credential and user groups
- Updated proxied requests when clustered to send IDP groups in a header
- Updated X509 filter to process the IDP groups from the header if present
- Updated admin guide
- Fixed logout action on error page

- Updated UserGroupProvider with a default method for getGroupByName
- Updated StandardManagedAuthorizer to combine groups from request with groups from lookup
- Updated UserGroupProvider implementations with more efficient impl of getGroupByName
- Added/updated unit tests

- Ensure signing algorithm is applied to all signatures and not just metadata signatures
- Added property to specify signature digest algorithm

- Added option to specify whether JDK truststore or NiFi's truststore should be used when connecting to IDP over https
- Added properties to configure connect and read timeouts for http client

- Added URL encoding of issuer when generating JWT to prevent potential issue with the frontend performing base64 decoding

- Made atomic replace methods for storing groups and saml credential in database

- Added properties to control AuthnRequestsSigned and WantAssertionsSigned in the generated service provider metadata

- Dynamically determine the private key alias from the keystore and remove the property for specifying the signing key alias

- Fixed unit test

- Added property to specify an optional identity attribute which would be used instead of NameID

- Cleaned up logging

- Fall back to keystore password when key password is blank

- Make signature and digest default to SHA-256 when no value provided in nifi.properties

This closes #4614


> Support authentication via SAML
> -------------------------------
>
>                 Key: NIFI-7888
>                 URL: https://issues.apache.org/jira/browse/NIFI-7888
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Bryan Bende
>            Assignee: Bryan Bende
>            Priority: Major
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> We should support configuring NiFi to authenticate against a SAML identity provider, similar to the current OIDC integration.
> Ideally we should also be able to obtain group information from the SAML assertions and make these groups available later during the authorization process.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)