SAML authentication
After you install NiFi, you can enable authentication through a Security Assertion Markup Language (SAML) identity provider.
With SAML authentication, when a user attempts to access NiFi, NiFi redirects the user to the corresponding identity provider to log in. After the user logs into the identity provider, the identity provider sends NiFi a response that contains the user's credentials. With knowledge of the user's identity, NiFi can now authenticate the user.
To enable authentication through a SAML identity provider, set the following SAML related properties in the nifi.properties file. Then, restart NiFi for the changes in the nifi.properties file to take effect. If NiFi is clustered, configuration files must be the same on all nodes.
| Property | Description |
|---|---|
nifi.security.user.saml.idp.metadata.url |
The URL for obtaining the identity provider’s
metadata. The metadata can be retrieved from the identity provider through
|
nifi.security.user.saml.sp.entity.id |
The entity ID of the service provider (i.e. NiFi). This value will be used as
the |
nifi.security.user.saml.identity.attribute.name |
The name of a SAML assertion attribute containing the user's identity. This property is optional and if not specified, or if the attribute is not found, then the NameID of the Subject will be used. |
nifi.security.user.saml.group.attribute.name |
The name of a SAML assertion attribute containing group names the user belongs
to. This property is optional, but if populated the groups will be passed along to the authorization process. |
nifi.security.user.saml.metadata.signing.enabled |
Enables signing of the generated service provider metadata. |
nifi.security.user.saml.request.signing.enabled |
Controls the value of AuthnRequestsSigned in the generated
service provider metadata from nifi-api/access/saml/metadata. This
indicates that the service provider (i.e. NiFi) should not sign authentication
requests sent to the identity provider, but the requests may still need to be signed
if the identity provider indicates
|
nifi.security.user.saml.want.assertions.signed |
Controls the value of WantAssertionsSigned in the generated
service provider metadata from nifi-api/access/saml/metadata. This indicates that the identity provider should sign assertions, but some identity providers may provide their own configuration for controlling whether assertions are signed. |
nifi.security.user.saml.signature.algorithm |
The algorithm to use when signing SAML messages. See the Open SAML
Signature Constants for a list of valid values. If not specified, a default of SHA-256 will be used. |
nifi.security.user.saml.signature.digest.algorithm |
The digest algorithm to use when signing SAML messages. See the Open SAML
Signature Constants for a list of valid values. If not specified, a default of SHA-256 will be used. |
nifi.security.user.saml.message.logging.enabled |
Enables logging of SAML messages for debugging purposes. |
nifi.security.user.saml.authentication.expiration |
The expiration of the NiFi JWT that will be produced from a successful SAML authentication response. |
nifi.security.user.saml.single.logout.enabled |
Enables SAML SingleLogout which causes a logout from NiFi to logout of the
identity provider. By default, a logout of NiFi will only remove the NiFi JWT. |
nifi.security.user.saml.http.client.truststore.strategy |
The truststore strategy when the IDP metadata URL begins with
https. A value of A value of`NIFI`indicates to use the truststore
specified by |
nifi.security.user.saml.http.client.connect.timeout |
The connection timeout when communicating with the SAML IDP. |
nifi.security.user.saml.http.client.read.timeout |
The read timeout when communicating with the SAML IDP. |
