bbende opened a new pull request #4614: URL: https://github.com/apache/nifi/pull/4614
This PR adds the ability to authenticate to NiFi via a SAML identity provider, similar to how OIDC authentication works. In addition, there is an option to obtain group membership info from the authorizations in a successful SAML AuthN response from the IDP. These groups are then passed along in the NiFiUser instance in order to be leveraged during authorization. Currently, if using the file-based policy provider, these groups would also have to exist in the configured user-group-provider in order to have created policies against them.

The integration with spring-security-saml is heavily based on the primary example application here: https://github.com/vdenotaris/spring-boot-security-saml-sample

I've primarily tested against KeyCloak and the SSOCircle IDP, which is used by the example app above (https://www.ssocircle.com/en/).

High-level changes:
- Add dependency on spring-security-saml2-core
- Updated AccessResource with new SAML end-points
- Updated Login/Logout filters to handle SAML scenario
- Updated logout process to track a logout request using a cookie
- Added database storage for cached SAML credential and user groups
- Updated proxied requests when clustered to send IDP groups in a header
- Updated X509 filter to process the IDP groups from the header if present
- Updated admin guide
- Fixed logout action on error page
- Updated StandardManagedAuthorizer to combine groups from request with groups from lookup
- Updated UserGroupProvider implementations with more efficient impl of getGroupByName
- Added/updated unit tests

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
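The two mechanisms the PR description relies on, pulling group names out of a successful SAML AuthN response and then combining those IDP-asserted groups with the groups found by the configured user-group provider, are illustrated below as an added, stand-alone Python example. It is not NiFi code and not part of the PR; the attribute name `groups`, the sample response, the user `alice@example.org` and the function names are all constructed here for illustration. It only reads attributes once the response status is Success; a real relying party must additionally verify the XML signature and the assertion's Conditions/Audience before trusting any of this, which this example deliberately does not model.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: a minimal SAML 2.0 Response carrying one assertion with a
# multi-valued "groups" attribute. Real responses also carry a ds:Signature that
# must be verified before anything below is trusted (not modelled here).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>nifi-admins</saml:AttributeValue>
        <saml:AttributeValue>data-engineers</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_identity(response_xml, group_attribute="groups"):
    """Return (name_id, frozenset(groups)) from a SAML Response.

    Raises ValueError if the status is not Success or no Assertion is present,
    so callers cannot accidentally read attributes from a failed AuthN.
    group_attribute is the (hypothetical) IDP attribute that carries groups.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("SAML response status is not Success; refusing to read attributes")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in SAML response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = set()
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != group_attribute:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return name_id, frozenset(groups)


def effective_groups(idp_groups, lookup_groups):
    """Union of the groups asserted by the IDP with the groups the configured
    user-group provider knows for the same user; duplicates collapse."""
    return frozenset(idp_groups) | frozenset(lookup_groups)


if __name__ == "__main__":
    user, idp_groups = extract_identity(SAMPLE_RESPONSE)
    print(user, sorted(idp_groups))
    print(sorted(effective_groups(idp_groups, {"data-engineers", "viewers"})))
```

Because policies in the file-based provider are still created against group names that exist in the user-group provider, the union above is only useful when the IDP's group names line up with the names configured on the NiFi side; a mismatch silently yields groups that no policy references.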