Connecting Nifi to Keycloak

Explorer

@MattWho 

Caused by: org.apache.nifi.web.client.api.WebClientServiceException: Request execution failed HTTP Method [GET] URI [http://localhost:8080/realms/master/protocol/saml/descriptor]

using these settings:

nifi.security.user.saml.idp.metadata.url=http://localhost:8080/realms/master/protocol/saml/descriptor
nifi.security.user.saml.sp.entity.id=org:apache:nifi:saml:sp
nifi.security.user.saml.identity.attribute.name=
nifi.security.user.saml.group.attribute.name=
nifi.security.user.saml.request.signing.enabled=false
nifi.security.user.saml.want.assertions.signed=true
nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
nifi.security.user.saml.authentication.expiration=12 hours
nifi.security.user.saml.single.logout.enabled=false
nifi.security.user.saml.http.client.truststore.strategy=JDK
nifi.security.user.saml.http.client.connect.timeout=30 secs
nifi.security.user.saml.http.client.read.timeout=30 secs

Following instructions from here, except I am using the latest version of Keycloak
Apache NiFi SAML Authentication with Keycloak

Here is what the url looks like in my browser:

[two screenshots, not reproduced]

Explorer

@MattWho 
I have amazing news to report. I decided to try to do everything outside of Docker containers, and was successfully able to get it to work, using the exact configs as I pasted above.

Still would like to figure out why it wasn't able to work with Docker.
nifi.security.user.saml.idp.metadata.url=http://localhost:8080/realms/master/protocol/saml/descriptor

Maybe localhost has to be replaced with some other hostname

Master Mentor

@Darryl 

You will certainly have issues using localhost even outside Docker with a multi-node NiFi cluster, since only the NiFi node installed on the same server as Keycloak would have any chance of connecting with Keycloak. Understand that a NiFi cluster can be accessed from any node in the NiFi cluster. So the first thing I would have suggested is using the hostname of the actual server that is hosting Keycloak rather than localhost.

I am not familiar with Keycloak myself, and the article you reference (while I know the author) is very old. A lot has likely evolved/changed with regards to security since it was written.

Glad to hear you had some success, even if it was outside of Docker, and thank you for sharing what you learned with the community.

Matt
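A pre-flight check for the two reachability requirements Matt's reply points at, as an added example that is not code from the thread, from NiFi or from Keycloak: the metadata URL must resolve to Keycloak from every NiFi node (inside Docker, localhost is the NiFi container itself, not the Keycloak container), and the SingleSignOnService Location inside the descriptor must be reachable from the user's browser. The nifi.security.user.saml.* keys are NiFi's own; the hostname keycloak.example.internal, the "corrected" property set and the descriptor XML are constructed for the example.

```python
"""Pre-flight checks for NiFi's SAML IdP settings.

Added example; not code from the thread, from NiFi or from Keycloak.
The nifi.security.user.saml.* keys are NiFi's own; keycloak.example.internal,
the "corrected" property set and the metadata document are constructed here.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
P = "nifi.security.user.saml."

# Settings as posted in the question.
POSTED_PROPERTIES = """\
nifi.security.user.saml.idp.metadata.url=http://localhost:8080/realms/master/protocol/saml/descriptor
nifi.security.user.saml.sp.entity.id=org:apache:nifi:saml:sp
nifi.security.user.saml.request.signing.enabled=false
nifi.security.user.saml.want.assertions.signed=true
nifi.security.user.saml.http.client.truststore.strategy=JDK
"""

# Same settings with Keycloak addressed by a name every NiFi node can resolve
# (assumed hostname) over TLS, and AuthnRequest signing switched on.
CORRECTED_PROPERTIES = """\
nifi.security.user.saml.idp.metadata.url=https://keycloak.example.internal:8443/realms/master/protocol/saml/descriptor
nifi.security.user.saml.sp.entity.id=org:apache:nifi:saml:sp
nifi.security.user.saml.request.signing.enabled=true
nifi.security.user.saml.want.assertions.signed=true
nifi.security.user.saml.http.client.truststore.strategy=JDK
"""

# Constructed to mirror the shape of a Keycloak /protocol/saml/descriptor
# response fetched through localhost; the certificate body is a placeholder.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:8080/realms/master">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_saml_properties(props):
    """Return (code, message) findings. Every node fetches idp.metadata.url at
    startup, so it must name Keycloak as seen from each node's own network
    namespace; inside a container, localhost is the NiFi container itself."""
    findings = []
    url = urlparse(props.get(P + "idp.metadata.url", ""))
    if url.hostname in LOOPBACK_HOSTS:
        findings.append(("LOOPBACK_METADATA_HOST",
                         "%s is the NiFi node or container itself; use the "
                         "Keycloak host or service name" % url.hostname))
    if url.scheme == "http":
        findings.append(("CLEARTEXT_METADATA",
                         "the IdP signing certificate NiFi will trust comes "
                         "from this document; fetch it over https"))
    if props.get(P + "want.assertions.signed", "").lower() != "true":
        findings.append(("ASSERTIONS_UNSIGNED",
                         "NiFi would accept assertions it cannot verify"))
    if props.get(P + "request.signing.enabled", "").lower() != "true":
        findings.append(("REQUESTS_UNSIGNED",
                         "Keycloak cannot verify AuthnRequests came from this SP"))
    return findings


def check_idp_metadata(xml_text):
    """Pull out what NiFi needs from the descriptor and flag SSO endpoints that
    a browser on another machine could never follow."""
    root = ET.fromstring(xml_text)
    entity = (root if root.tag.endswith("}EntityDescriptor")
              else root.find("md:EntityDescriptor", NS))
    result = {"entity_id": entity.get("entityID"), "sso_locations": [],
              "signing_certs": 0, "findings": []}
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["findings"].append(("NO_IDP_ROLE", "no IDPSSODescriptor; wrong URL?"))
        return result
    for svc in idp.findall("md:SingleSignOnService", NS):
        loc = svc.get("Location", "")
        result["sso_locations"].append(loc)
        if urlparse(loc).hostname in LOOPBACK_HOSTS:
            result["findings"].append(("LOOPBACK_SSO_ENDPOINT",
                "browsers are redirected to %s; this comes from Keycloak's "
                "hostname, not from nifi.properties" % loc))
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # absent 'use' means both roles
            result["signing_certs"] += len(
                kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
    if not result["signing_certs"]:
        result["findings"].append(("NO_SIGNING_CERT",
            "want.assertions.signed=true can never be satisfied"))
    return result


if __name__ == "__main__":
    for code, msg in check_saml_properties(parse_properties(POSTED_PROPERTIES)):
        print(code, "-", msg)
    for code, msg in check_idp_metadata(SAMPLE_METADATA)["findings"]:
        print(code, "-", msg)
```

Against the posted settings this reports the loopback host, the cleartext fetch and the unsigned requests; against the corrected set it reports nothing. The second check matters even once the fetch works: unless Keycloak has been given a fixed hostname it derives the Location values in its descriptor from the request it was asked through, so a descriptor fetched via localhost sends every user's browser to localhost, and that is fixed on the Keycloak side, not in nifi.properties. To run it against a live IdP from each node, pass `urllib.request.urlopen(url).read()` to `check_idp_metadata`.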