question Nifi + NGINX+ OneLogin Authentication issue - SAML Authentication Request Identifier Cookie not found in Support Questions

Nifi + NGINX+ OneLogin Authentication issue - SAML Authentication Request Identifier Cookie not found

rsurti — Fri, 20 Dec 2024 13:13:12 GMT

Hi
I have integrated Secured Nifi with NGINX and is integrated with Onelogin SAML 2.0 Custom Connector (Advanced)

After entering credentials of one login it shows user logged in on onelogin portal,
But on Browser it redirects to /nifi-api/access/saml/login/consumer this url and
it shows

HTTP ERROR 401 Unauthorized

URI:STATUS:MESSAGE:

/nifi-api/access/saml/login/consumer

401

Unauthorized

Few findings are-
Recipient value in SAML payload is empty and
Cookie value is not matching with InResponseTo value in SAML Payload
Also not sure how to match it

from nifi.user.log file i can see error:

SAML Authentication Request Identifier Cookie not found

Can anyone please guide here?

Re: Nifi + NGINX+ OneLogin Authentication issue - SAML Authentication Request Identifier Cookie not found

Shelton — Sun, 22 Dec 2024 17:45:57 GMT

@rsurti
The issue described suggests a mismatch or misconfiguration in the SAML integration with NiFi and NGINX. The following analysis and potential solutions should address your findings

SAML Payload Issues:
- Empty Recipient Value: The Recipient in the SAML assertion should match the ACS (Assertion Consumer Service) URL configured in NiFi. If it is empty, this indicates a misconfiguration in the SAML IdP (OneLogin).
- Cookie and InResponseTo Mismatch: The InResponseTo attribute in the SAML response should correspond to the SAML request identifier issued by NiFi. If the cookie storing the SAML request ID is missing or mismatched, authentication fails.
NiFi Error: SAML Authentication Request Identifier Cookie not found:
- This suggests that the browser is not sending back the SAML request ID cookie, or NiFi cannot recognize it. This could happen if:
  - The cookie is not set or overwritten by NGINX.
  - The cookie is being blocked or dropped due to cross-domain or SameSite restrictions.
  - NGINX is misconfigured to handle or forward SAML cookies.

Probable Causes

NiFi Configuration:
- Misconfigured nifi.security.user.saml properties in nifi.properties.
- ACS URL mismatch between NiFi and OneLogin.
NGINX Configuration:
- Improper handling of cookies, particularly the SAML request identifier cookie.
- Incorrect forwarding of headers or paths for SAML requests and responses.
OneLogin Configuration:
- The SAML application in OneLogin is not configured to provide a valid Recipient or ACS URL.
- Mismatched SAML settings such as entity ID, ACS URL, or signature settings.

Steps to Resolve

1. Verify and Update NiFi Configuration

Ensure the nifi.properties file has the correct SAML configurations:

nifi.security.user.saml.idp.metadata.url=<OneLogin SAML Metadata URL>
nifi.security.user.saml.sp.entity.id=<NiFi Entity ID>
nifi.security.user.saml.sp.base.url=https://<nifi-url> # Same as what users access
nifi.security.user.saml.authentication.expiration=12 hours
nifi.security.user.saml.request.identifier.name=nifi-request-id

The nifi.security.user.saml.sp.base.url must match the Recipient value in the SAML response.
2. Check OneLogin SAML Connector Configuration

Ensure the Recipient value in OneLogin matches the NiFi ACS URL:
- ACS URL: https://<nifi-url>/nifi-api/access/saml/login/consumer
Verify that the SAML settings in OneLogin include:
- Audience (Entity ID): Matches nifi.security.user.saml.sp.entity.id.
- ACS URL: Matches nifi.security.user.saml.sp.base.url.

3. Debug and Adjust NGINX Configuration

Ensure NGINX is not interfering with SAML cookies

proxy_pass https://<nifi-host>:9444;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cookie_path / "/; SameSite=None; Secure";

Add debug logging to check if cookies are being forwarded correctly.

4. Troubleshoot Cookie Handling

Check the browser developer tools (under Application > Cookies) to verify that the SAML request identifier cookie is being set and returned.
Ensure the SameSite=None and Secure flags are set for the cookies.

5. Check SAML Logs for Errors

In the nifi-user.log file, look for logs that provide details on the failed SAML authentication, including:
- Missing cookies.
- InResponseTo mismatch.

6. Test the Flow

After making the adjustments, perform the following:
1. Clear browser cookies.
2. Initiate the SAML login process from the NiFi GUI.
3. Check if the Recipient and InResponseTo values align in the SAML assertion and request.

Use a SAML debugging tool like SAML-tracer (browser extension) to inspect the SAML request/response flows before that enable debug

Enable detailed logging in NiFi for SAML authentication by modifying logback.xml

Let me know if you need further assistance! Happy hadooping

Re: Nifi + NGINX+ OneLogin Authentication issue - SAML Authentication Request Identifier Cookie not found

rsurti — Tue, 14 Jan 2025 14:19:44 GMT

Still not working

Re: Nifi + NGINX+ OneLogin Authentication issue - SAML Authentication Request Identifier Cookie not found

rsurti — Tue, 14 Jan 2025 14:21:07 GMT

Works for few users connected to Lan , but not working for user connect to wifi under same network

Re: Nifi + NGINX+ OneLogin Authentication issue - SAML Authentication Request Identifier Cookie not found

Shelton — Mon, 20 Jan 2025 13:41:21 GMT

@rsurti

If SAML authentication works for LAN users but not for users on Wi-Fi, even when both are on the same network, it suggests differences in how the network or devices are configured for each connection type.

Here’s how you can troubleshoot and resolve this issue:

DNS Resolution: Check if Wi-Fi users can resolve the identity provider (IdP) and service provider (SP) URLs correctly.

nslookup idp.example.com

Capture SAML requests/responses using browser developer tools (Network tab). Look for differences in:

Redirect URLs
Assertions
Error codes

Common issues include:

Misconfigured callback URLs.

Device Configuration

Check if device firewalls or VPNs are interfering with SAML traffic over Wi-Fi.
Ensure browser settings (e.g., cookie policies) do not block SAML cookies.

Connect a user to LAN and Wi-Fi simultaneously (if possible) to identify differences in routing or access.

Please revert Happy hadooping