Thanks for providing some background on the issue with SAML configuration. The following post describes the steps required for configuring NiFi to integrate with Okta, including example configuration settings:
https://exceptionfactory.com/posts/2022/11/30/integrating-apache-nifi-with-okta-saml-authentication/

It is difficult to determine the problem based on the logs provided. As a next step, enabling debug logging for the org.springframework.security logger should provide additional details about the SAML handshake process.

Regards,
David Handermann

On Wed, Feb 28, 2024 at 9:25 PM DC Gong <[email protected]> wrote:

> Hi,
> I’m trying to get an Okta SAML integration for NiFi.
> I set up nifi.properties using the information provided by Okta.
> The domain information is dummy for security reasons.
> I set up the entityId and ACS information in Okta correctly.
>
> <nifi.properties>
>
> nifi.security.user.saml.idp.metadata.url=https://okta-site.com/nifi/okta-saml/metadata.xml
> nifi.security.user.saml.sp.entity.id=mysite-entity-id
> nifi.security.user.saml.identity.attribute.name=
> nifi.security.user.saml.group.attribute.name=
> nifi.security.user.saml.request.signing.enabled=false
> nifi.security.user.saml.want.assertions.signed=true
> nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> nifi.security.user.saml.authentication.expiration=12 hours
> nifi.security.user.saml.single.logout.enabled=false
> nifi.security.user.saml.http.client.truststore.strategy=JDK
> nifi.security.user.saml.http.client.connect.timeout=30 secs
> nifi.security.user.saml.http.client.read.timeout=30 secs
>
> But I’m getting a 401 error in the ACS (/nifi-api/access/saml/login/consumer) for processing the SAML Assertion after SAML authentication from Okta.
> The payload SAMLResponse delivered to the ACS after Okta login contains user information as expected.
> Is there anything else I should look at to resolve this error?
>
> And I received one cert file from Okta; how am I supposed to use this?
> The metadata.xml file provided by Okta also contained the contents of that certificate.
>
> I’ll also add the nifi-user.log trace information.
>
> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110] o.a.n.w.s.c.StandardApplicationCookieService Added Session Cookie [__Secure-Request-Token] URI [https://my-site.com:443]
> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
> 2024-02-29 01:50:52,689 TRACE [NiFi Web Server-110] o.a.n.w.s.j.r.StandardBearerTokenResolver Bearer Token not found in Header or Cookie
> 2024-02-29 01:50:52,694 DEBUG [NiFi Web Server-110] o.a.n.w.s.c.StandardApplicationCookieService Removed Cookie [__Secure-SAML-Request-Identifier] URI [https://my-site.com:443]
>
> [image: Screenshot 2024-02-29 at 1.42.52 AM.png]
>
> Have a nice day :)
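The two questions in the quoted message (what to do with the certificate file, and why the consumer endpoint answers 401 when the SAMLResponse looks fine) can both be narrowed down offline before the Spring Security debug log is turned on. The following Python script is an added example and is not code from this thread or from NiFi: it checks that the certificate file matches a signing certificate in the IdP metadata, then compares Destination, Issuer and Audience in a captured SAMLResponse against the values NiFi is configured with. The metadata, the response and the certificate bytes are constructed placeholders; the IdP entityID is assumed; the sp.entity.id and the ACS path are the ones from the post. The script does not verify the XML signature, so it is a debugging aid, not a validator.

```python
"""Offline sanity checks for a NiFi + Okta SAML setup (added example, not
NiFi code).  Inspection only: the XML signature is NOT verified here."""
from __future__ import annotations

import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# --- constructed sample inputs (placeholders, not real Okta artefacts) -------
# Not a real DER certificate: the comparison below is byte-for-byte, so any
# byte string is enough to demonstrate the metadata-vs-file check.
FAKE_CERT_DER = b"constructed-okta-signing-certificate-bytes"
_B64 = base64.b64encode(FAKE_CERT_DER).decode()
OKTA_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
    _B64[i:i + 64] for i in range(0, len(_B64), 64)) + "\n-----END CERTIFICATE-----\n"
IDP_ENTITY_ID = "http://www.okta.com/exk-constructed"  # assumed value
SP_ENTITY_ID = "mysite-entity-id"                      # from the post
ACS_URL = "https://my-site.com/nifi-api/access/saml/login/consumer"

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# A captured SAMLResponse is the base64 form POST field; this constructed one
# carries a deliberately wrong Audience so the report shows a mismatch.
SAML_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-02-29T01:50:52Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-02-29T01:50:52Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://my-site.com/nifi</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def signing_certs_from_metadata(metadata_xml: str) -> list[bytes]:
    """DER bytes of every IdP signing certificate in the metadata.  A
    KeyDescriptor without 'use' is valid for signing and encryption, so it counts."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    return certs


def cert_file_matches_metadata(pem: str, metadata_xml: str) -> bool:
    """True if the certificate file is one of the metadata's signing certificates."""
    return pem_to_der(pem) in signing_certs_from_metadata(metadata_xml)


def check_saml_response(response_b64: str, idp_entity_id: str,
                        sp_entity_id: str, acs_url: str) -> list[str]:
    """Compare a captured SAMLResponse with the configured values.
    Returns human-readable mismatches; an empty list means everything lines up."""
    root = ET.fromstring(base64.b64decode(response_b64))
    findings = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append(f"status is not Success: {None if code is None else code.get('Value')}")
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    if (root.findtext("saml:Issuer", namespaces=NS) or "").strip() != idp_entity_id:
        findings.append("Response Issuer != IdP entityID from metadata")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        enc = root.find("saml:EncryptedAssertion", NS) is not None
        findings.append("EncryptedAssertion present" if enc else "no Assertion in Response")
    for a in assertions:
        if (a.findtext("saml:Issuer", namespaces=NS) or "").strip() != idp_entity_id:
            findings.append("Assertion Issuer != IdP entityID from metadata")
        audiences = [x.text.strip() for x in a.iterfind(".//saml:Audience", NS) if x.text]
        if sp_entity_id not in audiences:
            findings.append(f"Audience {audiences} does not contain sp.entity.id {sp_entity_id!r}")
        if a.find("saml:Subject/saml:NameID", NS) is None:
            findings.append("Assertion has no Subject/NameID")
    return findings


if __name__ == "__main__":
    print("cert file matches metadata:", cert_file_matches_metadata(OKTA_CERT_PEM, IDP_METADATA))
    for line in check_saml_response(SAML_RESPONSE_B64, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL):
        print("MISMATCH:", line)
```

Destination, Issuer, Audience and the signing certificate are all things the SP-side validation compares against the metadata and the configured entity ID, so any mismatch here is a plausible reason for a 401 that the browser-visible response does not explain. The certificate file from Okta is the same key that appears in the metadata; with the metadata URL configured there is nothing separate to install, and the script confirms the two agree. Run the script against a real capture by replacing the constructed constants with the metadata document, the PEM file and the base64 SAMLResponse field from the browser, and treat the output as a hint only; the authoritative reason stays in the org.springframework.security DEBUG output (in NiFi, set in conf/logback.xml) that the reply above recommends.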
