For Chrome, it used to behave like you mention, but a few months ago the behavior changed and there is no selection of certificate anymore (this behavior was useful to log in to a NiFi instance without a certificate and to the NiFi Registry with a certificate).
On 27/09/2024 02:15, Jens M. Kofoed wrote:
I'm using LDAP instead of OpenID, but it is the same thing going on. When I go to the NiFi website my browser prompts me with the option to select my installed X.509 certificate, but I can just cancel using the certificate and I get to the login page. For me it's not a big problem and I use it as a backup option. All users are handled by AD, via groups, but I have two admins who also have a local user so they can log in with certificates. This is a backup if the connection to AD/LDAP is down for some reason.

Kind regards
Jens

On 26 Sep 2024 at 21:53, Hans Deragon <h...@deragon.biz> wrote:

Greetings,

We discovered with NiFi 2.0.0-M4 that if a personal X.509 certificate is set in user accounts under Windows, that certificate is getting used by NiFi for authorization instead of the normal OpenID/SSO headers. The user id in the X.509 certificate is not the same as the one in OpenID/SSO (Okta) and thus, the person is denied access to NiFi. This particular certificate is not meant to be used by NiFi to authenticate and authorize users in NiFi even though it is recognized by our Identity Provider. We desire that NiFi only authenticate and authorize users with OpenID/SSO (which works when I remove the personal certificate from users' Windows workstations). Seems that there is no option available in nifi.properties to prevent this behaviour. Thus, my following questions/remarks:

- Is there a way to disable this behaviour?
- If not, would it be acceptable to add a parameter in nifi.properties to disable the X.509 certificate extraction? What name should this parameter have and how should it be implemented? I could submit a pull request, but it would be nice to have some guidance from a NiFi developer.
- Or... is there a way to change the program so that authorization does not fail as soon as one method tested fails, but succeeds if any other method succeeds?

Technicalities: Changing the code in X509AuthenticationFilter.attemptAuthentication() to always return 'null' fixes our problem by making NiFi believe that no X.509 certificate is available and leaves the other filters to be tested, including the one handling OpenID/SSO. For my tests, I recompiled NiFi's code at Git tag 'rel/nifi-2.0.0-M4'.

Best regards,
Hans Deragon
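The thread above describes an authentication filter chain in which the first filter that extracts an identity decides the outcome, so a browser-supplied X.509 certificate whose subject is not a provisioned user blocks the OpenID/SSO path that would have succeeded. The following is an added toy model of that chain (not NiFi's own code; the filter functions, the `Request` fields, the sample DN and the `KNOWN_USERS` set are all constructed for illustration, and membership in `KNOWN_USERS` stands in for the authorizer). It contrasts the reported behaviour, the "disable X.509 extraction" workaround from the thread, and the third option of accepting any method that succeeds.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed request: a client certificate DN selected by the browser and an OpenID/SSO subject.
@dataclass
class Request:
    client_cert_dn: Optional[str] = None
    oidc_subject: Optional[str] = None

# Each filter returns an identity, or None to signal "no credential of my kind present".
def x509_filter(req: Request, enabled: bool = True) -> Optional[str]:
    if not enabled:
        return None  # behave as if no certificate was sent, so later filters get a chance
    return req.client_cert_dn

def oidc_filter(req: Request) -> Optional[str]:
    return req.oidc_subject

def first_identity_wins(req, filters, known_users):
    """Model of the reported behaviour: the first filter that yields an identity decides,
    and authorization is checked only against that identity. Returns (identity, authorized)."""
    for f in filters:
        identity = f(req)
        if identity is not None:
            return identity, identity in known_users
    return None, False

def any_identity_wins(req, filters, known_users):
    """Model of the third option in the thread: try every filter and grant access
    if any extracted identity is authorized."""
    identities = [i for i in (f(req) for f in filters) if i is not None]
    for identity in identities:
        if identity in known_users:
            return identity, True
    return (identities[0] if identities else None), False

# Constructed sample data: the SSO subject is provisioned, the certificate DN is not.
KNOWN_USERS = {"hans@example.com"}
CERT_DN = "CN=Hans Deragon,O=Example"

def scenario(x509_enabled: bool, mode=first_identity_wins):
    """Workstation with a personal certificate installed and a valid SSO session."""
    req = Request(client_cert_dn=CERT_DN, oidc_subject="hans@example.com")
    filters = [lambda r: x509_filter(r, x509_enabled), oidc_filter]
    return mode(req, filters, KNOWN_USERS)
```

With the X.509 filter enabled, `scenario(True)` yields the certificate DN and a denied authorization; disabling it, or switching to `any_identity_wins`, lets the SSO identity through.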