Thanks for following up on this issue, the additional logging is helpful.

The example URL provided does not include the port number
(https://nifi.my-site.com), which seems to imply the presence of a gateway or
reverse proxy server in front of NiFi. This configuration is supported, but
in some cases it can require including the port number in the URL, the
default value being 443.

For reference, here is the Spring Security code that is producing the error
shown in the log:

https://github.com/spring-projects/spring-security/blob/69527f9a9c6ded890763d67d992cbcbb3a393162/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java#L388

If you are using a reverse proxy server, it is important that all of the
applicable X-Proxy headers are configured so that NiFi can generate the
correct URL for comparison.

See the Proxy Configuration section of the Admin Guide for more details:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration

Regards,
David Handermann
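As an added illustration of the comparison that produces the `invalid_destination` error above (this is example code, not the NiFi or Spring Security implementation), the script below extracts the `Destination` attribute from a constructed SAML Response, compares it byte-for-byte against the ACS URL the service provider generated, and flags the case where the two differ only by an explicit default port, which is the symptom a reverse proxy without the proper forwarded headers tends to produce.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample: the Destination is the ACS URL registered at the IdP (no port).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAML2P}" ID="_constructed-response-id"
  Version="2.0" IssueInstant="2024-03-04T12:14:33Z"
  Destination="https://nifi.my-site.com/nifi-api/access/saml/login/consumer"/>"""


def response_destination(xml_text):
    """Return (response ID, Destination attribute) from a SAML 2.0 Response element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2P}}}Response":
        raise ValueError("not a SAML 2.0 Response element")
    return root.get("ID"), root.get("Destination")


def same_endpoint_modulo_default_port(a, b):
    """True when two URLs name the same scheme/host/port/path once default ports are filled in."""
    def norm(url):
        parts = urlsplit(url)
        return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme), parts.path)
    return norm(a) == norm(b)


def check_destination(xml_text, generated_acs_location):
    """Strict string comparison, as the validator does: any difference is invalid_destination.
    A second, diagnostic line is appended when only an explicit default port differs."""
    response_id, destination = response_destination(xml_text)
    if destination == generated_acs_location:
        return []
    errors = [f"[invalid_destination] Invalid destination [{destination}] "
              f"for SAML response [{response_id}]; generated [{generated_acs_location}]"]
    if same_endpoint_modulo_default_port(destination, generated_acs_location):
        errors.append("hint: URLs differ only by an explicit default port; make the ACS URL "
                      "registered at the IdP match the URL the SP builds behind the proxy")
    return errors


if __name__ == "__main__":
    for location in ("https://nifi.my-site.com/nifi-api/access/saml/login/consumer",
                     "https://nifi.my-site.com:443/nifi-api/access/saml/login/consumer"):
        print(location, "->", check_destination(SAMPLE_RESPONSE, location) or "OK")
```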

On Mon, Mar 4, 2024 at 7:14 PM DC Gong <[email protected]> wrote:

> Hi guys.
>
> I solved it and will share my story.
>
> I was able to check in the logs that the destination information was
> different, as shown below, but there was no problem with the settings in
> OKTA.
>
>
> 2024-03-04 12:14:33,051 DEBUG [NiFi Web Server-26]
> o.s.s.s.p.s.a.OpenSamlAuthenticationProvider Found 2 validation errors in
> SAML response [id4756651808328737370315028]: [[invalid_destination] Invalid
> destination [https://nifi.my-site.com/nifi-api/access/saml/login/consumer]
> for SAML response [id4756651808328737370315028], [invalid_assertion]
> Invalid assertion [id4756651808686833990238847] for SAML response
> [id4756651808328737370315028]: No subject confirmation methods were met for
> assertion with ID 'id4756651808686833990238847']
> 2024-03-04 12:14:33,051 TRACE [NiFi Web Server-26]
> o.s.s.s.p.s.s.f.Saml2WebSsoAuthenticationFilter Failed to process
> authentication request
> org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException:
> Invalid destination [https://nifi.my-site.com/nifi-api/access/saml/login/consumer]
> for SAML response [id4756651808328737370315028]
>
>
>
> It was so strange that I tried lowering the version of NiFi.
> The version of NiFi that was causing the problem was 1.25.0, but I changed
> it to 1.15.0 and it worked fine.
>
> I haven't figured out exactly what the problem is, but I'll put that off
> until later and share my story.
> I realize this isn't a root cause fix, but it's one of the quickest things
> you can try to troubleshoot.
>
> Have a great day everyone.
>
> Regards,
> DongCheol Gong
>
> On Fri, Mar 1, 2024 at 11:44 PM DC Gong <[email protected]> wrote:
>
>> Thanks David,
>>
>> I know it's not going to be easy to resolve my issue.
>> I'll change the loglevel as you suggested and test again.
>>
>> Have a nice and happy weekend.
>>
>> Regards,
>> DongCheol Gong
>>
>> On Fri, Mar 1, 2024 at 10:36 AM David Handermann <[email protected]>
>> wrote:
>>
>>> Thanks for providing some background on the issue with SAML
>>> configuration.
>>>
>>> The following post describes the steps required for configuring NiFi to
>>> integrate with Okta, including example configuration settings:
>>>
>>>
>>> https://exceptionfactory.com/posts/2022/11/30/integrating-apache-nifi-with-okta-saml-authentication/
>>>
>>> It is difficult to determine the problem based on the logs provided. As
>>> a next step, enabling debug logging for the org.springframework.security
>>> logger should provide additional details about the SAML handshake process.
>>>
>>> Regards,
>>> David Handermann
>>>
>>> On Wed, Feb 28, 2024 at 9:25 PM DC Gong <[email protected]> wrote:
>>>
>>>> Hi,
>>>> I’m trying to get an OKTA SAML integration for NiFi.
>>>> I set up nifi.properties using the information provided by okta.
>>>> The domain information is dummy for security reasons.
>>>> I set up the entityId and ACS information in okta correctly.
>>>>
>>>> <nifi.properties>
>>>>
>>>> nifi.security.user.saml.idp.metadata.url=https://okta-site.com/nifi/okta-saml/metadata.xml
>>>> nifi.security.user.saml.sp.entity.id=mysite-entity-id
>>>> nifi.security.user.saml.identity.attribute.name=
>>>> nifi.security.user.saml.group.attribute.name=
>>>> nifi.security.user.saml.request.signing.enabled=false
>>>> nifi.security.user.saml.want.assertions.signed=true
>>>> nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>>>> nifi.security.user.saml.authentication.expiration=12 hours
>>>> nifi.security.user.saml.single.logout.enabled=false
>>>> nifi.security.user.saml.http.client.truststore.strategy=JDK
>>>> nifi.security.user.saml.http.client.connect.timeout=30 secs
>>>> nifi.security.user.saml.http.client.read.timeout=30 secs
>>>>
>>>>
>>>>
>>>> But I’m getting a 401 error in the
>>>> ACS (/nifi-api/access/saml/login/consumer) when processing the SAML assertion
>>>> after SAML authentication from Okta.
>>>> The payload SAMLResponse delivered to ACS after OKTA login contains
>>>> user information as expected.
>>>> Is there anything else I should look at to resolve this error?
>>>>
>>>> And I received one cert file from Okta; how am I supposed to use this?
>>>> The metadata.xml file provided by okta also contained the contents of
>>>> that certificate.
>>>>
>>>> I’ll also add the nifi-user.log trace information.
>>>>
>>>> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110]
>>>> o.a.n.w.s.c.StandardApplicationCookieService Added Session Cookie
>>>> [__Secure-Request-Token] URI [https://my-site.com:443]
>>>> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110]
>>>> o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
>>>> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110]
>>>> o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in
>>>> request.
>>>> 2024-02-29 01:50:52,689 TRACE [NiFi Web Server-110]
>>>> o.a.n.w.s.j.r.StandardBearerTokenResolver Bearer Token not found in Header
>>>> or Cookie
>>>> 2024-02-29 01:50:52,694 DEBUG [NiFi Web Server-110]
>>>> o.a.n.w.s.c.StandardApplicationCookieService Removed Cookie
>>>> [__Secure-SAML-Request-Identifier] URI [https://my-site.com:443]
>>>>
>>>>
>>>>
>>>>
>>>> Have a nice day :)
>>>>
>>>
