nifi-issues mailing list archives

From "Nathan Gough (Jira)" <j...@apache.org>
Subject [jira] [Comment Edited] (NIFI-6837) Test and document 2FA using an external OIDC provider
Date Tue, 05 Nov 2019 16:48:00 GMT

    [ https://issues.apache.org/jira/browse/NIFI-6837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16967643#comment-16967643
] 

Nathan Gough edited comment on NIFI-6837 at 11/5/19 4:47 PM:
-------------------------------------------------------------

Using Google's G Suite as identity management and OIDC provider I was able to enable 2FA with
NiFi. The steps are given in the attached PDF to allow for clearer formatting.


was (Author: thenatog):
Using Google's G Suite as identity management and OIDC provider I was able to enable 2FA with
NiFi. The steps were:
 # Set up a G Suite account. This requires owning your own domain. I got a free trial for
a paid version, but I think there's a free version as well
 # Verified ownership of the domain by adding a TXT entry at your domain host which will be
detected by Google
 # Change your domain host (mine was namecheap) mail server to Google's mail server
 # Add an admin and a normal user
 # The Security tab in G Suite allows enabling and enforcing 2FA/2SV
 # All users should have this set up before it is enforced, otherwise they will not be able
to authenticate for G Suite or NiFi
 # Various 2FA mechanisms are available, including SMS, phone call, Google prompt, Google Authenticator,
etc.
 # In Google Console (https://console.cloud.google.com/), log in as your admin user, go
to 'APIs & Services' and create a 'NiFi' project
 # In 'APIs & Services', create an OAuth Consent screen for the 'NiFi' project
 # Application type: Internal
 # Application name: NiFi
 # Logo: I added a NiFi Logo
 # Support email: Users attempting to log in will see this email for support questions
 # Authorized domains: The domain where NiFi is hosted (yourdomain.com)


 # In 'APIs & Services', under Credentials, click 'Create credentials' > 'OAuth Client
ID' (this generates ${nifi.oauth.client.id} and ${nifi.oauth.client.secret})
 # Type: Web application
 # Name: NiFi
 # Redirect URL: https://${nifi.hostname}:${nifi.port}/nifi-api/access/oidc/callback


 # Set the NiFi properties (https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect)
 # nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration
 # nifi.security.user.oidc.client.id=${nifi.oauth.client.id}
 # nifi.security.user.oidc.client.secret=${nifi.oauth.client.secret}


 # Set the NiFi authorizers.xml
 # <property name="Initial User Identity 4">gsuiteuser@yourdomain.com</property>
 # <property name="Initial Admin Identity">gsuiteuser@yourdomain.com</property>

You should now be able to visit the NiFi UI. It will redirect to the OAuth consent screen
you created; you can log in as your created user, Google will request the 2FA step you configured,
and once authenticated it will redirect you to the NiFi UI logged in as gsuiteuser@yourdomain.com.

> Test and document 2FA using an external OIDC provider 
> ------------------------------------------------------
>
>                 Key: NIFI-6837
>                 URL: https://issues.apache.org/jira/browse/NIFI-6837
>             Project: Apache NiFi
>          Issue Type: Sub-task
>          Components: Security
>            Reporter: Nathan Gough
>            Assignee: Nathan Gough
>            Priority: Major
>         Attachments: Google OIDC and 2FA with NiFi.pdf
>
>
> * Enable 2FA for an OIDC provider and enforce that users must require 2FA to authenticate
before they can access NiFi



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
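The first leg of the OIDC exchange that the steps above configure, as an added example (not code from the NiFi project or from the Jira comment): it parses the three nifi.properties keys, checks a constructed discovery document shaped like Google's for https-only endpoints and an issuer that matches the discovery URL, and builds the authorization redirect whose redirect_uri is the /nifi-api/access/oidc/callback path registered with Google. The client id, secret, discovery document and NiFi base URL are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse
# Constructed: the nifi.properties keys from the comment, with placeholder values.
NIFI_PROPERTIES = """
nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration
nifi.security.user.oidc.client.id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com
nifi.security.user.oidc.client.secret=EXAMPLE-CLIENT-SECRET
"""
# Constructed stand-in for the discovery document (only the fields used here).
DISCOVERY_DOC = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
}
def parse_properties(text):
    """Minimal key=value parser for nifi.properties lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_discovery(props, doc):
    """Return problems (empty list if OK): all endpoints https, issuer matches."""
    disc = props["nifi.security.user.oidc.discovery.url"]
    problems = []
    if urlparse(disc).scheme != "https":
        problems.append("discovery URL must be https")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} must be https")
    # Per OIDC Discovery, the metadata URL is issuer + /.well-known/openid-configuration.
    if doc["issuer"].rstrip("/") + "/.well-known/openid-configuration" != disc:
        problems.append("issuer does not match discovery URL")
    return problems

def build_authorization_url(props, doc, nifi_base_url):
    """Redirect NiFi sends the browser to; redirect_uri is the callback from the comment."""
    problems = check_discovery(props, doc)
    if problems:
        raise ValueError("; ".join(problems))
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)  # bind callback to this login
    params = {"response_type": "code", "scope": "openid email",
              "client_id": props["nifi.security.user.oidc.client.id"],
              "redirect_uri": f"{nifi_base_url}/nifi-api/access/oidc/callback",
              "state": state, "nonce": nonce}
    return f"{doc['authorization_endpoint']}?{urlencode(params)}", state, nonce
```

The state and nonce returned must be stored server-side and compared against the values Google sends back on the callback and inside the ID token; a callback whose state does not match is rejected.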
