[ https://issues.apache.org/jira/browse/NIFI-9819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wiktor Kubicki updated NIFI-9819:
---------------------------------
    Affects Version/s: 1.16.0

> SAML should have option to autocreate users.
> --------------------------------------------
>
>                 Key: NIFI-9819
>                 URL: https://issues.apache.org/jira/browse/NIFI-9819
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, Security
>    Affects Versions: 1.16.0, 1.15.3
>            Reporter: Wiktor Kubicki
>            Priority: Major
>
> *Prolog:*
> In SSO I set roles that give the user access to the company's systems or 
> logical areas.
> *Case:*
> Using SAML I can set nifi.security.user.saml.group.attribute.name and link 
> SSO roles to groups in NiFi, then I don't have to add users to groups in NiFi.
> But what if the user doesn't exist in NiFi, even if he has a NiFi group set up in 
> SSO? Then he receives an "Unknown user with identity..." alert. So before a 
> user with appropriate roles in SSO logs in to NiFi, you have to add him 
> separately.
> This lack is confirmed in a comment:
> {code:java}
> The real issue is "Unknown user with identity 'user2'"... all of the users 
> and groups still need to be known to NiFi's authorization, the only part that 
> does not need to be known is the actual group membership since that is coming 
> from the SAML response.{code}
> ~[http://disq.us/p/2g2fdie]
> *Workaround:*
> I can create one user without privileges, and map the user name to the new one in 
> {_}nifi.security.identity.mapping.value.dn{_}, but I will lose user names in 
> flow history, which gives me user accountability.
> *Expected behavior:*
> There should be an option in nifi.properties, 
> nifi.security.user.saml.create.user, which, when set to true, will add an 
> "empty" (without privileges or groups) user. Then, if the user has the right 
> SAML group, he will have access to the platform.
> or..
> In this situation, give the user access and privileges even without creating the user 
> in the users.xml file.
> {*}Extra value{*}: 
> There may be an extra option _nifi.security.user.saml.new.user.default.group_ 
> which allows linking a new user to an existing ( ! ) group, one or more.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
