Hi guys. I solved it and will share my story.

I was able to confirm from the logs that the destination information was different, as shown below, but there was no problem with the settings in Okta.

2024-03-04 12:14:33,051 DEBUG [NiFi Web Server-26] o.s.s.s.p.s.a.OpenSamlAuthenticationProvider Found 2 validation errors in SAML response [id4756651808328737370315028]: [[invalid_destination] Invalid destination [https://nifi.my-site.com/nifi-api/access/saml/login/consumer] for SAML response [id4756651808328737370315028], [invalid_assertion] Invalid assertion [id4756651808686833990238847] for SAML response [id4756651808328737370315028]: No subject confirmation methods were met for assertion with ID 'id4756651808686833990238847']
2024-03-04 12:14:33,051 TRACE [NiFi Web Server-26] o.s.s.s.p.s.s.f.Saml2WebSsoAuthenticationFilter Failed to process authentication request
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException: Invalid destination [ https://nifi.my-site.com/nifi-api/access/saml/login/consumer] for SAML response [id4756651808328737370315028]

It was so strange that I tried lowering the version of NiFi. The version of NiFi that was causing the problem was 1.25.0, but I changed it to 1.15.0 and it worked fine.
I haven't figured out exactly what the problem is, but I'll put that off until later and share my story.
I realize this isn't a root cause fix, but it's one of the quickest things you can try to troubleshoot.

Have a great day everyone.

Regards,
DongCheol Gong

On Fri, Mar 1, 2024 at 11:44 PM DC Gong <[email protected]> wrote:

> Thanks David,
>
> I know it's not going to be easy to resolve my issue.
> I'll change the log level as you suggested and test again.
>
> Have a nice and happy weekend.
>
> Regards,
> DongCheol Gong
>
> On Fri, Mar 1, 2024 at 10:36 AM David Handermann <[email protected]> wrote:
>
>> Thanks for providing some background on the issue with SAML configuration.
>>
>> The following post describes the steps required for configuring NiFi to integrate with Okta, including example configuration settings:
>>
>> https://exceptionfactory.com/posts/2022/11/30/integrating-apache-nifi-with-okta-saml-authentication/
>>
>> It is difficult to determine the problem based on the logs provided. As a next step, enabling debug logging for the org.springframework.security logger should provide additional details about the SAML handshake process.
>>
>> Regards,
>> David Handermann
>>
>> On Wed, Feb 28, 2024 at 9:25 PM DC Gong <[email protected]> wrote:
>>
>>> Hi,
>>> I'm trying to get an Okta SAML integration for NiFi.
>>> I set up nifi.properties using the information provided by Okta.
>>> The domain information is dummy for security reasons.
>>> I set up the entityId and ACS information in Okta correctly.
>>>
>>> <nifi.properties>
>>>
>>> nifi.security.user.saml.idp.metadata.url=https://okta-site.com/nifi/okta-saml/metadata.xml
>>> nifi.security.user.saml.sp.entity.id=mysite-entity-id
>>> nifi.security.user.saml.identity.attribute.name=
>>> nifi.security.user.saml.group.attribute.name=
>>> nifi.security.user.saml.request.signing.enabled=false
>>> nifi.security.user.saml.want.assertions.signed=true
>>> nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>>> nifi.security.user.saml.authentication.expiration=12 hours
>>> nifi.security.user.saml.single.logout.enabled=false
>>> nifi.security.user.saml.http.client.truststore.strategy=JDK
>>> nifi.security.user.saml.http.client.connect.timeout=30 secs
>>> nifi.security.user.saml.http.client.read.timeout=30 secs
>>>
>>> But I'm getting a 401 error in the ACS (/nifi-api/access/saml/login/consumer) when processing the SAML Assertion after SAML authentication from Okta.
>>> The SAMLResponse payload delivered to the ACS after Okta login contains user information as expected.
>>> Is there anything else I should look at to resolve this error?
>>>
>>> And I received one cert file from Okta; how am I supposed to use this?
>>> The metadata.xml file provided by Okta also contained the contents of that certificate.
>>>
>>> I'll also add the nifi-user.log trace information.
>>>
>>> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110] o.a.n.w.s.c.StandardApplicationCookieService Added Session Cookie [__Secure-Request-Token] URI [https://my-site.com:443]
>>> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
>>> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
>>> 2024-02-29 01:50:52,689 TRACE [NiFi Web Server-110] o.a.n.w.s.j.r.StandardBearerTokenResolver Bearer Token not found in Header or Cookie
>>> 2024-02-29 01:50:52,694 DEBUG [NiFi Web Server-110] o.a.n.w.s.c.StandardApplicationCookieService Removed Cookie [__Secure-SAML-Request-Identifier] URI [https://my-site.com:443]
>>>
>>> [image: Screenshot 2024-02-29 at 1.42.52 AM.png]
>>>
>>> Have a nice day :)
>>>
>>
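The two validation errors in the log above (invalid_destination and the unmet subject confirmation) both come from comparing values inside the SAML Response against the ACS URL the service provider computes for itself, so they tend to appear together. The following is an added diagnostic example, not NiFi or Spring Security code; the function name, the constructed response and the :8443 port mismatch used to reproduce the errors are assumptions for illustration.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def find_response_errors(saml_response_b64, expected_acs_url, now=None):
    """Return (code, detail) tuples mirroring the two Spring Security checks
    that failed in the log. Simplified: signature, issuer and audience checks,
    which the real validator also performs, are omitted here."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    errors = []
    # Destination must equal the ACS URL the SP computes for itself, character
    # for character (scheme, host, port, path); a proxy hostname or port that
    # differs from what the IdP was given produces invalid_destination.
    destination = root.get("Destination")
    if destination != expected_acs_url:
        errors.append(("invalid_destination",
                       f"Destination {destination!r} != ACS {expected_acs_url!r}"))
    for assertion in root.findall("saml:Assertion", NS):
        # A bearer SubjectConfirmation is met only if its Recipient is the same
        # ACS URL and NotOnOrAfter is still in the future, so a wrong ACS URL
        # usually fails this check as well, exactly as in the log above.
        met = False
        for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
            data = sc.find("saml:SubjectConfirmationData", NS)
            if sc.get("Method") != BEARER or data is None:
                continue
            expiry = datetime.fromisoformat(
                data.get("NotOnOrAfter").replace("Z", "+00:00"))
            if data.get("Recipient") == expected_acs_url and expiry > now:
                met = True
        if not met:
            errors.append(("invalid_assertion", "No subject confirmation methods "
                           f"were met for assertion {assertion.get('ID')}"))
    return errors

# Constructed sample response (not a real Okta assertion): IDs and the far-future
# NotOnOrAfter are placeholders; Destination matches the URL from the log above.
ACS = "https://nifi.my-site.com/nifi-api/access/saml/login/consumer"
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response ID="id-constructed-1"
 xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{ACS}">
 <saml:Assertion ID="id-constructed-2"><saml:Subject>
  <saml:NameID>user@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData
   Recipient="{ACS}" NotOnOrAfter="2099-01-01T00:00:00Z"/></saml:SubjectConfirmation>
 </saml:Subject></saml:Assertion></samlp:Response>""".encode())
```

Running `find_response_errors(SAMPLE_RESPONSE, ACS)` returns no errors, while checking the same response against an ACS URL that differs only by a port (for example `ACS.replace(".com/", ".com:8443/")`) returns both `invalid_destination` and `invalid_assertion`, the same pair the NiFi log reported.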
