
Is there a way to allow both SSO and LDAP authentication in NiFi?

Expert Contributor

Hello,

I currently run my cluster in NiFi using LDAP authentication; however, I was wondering if I could configure NiFi to allow SSO in addition to LDAP authentication, or if I can only specifically use one method of authentication at a time? The reason I ask is that I am trying to grant access to additional users, but these users cannot access through LDAP, so I wanted to know if it was possible to allow these additional users through SSO in some way in NiFi without having to configure Kerberos authentication instead of LDAP. I know that since NiFi 1.0.0 they added the "Identity Mapping Properties". Would these mapping properties be able to help? Or is there any other way this could be possible?

1 ACCEPTED SOLUTION

Master Mentor

@Adda Fuentes

NiFi authentication always defaults to TLS certificates. If the user does not present a user certificate, then NiFi will fall over to the alternate configured login identifier (either LDAP or Kerberos). NiFi does not support specifying more than one of these alternate login identity providers (ldap-provider or kerberos-provider) at a time.

Current versions of NiFi have also added SPNEGO support for user authentication. This authentication, when configured in the nifi.properties file, falls between user certificates and any login-identity-providers configured in the login-identity-providers.xml file. Setting up SPNEGO will require configuration changes to your browser to support logging in without needing to use a username and password as you would with the kerberos-provider.

See below for more details on setting up SPNEGO for user authentication:

http://bryanbende.com/development/2016/08/31/apache-nifi-1.0.0-kerberos-authentication

The identity mapping patterns allow you to take the DN returned by LDAP or the user's certificate and map it to a different value. This makes it easier to set up user authorizations, since you will only need to provide that mapped value as the user name for the authorization instead of the full DN. The Kerberos pattern mapping has similar intent, so you may use pattern mapping to remove the @domain portion of the principal.

Matt

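Matt's description of the identity mapping patterns, worked through as an added example that is not code from this thread or from NiFi itself: a small Python reimplementation of the mapping semantics (whole-identity match, $n group substitution, optional LOWER/UPPER transform, first matching mapping in key order, unmatched identities passed through) applied to a constructed nifi.properties fragment, an LDAP DN and a Kerberos principal. The property keys are NiFi's real identity-mapping keys; the patterns, values and sample identities are constructed for this illustration.

```python
import re
# Constructed nifi.properties fragment: the keys are NiFi's real identity-mapping keys;
# the patterns/values are chosen here so that an LDAP DN and a Kerberos principal both
# map to the same bare user name, which is what the authorizer then needs to know.
NIFI_PROPERTIES = """
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.transform.dn=LOWER
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1
nifi.security.identity.mapping.transform.kerb=LOWER
"""
PREFIX = "nifi.security.identity.mapping."

def load_mappings(props_text):
    """Minimal key=value parser; groups pattern/value/transform by mapping name (dn, kerb)."""
    # Split on the first '=' only: the regex values themselves contain '='.
    props = dict(line.strip().split("=", 1) for line in props_text.splitlines()
                 if line.strip() and "=" in line and not line.lstrip().startswith("#"))
    mappings = {}
    for key, value in props.items():
        if key.startswith(PREFIX + "pattern."):
            name = key[len(PREFIX + "pattern."):]
            mappings[name] = (re.compile(value), props.get(PREFIX + "value." + name, ""),
                              props.get(PREFIX + "transform." + name, "NONE").upper())
    return mappings

def map_identity(identity, mappings):
    """First mapping (in key order) whose pattern matches the WHOLE identity wins; $n in the
    value is replaced by the captured group and LOWER/UPPER applied. No match: unchanged."""
    for name in sorted(mappings):
        pattern, value, transform = mappings[name]
        match = pattern.fullmatch(identity)
        if match is None:
            continue
        mapped = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), value)
        return {"LOWER": mapped.lower(), "UPPER": mapped.upper()}.get(transform, mapped)
    return identity  # falls through untouched, so the full DN would have to be authorized

# Constructed identities: LDAP and Kerberos forms of the same person, plus a certificate
# DN whose shape does not fit the configured dn pattern.
LDAP_DN = "CN=jdoe, OU=Users, O=Example, L=Springfield, ST=IL, C=US"
KERB_PRINCIPAL = "jdoe@EXAMPLE.COM"
UNMATCHED_DN = "CN=svc-nifi, O=Example"

def demo():
    mappings = load_mappings(NIFI_PROPERTIES)
    return {label: map_identity(ident, mappings) for label, ident in
            (("ldap", LDAP_DN), ("kerberos", KERB_PRINCIPAL), ("unmatched", UNMATCHED_DN))}
```

Because both the LDAP DN and the Kerberos principal reduce to `jdoe`, a single user entry and policy in the authorizer covers either login path; the unmatched DN shows why a pattern that does not fit every certificate shape leaves you authorizing full DNs.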

3 REPLIES


Expert Contributor

@Matt thanks for the clarification, it helps a lot!

Master Mentor

@Adda Fuentes

no problem