https://issues.apache.org/jira/browse/NIFI-6837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16967643#comment-16967643

Nathan Gough edited comment on NIFI-6837 at 11/5/19 4:24 PM:
-------------------------------------------------------------

Using Google's G Suite as identity management and OIDC provider I was able to 
enable 2FA with NiFi. The steps were:
 # Set up a G Suite account. This requires owning your own domain. I got a free 
trial for a paid version, but I think there's a free version as well.
 # Verify ownership of the domain by adding a TXT entry at your domain host, 
which will be detected by Google.
 # Change your domain host's (mine was Namecheap) mail server to Google's mail 
server.
 # Add an admin and a normal user.
 # The Security tab in G Suite allows enabling and enforcing 2FA/2SV.
 # All users should have this set up before it is enforced, otherwise they will 
not be able to authenticate for G Suite or NiFi.
 # Various 2FA mechanisms are available, including SMS, phone call, Google prompt, 
Google Authenticator, etc.
 # In the Google Console (https://console.cloud.google.com/), log in as your 
admin user, go to 'APIs & Services' and create a 'NiFi' project.
 # In 'APIs & Services', create an OAuth consent screen for the 'NiFi' project:
 # Application type: Internal
 # Application name: NiFi
 # Logo: I added a NiFi logo
 # Support email: Users attempting to log in will see this email for support 
questions
 # Authorized domains: The domain where NiFi is hosted (yourdomain.com)


 # In 'APIs & Services', under Credentials, click 'Create credentials' > 'OAuth 
Client ID' (this generates ${nifi.oauth.client.id} and 
${nifi.oauth.client.secret}):
 # Type: Web application
 # Name: NiFi
 # Redirect URL: https://${nifi.hostname}:${nifi.port}/nifi-api/access/oidc/callback 
(for example https://natog0.com:9550/nifi-api/access/oidc/callback)


 # Set the NiFi properties 
(https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect):
 # nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration
 # nifi.security.user.oidc.client.id=${nifi.oauth.client.id}
 # nifi.security.user.oidc.client.secret=${nifi.oauth.client.secret}


 # Set the NiFi authorizers.xml:
 # <property name="Initial User Identity 4">[email protected]</property>
 # <property name="Initial Admin Identity">[email protected]</property>

You should now be able to visit the NiFi UI. It will redirect to the OAuth 
consent screen you created; you can log in as your created user, Google will 
request the 2FA step you configured, and once authenticated it will redirect 
you to the NiFi UI, logged in as [email protected].


was (Author: thenatog):

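The login flow above ends with NiFi mapping the Google ID token's email claim onto an identity listed in authorizers.xml, while 2FA itself is enforced entirely by G Suite. The following added example (not from the Jira comment or the NiFi code base) shows the claim checks a relying party should make before trusting that mapping; the claim names, the sample claims, the `yourdomain.com` identities and the `CLIENT_ID_PLACEHOLDER` value are constructed, and signature verification against Google's JWKS is assumed to have been done already.

```python
import time
import xml.etree.ElementTree as ET

# Google issues ID tokens under both spellings of its issuer.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Constructed authorizers.xml fragment in the shape used in the comment.
AUTHORIZERS_XML = """<authorizers><userGroupProvider>
  <property name="Initial User Identity 4">user@yourdomain.com</property>
  <property name="Initial Admin Identity">admin@yourdomain.com</property>
</userGroupProvider></authorizers>"""


def initial_identities(xml_text):
    """Collect the identity strings declared as 'Initial ... Identity' properties."""
    root = ET.fromstring(xml_text)
    return {p.text.strip() for p in root.iter("property")
            if p.get("name", "").startswith("Initial") and p.text}


def nifi_identity_from_claims(claims, client_id, hosted_domain, now=None):
    """Return the identity the login maps to (the email claim), or raise
    ValueError when the already signature-checked claims must not be accepted."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for our OAuth client id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("email_verified") is not True:
        raise ValueError("email address not verified by Google")
    # 'hd' is Google's hosted-domain claim; only G Suite accounts carry it, so
    # this rejects consumer accounts even if the consent screen were later
    # changed from Internal to External.
    if claims.get("hd") != hosted_domain:
        raise ValueError("account is outside the G Suite domain")
    return claims["email"]


def is_known_user(claims, client_id, hosted_domain, xml_text=AUTHORIZERS_XML, now=None):
    """True when the login maps to an identity listed in authorizers.xml."""
    try:
        ident = nifi_identity_from_claims(claims, client_id, hosted_domain, now)
    except ValueError:
        return False
    return ident in initial_identities(xml_text)


# Constructed sample claims, as Google would return them after the 2FA step.
SAMPLE_CLAIMS = {"iss": "https://accounts.google.com", "aud": "CLIENT_ID_PLACEHOLDER",
                 "exp": 2_000_000_000, "email": "admin@yourdomain.com",
                 "email_verified": True, "hd": "yourdomain.com"}
```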
> Test and document 2FA using an external OIDC provider 
> ------------------------------------------------------
>
>                 Key: NIFI-6837
>                 URL: https://issues.apache.org/jira/browse/NIFI-6837
>             Project: Apache NiFi
>          Issue Type: Sub-task
>          Components: Security
>            Reporter: Nathan Gough
>            Assignee: Nathan Gough
>            Priority: Major
>
> * Enable 2FA for an OIDC provider and enforce that users must require 2FA to 
> authenticate before they can access NiFi



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
