[ https://issues.apache.org/jira/browse/NIFI-7888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17234865#comment-17234865 ]

ASF subversion and git services commented on NIFI-7888:
-------------------------------------------------------

Commit dcc4fb00a51ac4f5798a39a43d8033bb1b65a306 in nifi's branch 
refs/heads/main from Bryan Bende
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=dcc4fb0 ]

NIFI-7888 Added support for authenticating via SAML
- Add dependency on spring-security-saml2-core
- Updated AccessResource with new SAML end-points
- Updated Login/Logout filters to handle SAML scenario
- Updated logout process to track a logout request using a cookie
- Added database storage for cached SAML credential and user groups
- Updated proxied requests when clustered to send IDP groups in a header
- Updated X509 filter to process the IDP groups from the header if present
- Updated admin guide
- Fixed logout action on error page

- Updated UserGroupProvider with a default method for getGroupByName
- Updated StandardManagedAuthorizer to combine groups from request with groups 
from lookup
- Updated UserGroupProvider implementations with more efficient impl of 
getGroupByName
- Added/updated unit tests

- Ensure signing algorithm is applied to all signatures and not just metadata 
signatures
- Added property to specify signature digest algorithm

- Added option to specify whether JDK truststore or NiFi's truststore should be 
used when connecting to IDP over https
- Added properties to configure connect and read timeouts for http client

- Added URL encoding of issuer when generating JWT to prevent potential issue 
with the frontend performing base64 decoding

- Made atomic replace methods for storing groups and saml credential in database

- Added properties to control AuthnRequestsSigned and WantAssertionsSigned in 
the generated service provider metadata

- Dynamically determine the private key alias from the keystore and remove the 
property for specifying the signing key alias

- Fixed unit test

- Added property to specify an optional identity attribute which would be used 
instead of NameID

- Cleaned up logging

- Fall back to keystore password when key password is blank

- Make signature and digest default to SHA-256 when no value provided in 
nifi.properties

This closes #4614


> Support authentication via SAML
> -------------------------------
>
>                 Key: NIFI-7888
>                 URL: https://issues.apache.org/jira/browse/NIFI-7888
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Bryan Bende
>            Assignee: Bryan Bende
>            Priority: Major
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> We should support configuring NiFi to authenticate against a SAML identity 
> provider, similar to the current OIDC integration.
> Ideally we should also be able to obtain group information from the SAML 
> assertions and make these groups available later during the authorization 
> process.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
