[ 
https://issues.apache.org/jira/browse/NIFI-1274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15194835#comment-15194835
 ] 

Andy LoPresto commented on NIFI-1274:
-------------------------------------

With help from [~mcgilman] I was able to integrate Kerberos single sign-on to 
the {{nifi-web-security}} module. NiFi now responds with the 
{{WWW-Authentication: Negotiation}} response header and HTTP status {{403}} on 
the initial request, the browser requests a service ticket from the KDC and 
then encodes and passes it as the {{Authentication: Negotiate xxxxx}} header in 
the subsequent request, and NiFi decodes and validates the ticket, passing the 
username as the user principal to {{authorized-users.xml}}.

I am working on documentation for both users and admins to make this 
(relatively) easy to configure. 

Should have a PR by EOD 03/15/16. 

Additional resources:
* [Spring Security Kerberos/SPNEGO Extension (good 
diagram)](https://spring.io/blog/2009/09/28/spring-security-kerberos-spnego-extension)
* [Configuring Browsers for Spnego 
Negotiation](http://docs.spring.io/autorepo/docs/spring-security-kerberos/1.0.2.BUILD-SNAPSHOT/reference/htmlsingle/#browserspnegoconfig)
* [Spring Security Kerberos Samples - Security Server Spnego and Form Auth 
Sample](http://docs.spring.io/autorepo/docs/spring-security-kerberos/1.0.2.BUILD-SNAPSHOT/reference/htmlsingle/#samples-sec-server-client-auth)
* [About Kerberos Principals and Keys](https://ssimo.org/blog/id_016.html)


> Kerberos based authentication
> -----------------------------
>
>                 Key: NIFI-1274
>                 URL: https://issues.apache.org/jira/browse/NIFI-1274
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Matt Gilman
>            Assignee: Andy LoPresto
>              Labels: authentication, security
>             Fix For: 0.6.0
>
>
> Add support for Kerberos based authentication.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
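
The server side of the challenge/response exchange described in the comment above, as an added example that is not NiFi's code and not part of the original message. It uses the header names and status code defined in RFC 4559 (`WWW-Authenticate: Negotiate`, `401`, `Authorization: Negotiate <token>`); the function names and return tuples are assumptions, and ticket validation against the keytab is left to the GSS-API layer.

```python
import base64
import binascii

# DER-encoded mechanism OIDs that open a GSS-API initial context token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_MAGIC = b"NTLMSSP\x00"  # browsers may fall back to NTLM inside Negotiate


def classify_token(token: bytes) -> str:
    """Identify the mechanism from the leading bytes; this validates nothing."""
    if token.startswith(NTLM_MAGIC):
        return "ntlm"
    if len(token) < 4 or token[0] != 0x60:  # 0x60 = GSS-API APPLICATION 0 tag
        return "unknown"
    # Skip the DER length: short form is 1 byte, long form is 1 + n bytes.
    first = token[1]
    oid_at = 2 if first < 0x80 else 2 + (first & 0x7F)
    rest = token[oid_at:]
    if rest.startswith(SPNEGO_OID):
        return "spnego"
    if rest.startswith(KRB5_OID):
        return "kerberos"
    return "unknown"


def handle_request(headers: dict) -> tuple:
    """Return (action, http_status, token) for one incoming request.

    "challenge"   -> reply 401 with WWW-Authenticate: Negotiate
    "bad_request" -> reply 400, the token was not valid base64
    "validate"    -> pass the raw token to the Kerberos ticket validator
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "authorization"), "")
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return ("challenge", 401, None)
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return ("bad_request", 400, None)
    # Only Kerberos-backed tokens reach the validator; NTLM is re-challenged.
    if classify_token(token) not in ("spnego", "kerberos"):
        return ("challenge", 401, None)
    return ("validate", None, token)
```

Rejecting the NTLM fallback before validation keeps a misconfigured browser from looking like a ticket-validation failure in the logs.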
