[jira] [Updated] (NIFI-12202) SAML Infinitely Redirects
[ https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alex Jackson updated NIFI-12202: Affects Version/s: 1.25.0 > SAML Infinitely Redirects > - > > Key: NIFI-12202 > URL: https://issues.apache.org/jira/browse/NIFI-12202 > Project: Apache NiFi > Issue Type: Bug > Components: Core Framework >Affects Versions: 1.24.0, 1.23.1, 1.23.2, 1.25.0 >Reporter: Alex Jackson >Priority: Major > Attachments: image-2024-02-21-14-41-53-054.png > > > We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the > time) and just tried now 1.23.2 I see that SAML authentication takes place > but I am infinitely redirected and eventually land on a nifi-api address. I > havent got it deployed in this bad state anymore but I feel like there is an > issue with SAML and it would be great if someone could look into it -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects
[
https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17819259#comment-17819259
]
Alex Jackson commented on NIFI-12202:
-
[~exceptionfactory] sorry again for being late on this - it was somehow
related to the cookie (this helped us direct our attention to what was going
on) but we had to remove the line single-user-provider from here:
{{nifi.security.user.login.identity.provider}}
strangely this always worked even though we have managed-authorizer set:
{{nifi.security.user.authorizer=managed-authorizer}}
now we have another problem though - before we had to put the user and the
group in nifi users in order for them to login. The user name would let them
login but the groups were where we gave them their policy access etc.
It seems now though that unless we physically add the user to the member of the
group it will not give them their policies - do I need to create a separate
ticket for this or is this somehow expected behavior??
!image-2024-02-21-14-41-53-054.png!
We tested the fact that the username does now no longer need to be in NiFi
users but the policies with the groups no longer work and only work when we add
the user to be a member of said group. But the group is definitely coming
through from the saml token/cookie
> SAML Infinitely Redirects
> -
>
> Key: NIFI-12202
> URL: https://issues.apache.org/jira/browse/NIFI-12202
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
>Affects Versions: 1.24.0, 1.23.1, 1.23.2
>Reporter: Alex Jackson
>Priority: Major
> Attachments: image-2024-02-21-14-41-53-054.png
>
>
> We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the
> time) and just tried now 1.23.2 I see that SAML authentication takes place
> but I am infinitely redirected and eventually land on a nifi-api address. I
> havent got it deployed in this bad state anymore but I feel like there is an
> issue with SAML and it would be great if someone could look into it
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (NIFI-12202) SAML Infinitely Redirects
[ https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alex Jackson updated NIFI-12202: Attachment: image-2024-02-21-14-41-53-054.png > SAML Infinitely Redirects > - > > Key: NIFI-12202 > URL: https://issues.apache.org/jira/browse/NIFI-12202 > Project: Apache NiFi > Issue Type: Bug > Components: Core Framework >Affects Versions: 1.24.0, 1.23.1, 1.23.2 >Reporter: Alex Jackson >Priority: Major > Attachments: image-2024-02-21-14-41-53-054.png > > > We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the > time) and just tried now 1.23.2 I see that SAML authentication takes place > but I am infinitely redirected and eventually land on a nifi-api address. I > havent got it deployed in this bad state anymore but I feel like there is an > issue with SAML and it would be great if someone could look into it -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (NIFI-12202) SAML Infinitely Redirects
[ https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alex Jackson updated NIFI-12202: Affects Version/s: 1.24.0 > SAML Infinitely Redirects > - > > Key: NIFI-12202 > URL: https://issues.apache.org/jira/browse/NIFI-12202 > Project: Apache NiFi > Issue Type: Bug > Components: Core Framework >Affects Versions: 1.24.0, 1.23.1, 1.23.2 >Reporter: Alex Jackson >Priority: Major > > We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the > time) and just tried now 1.23.2 I see that SAML authentication takes place > but I am infinitely redirected and eventually land on a nifi-api address. I > havent got it deployed in this bad state anymore but I feel like there is an > issue with SAML and it would be great if someone could look into it -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (NIFI-12202) SAML Infinitely Redirects
[ https://issues.apache.org/jira/browse/NIFI-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17800983#comment-17800983 ] Alex Jackson commented on NIFI-12202: - Hi, apologies for the delay in update. I didn't get notified and I am revisiting this topic again on my end... Our SAML is done via ADFS. What I notice when I monitor the network tab is that I initially get 401 for current-user (this is expected as we do not know the user yet) then I am sent to the login page nifi login page /nifi/login which is found and following this I get consumer /nifi-api/saml2/authenticate/consumer which is also found, after this i see my saml request adfs/ls/?SAMLRequest=... which is 200 and then I am again at consumer 302 and then finally nifi with 200. It then lodas all the elements it should css wise etc. and gets the regular 409 for kerberos (makes sense as this is not configured) but on both expiration nifi-api/access/token/expiration and current-user nifi-api/flow/current-user I get a 401. So what I see is the whole loop again to saml happens, same game, to then again get 401 on current user... I cannot load any screenshots for you as my company is very strict with external internet access, this browser is in an isolated virtual machine that I cannot copy data to or from. I do not have this problem in 1.22 but as soon as I try 1.23.2 or 1.24 this problem exists. I believe this is related to this change: https://issues.apache.org/jira/browse/NIFI-11492 I cannot find anything else in the release notes that talks about SAML otherwise... I also do not see anything in nifi-app or nifi-user logs, not even me attempting to make my request, the only requests are my technical user that goes to the nifi-api/flow/metrics/prometheus endpoint. > SAML Infinitely Redirects > - > > Key: NIFI-12202 > URL: https://issues.apache.org/jira/browse/NIFI-12202 > Project: Apache NiFi > Issue Type: Bug > Components: Core Framework >Affects Versions: 1.24.0, 1.23.1, 1.23.2 >Reporter: Alex Jackson >Priority: Major > > We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the > time) and just tried now 1.23.2 I see that SAML authentication takes place > but I am infinitely redirected and eventually land on a nifi-api address. I > havent got it deployed in this bad state anymore but I feel like there is an > issue with SAML and it would be great if someone could look into it -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (NIFI-12202) SAML Infinitely Redirects
Alex Jackson created NIFI-12202: --- Summary: SAML Infinitely Redirects Key: NIFI-12202 URL: https://issues.apache.org/jira/browse/NIFI-12202 Project: Apache NiFi Issue Type: Bug Components: Core Framework Affects Versions: 1.23.2, 1.23.1 Reporter: Alex Jackson We have SAML configured and when I updated from 1.20.0 to 1.23.1 (at the time) and just tried now 1.23.2 I see that SAML authentication takes place but I am infinitely redirected and eventually land on a nifi-api address. I havent got it deployed in this bad state anymore but I feel like there is an issue with SAML and it would be great if someone could look into it -- This message was sent by Atlassian Jira (v8.20.10#820010)
