nifi-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] [nifi] bbende opened a new pull request #4614: NIFI-7888 Add support for SAML authentication
Date Wed, 21 Oct 2020 18:04:34 GMT

bbende opened a new pull request #4614:
URL: https://github.com/apache/nifi/pull/4614


   This PR adds the ability to authenticate to NiFi via a SAML identity provider, similar
to how OIDC authentication works.
   
   In addition, there is an option to obtain group membership info from the authorizations
in a successful SAML AuthN response from the IDP. These groups are then passed along in the
NiFiUser instance in order to be leveraged during authorization. Currently if using the file-based
policy provider, then these groups would also have to exist in the configured user-group-provider
in order to have created policies against them.
   
   The integration with spring-security-saml is heavily based on the primary example application
here:
   https://github.com/vdenotaris/spring-boot-security-saml-sample
   
   I've primarily tested against KeyCloak and the SSOCirlce IDP which is used by the example
app above (https://www.ssocircle.com/en/). 
   
   High-level changes:
   - Add dependency on spring-security-saml2-core
   - Updated AccessResource with new SAML end-points
   - Updated Login/Logout filters to handle SAML scenario
   - Updated logout process to track a logout request using a cookie
   - Added database storage for cached SAML credential and user groups
   - Updated proxied requests when clustered to send IDP groups in a header
   - Updated X509 filter to process the IDP groups from the header if present
   - Updated admin guide
   - Fixed logout action on error page
   - Updated StandardManagedAuthorizer to combine groups from request with groups from lookup
   - Updated UserGroupProvider implementations with more efficient impl of getGroupByName
   - Added/updated unit tests


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



Mime
View raw message