Configuring SSO with OpenID in NiFi
This topic describes how to configure SSO with OpenID in NiFi.
Starting from EEP 9.4.0, NiFi supports automatic configuration of OpenID Connect using HPE cluster-level SSO parameters. NiFi allows both login/password authentication and SSO login.
Automatic configuration of SSO with OpenID
nifi.security.user.oidc.discovery.url
nifi.security.user.oidc.client.id
nifi.security.user.oidc.client.secret
nifi.security.user.oidc.claim.identifying.user
$HadoopProvider is the default value that NiFi ships with out of the box for the properties listed above. The $HadoopProvider value causes the OpenID and cluster-level SSO properties to be mapped automatically.
Automatic configuration only works if NiFi is started by the cluster admin.
If cluster-level SSO is disabled (SSO parameters are set or reset), OpenID will be disabled in NiFi.
If you make any changes to the cluster-level SSO parameters, restart NiFi for the changes to take effect.
Manual configuration
To manually configure SSO with OpenID, see the Apache NiFi documentation for OpenID Connect. Ensure that you provide literal values for all OIDC properties instead of using $HadoopProvider values.
Disabling NiFi SSO with OpenID
To disable SSO with OpenID in NiFi, comment out the nifi.security.user.oidc.discovery.url property, or leave its value blank.
Login Page
- If both OpenID and user name and password authentication methods are enabled, the user can choose an authentication method on the login page.
- If SSO with OpenID is enabled, but user name and password authentication is not, the SSO login page appears.
- If SSO with OpenID is disabled, the SSO button will be inactive.
Troubleshooting
SSO button is inactive with auto-configuration
Ensure that the cluster-level SSO parameters are set with cluster setssoconf, and can be retrieved with the cluster getssoconf command.
Ensure NiFi is configured to launch with the cluster admin user (this is the default). To verify, check the run.as value in bootstrap.conf.
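The checks described on this page can be scripted. The following is an added example, not code from HPE or Apache NiFi: it classifies the four OIDC properties as disabled, automatic, or manual, flags a half-edited configuration, and checks run.as. It assumes plain key=value lines; the mode label "incomplete", the IdP URL, and the user name `clusteradmin` are constructed placeholders.

```python
# Added example: classify NiFi OIDC settings without printing secret values.
OIDC_KEYS = (
    "nifi.security.user.oidc.discovery.url",
    "nifi.security.user.oidc.client.id",
    "nifi.security.user.oidc.client.secret",
    "nifi.security.user.oidc.claim.identifying.user",
)
AUTO = "$HadoopProvider"

def parse_properties(text):
    """Parse key=value lines; commented-out and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def oidc_mode(nifi_properties):
    """Return (mode, problem_keys); only key names are reported, never values."""
    props = parse_properties(nifi_properties)
    if not props.get(OIDC_KEYS[0]):
        return "disabled", []  # discovery URL commented out or left blank
    auto = [k for k in OIDC_KEYS if props.get(k) == AUTO]
    if len(auto) == len(OIDC_KEYS):
        return "automatic", []
    blank = [k for k in OIDC_KEYS if not props.get(k)]
    # Manual setup needs literal values for all four properties.
    return ("manual" if not auto and not blank else "incomplete"), auto + blank

def run_as_matches(bootstrap_conf, cluster_admin):
    """True when run.as in bootstrap.conf names the expected cluster admin."""
    return parse_properties(bootstrap_conf).get("run.as") == cluster_admin

# Constructed sample: discovery URL made literal, other keys left on the default.
SAMPLE_NIFI = """\
nifi.security.user.oidc.discovery.url=https://idp.example.com/.well-known/openid-configuration
nifi.security.user.oidc.client.id=$HadoopProvider
nifi.security.user.oidc.client.secret=$HadoopProvider
nifi.security.user.oidc.claim.identifying.user=$HadoopProvider
"""
SAMPLE_BOOTSTRAP = "java=java\nrun.as=clusteradmin\n"  # constructed placeholder user

if __name__ == "__main__":
    mode, keys = oidc_mode(SAMPLE_NIFI)
    print(mode, keys)
    print("run.as ok:", run_as_matches(SAMPLE_BOOTSTRAP, "clusteradmin"))
```

A result of "incomplete" lists the property names that still hold $HadoopProvider or are blank while the discovery URL is set.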