SAML

To enable authentication via SAML, the following properties must be configured in nifi.properties.

Property Name / Description

nifi.security.user.saml.idp.metadata.url

The URL for obtaining the identity provider's metadata. The metadata can be retrieved from the identity provider via http:// or https://, or a local file can be referenced using file://.

nifi.security.user.saml.sp.entity.id

The entity id of the service provider (i.e. NiFi). This value will be used as the Issuer for SAML authentication requests and should be a valid URI. In some cases the service provider entity id must be registered ahead of time with the identity provider.

nifi.security.user.saml.identity.attribute.name

The name of a SAML assertion attribute containing the user's identity. This property is optional; if it is not specified, or if the attribute is not found, the NameID of the Subject will be used.

nifi.security.user.saml.group.attribute.name

The name of a SAML assertion attribute containing group names the user belongs to. This property is optional, but if populated the groups will be passed along to the authorization process.

nifi.security.user.saml.metadata.signing.enabled

Enables signing of the generated service provider metadata.

nifi.security.user.saml.request.signing.enabled

Controls the value of AuthnRequestsSigned in the generated service provider metadata from nifi-api/access/saml/metadata. This indicates that the service provider (i.e. NiFi) should not sign authentication requests sent to the identity provider, but the requests may still need to be signed if the identity provider indicates WantAuthnRequestSigned=true.

nifi.security.user.saml.want.assertions.signed

Controls the value of WantAssertionsSigned in the generated service provider metadata from nifi-api/access/saml/metadata. This indicates that the identity provider should sign assertions, but some identity providers may provide their own configuration for controlling whether assertions are signed.

nifi.security.user.saml.signature.algorithm

The algorithm to use when signing SAML messages. Refer to https://git.shibboleth.net/view/?p=java-xmltooling.git;a=blob;f=src/main/java/org/opensaml/xml/signature/SignatureConstants.java for a list of valid values. If not specified, a default of SHA-256 will be used.

nifi.security.user.saml.signature.digest.algorithm

The digest algorithm to use when signing SAML messages. Refer to https://git.shibboleth.net/view/?p=java-xmltooling.git;a=blob;f=src/main/java/org/opensaml/xml/signature/SignatureConstants.java for a list of valid values. If not specified, a default of SHA-256 will be used.

nifi.security.user.saml.message.logging.enabled

Enables logging of SAML messages for debugging purposes.

nifi.security.user.saml.authentication.expiration

The expiration of the NiFi JWT that will be produced from a successful SAML authentication response.

nifi.security.user.saml.single.logout.enabled

Enables SAML SingleLogout, which causes a logout from NiFi to also log out of the identity provider. By default, a logout of NiFi will only remove the NiFi JWT.

nifi.security.user.saml.http.client.truststore.strategy

The truststore strategy when the IDP metadata URL begins with https. A value of JDK indicates to use the JDK's default truststore. A value of NIFI indicates to use the truststore specified by nifi.security.truststore.

nifi.security.user.saml.http.client.connect.timeout

The connection timeout when communicating with the SAML IDP.

nifi.security.user.saml.http.client.read.timeout

The read timeout when communicating with the SAML IDP.
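The following is an added example, not NiFi code: a small lint that reads the SAML block of a nifi.properties file and reports settings a reviewer would question. The rules it applies (metadata fetched over https:// or file://, WantAssertionsSigned enabled, message logging off, no SHA-1 based signature or digest algorithm, nifi.security.truststore present when the NIFI truststore strategy is used with an https metadata URL) are this example's own reading of the property descriptions above, and the two property fragments, hostnames and paths are constructed.

```python
from urllib.parse import urlparse
PREFIX = "nifi.security.user.saml."

# Constructed nifi.properties fragments (hostnames and paths are placeholders).
WEAK = """\
nifi.security.user.saml.idp.metadata.url=http://idp.example.internal/metadata
nifi.security.user.saml.want.assertions.signed=false
nifi.security.user.saml.message.logging.enabled=true
nifi.security.user.saml.signature.algorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1
"""
HARDENED = """\
nifi.security.user.saml.idp.metadata.url=https://idp.example.internal/metadata
nifi.security.user.saml.want.assertions.signed=true
nifi.security.user.saml.message.logging.enabled=false
nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
nifi.security.user.saml.http.client.truststore.strategy=NIFI
nifi.security.truststore=./conf/truststore.p12
"""

def parse_properties(text):
    """Minimal Java-properties reader: key=value lines, '#' or '!' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_saml_config(props):
    """Return findings for the SAML block; an empty list means every rule passed."""
    get = lambda name: props.get(PREFIX + name, "")
    findings = []
    scheme = urlparse(get("idp.metadata.url")).scheme
    if scheme not in ("https", "file"):
        findings.append("idp.metadata.url: use https:// or file://, not %r" % scheme)
    if get("want.assertions.signed").lower() != "true":
        findings.append("want.assertions.signed: IdP is not asked to sign assertions")
    if get("message.logging.enabled").lower() == "true":
        findings.append("message.logging.enabled: SAML messages are written to the log")
    for name in ("signature.algorithm", "signature.digest.algorithm"):
        if "sha1" in get(name).lower():
            findings.append(name + ": SHA-1 based algorithm")
    if (scheme == "https" and get("http.client.truststore.strategy").upper() == "NIFI"
            and not props.get("nifi.security.truststore")):
        findings.append("truststore.strategy is NIFI but nifi.security.truststore is unset")
    return findings
```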