Configuring SSO with OpenID in NiFi

This topic describes how to configure SSO with OpenID in NiFi.

Starting from EEP 9.4.0, NiFi supports the automatic configuration of OpenID Connect using HPE cluster-level SSO parameters. NiFi allows both login/password authentication and SSO login.

Automatic configuration of SSO with OpenID

Starting from 9.4.0, NiFi automatically maps the cluster-level SSO parameters to the corresponding OpenID configuration properties. The following OpenID properties are automatically mapped to values from the cluster-level SSO parameters:
  • nifi.security.user.oidc.discovery.url
  • nifi.security.user.oidc.client.id
  • nifi.security.user.oidc.client.secret
  • nifi.security.user.oidc.claim.identifying.user

$HadoopProvider is the default value that NiFi ships with, out of the box, for the properties listed above. The $HadoopProvider value is what triggers the automatic mapping between the OpenID properties and the cluster-level SSO parameters.

Automatic configuration only works if NiFi is started by the cluster admin.

If cluster-level SSO is disabled (SSO parameters are set or reset), OpenID will be disabled in NiFi.

If you make any changes to the cluster-level SSO parameters, restart NiFi for the changes to take effect.

Manual configuration

To manually configure SSO with OpenID, see the Apache NiFi documentation for OpenID Connect. Ensure that you provide literal values for all OIDC properties instead of using $HadoopProvider values.

Disabling NiFi SSO with OpenID

To disable SSO with OpenID in NiFi, comment out the nifi.security.user.oidc.discovery.url property, or leave its value blank.

Login Page

  • If both OpenID and user name and password authentication are enabled, the user can choose an authentication method on the login page.
  • If SSO with OpenID is enabled, but user name and password authentication is not, the SSO login page appears.
  • If SSO with OpenID is disabled, the SSO button will be inactive.

Troubleshooting

SSO button is inactive with auto-configuration

Ensure that the cluster-level SSO parameters are set with the cluster setssoconf command, and can be retrieved with the cluster getssoconf command.

Ensure that NiFi is configured to launch as the cluster admin user (this is the default).

To verify, check the run.as value in bootstrap.conf.
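
The checks described on this page (which mode the four OIDC properties put NiFi in, and whether run.as matches the cluster admin when auto-configuration is used) can be scripted. The following Python is an added example, not HPE or Apache NiFi code; the function names, the sample file contents and the cluster admin name passed in are assumptions.

```python
AUTO = "$HadoopProvider"  # sentinel that triggers automatic mapping
OIDC_KEYS = (
    "nifi.security.user.oidc.discovery.url",
    "nifi.security.user.oidc.client.id",
    "nifi.security.user.oidc.client.secret",
    "nifi.security.user.oidc.claim.identifying.user",
)

def parse_properties(text):
    """Parse key=value lines; blank and commented-out (# or !) lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_oidc(nifi_properties, bootstrap_conf, cluster_admin):
    """Return (mode, findings); mode is 'disabled', 'auto', 'manual' or 'mixed'."""
    props = parse_properties(nifi_properties)
    if not props.get(OIDC_KEYS[0]):
        return "disabled", []  # discovery.url commented out or left blank
    findings = [f"{k} has no value" for k in OIDC_KEYS if not props.get(k)]
    auto = [k for k in OIDC_KEYS if props.get(k) == AUTO]
    literal = [k for k in OIDC_KEYS if props.get(k) not in (None, "", AUTO)]
    if auto and literal:
        # Manual configuration calls for literal values for all OIDC properties.
        findings += [f"{k} is still {AUTO} next to literal values" for k in auto]
        return "mixed", findings
    if literal:
        return "manual", findings
    # Auto-configuration only works when NiFi is started by the cluster admin.
    run_as = parse_properties(bootstrap_conf).get("run.as", "")
    if run_as != cluster_admin:
        findings.append(f"run.as={run_as!r}, expected cluster admin {cluster_admin!r}")
    return "auto", findings

# Constructed sample input, not taken from a real cluster.
SAMPLE_NIFI = """\
nifi.security.user.oidc.discovery.url=$HadoopProvider
nifi.security.user.oidc.client.id=$HadoopProvider
nifi.security.user.oidc.client.secret=$HadoopProvider
nifi.security.user.oidc.claim.identifying.user=$HadoopProvider
"""
SAMPLE_BOOTSTRAP = "run.as=nifi\n"

if __name__ == "__main__":
    # "mapr" as the cluster admin name is an assumption for this sample.
    print(audit_oidc(SAMPLE_NIFI, SAMPLE_BOOTSTRAP, "mapr"))
```

A "mixed" or "auto" result with findings points at the same causes the troubleshooting steps above check by hand.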