I'm using Google Chrome version 129.0.6668.90 and have no problems. Try start an incognito tab and go to your NiFi web page. When I open the browser the first time, I will be prompt to select a certificate, what ever I choose chrome will remember until I have all browser closed. I can not remember if I have setup something about deleting cookies eg. when I close the browser. But it could be something like that which gives you an issue. kind regards Jens M. Kofoed
Den tirs. 1. okt. 2024 kl. 12.41 skrev Hans Deragon <h...@deragon.biz>: > What browser and version are you using? Where I work, we use Chrome > 1.129 and Edge 129 but neither offer the chance to select a certificate. > > For Chrome, it used to behave like you mention but a few months ago, the > behavior changed and there is no selection of certificate anymore (this > behavior was useful to login into a NiFi instance without a certificate > and to the NiFi Registry with a certificate. > > On 27/09/2024 02:15, Jens M. Kofoed wrote: > > I’m using ldap instead of OpenID, but it is the same things going on. > When I go to the NiFi website my browser prompts me with the option to > select my installed X.509 certificate, but I can just cancel using the > certificate and I gets to the login page. > > > > For me it’s not a big problem and I use it as a backup option. All users > are handled by AD, via groups but I have two admins which also have a local > user so they can login with certificates. This is a backup if connections > to AD/ldap is down for some reason. > > > > Kind regards > > Jens > > > >> Den 26. sep. 2024 kl. 21.53 skrev Hans Deragon <h...@deragon.biz>: > >> > >> Greetings, > >> > >> We discovered with NiFi 2.0.0-M4 that if a personal X.509 certificate > is set in user accounts under Windows, that certificate is getting used by > NiFi for authorization instead of the normal OpenID/SSO headers. The user > id in the X.509 certificate is not the same as the one in OpenID/SSO (Okta) > and thus, the person is denied access to NiFi. > >> > >> This particular certificate is not meant to be used by NiFi to > authenticate and authorize users in NiFi even though it is recognized by > our Identity Provider. We desire that NiFi only authenticate and authorize > users with OpenID/SSO (which works when I remove the personal certificate > from user's Windows workstations). > >> > >> Seams that there is no option available in nifi.properties to prevent > this behaviour. Thus, my following questions/remarks: > >> > >> - Is there a way to disable this behaviour? > >> > >> - If not, would it be acceptable to add a parameter in nifi.properties > to disable the X.509 certificate extraction? What name this parameter > should have and how should it be implemented? I could submit a pull > request, but would be nice to have some guidance from a NiFi developer. > >> > >> - Or... is there a way to change the program so that authorization does > not fail as soon as one method tested fails, but succeeds if any other > method succeed? > >> > >> Technicalities: > >> > >> Changing the code in X509AuthenticationFilter.attemptAuthentication() > to return always 'null' fixes our problem by making NiFi believe that no > X.509 certificate is available and leaves the others filters to be tested, > including the one handling OpenID/SSO. > >> > >> For my tests, I recompiled NiFi's code at Git tag 'rel/nifi-2.0.0-M4'. > >> > >> Best regards, > >> Hans Deragon > >> > >> <OpenPGP_signature.asc> > >
