Thanks David. I will try it, then share it again. :)
Regards,
DongCheol Gong

On Tue, Mar 5, 2024 at 10:38 PM, David Handermann <[email protected]> wrote:

> Thanks for following up on this issue, the additional logging is helpful.
>
> The example URL provided does not include the port number (https://nifi.my-site.com) which seems to imply the presence of a gateway or reverse proxy server in front of NiFi. This configuration is supported, but in some cases, it can require including the port number in the URL, the default value being 443.
>
> For reference, here is the Spring Security code that is producing the error shown in the log:
>
> https://github.com/spring-projects/spring-security/blob/69527f9a9c6ded890763d67d992cbcbb3a393162/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java#L388
>
> If you are using a reverse proxy server, it is important that all of the applicable X-Proxy headers are configured so that NiFi can generate the correct URL for comparison.
>
> See the Proxy Configuration section of the Admin Guide for more details:
>
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration
>
> Regards,
> David Handermann
>
> On Mon, Mar 4, 2024 at 7:14 PM DC Gong <[email protected]> wrote:
>
>> Hi guys.
>>
>> I solved it and am sharing my story.
>>
>> I was able to check in the logs that the destination information was different, as shown below, but there was no problem with the settings in OKTA.
>>
>> 2024-03-04 12:14:33,051 DEBUG [NiFi Web Server-26] o.s.s.s.p.s.a.OpenSamlAuthenticationProvider Found 2 validation errors in SAML response [id4756651808328737370315028]: [[invalid_destination] Invalid destination [https://nifi.my-site.com/nifi-api/access/saml/login/consumer] for SAML response [id4756651808328737370315028], [invalid_assertion] Invalid assertion [id4756651808686833990238847] for SAML response [id4756651808328737370315028]: No subject confirmation methods were met for assertion with ID 'id4756651808686833990238847']
>> 2024-03-04 12:14:33,051 TRACE [NiFi Web Server-26] o.s.s.s.p.s.s.f.Saml2WebSsoAuthenticationFilter Failed to process authentication request
>> org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException: Invalid destination [https://nifi.my-site.com/nifi-api/access/saml/login/consumer] for SAML response [id4756651808328737370315028]
>>
>> It was so strange that I tried lowering the version of NiFi.
>> The version of NiFi that was causing the problem was 1.25.0, but I changed it to 1.15.0 and it worked fine.
>>
>> I haven't figured out exactly what the problem is, but I'll put that off until later and share my story.
>> I realize this isn't a root cause fix, but it's one of the quickest things you can try to troubleshoot.
>>
>> Have a great day everyone.
>>
>> Regards,
>> DongCheol Gong
>>
>> On Fri, Mar 1, 2024 at 11:44 PM, DC Gong <[email protected]> wrote:
>>
>>> Thanks David,
>>>
>>> I know it's not going to be easy to resolve my issue.
>>> I'll change the log level as you suggested and test again.
>>>
>>> Have a nice and happy weekend.
>>>
>>> Regards,
>>> DongCheol Gong
>>>
>>> On Fri, Mar 1, 2024 at 10:36 AM, David Handermann <[email protected]> wrote:
>>>
>>>> Thanks for providing some background on the issue with SAML configuration.
>>>>
>>>> The following post describes the steps required for configuring NiFi to integrate with Okta, including example configuration settings:
>>>>
>>>> https://exceptionfactory.com/posts/2022/11/30/integrating-apache-nifi-with-okta-saml-authentication/
>>>>
>>>> It is difficult to determine the problem based on the logs provided. As a next step, enabling debug logging for the org.springframework.security logger should provide additional details about the SAML handshake process.
>>>>
>>>> Regards,
>>>> David Handermann
>>>>
>>>> On Wed, Feb 28, 2024 at 9:25 PM DC Gong <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>> I'm trying to get an OKTA SAML integration for NiFi.
>>>>> I set up nifi.properties using the information provided by OKTA.
>>>>> The domain information is dummy for security reasons.
>>>>> I set up the entityId and ACS information in OKTA correctly.
>>>>>
>>>>> <nifi.properties>
>>>>>
>>>>> nifi.security.user.saml.idp.metadata.url=https://okta-site.com/nifi/okta-saml/metadata.xml
>>>>> nifi.security.user.saml.sp.entity.id=mysite-entity-id
>>>>> nifi.security.user.saml.identity.attribute.name=
>>>>> nifi.security.user.saml.group.attribute.name=
>>>>> nifi.security.user.saml.request.signing.enabled=false
>>>>> nifi.security.user.saml.want.assertions.signed=true
>>>>> nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>>>>> nifi.security.user.saml.authentication.expiration=12 hours
>>>>> nifi.security.user.saml.single.logout.enabled=false
>>>>> nifi.security.user.saml.http.client.truststore.strategy=JDK
>>>>> nifi.security.user.saml.http.client.connect.timeout=30 secs
>>>>> nifi.security.user.saml.http.client.read.timeout=30 secs
>>>>>
>>>>> But I'm getting a 401 error in the ACS (/nifi-api/access/saml/login/consumer) for processing the SAML Assertion after SAML authentication from OKTA.
>>>>> The payload SAMLResponse delivered to the ACS after OKTA login contains user information as expected.
>>>>> Is there anything else I should look at to resolve this error?
>>>>>
>>>>> And I received one cert file from OKTA; how am I supposed to use this?
>>>>> The metadata.xml file provided by OKTA also contained the contents of that certificate.
>>>>>
>>>>> I'll also add the nifi-user.log trace information.
>>>>>
>>>>> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110] o.a.n.w.s.c.StandardApplicationCookieService Added Session Cookie [__Secure-Request-Token] URI [https://my-site.com:443]
>>>>> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
>>>>> 2024-02-29 01:50:52,689 DEBUG [NiFi Web Server-110] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
>>>>> 2024-02-29 01:50:52,689 TRACE [NiFi Web Server-110] o.a.n.w.s.j.r.StandardBearerTokenResolver Bearer Token not found in Header or Cookie
>>>>> 2024-02-29 01:50:52,694 DEBUG [NiFi Web Server-110] o.a.n.w.s.c.StandardApplicationCookieService Removed Cookie [__Secure-SAML-Request-Identifier] URI [https://my-site.com:443]
>>>>>
>>>>> [image: Screenshot 2024-02-29 at 1.42.52 AM.png]
>>>>>
>>>>> Have a nice day :)
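The Destination comparison David points at, as an added example (not code from NiFi, Spring Security, or anyone in this thread): it reads the Destination attribute of a constructed samlp:Response, derives the ACS URL NiFi would compute from the X-ProxyScheme/X-ProxyHost/X-ProxyPort/X-ProxyContextPath headers named in the Admin Guide section he links (the fallback order and the always-written port are simplifying assumptions, modelled on the ":443" in the quoted cookie URIs), and names the URL component that makes the strict comparison fail.

```python
# Added example, not code from NiFi, Spring Security or the thread: models the
# invalid_destination check from the quoted log and shows how the X-Proxy*
# headers decide the URL NiFi compares against. Header names follow the Admin
# Guide's proxy section; the fallback order is a simplifying assumption.
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_PATH = "/nifi-api/access/saml/login/consumer"

# Constructed samlp:Response (a real one carries a signed Assertion; omitted).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed-1" Version="2.0" IssueInstant="2024-03-04T12:14:33Z"
  Destination="https://nifi.my-site.com/nifi-api/access/saml/login/consumer"/>"""

def build_acs_url(headers, local_scheme="https", local_host="127.0.0.1", local_port="8443"):
    """Derive the ACS URL NiFi would compute for itself: proxy headers win,
    otherwise the local listener. The port is always written out, mirroring
    the ':443' in the cookie URIs of the quoted nifi-user.log (assumption)."""
    scheme = headers.get("X-ProxyScheme", local_scheme)
    host = headers.get("X-ProxyHost", local_host)
    port = headers.get("X-ProxyPort", local_port)
    context = headers.get("X-ProxyContextPath", "").rstrip("/")
    return f"{scheme}://{host}:{port}{context}{ACS_PATH}"

def extract_destination(xml_text):
    """Read the Destination attribute from the root samlp:Response element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("root element is not samlp:Response")
    return root.get("Destination")

def check_destination(xml_text, headers):
    """Plain string equality, as the linked Spring Security validator applies.
    Returns (ok, destination, expected)."""
    dest = extract_destination(xml_text)
    expected = build_acs_url(headers)
    return dest == expected, dest, expected

def explain_mismatch(dest, expected):
    """List the URL components that differ, pointing at the header to fix."""
    a, b = urlsplit(dest), urlsplit(expected)
    pairs = (("scheme", a.scheme, b.scheme), ("host", a.hostname, b.hostname),
             ("port", a.port, b.port), ("path", a.path, b.path))
    return [f"{n}: {x!r} != {y!r}" for n, x, y in pairs if x != y]

if __name__ == "__main__":
    proxy = {"X-ProxyScheme": "https", "X-ProxyHost": "nifi.my-site.com", "X-ProxyPort": "443"}
    ok, dest, expected = check_destination(SAML_RESPONSE, proxy)
    print("valid" if ok else f"invalid_destination: {explain_mismatch(dest, expected)}")
```

Run against the quoted log's Destination, the only differing component is the port, which is where an ACS URL registered in the IdP with an explicit :443 (or a proxy header that drops it) changes the outcome.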
