NIFI SAML Error


Hi,

We are seeing the below error message in nifi-app.log:

apache.nifi.web.api.SAMLAccessResource The RelayState value returned by the SAML IDP does not match the stored state

On the UI, we are seeing the below error.

Purposed RelayState does not match the stored state. Unable to continue login process.

In nifi-user.log, we see the below error:

[Anonymous authentication has not been configured.]

Any idea?

@SamarApple,
Would you be able to share your authorizers.xml configuration and the full stack trace from nifi-app.log or nifi-user.log?

Cheers,

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Hi @araujo,
In our authorizers.xml, we have the below mentioned entry:

<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">xxxx@xxx.com</property>
    <property name="Initial User Identity 2">servernode1 XXXXXX</property>
    <property name="Initial User Identity 3">servernode2 XXXXXX</property>
    <property name="Initial User Identity 4">servernode3 XXXXXX</property>
</userGroupProvider>

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">xxxxxxxx@xxx.com</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">servernode1 XXXXXX</property>
    <property name="Node Identity 2">servernode2 xxxxxx</property>
    <property name="Node Identity 3">servernode3 xxxxx</property>
    <property name="Node Group"></property>
</accessPolicyProvider>

<authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
###############################################################
nifi-app.log
###########################
Server node 1:

2022-02-28 10:42:37,897 ERROR [NiFi Web Server-162] o.apache.nifi.web.api.SAMLAccessResource The RelayState value returned by the SAML IDP does not match the stored state. Unable to continue login process.

##########################
Server node 2:

2022-02-28 10:42:27,550 WARN [NiFi Web Server-151] o.apache.nifi.web.api.SAMLAccessResource The login request identifier was not found in the request. Unable to continue.

########################
Server node 3: This is the node where we see the SAML request logs:

2022-02-28 10:42:28,269 DEBUG [NiFi Web Server-217] org.apache.velocity.loader ResourceManager: found /templates/saml2-post-binding.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader

2022-02-28 10:42:28,270 DEBUG [NiFi Web Server-217] org.apache.velocity.loader ResourceManager: found /templates/add-html-head-content.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader

2022-02-28 10:42:28,271 DEBUG [NiFi Web Server-217] org.apache.velocity.loader ResourceManager: found /templates/add-html-body-content.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader

2022-02-28 10:42:28,273 DEBUG [NiFi Web Server-217] PROTOCOL_MESSAGE 

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="https://xxxxxxxx/nifi-api/access/saml/login/consumer"
    Destination="xxxxxxxxx"
    ForceAuthn="false" ID="xxxxx"
    IsPassive="false" IssueInstant="2022-02-28T10:42:28.261Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">xxxxxxx</saml2:Issuer>
</saml2p:AuthnRequest>
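
The three log excerpts above show the AuthnRequest being issued on one node while the IdP's response is rejected on two others. The following is an added example written for this thread; it is not Apache NiFi's code and not something the original posters wrote. It models a service provider (SP) that keeps the RelayState for an in-flight login in node-local memory and hands the browser a request-identifier cookie, so a response that reaches a node other than the one that issued the request cannot be matched. The cookie name, node layout and in-memory cache are assumptions for illustration; the two rejection strings are copied from the posted nifi-app.log lines. The second half runs a small classification over shortened copies of those posted lines to show which node played which part in the exchange.

```python
"""Model of per-node SAML login state, plus a check over the posted logs.

Added example for this thread, not Apache NiFi's own code. The SpNode
class, cookie name and in-memory store are assumptions used to illustrate
why a RelayState check fails when the IdP response lands on a different
node than the one that started the login.
"""
import secrets

REQ_ID_COOKIE = "saml-request-identifier"  # assumed cookie name

# Rejection strings copied from the posted nifi-app.log lines.
MSG_NO_ID = ("The login request identifier was not found in the request. "
             "Unable to continue.")
MSG_MISMATCH = ("The RelayState value returned by the SAML IDP does not match "
                "the stored state. Unable to continue login process.")


class SpNode:
    """One cluster node of the SP with its own in-memory login state."""

    def __init__(self, name):
        self.name = name
        self.pending = {}  # request identifier -> expected RelayState

    def begin_login(self):
        """Issue the AuthnRequest: remember the RelayState on this node only,
        return the cookie the browser will carry and the RelayState that is
        sent to the IdP."""
        request_id = secrets.token_urlsafe(16)
        relay_state = secrets.token_urlsafe(16)
        self.pending[request_id] = relay_state
        return {REQ_ID_COOKIE: request_id}, relay_state

    def consume_response(self, cookies, relay_state):
        """Handle the IdP's POST to the assertion consumer URL."""
        request_id = cookies.get(REQ_ID_COOKIE)
        if request_id is None:
            return MSG_NO_ID
        stored = self.pending.pop(request_id, None)  # single use
        if stored is None or stored != relay_state:
            return MSG_MISMATCH
        return "OK"


def login_round_trip(start, finish, keep_cookie=True):
    """Start the login on `start`, deliver the IdP response to `finish`."""
    cookies, relay_state = start.begin_login()
    if not keep_cookie:
        cookies = {}  # browser did not send the request-identifier cookie
    return finish.consume_response(cookies, relay_state)


# Constructed, shortened copies of the lines posted in the thread.
POSTED_LOGS = {
    "node1": ["2022-02-28 10:42:37,897 ERROR [NiFi Web Server-162] "
              "o.apache.nifi.web.api.SAMLAccessResource " + MSG_MISMATCH],
    "node2": ["2022-02-28 10:42:27,550 WARN [NiFi Web Server-151] "
              "o.apache.nifi.web.api.SAMLAccessResource " + MSG_NO_ID],
    "node3": ["2022-02-28 10:42:28,273 DEBUG [NiFi Web Server-217] PROTOCOL_MESSAGE",
              '<saml2p:AuthnRequest AssertionConsumerServiceURL="https://xxxxxxxx/'
              'nifi-api/access/saml/login/consumer" Version="2.0"/>'],
}


def saml_roles_by_node(logs_by_node):
    """Classify each node's part in the SAML exchange from its log lines.

    Returns {node: role}, role being 'issued-request', 'rejected-response'
    or 'no-saml'."""
    roles = {}
    for node, lines in logs_by_node.items():
        text = "\n".join(lines)
        if "saml2p:AuthnRequest" in text:
            roles[node] = "issued-request"
        elif "SAMLAccessResource" in text and (MSG_MISMATCH in text or MSG_NO_ID in text):
            roles[node] = "rejected-response"
        else:
            roles[node] = "no-saml"
    return roles


def flow_crossed_nodes(logs_by_node):
    """True when more than one node took part in the same login window,
    i.e. the browser did not stay on the node that issued the request."""
    roles = saml_roles_by_node(logs_by_node)
    return sum(1 for r in roles.values() if r != "no-saml") > 1


if __name__ == "__main__":
    a, b = SpNode("node3"), SpNode("node1")
    print("same node:", login_round_trip(a, a))
    print("other node:", login_round_trip(a, b))
    print("no cookie:", login_round_trip(a, a, keep_cookie=False))
    print(saml_roles_by_node(POSTED_LOGS), flow_crossed_nodes(POSTED_LOGS))
```

With the same node at both ends the login completes; when the response reaches a different node the lookup finds nothing and the model returns the mismatch message seen on node 1; when the cookie is absent it returns the message seen on node 2. Over the posted excerpts the classifier reports node 3 as the issuer and nodes 1 and 2 as rejecting responses within the same ten-second window, which is what a practitioner would want to confirm before looking at how requests are routed to the cluster. How the real deployment routes requests is not described in the thread.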


@Abhishek27Apple,
Could you also please share the SAML properties in your nifi.properties file?

André
@araujo,

# SAML Properties #
nifi.security.user.saml.idp.metadata.url=file:///pathtoIPDMetaDataFile/
nifi.security.user.saml.sp.entity.id=xxxxx
nifi.security.user.saml.identity.attribute.name=email
nifi.security.user.saml.group.attribute.name=
nifi.security.user.saml.metadata.signing.enabled=false
nifi.security.user.saml.request.signing.enabled=false
nifi.security.user.saml.want.assertions.signed=true
nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
nifi.security.user.saml.signature.digest.algorithm=http://www.w3.org/2001/04/xmlenc#sha256
nifi.security.user.saml.message.logging.enabled=true
nifi.security.user.saml.authentication.expiration=8 hours
nifi.security.user.saml.single.logout.enabled=false
nifi.security.user.saml.http.client.truststore.strategy=JDK
nifi.security.user.saml.http.client.connect.timeout=30 secs
nifi.security.user.saml.http.client.read.timeout=30 secs

Abhishek