Created on 02-27-2022 05:48 PM - edited 02-27-2022 05:52 PM
Hi,
We are seeing the below error message in nifi-app.log:
apache.nifi.web.api.SAMLAccessResource The RelayState value returned by the SAML IDP does not match the stored state
and on the UI we are seeing the below error:
Purposed RelayState does not match the stored state. Unable to continue login process.
In nifi-user.log, we see the below error:
[Anonymous authentication has not been configured.]
Any idea?
Created 02-27-2022 06:21 PM
Would you be able to share your authorizers.xml configuration and the full stack trace from nifi-app.log or nifi-user.log?
Cheers,
André
Created 02-28-2022 02:52 AM
Hi @araujo,
In our authorizers.xml, we have the below-mentioned entry:
<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">xxxx@xxx.com</property>
    <property name="Initial User Identity 2">servernode1 XXXXXX</property>
    <property name="Initial User Identity 3">servernode2 XXXXXX</property>
    <property name="Initial User Identity 4">servernode3 XXXXXX</property>
</userGroupProvider>
<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">xxxxxxxx@xxx.com</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">servernode1 XXXXXX</property>
    <property name="Node Identity 2">servernode2 xxxxxx</property>
    <property name="Node Identity 3">servernode3 xxxxx</property>
    <property name="Node Group"></property>
</accessPolicyProvider>
<authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
###############################################################
nifi-app.log
###########################
Server node 1:
2022-02-28 10:42:37,897 ERROR [NiFi Web Server-162] o.apache.nifi.web.api.SAMLAccessResource The RelayState value returned by the SAML IDP does not match the stored state. Unable to continue login process.
##########################
Server node 2:
2022-02-28 10:42:27,550 WARN [NiFi Web Server-151] o.apache.nifi.web.api.SAMLAccessResource The login request identifier was not found in the request. Unable to continue.
########################
Server node 3: This is the node where we see the SAML request logs:
2022-02-28 10:42:28,269 DEBUG [NiFi Web Server-217] org.apache.velocity.loader ResourceManager: found /templates/saml2-post-binding.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
2022-02-28 10:42:28,270 DEBUG [NiFi Web Server-217] org.apache.velocity.loader ResourceManager: found /templates/add-html-head-content.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
2022-02-28 10:42:28,271 DEBUG [NiFi Web Server-217] org.apache.velocity.loader ResourceManager: found /templates/add-html-body-content.vm with loader org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
2022-02-28 10:42:28,273 DEBUG [NiFi Web Server-217] PROTOCOL_MESSAGE
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="https://xxxxxxxx/nifi-api/access/saml/login/consumer"
    Destination="xxxxxxxxx"
    ForceAuthn="false" ID="xxxxx"
    IsPassive="false" IssueInstant="2022-02-28T10:42:28.261Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">xxxxxxx</saml2:Issuer>
</saml2p:AuthnRequest>
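The two messages in the logs above (RelayState mismatch on node 1, login request identifier not found on node 2, while the AuthnRequest was issued by node 3) both come from the service provider's RelayState check, which binds the IdP's response to a login that this SP started. As an added illustration that is not NiFi's code and was not posted in this thread, here is a small model of that check; each node holding its own pending-login state, and the optional shared store, are assumptions of the model:

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

ERR_NO_ID = "The login request identifier was not found in the request. Unable to continue."
ERR_MISMATCH = "The RelayState value returned by the SAML IDP does not match the stored state."


class SpNode:
    """One service-provider node. By default it keeps pending logins in a
    node-local dict (assumption of this model); pass a shared dict to model
    state that every node in the cluster can see."""

    def __init__(self, name: str, store: Optional[Dict[str, str]] = None) -> None:
        self.name = name
        self._pending = store if store is not None else {}

    def start_login(self) -> Tuple[str, str]:
        """Issue an AuthnRequest: a fresh request id (which the browser later
        presents again) bound to a random, unguessable RelayState."""
        request_id = "_" + secrets.token_hex(16)
        relay_state = secrets.token_urlsafe(32)
        self._pending[request_id] = relay_state
        return request_id, relay_state

    def consume_response(self, request_id: Optional[str], relay_state: str) -> str:
        """Validate the IdP's POST to the consumer endpoint."""
        if request_id is None:            # browser did not present the login identifier
            return ERR_NO_ID
        stored = self._pending.get(request_id)
        # constant-time compare; a node that never stored this id also fails here
        if stored is None or not hmac.compare_digest(stored, relay_state):
            return ERR_MISMATCH
        del self._pending[request_id]     # one-time use: a replayed response is rejected
        return "OK"


def simulate(cluster, issuing: int, consuming: int, cookie_present: bool = True) -> str:
    """Start the login on cluster[issuing] and deliver the IdP response to
    cluster[consuming], as a load balancer without session affinity might."""
    request_id, relay_state = cluster[issuing].start_login()
    return cluster[consuming].consume_response(request_id if cookie_present else None, relay_state)


if __name__ == "__main__":
    local = [SpNode("servernode1"), SpNode("servernode2"), SpNode("servernode3")]
    print(simulate(local, 2, 2))                          # OK: same node issued and consumed
    print(simulate(local, 2, 0))                          # RelayState mismatch on another node
    print(simulate(local, 2, 1, cookie_present=False))    # login request identifier not found
    shared: Dict[str, str] = {}
    print(simulate([SpNode("n%d" % i, shared) for i in range(3)], 2, 0))  # OK via shared state
```

The check only passes when the node that validates the response can see the state recorded by the node that issued the request, and a response is accepted at most once.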
Created 02-28-2022 03:56 PM
Could you also please share the SAML properties in your nifi.properties file?
André
Created 03-01-2022 10:19 PM
@araujo,
# SAML Properties #
nifi.security.user.saml.idp.metadata.url=file:///pathtoIPDMetaDataFile/
nifi.security.user.saml.sp.entity.id=xxxxx
nifi.security.user.saml.identity.attribute.name=email
nifi.security.user.saml.group.attribute.name=
nifi.security.user.saml.metadata.signing.enabled=false
nifi.security.user.saml.request.signing.enabled=false
nifi.security.user.saml.want.assertions.signed=true
nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
nifi.security.user.saml.signature.digest.algorithm=http://www.w3.org/2001/04/xmlenc#sha256
nifi.security.user.saml.message.logging.enabled=true
nifi.security.user.saml.authentication.expiration=8 hours
nifi.security.user.saml.single.logout.enabled=false
nifi.security.user.saml.http.client.truststore.strategy=JDK
nifi.security.user.saml.http.client.connect.timeout=30 secs
nifi.security.user.saml.http.client.read.timeout=30 secs
Abhishek