NIFI-9849 Refactor SAML Support with Spring Security 5 #6145
Conversation
- Updated SAML Authentication Configuration with Spring Security SAML 2 components
- Updated Administration Guide with REST Resources
- Replaced SAMLAccessResource methods with applicable Spring Security Filters
- Removed IDP Credential Service and supporting components
- Removed message.logging.enabled, metadata.signing.enabled, and signature.digest.algorithm properties
Cool, will test this one out
One thing I'm noticing is that the logout button isn't appearing in the top right corner after login. I am able to log in so far though using a Google SAML provider.
- Removed Saml2AccessResource and replaced with Access Token Expiration to avoid unnecessary conflicts with SAML login consumer
Thanks for the feedback and highlighting the problem @thenatog. Returning the entire token to the user interface is no longer necessary for the SAML authentication process, so I pushed an update that replaces the exchange method with a simpler approach that returns the Access Token Expiration, which is what the user interface uses to determine the visibility of the logout button.
8c3e77f to d18a6e1
Confirmed that the logout button is now present, and I'm able to log in and out repeatedly without issue.
Nice work! I tested this in an environment that uses SAML with NiFi behind a reverse-proxy and was able to successfully authenticate to NiFi, everything worked as a drop-in replacement without needing to change anything in nifi.properties.
+1 will merge
Summary
NIFI-9849 Refactors SAML 2.0 authentication support using Spring Security 5 libraries.
The `spring-security-saml2-core` library reached end of life in October 2021. Spring Security 5 introduced direct support for SAML 2.0 integration through the `spring-security-saml2-service-provider` library.
The refactored implementation replaces custom REST resources with Spring Security Filters and related components. The new `Saml2AccessResource` class has a single method for returning a Bearer Token previously set as a cookie following successful SAML 2.0 authentication. The updated approach maintains support for existing SAML resource paths, and the Administrator's Guide includes an additional section for supported resources.
The new implementation retains support for existing SAML application properties, with the exception of the following removed properties:
- `nifi.security.user.saml.message.logging.enabled`
- `nifi.security.user.saml.metadata.signing.enabled`
- `nifi.security.user.saml.signature.digest.algorithm`
The `message.logging.enabled` property is no longer applicable to the refactored implementation, and standard logger configuration applies to various Spring Security components. The `metadata.signing.enabled` and `signature.digest.algorithm` properties applied to signing SAML metadata and do not have analogous options in Spring Security 5.
The Spring Security 5 library supports both OpenSAML 3 and OpenSAML 4; however, OpenSAML 4 requires Java 11. Spring Security has marked OpenSAML 3 components as deprecated, and these implementations will need to be replaced with OpenSAML 4 components when Apache NiFi removes support for Java 8.
Tracking
Please complete the following tracking steps prior to pull request creation.
- Issue Tracking: NIFI-00000
- Pull Request Tracking: NIFI-00000
- Pull Request Formatting: `main` branch
Verification
Please indicate the verification steps performed prior to pull request creation.
- Build: `mvn clean install -P contrib-check`
- Licensing: `LICENSE` and `NOTICE` files
- Documentation
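To make the approach in the Summary concrete, the following is a minimal Spring Security 5 relying-party configuration of the kind `spring-security-saml2-service-provider` supports. It is an added illustration, not code from this pull request or from the Apache NiFi code base: SAML 2.0 login and Single Logout are served by Spring Security filters rather than custom REST resources, and the OpenSAML 4 authentication provider is selected explicitly, which is the Java 11 dependency the Summary mentions. The metadata location, registration id and entity id are constructed placeholders, and the class name `Saml2RelyingPartyConfiguration` is invented for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example (not NiFi project code): a SAML 2.0 relying party built on
 * spring-security-saml2-service-provider. Needs Spring Security 5.6+ for
 * saml2Logout and Java 11 because OpenSaml4AuthenticationProvider uses OpenSAML 4.
 */
@Configuration
@EnableWebSecurity
public class Saml2RelyingPartyConfiguration {

    // Constructed placeholder: location of the Identity Provider metadata document.
    private static final String IDP_METADATA_LOCATION = "classpath:idp-metadata.xml";

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        // IdP endpoints, signing certificates and signature requirements are read
        // from the IdP metadata instead of being hand-maintained in properties.
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation(IDP_METADATA_LOCATION)
                .registrationId("example-idp") // constructed registration id
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .assertionConsumerServiceLocation("{baseUrl}/login/saml2/sso/{registrationId}")
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    @Bean
    public SecurityFilterChain saml2FilterChain(HttpSecurity http) throws Exception {
        // Validates the Response signature, audience, conditions and timestamps with OpenSAML 4.
        OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();

        http
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            // Saml2WebSsoAuthenticationRequestFilter builds the AuthnRequest and
            // Saml2WebSsoAuthenticationFilter consumes the Response at the ACS URL,
            // so no application-specific REST resource is needed for login.
            .saml2Login(saml2 -> saml2
                .authenticationManager(new ProviderManager(authenticationProvider)))
            // Saml2LogoutRequestFilter and Saml2LogoutResponseFilter handle Single Logout.
            .saml2Logout(Customizer.withDefaults());
        return http.build();
    }
}
```

Diagnostic output for these filters comes from ordinary logger configuration on the `org.springframework.security.saml2` package rather than from an application property, which is why a dedicated message-logging switch is unnecessary in this model. Anything the application still needs after authentication, such as issuing its own bearer token and reporting its expiration to a user interface, belongs in a success handler layered on top of this chain rather than in a replacement for the filters.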