SAML

To enable authentication via SAML the following properties must be configured in nifi.properties.

Property Name Description

nifi.security.user.saml.idp.metadata.url

The URL for obtaining the identity provider's metadata. The metadata can be retrieved from the identity provider via http:// or https://, or a local file can be referenced using file:// .

nifi.security.user.saml.sp.entity.id

The entity id of the service provider (i.e. NiFi). This value will be used as the Issuer for SAML authentication requests and should be a valid URI. In some cases the service provider entity id must be registered ahead of time with the identity provider.

nifi.security.user.saml.identity.attribute.name

The name of a SAML assertion attribute containing the user'sidentity. This property is optional and if not specified, or if the attribute is not found, then the NameID of the Subject will be used.

nifi.security.user.saml.group.attribute.name

The name of a SAML assertion attribute containing group names the user belongs to. This property is optional, but if populated the groups will be passed along to the authorization process.

nifi.security.user.saml.metadata.signing.enabled

Enables signing of the generated service provider metadata.

nifi.security.user.saml.request.signing.enabled

Controls the value of AuthnRequestsSigned in the generated service provider metadata from nifi-api/access/saml/metadata. This indicates that the service provider (i.e. NiFi) should not sign authentication requests sent to the identity provider, but the requests may still need to be signed if the identity provider indicates WantAuthnRequestSigned=true.

nifi.security.user.saml.want.assertions.signed

Controls the value of WantAssertionsSigned in the generated service provider metadata from nifi-api/access/saml/metadata. This indictaes that the identity provider should sign assertions, but some identity providers may provide their own configuration for controlling whether assertions are signed.

nifi.security.user.saml.signature.algorithm

The algorithm to use when signing SAML messages. Reference the Open SAML Signature Constants for a list of valid values. If not specified, a default of SHA-256 will be used.

nifi.security.user.saml.signature.digest.algorithm

The digest algorithm to use when signing SAML messages. Reference the Open SAML Signature Constants for a list of valid values. If not specified, a default of SHA-256 will be used.

nifi.security.user.saml.message.logging.enabled

Enables logging of SAML messages for debugging purposes.

nifi.security.user.saml.authentication.expiration

The expiration of the NiFi JWT that will be produced from a successful SAML authentication response.

nifi.security.user.saml.single.logout.enabled

Enables SAML SingleLogout which causes a logout from NiFi to logout of the identity provider. By default, a logout of NiFi will only remove the NiFi JWT.

nifi.security.user.saml.http.client.truststore.strategy

The truststore strategy when the IDP metadata URL begins with https. A value of JDK indicates to use the JDK's default truststore. A value of`NIFI`indicates to use the truststore specified by nifi.security.truststore.

nifi.security.user.saml.http.client.connect.timeout

The connection timeout when communicating with the SAML IDP.

nifi.security.user.saml.http.client.read.timeout

The read timeout when communicating with the SAML IDP.