>
> *Explaining to your end users that you should skip the first Certificate
> Prompt but accept the second but only when you haven't logged in the
> current session is really painful*


Wow, that sounds terrible. Confusing, accident prone, and frustrating to
correct mistakes (at least in my experience, forcing a browser to forget
client certificate preferences is difficult).

Thanks for sharing those details about your deployment scenario. This can
definitely be improved and I have some ideas for how to do it. I've cloned
the issue to NiFi to make sure we are tracking it for both projects [1][2].

[1] https://issues.apache.org/jira/browse/NIFIREG-189
[2] https://issues.apache.org/jira/browse/NIFI-5504

On Thu, Aug 9, 2018 at 11:54 AM, Shawn Weeks <swe...@weeksconsulting.us>
wrote:

> The project I'm on is running into this issue as well and it gets
> particularly painful when all of your servers are signed by the same root
> CA that signs your smart card logins and you're using something like KnoxSSO.
> Explaining to your end users that you should skip the first Certificate
> Prompt but accept the second but only when you haven't logged in the
> current session is really painful and shows a major shortcoming between the
> back end authentication between servers and front end UI authentication.
>
>
> We can't even consider putting it behind our identity reverse proxies
> because we can't turn off two-way SSL.
>
>
> Thanks
>
> Shawnk
> ------------------------------
> *From:* Kevin Doran <kdo...@apache.org>
> *Sent:* Thursday, August 9, 2018 10:47:56 AM
> *To:* users@nifi.apache.org
> *Subject:* Re:
>
> Sorry, forgot the link. Here it is:
>
> [1] https://issues.apache.org/jira/projects/NIFIREG/issues/NIFIREG-189
>
> On Thu, Aug 9, 2018 at 11:47 AM, Kevin Doran <kdo...@apache.org> wrote:
>
> Hi Curtis,
>
> This has come up a few times. Unfortunately I don’t think there is
> currently an easy way to disable X509-based identity extraction in NiFi
> today. There is an open JIRA for the same issue in NiFi Registry [1]. NiFi
> Registry follows the same AuthN/AuthZ design (and a fair amount of code) as
> NiFi, so this ticket should apply to NiFi as well.
>
> Perhaps you could share more about your needs and use case on that ticket
> so that when it gets implemented we could take that scenario with reverse
> proxies and OIDC into account?
>
> Thanks,
> Kevin
>
> On Mon, Aug 6, 2018 at 10:23 AM, Curtis Ruck <curtis.r...@gmail.com>
> wrote:
>
> I'm trying to set up OIDC authentication, but with the NiFi service sitting
> behind a reverse proxy, and since for our other apps we use SSL client
> authentication between the reverse proxy and the application, NiFi is picking
> up the reverse proxy's SSL certificate and falling into X509 authentication
> instead of OIDC. Any idea how I can disable X509 authentication in NiFi?
>
> Connecting directly to nifi, it triggers the proper OIDC redirects.
>
> --
> Curtis Ruck
>
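The failure mode the thread is circling (a "certificate first" authentication chain that treats the reverse proxy's mTLS client certificate as the end-user identity, so the OIDC path is never reached) is easy to see in miniature. The following is an added illustration, not code from NiFi, NiFi Registry or anyone on this list; the `Request` model, the `cert_first`/`proxy_aware` functions and the sample DNs are all assumptions made for the example. It shows the problematic chain beside one possible fix, an allowlist of transport-proxy identities whose certificates authenticate the hop rather than the user, so the chain falls through to OIDC exactly as it would on a direct connection while a smart-card user connecting directly is still recognised by certificate.

```python
"""Added illustration of the 'certificate first' problem from this thread.
This is NOT NiFi or NiFi Registry code; it models a generic authentication
chain so the failure mode and one fix can be seen side by side."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed sample identities (assumptions for this example only).
PROXY_DN = "CN=proxy.example.internal,OU=Edge,O=Example"
USER_DN = "CN=alice,OU=Users,O=Example"


@dataclass
class Request:
    # Subject DN of the client certificate presented on THIS TLS hop. Behind
    # a reverse proxy that is the proxy's certificate, not the user's.
    client_cert_dn: Optional[str] = None
    # 'sub' claim of an already validated OIDC ID token, if the request has one.
    id_token_sub: Optional[str] = None


# (principal, mechanism); an empty principal means "not authenticated yet".
Result = Tuple[str, str]


def cert_first(req: Request) -> Result:
    """The behaviour the thread describes: any client certificate is treated
    as the end-user identity, so OIDC is never reached behind an mTLS proxy."""
    if req.client_cert_dn:
        return (req.client_cert_dn, "x509")
    if req.id_token_sub:
        return (req.id_token_sub, "oidc")
    return ("", "redirect-to-oidc")


def proxy_aware(req: Request, proxy_dns: FrozenSet[str]) -> Result:
    """One possible fix: a certificate whose DN is in a configured allowlist of
    transport proxies authenticates the hop, not the user, and the chain falls
    through to OIDC exactly as it does for a direct browser connection.
    Certificates from anyone else (e.g. a smart-card user hitting the server
    directly) are still honoured as identities."""
    dn = req.client_cert_dn
    if dn and dn not in proxy_dns:
        return (dn, "x509")
    if req.id_token_sub:
        return (req.id_token_sub, "oidc")
    return ("", "redirect-to-oidc")


if __name__ == "__main__":
    proxies = frozenset({PROXY_DN})
    via_proxy = Request(client_cert_dn=PROXY_DN, id_token_sub="alice")
    print("cert_first  :", cert_first(via_proxy))            # proxy DN becomes the user
    print("proxy_aware :", proxy_aware(via_proxy, proxies))  # alice, via oidc
    print("no token    :", proxy_aware(Request(client_cert_dn=PROXY_DN), proxies))
    print("direct user :", proxy_aware(Request(client_cert_dn=USER_DN), proxies))
```

Two caveats for anyone implementing something like this for real. First, the allowlist comparison must be an exact match on the subject of a certificate the TLS layer has already chained to the trusted CA, and any user identity the proxy forwards (for example in a header) should be trusted only when the connection's certificate is in that same allowlist; otherwise any holder of a valid certificate from the shared root CA could impersonate users. Second, this does nothing about the browser prompts Shawn describes: those come from the server asking for a client certificate during the TLS handshake, so they are governed by whether the user-facing listener requests client authentication at all (optional versus required), which is a separate configuration question from how an identity is extracted once a certificate arrives.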
