I’m using ldap instead of OpenID, but it is the same things going on. When I go 
to the NiFi website my browser prompts me with the option to select my 
installed X.509 certificate, but I can just cancel using the certificate and I 
gets to the login page. 

For me it’s not a big problem and I use it as a backup option. All users are 
handled by AD, via groups but I have two admins which also have a local user so 
they can login with certificates. This is a backup if connections to AD/ldap is 
down for some reason. 

Kind regards 
Jens 

> Den 26. sep. 2024 kl. 21.53 skrev Hans Deragon <[email protected]>:
> 
> Greetings,
> 
> We discovered with NiFi 2.0.0-M4 that if a personal X.509 certificate is set 
> in user accounts under Windows, that certificate is getting used by NiFi for 
> authorization instead of the normal OpenID/SSO headers.  The user id in the 
> X.509 certificate is not the same as the one in OpenID/SSO (Okta) and thus, 
> the person is denied access to NiFi.
> 
> This particular certificate is not meant to be used by NiFi to authenticate 
> and authorize users in NiFi even though it is recognized by our Identity 
> Provider.  We desire that NiFi only authenticate and authorize users with 
> OpenID/SSO (which works when I remove the personal certificate from user's 
> Windows workstations).
> 
> Seams that there is no option available in nifi.properties to prevent this 
> behaviour.  Thus, my following questions/remarks:
> 
> - Is there a way to disable this behaviour?
> 
> - If not, would it be acceptable to add a parameter in nifi.properties to 
> disable the X.509 certificate extraction?  What name this parameter should 
> have and how should it be implemented?  I could submit a pull request, but 
> would be nice to have some guidance from a NiFi developer.
> 
> - Or... is there a way to change the program so that authorization does not 
> fail as soon as one method tested fails, but succeeds if any other method 
> succeed?
> 
> Technicalities:
> 
> Changing the code in X509AuthenticationFilter.attemptAuthentication() to 
> return always 'null' fixes our problem by making NiFi believe that no X.509 
> certificate is available and leaves the others filters to be tested, 
> including the one handling OpenID/SSO.
> 
> For my tests, I recompiled NiFi's code at Git tag 'rel/nifi-2.0.0-M4'.
> 
> Best regards,
> Hans Deragon
> 
> <OpenPGP_signature.asc>

Reply via email to