[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects
[ https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17819746#comment-17819746 ] David Handermann commented on NIFI-12202: - Thanks for following up [~uxapj], glad to hear you were able to get past the SAML login issues. The group membership sounds like it could be a configuration issue, related to the {{group.attribute.name}} setting in nifi.properties, and the name of groups defined in NiFi. I will proceed with closing this particular issue related to SAML redirection, and I recommend starting a new thread for the troubleshooting the group membership question. > SAML Infinitely Redirects > - > > Key: NIFI-12202 > URL: https://issues.apache.org/jira/browse/NIFI-12202 > Project: Apache NiFi > Issue Type: Bug > Components: Core Framework >Affects Versions: 1.24.0, 1.23.1, 1.23.2, 1.25.0 >Reporter: Alex Jackson >Priority: Major > Attachments: image-2024-02-21-14-41-53-054.png > > > We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the > time) and just tried now 1.23.2 I see that SAML authentication takes place > but I am infinitely redirected and eventually land on a nifi-api address. I > havent got it deployed in this bad state anymore but I feel like there is an > issue with SAML and it would be great if someone could look into it -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects
[ https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17819259#comment-17819259 ] Alex Jackson commented on NIFI-12202: - [~exceptionfactory] sorry again for being late on this - it was somehow related to the cookie (this helped us direct our attention to what was going on) but we had to remove the line single-user-provider from here: {{nifi.security.user.login.identity.provider}} strangely this always worked even though we have managed-authorizer set: {{nifi.security.user.authorizer=managed-authorizer}} now we have another problem though - before we had to put the user and the group in nifi users in order for them to login. The user name would let them login but the groups were where we gave them their policy access etc. It seems now though that unless we physically add the user to the member of the group it will not give them their policies - do I need to create a separate ticket for this or is this somehow expected behavior?? !image-2024-02-21-14-41-53-054.png! We tested the fact that the username does now no longer need to be in NiFi users but the policies with the groups no longer work and only work when we add the user to be a member of said group. But the group is definitely coming through from the saml token/cookie > SAML Infinitely Redirects > - > > Key: NIFI-12202 > URL: https://issues.apache.org/jira/browse/NIFI-12202 > Project: Apache NiFi > Issue Type: Bug > Components: Core Framework >Affects Versions: 1.24.0, 1.23.1, 1.23.2 >Reporter: Alex Jackson >Priority: Major > Attachments: image-2024-02-21-14-41-53-054.png > > > We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the > time) and just tried now 1.23.2 I see that SAML authentication takes place > but I am infinitely redirected and eventually land on a nifi-api address. I > havent got it deployed in this bad state anymore but I feel like there is an > issue with SAML and it would be great if someone could look into it -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects
[ https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17803842#comment-17803842 ] David Handermann commented on NIFI-12202: - Thanks for the additional details [~uxapj]. Does the NiFi deployment have a reverse proxy or load balancer in front? This can be impact the properties of the Authorization Bearer Cookie if not configured correctly. The referenced Jira issue does not appear to relate to this issue, but there could be other changes related to strict cookie handling that might apply to your situation. In particular, if you look at the Set-Cookie response header from the NiFi API, it should include several attributes, including path and domain. These values must match in order for the browser to send the token back in a request Cookie header for subsequent authentication. When this works, there should be a Cookie request header containing __Secure-Authorization-Bearer on the request to nifi-api/flow/current-user. The fact that NiFi API returns an HTTP 401 makes it sound like the browser is not sending the cookie, resulting in the authentication loop. > SAML Infinitely Redirects > - > > Key: NIFI-12202 > URL: https://issues.apache.org/jira/browse/NIFI-12202 > Project: Apache NiFi > Issue Type: Bug > Components: Core Framework >Affects Versions: 1.24.0, 1.23.1, 1.23.2 >Reporter: Alex Jackson >Priority: Major > > We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the > time) and just tried now 1.23.2 I see that SAML authentication takes place > but I am infinitely redirected and eventually land on a nifi-api address. I > havent got it deployed in this bad state anymore but I feel like there is an > issue with SAML and it would be great if someone could look into it -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects
[ https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17800983#comment-17800983 ] Alex Jackson commented on NIFI-12202: - Hi, apologies for the delay in update. I didn't get notified and I am revisiting this topic again on my end... Our SAML is done via ADFS. What I notice when I monitor the network tab is that I initially get 401 for current-user (this is expected as we do not know the user yet) then I am sent to the login page nifi login page /nifi/login which is found and following this I get consumer /nifi-api/saml2/authenticate/consumer which is also found, after this i see my saml request adfs/ls/?SAMLRequest=... which is 200 and then I am again at consumer 302 and then finally nifi with 200. It then lodas all the elements it should css wise etc. and gets the regular 409 for kerberos (makes sense as this is not configured) but on both expiration nifi-api/access/token/expiration and current-user nifi-api/flow/current-user I get a 401. So what I see is the whole loop again to saml happens, same game, to then again get 401 on current user... I cannot load any screenshots for you as my company is very strict with external internet access, this browser is in an isolated virtual machine that I cannot copy data to or from. I do not have this problem in 1.22 but as soon as I try 1.23.2 or 1.24 this problem exists. I believe this is related to this change: https://issues.apache.org/jira/browse/NIFI-11492 I cannot find anything else in the release notes that talks about SAML otherwise... I also do not see anything in nifi-app or nifi-user logs, not even me attempting to make my request, the only requests are my technical user that goes to the nifi-api/flow/metrics/prometheus endpoint. > SAML Infinitely Redirects > - > > Key: NIFI-12202 > URL: https://issues.apache.org/jira/browse/NIFI-12202 > Project: Apache NiFi > Issue Type: Bug > Components: Core Framework >Affects Versions: 1.24.0, 1.23.1, 1.23.2 >Reporter: Alex Jackson >Priority: Major > > We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the > time) and just tried now 1.23.2 I see that SAML authentication takes place > but I am infinitely redirected and eventually land on a nifi-api address. I > havent got it deployed in this bad state anymore but I feel like there is an > issue with SAML and it would be great if someone could look into it -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects
[ https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773752#comment-17773752 ] David Handermann commented on NIFI-12202: - Thanks for filing this issue [~uxapj]. Can you provide any additional details on the SAML Identity Provider you are using? It would also be helpful to know if see any errors or warnings in nifi-app.log or nifi-user.log > SAML Infinitely Redirects > - > > Key: NIFI-12202 > URL: https://issues.apache.org/jira/browse/NIFI-12202 > Project: Apache NiFi > Issue Type: Bug > Components: Core Framework >Affects Versions: 1.23.1, 1.23.2 >Reporter: Alex Jackson >Priority: Major > > We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the > time) and just tried now 1.23.2 I see that SAML authentication takes place > but I am infinitely redirected and eventually land on a nifi-api address. I > havent got it deployed in this bad state anymore but I feel like there is an > issue with SAML and it would be great if someone could look into it -- This message was sent by Atlassian Jira (v8.20.10#820010)