Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NIFI-9849 Refactor SAML Support with Spring Security 5 #6145

Closed
wants to merge 3 commits into from
Closed

NIFI-9849 Refactor SAML Support with Spring Security 5 #6145

wants to merge 3 commits into from

Conversation

exceptionfactory
Copy link
Contributor

Summary

NIFI-9849 Refactors SAML 2.0 authentication support using Spring Security 5 libraries.

The spring-security-saml2-core library reached end of life in October 2021. Spring Security 5 introduced direct support for SAML 2.0 integration through the spring-security-saml2-service-provider library.

The refactored implementation replaces custom REST resources with Spring Security Filters and related components. The new Saml2AccessResource class has a single method for returning a Bearer Token previously set as cookie following successful SAML 2.0 authentication. The updated approach maintains support for existing SAML resource paths, and the Administrator's Guide includes an additional section for supported resources.

The new implementation retains support for existing SAML application properties, with the exception of the following removed properties:

  1. nifi.security.user.saml.message.logging.enabled
  2. nifi.security.user.saml.metadata.signing.enabled
  3. nifi.security.user.saml.signature.digest.algorithm

The message.logging.enabled property is no longer applicable to the refactored implementation, and standard logger configuration applies to various Spring Security components.

The metadata.signing.enabled and signature.digest.algorithm properties applied signing SAML metadata and do not have analogous options in Spring Security 5.

The Spring Security 5 library supports both OpenSAML 3 and OpenSAML 4, however, OpenSAML 4 requires Java 11. Spring Security has marked OpenSAML 3 components as deprecated, and these implementations will need to be replaced with OpenSAML 4 components when Apache NiFi removes support for Java 8.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 8
    • JDK 11
    • JDK 17

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

@exceptionfactory
NIFI-9849 Refactored SAML Support with Spring Security 5
5319cb7 
- Updated SAML Authentication Configuration with Spring Security SAML 2 components
- Updated Administration Guide with REST Resources
- Replaced SAMLAccessResource methods with applicable Spring Security Filters
- Removed IDP Credential Service and supporting components
- Removed message.logging.enabled, metadata.signing.enabled, and signature.digest.algorithm properties
@thenatog
Copy link
Contributor

Cool, will test this one out

@thenatog
Copy link
Contributor

One thing I'm noticing is that the logout button isn't appearing in the top right corner after login. I am able to log in so far though using a Google SAML provider.

@exceptionfactory
NIFI-9849 Added Access Token Expiration resource method
23fe441 
- Removed Saml2AccessResource and replaced with Access Token Expiration to avoid unnecessary conflicts with SAML login consumer
@exceptionfactory
Copy link
Contributor Author

One thing I'm noticing is that the logout button isn't appearing in the top right corner after login.

Thanks for the feedback and highlighting the problem @thenatog. The /access/saml/login/exchange resource was conflicting with the SAML 2 filter responsible for consuming Asserting Party messages. As a result of the conflict, the web user interface did not retrieve the access token, which prevented the logout button from appearing.

Returning the entire token to the user interface is no longer necessary for the SAML authentication process, so I pushed an update that replaces the exchange method with a simpler approach that returns the Access Token Expiration, which is what the user interface uses to determine the visibility of the logout button.

@thenatog
Copy link
Contributor

Confirmed that the logout button is now present, and I'm able to log in and out repeatedly without issue.

bbende
bbende approved these changes Jun 28, 2022
View reviewed changes
Copy link
Contributor

@bbende bbende left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work! I tested this in an environment that uses SAML with NiFi behind a reverse-proxy and was able to successfully authenticate to NiFi, everything worked as a drop-in replacement without needing to change anything in nifi.properties.

@thenatog
Copy link
Contributor

+1 will merge

@thenatog thenatog closed this Jun 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bbende bbende bbende approved these changes

@thenatog thenatog Awaiting requested review from thenatog

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@exceptionfactory @thenatog @bbende