[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects

2024-02-22 Thread David Handermann (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17819746#comment-17819746
 ] 

David Handermann commented on NIFI-12202:
-

Thanks for following up [~uxapj], glad to hear you were able to get past the 
SAML login issues.

The group membership sounds like it could be a configuration issue, related to 
the {{group.attribute.name}} setting in nifi.properties, and the name of groups 
defined in NiFi.

I will proceed with closing this particular issue related to SAML redirection, 
and I recommend starting a new thread for troubleshooting the group 
membership question.

> SAML Infinitely Redirects
> -
>
> Key: NIFI-12202
> URL: https://issues.apache.org/jira/browse/NIFI-12202
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.24.0, 1.23.1, 1.23.2, 1.25.0
> Reporter: Alex Jackson
> Priority: Major
> Attachments: image-2024-02-21-14-41-53-054.png
>
>
> We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the 
> time) and just tried now 1.23.2 I see that SAML authentication takes place 
> but I am infinitely redirected and eventually land on a nifi-api address. I 
> haven't got it deployed in this bad state anymore but I feel like there is an 
> issue with SAML and it would be great if someone could look into it



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects

2024-02-21 Thread Alex Jackson (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17819259#comment-17819259
 ] 

Alex Jackson commented on NIFI-12202:
-

[~exceptionfactory] sorry again for being late on this - it was somehow 
related to the cookie (this helped us direct our attention to what was going 
on) but we had to remove the line single-user-provider from here:
{{nifi.security.user.login.identity.provider}}
Strangely this always worked even though we have managed-authorizer set: 
{{nifi.security.user.authorizer=managed-authorizer}}

Now we have another problem though - before we had to put the user and the 
group in nifi users in order for them to login. The user name would let them 
login but the groups were where we gave them their policy access etc.

It seems now though that unless we physically add the user to the member of the 
group it will not give them their policies - do I need to create a separate 
ticket for this or is this somehow expected behavior??
!image-2024-02-21-14-41-53-054.png!

We tested the fact that the username does now no longer need to be in NiFi 
users but the policies with the groups no longer work and only work when we add 
the user to be a member of said group. But the group is definitely coming 
through from the SAML token/cookie



[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects

2024-01-06 Thread David Handermann (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17803842#comment-17803842
 ] 

David Handermann commented on NIFI-12202:
-

Thanks for the additional details [~uxapj].

Does the NiFi deployment have a reverse proxy or load balancer in front? This 
can impact the properties of the Authorization Bearer Cookie if not 
configured correctly.

The referenced Jira issue does not appear to relate to this issue, but there 
could be other changes related to strict cookie handling that might apply to 
your situation.

In particular, if you look at the Set-Cookie response header from the NiFi API, 
it should include several attributes, including path and domain. These values 
must match in order for the browser to send the token back in a request Cookie 
header for subsequent authentication. When this works, there should be a Cookie 
request header containing __Secure-Authorization-Bearer on the request to 
nifi-api/flow/current-user. The fact that NiFi API returns an HTTP 401 makes it 
sound like the browser is not sending the cookie, resulting in the 
authentication loop.


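The cookie matching described in the comment above can be checked offline. The following is an added example, not part of the original thread and not NiFi code: it applies the RFC 6265 storage and matching rules to a Set-Cookie header and reports whether a browser would return the cookie on a later request. The hostnames, the /dataflow proxy prefix and the header values are constructed assumptions.

```javascript
// Added example (not NiFi code): would a browser return this cookie? Follows the
// RFC 6265 storage and matching rules; SameSite and public-suffix checks are omitted.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}
// RFC 6265 5.1.3: same host, or the host ends with "." + domain.
function domainMatch(host, domain) {
  const d = domain.replace(/^\./, '').toLowerCase();
  return host === d || host.endsWith('.' + d);
}
// RFC 6265 5.1.4: the cookie path must be a prefix that ends on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}
// setUrl: URL (as the browser sees it) of the response carrying Set-Cookie.
// requestUrl: the later API request that needs the cookie.
function cookieVerdict(setCookieHeader, setUrl, requestUrl) {
  const c = parseSetCookie(setCookieHeader);
  const origin = new URL(setUrl);
  const req = new URL(requestUrl);
  const secure = c.attrs.secure === true;
  if (c.name.startsWith('__Secure-') && !(secure && origin.protocol === 'https:'))
    return 'rejected: __Secure- prefix needs Secure attribute and HTTPS';
  const domain = typeof c.attrs.domain === 'string' ? c.attrs.domain : '';
  if (domain && !domainMatch(origin.hostname, domain))
    return 'rejected: Domain does not match the host that set the cookie';
  const hostOk = domain ? domainMatch(req.hostname, domain) : req.hostname === origin.hostname;
  if (!hostOk) return 'not sent: request host does not match';
  if (secure && req.protocol !== 'https:') return 'not sent: Secure cookie on HTTP request';
  const dir = origin.pathname.slice(0, origin.pathname.lastIndexOf('/')) || '/';
  const path = String(c.attrs.path || '').startsWith('/') ? c.attrs.path : dir;
  if (!pathMatch(req.pathname, path)) return 'not sent: Path does not match';
  return 'sent';
}
// Constructed sample: cookie scoped to /nifi-api, proxy publishes NiFi under /dataflow.
const SAMPLE = '__Secure-Authorization-Bearer=tok; Path=/nifi-api; Secure; HttpOnly';
console.log(cookieVerdict(SAMPLE,
  'https://gw.example.com/dataflow/nifi-api/saml2/authenticate/consumer',
  'https://gw.example.com/dataflow/nifi-api/flow/current-user'));
```

A verdict other than "sent" corresponds to the symptom in the thread: the request to nifi-api/flow/current-user carries no Cookie header and the API answers 401.
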

[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects

2023-12-28 Thread Alex Jackson (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17800983#comment-17800983
 ] 

Alex Jackson commented on NIFI-12202:
-

Hi, apologies for the delay in update. I didn't get notified and I am 
revisiting this topic again on my end...
Our SAML is done via ADFS.

What I notice when I monitor the network tab is that I initially get 401 for 
current-user (this is expected as we do not know the user yet) then I am sent 
to the login page nifi login page /nifi/login which is found and following 
this I get consumer /nifi-api/saml2/authenticate/consumer which is also found, 
after this I see my SAML request adfs/ls/?SAMLRequest=... which is 200 and then 
I am again at consumer 302 and then finally nifi with 200. It then loads all 
the elements it should css wise etc. and gets the regular 409 for kerberos 
(makes sense as this is not configured) but on both expiration 
nifi-api/access/token/expiration and current-user nifi-api/flow/current-user I 
get a 401.
So what I see is the whole loop again to SAML happens, same game, to then again 
get 401 on current user...
I cannot load any screenshots for you as my company is very strict with 
external internet access, this browser is in an isolated virtual machine that I 
cannot copy data to or from.

I do not have this problem in 1.22 but as soon as I try 1.23.2 or 1.24 this 
problem exists. I believe this is related to this change:
https://issues.apache.org/jira/browse/NIFI-11492
I cannot find anything else in the release notes that talks about SAML 
otherwise...

I also do not see anything in nifi-app or nifi-user logs, not even me 
attempting to make my request, the only requests are my technical user that 
goes to the nifi-api/flow/metrics/prometheus endpoint.



[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects

2023-10-10 Thread David Handermann (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773752#comment-17773752
 ] 

David Handermann commented on NIFI-12202:
-

Thanks for filing this issue [~uxapj]. Can you provide any additional details 
on the SAML Identity Provider you are using? It would also be helpful to know 
if you see any errors or warnings in nifi-app.log or nifi-user.log
