Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Nifi + NGINX+ OneLogin Authentication issue - SAML Authentication Request Identifier Cookie not found

Labels:
avatar
author-rank rsurti
Explorer

Created ‎12-20-2024 05:13 AM

Hi 
     I have integrated Secured Nifi with NGINX and is integrated with Onelogin SAML 2.0 Custom Connector (Advanced)

After entering credentials of one login it shows user logged in on onelogin portal,
But on Browser it redirects to /nifi-api/access/saml/login/consumer this url and 
it shows 

HTTP ERROR 401 Unauthorized

URI:STATUS:MESSAGE:

/nifi-api/access/saml/login/consumer
401
Unauthorized

Few findings are- 
Recipient value in SAML payload is empty  and 
Cookie value is not matching with InResponseTo value in SAML Payload
Also not sure how to match it

from nifi.user.log file i can see error:

SAML Authentication Request Identifier Cookie not found



Can anyone please guide here?




483 Views
4 REPLIES 4

avatar
author-rank Shelton
Master Mentor

Created ‎12-22-2024 09:45 AM

@rsurti 
The issue described suggests a mismatch or misconfiguration in the SAML integration with NiFi and NGINX. The following analysis and potential solutions  should address your findings

  • SAML Payload Issues:

    • Empty Recipient Value: The Recipient in the SAML assertion should match the ACS (Assertion Consumer Service) URL configured in NiFi. If it is empty, this indicates a misconfiguration in the SAML IdP (OneLogin).
    • Cookie and InResponseTo Mismatch: The InResponseTo attribute in the SAML response should correspond to the SAML request identifier issued by NiFi. If the cookie storing the SAML request ID is missing or mismatched, authentication fails.

  • NiFi Error: SAML Authentication Request Identifier Cookie not found:

    • This suggests that the browser is not sending back the SAML request ID cookie, or NiFi cannot recognize it. This could happen if:
      • The cookie is not set or overwritten by NGINX.
      • The cookie is being blocked or dropped due to cross-domain or SameSite restrictions.
      • NGINX is misconfigured to handle or forward SAML cookies.

Probable Causes

  1. NiFi Configuration:

    • Misconfigured nifi.security.user.saml properties in nifi.properties.
    • ACS URL mismatch between NiFi and OneLogin.

  2. NGINX Configuration:

    • Improper handling of cookies, particularly the SAML request identifier cookie.
    • Incorrect forwarding of headers or paths for SAML requests and responses.

  3. OneLogin Configuration:

    • The SAML application in OneLogin is not configured to provide a valid Recipient or ACS URL.
    • Mismatched SAML settings such as entity ID, ACS URL, or signature settings.

Steps to Resolve

1. Verify and Update NiFi Configuration

Ensure the nifi.properties file has the correct SAML configurations:

Spoiler
nifi.security.user.saml.idp.metadata.url=<OneLogin SAML Metadata URL>
nifi.security.user.saml.sp.entity.id=<NiFi Entity ID>
nifi.security.user.saml.sp.base.url=https://<nifi-url> # Same as what users access
nifi.security.user.saml.authentication.expiration=12 hours
nifi.security.user.saml.request.identifier.name=nifi-request-id

The nifi.security.user.saml.sp.base.url must match the Recipient value in the SAML response.
2. Check OneLogin SAML Connector Configuration

  • Ensure the Recipient value in OneLogin matches the NiFi ACS URL:
    • ACS URL: https://<nifi-url>/nifi-api/access/saml/login/consumer
  • Verify that the SAML settings in OneLogin include:
    • Audience (Entity ID): Matches nifi.security.user.saml.sp.entity.id.
    • ACS URL: Matches nifi.security.user.saml.sp.base.url.

3. Debug and Adjust NGINX Configuration

  • Ensure NGINX is not interfering with SAML cookies
Spoiler
proxy_pass https://<nifi-host>:9444;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cookie_path / "/; SameSite=None; Secure";

Add debug logging to check if cookies are being forwarded correctly.

4. Troubleshoot Cookie Handling

  • Check the browser developer tools (under Application > Cookies) to verify that the SAML request identifier cookie is being set and returned.
  • Ensure the SameSite=None and Secure flags are set for the cookies.

5. Check SAML Logs for Errors

  • In the nifi-user.log file, look for logs that provide details on the failed SAML authentication, including:
    • Missing cookies.
    • InResponseTo mismatch.

6. Test the Flow

  • After making the adjustments, perform the following:
    1. Clear browser cookies.
    2. Initiate the SAML login process from the NiFi GUI.
    3. Check if the Recipient and InResponseTo values align in the SAML assertion and request.

Use a SAML debugging tool like SAML-tracer (browser extension) to inspect the SAML request/response flows before that enable debug

  • Enable detailed logging in NiFi for SAML authentication by modifying logback.xml
Spoiler
<logger name="org.apache.nifi.web.security.saml" level="DEBUG" />

Let me know if you need further assistance! Happy hadooping


 

 

 

448 Views

avatar
author-rank rsurti
Explorer

Created ‎01-14-2025 06:19 AM

Still not working 

314 Views
0 Kudos

avatar
author-rank rsurti
Explorer

Created on ‎01-14-2025 06:20 AM - edited ‎01-14-2025 06:21 AM

Works for few users connected to Lan , but not working for user connect to wifi  under same  network 

314 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎01-20-2025 05:41 AM

@rsurti 

If SAML authentication works for LAN users but not for users on Wi-Fi, even when both are on the same network, it suggests differences in how the network or devices are configured for each connection type.

Here’s how you can troubleshoot and resolve this issue:

DNS Resolution: Check if Wi-Fi users can resolve the identity provider (IdP) and service provider (SP) URLs correctly.

 

 

nslookup idp.example.com

 

Capture SAML requests/responses using browser developer tools (Network tab). Look for differences in:

  • Redirect URLs
  • Assertions
  • Error codes

Common issues include:

  • Misconfigured callback URLs.

Device Configuration

  • Check if device firewalls or VPNs are interfering with SAML traffic over Wi-Fi.
  • Ensure browser settings (e.g., cookie policies) do not block SAML cookies.

Connect a user to LAN and Wi-Fi simultaneously (if possible) to identify differences in routing or access.

Please revert Happy hadooping

232 Views
0 Kudos
Announcements
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
What's New @ Cloudera
Cloudera Operational Database supports assigning ODAdmin rol...
What's New @ Cloudera
Security-Enhanced Linux (SELinux) support in Cloudera Operat...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
View More Announcements