question Re: Nifi-Registry OIDC + Windows ADFS in Support Questions

Nifi-Registry OIDC + Windows ADFS

blackboks — Fri, 16 May 2025 15:05:23 GMT

Hello!

I'm trying to set up Nifi-Registry OIDC authentication with Windows ADFS as oidc provider, but have no luck. Using self-signed sertificates for SSL connection i'm able to LOGIN in web interface with initial admin and create some groups with different priveleges, for examle nifi-reg-admins with full rights. In Active Directory this group is also present and the user nifi-admin-2@blackboks.ru is member of this group. In ADFS Management a have setup template Server application accessing a web API with issuance transform rule as "Send Groupmembership as a Claim". Respectively i choose nifi-reg-admins group as User group, Outgoing claim type - Group and Outgoing claim value - nifi-reg-admins.

I can login with nifi-admin-2@blackboks.ru into web interface, but there is no admin priveleges at all and in logs i see this:

INFO [NiFi Registry Web Server-39] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[nifi-admin-2@blackboks.ru], groups[] does not have permission to access the requested resource. Unable to view users/user groups. Returning Forbidden response.

It's like i don't have any groups but i do..

Here is OIDC sections in property file:

nifi.registry.security.user.oidc.discovery.url=https://adfs.blackboks.ru/adfs/.well-known/openid-configuration nifi.registry.security.user.oidc.connect.timeout=5 secs nifi.registry.security.user.oidc.read.timeout=5 secs nifi.registry.security.user.oidc.client.id=id nifi.registry.security.user.oidc.client.secret=secret nifi.registry.security.user.oidc.preferred.jwsalgorithm=RS256 nifi.registry.security.user.oidc.claim.groups=group nifi.registry.security.user.oidc.claim.identifying.user=upn nifi.registry.security.user.oidc.additional.scopes=openid,cn,email,group,role,roles,profile,offline_access

Please help me to accomplish this

Re: Nifi-Registry OIDC + Windows ADFS

MattWho — Fri, 16 May 2025 20:04:59 GMT

@blackboks

Authentication and Authorization happen in two steps in NiFi and NIFi-Registry.
Group association with Users is part of the Authorization step handled by the configuration in the authorizers.xml file.

Authentication is step one which you have working. At the end of authentication all that is available and passed to for authorization is the User Identity. In yoru case " nifi-admin-2@blackboks.ru " is what is being passed to the configured authorizer. You are most likely using the managed-authorizer which utilizes the file-access-policy-provider which in turn has a dependency on one or more configurable user-group-providers (file-user-group-provider, ldap-user-group-provider, composite-user-group-provider, composite-configurable-user-group-provider). It is these user group provider that are responsible for establishing what groups the user identity belongs to.

What we can tell from the log output you shared is that your authorizer is unaware of any gorups that the user identity " nifi-admin-2@blackboks.ru " belongs to. If the authorizer was aware of any groups associated to this user identity, those groups would have been in that log output instead of blank:

identity[nifi-admin-2@blackboks.ru], groups[]

So you'll need to verify the setup in your authorizers.xml and determine which user-group-provider you will use to establish these known user to group identity mappings.

The file-user-group-provider would require you to do this manually from within the NiFi UI.

Hopefully this helps clarify the why you are seeing what you are seeing.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Re: Nifi-Registry OIDC + Windows ADFS

blackboks — Mon, 19 May 2025 16:10:51 GMT

@MattWho

Thank you for the answer

Did I understand correctly that I need to add users to a group directly in the nifi-registry web interface if i use file-user-group-provider and there is no other way to do it non manual way?

Re: Nifi-Registry OIDC + Windows ADFS

MattWho — Mon, 19 May 2025 18:33:24 GMT

@blackboks
Yes, that is correct unless you can sync user identity to group identity associations via one of the available user-group-providers available in NIFi/NiFi-Registry.

NiFi System Administrator Guide

Thank you,
Matt

Re: Nifi-Registry OIDC + Windows ADFS

blackboks — Tue, 20 May 2025 22:05:31 GMT

@MattWho Thanks a lot for detailed answers!