Hi Vijay,

Currently there are no community-supported SAML login identity providers. You can use the existing LDAP [1], Kerberos [2], and OIDC [3] implementations as examples on which to base your implementation. The LIPs are not currently exposed as a first-class extension point, but you can certainly build a custom one and use it locally, even without submitting it for inclusion in the core project. Of course, this sounds like a valuable feature for the community, and we encourage contribution if possible.

We are open to rearchitecting the authentication and authorization mechanisms in NiFi, but cannot make breaking changes that would change backward compatibility on minor version releases because we follow semantic versioning [4]. Changes which alter the fundamental authentication story NiFi presents need to go in a major release (i.e. 2.0.0). NiFi strongly adheres to stable releases which follow the principle of least surprise.

If you have specific questions or need help with integrating the code, please feel free to reach out to the community here or on GitHub. You may also be interested in the developer mailing list at d...@nifi.apache.org for more code-related questions and discussion. Thanks.

[1] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java#L65
[2] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/main/java/org/apache/nifi/kerberos/KerberosProvider.java
[3] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java#L76
[4] https://semver.org/

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Aug 31, 2018, at 3:40 PM, Curtis Ruck <curtis.r...@gmail.com> wrote:
>
> I've been trying to figure out how to improve this area of NiFi. They
> support OpenID Direct Connect (OIDC), but when you combine it with a reverse
> proxy or their default/hardcoded PKI configuration, it's near impossible to
> use.
>
> Ideally the entire authn/z stack needs rearchitecting for better modularity
> for any decent SSO integration. The current APIs were built around having a
> writable authn/z store like LDAP/RDBMS. They are not designed for common SSO
> workflows where users connect to NiFi and inherit NiFi permissions based on
> their assertion/attributes.
>
> On Fri, Aug 31, 2018, 6:14 PM Vijay Chhipa <vchh...@apple.com> wrote:
> > Hello,
> >
> > I am setting up NiFi in the company, but the out-of-the-box authentication
> > modules are not an option for me.
> > I would like to write a SAML-based login identity provider.
> > Is there one out there already?
> >
> > I am on NiFi 1.7.1, with Java 8, SAML 2.0.
> >
> > What do I need to get started with writing a new login identity provider?
> > Any examples, samples, or pointers are highly appreciated.
> >
> > Vijay