SAML Authentication

After you install NiFi, you can enable authentication through a Security Assertion Markup Language (SAML) identity provider.

With SAML authentication, when a user attempts to access NiFi, NiFi redirects the user to the corresponding identity provider to log in. After the user logs into the identity provider, the identity provider sends NiFi a response that contains the user's credentials. With knowledge of the user's identity, NiFi can now authenticate the user.

To enable authentication through a SAML identity provider, set the following SAML related properties in the nifi.properties file. Then, restart NiFi for the changes in the nifi.properties file to take effect. If NiFi is clustered, configuration files must be the same on all nodes.

Property Description
nifi.security.user.saml.idp.metadata.url The URL for obtaining the identity provider’s metadata.

The metadata can be retrieved from the identity provider through http:// or https://, or a local file can be referenced using file://.

nifi.security.user.saml.sp.entity.id The entity ID of the service provider (i.e. NiFi).

This value will be used as the Issuer for SAML authentication requests and should be a valid URI. In some cases the service provider entity ID must be registered ahead of time with the identity provider.

nifi.security.user.saml.identity.attribute.name The name of a SAML assertion attribute containing the user's identity.

This property is optional and if not specified, or if the attribute is not found, then the NameID of the Subject will be used.

nifi.security.user.saml.group.attribute.name The name of a SAML assertion attribute containing group names the user belongs to.

This property is optional, but if populated the groups will be passed along to the authorization process.

nifi.security.user.saml.metadata.signing.enabled Enables signing of the generated service provider metadata.
nifi.security.user.saml.request.signing.enabled Controls the value of AuthnRequestsSigned in the generated service provider metadata from nifi-api/access/saml/metadata.

This indicates that the service provider (i.e. NiFi) should not sign authentication requests sent to the identity provider, but the requests may still need to be signed if the identity provider indicates WantAuthnRequestSigned=true.

nifi.security.user.saml.want.assertions.signed Controls the value of WantAssertionsSigned in the generated service provider metadata from nifi-api/access/saml/metadata.

This indicates that the identity provider should sign assertions, but some identity providers may provide their own configuration for controlling whether assertions are signed.

nifi.security.user.saml.signature.algorithm The algorithm to use when signing SAML messages. See the Open SAML Signature Constants for a list of valid values.

If not specified, a default of SHA-256 will be used.

nifi.security.user.saml.signature.digest.algorithm The digest algorithm to use when signing SAML messages. See the Open SAML Signature Constants for a list of valid values.

If not specified, a default of SHA-256 will be used.

nifi.security.user.saml.message.logging.enabled Enables logging of SAML messages for debugging purposes.
nifi.security.user.saml.authentication.expiration The expiration of the NiFi JWT that will be produced from a successful SAML authentication response.
nifi.security.user.saml.single.logout.enabled Enables SAML SingleLogout which causes a logout from NiFi to logout of the identity provider.

By default, a logout of NiFi will only remove the NiFi JWT.

nifi.security.user.saml.http.client.truststore.strategy The truststore strategy when the IDP metadata URL begins with https.

A value of JDK indicates to use the JDK’s default truststore.

A value of`NIFI`indicates to use the truststore specified by nifi.security.truststore.

nifi.security.user.saml.http.client.connect.timeout The connection timeout when communicating with the SAML IDP.
nifi.security.user.saml.http.client.read.timeout The read timeout when communicating with the SAML IDP.