Posted to users@nifi.apache.org by Vijay Chhipa <vc...@apple.com> on 2018/08/31 22:14:21 UTC

SAML based identity provider

Hello,

I am setting up NiFi in the company, but the out-of-the-box authentication modules are not an option for me.
I would like to write a SAML-based login identity provider.
Is there one out there already?

I am on NiFi 1.7.1, with Java 8, SAML 2.0.

What do I need to get started with writing a new login identity provider? Any examples, samples, or pointers are highly appreciated.

Vijay


Re: SAML based identity provider

Posted by Andy LoPresto <al...@apache.org>.
Hi Vijay,

Currently there are no community-supported SAML login identity providers. You can use the existing LDAP [1], Kerberos [2], and OIDC [3] implementations as examples on which to base your implementation. The LIPs are not currently exposed as a first-class extension point, but you can certainly build a custom one and use it locally, even without submitting it for inclusion in the core project. Of course, this sounds like a valuable feature for the community, and we encourage contribution if possible.

We are open to rearchitecting the authentication and authorization mechanisms in NiFi, but cannot make breaking changes that would change backward compatibility on minor version releases because we follow semantic versioning [4]. Changes which alter the fundamental authentication story NiFi presents need to go in a major release (i.e. 2.0.0). NiFi strongly adheres to stable releases which follow the principle of least surprise.

If you have specific questions or need help with integrating the code, please feel free to reach out to the community here or on GitHub. You may also be interested in the developer mailing list at dev@nifi.apache.org for more code-related questions and discussion. Thanks.


[1] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java#L65
[2] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/main/java/org/apache/nifi/kerberos/KerberosProvider.java
[3] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java#L76
[4] https://semver.org/


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69



Re: SAML based identity provider

Posted by Curtis Ruck <cu...@gmail.com>.
I've been trying to figure out how to improve this area of NiFi. They support OpenID Direct Connect (OIDC), but when you combine it with a reverse proxy or their default/hardcoded PKI configuration, it's near impossible to use.

Ideally the entire authn/z stack needs rearchitecting for better modularity for any decent SSO integration. The current APIs were built around having a writable authn/z store like LDAP/RDBMS. They are not designed for common SSO workflows where users connect to NiFi and inherit NiFi permissions based on their assertion/attributes.
