I’m using ldap instead of OpenID, but it is the same things going on. When I go to the NiFi website my browser prompts me with the option to select my installed X.509 certificate, but I can just cancel using the certificate and I gets to the login page.
For me it’s not a big problem and I use it as a backup option. All users are handled by AD, via groups but I have two admins which also have a local user so they can login with certificates. This is a backup if connections to AD/ldap is down for some reason. Kind regards Jens > Den 26. sep. 2024 kl. 21.53 skrev Hans Deragon <[email protected]>: > > Greetings, > > We discovered with NiFi 2.0.0-M4 that if a personal X.509 certificate is set > in user accounts under Windows, that certificate is getting used by NiFi for > authorization instead of the normal OpenID/SSO headers. The user id in the > X.509 certificate is not the same as the one in OpenID/SSO (Okta) and thus, > the person is denied access to NiFi. > > This particular certificate is not meant to be used by NiFi to authenticate > and authorize users in NiFi even though it is recognized by our Identity > Provider. We desire that NiFi only authenticate and authorize users with > OpenID/SSO (which works when I remove the personal certificate from user's > Windows workstations). > > Seams that there is no option available in nifi.properties to prevent this > behaviour. Thus, my following questions/remarks: > > - Is there a way to disable this behaviour? > > - If not, would it be acceptable to add a parameter in nifi.properties to > disable the X.509 certificate extraction? What name this parameter should > have and how should it be implemented? I could submit a pull request, but > would be nice to have some guidance from a NiFi developer. > > - Or... is there a way to change the program so that authorization does not > fail as soon as one method tested fails, but succeeds if any other method > succeed? > > Technicalities: > > Changing the code in X509AuthenticationFilter.attemptAuthentication() to > return always 'null' fixes our problem by making NiFi believe that no X.509 > certificate is available and leaves the others filters to be tested, > including the one handling OpenID/SSO. > > For my tests, I recompiled NiFi's code at Git tag 'rel/nifi-2.0.0-M4'. > > Best regards, > Hans Deragon > > <OpenPGP_signature.asc>
