
Nifi + NGINX+ OneLogin Authentication issue - SAML Authentication Request Identifier Cookie not found


Hi,
I have integrated secured NiFi with NGINX, and it is integrated with the OneLogin SAML 2.0 Custom Connector (Advanced).

After entering the OneLogin credentials, the OneLogin portal shows the user as logged in,
but the browser redirects to the URL /nifi-api/access/saml/login/consumer and
shows:

HTTP ERROR 401 Unauthorized

URI: /nifi-api/access/saml/login/consumer
STATUS: 401
MESSAGE: Unauthorized

A few findings are:
The Recipient value in the SAML payload is empty, and
the cookie value does not match the InResponseTo value in the SAML payload.
Also, I am not sure how to match it.

From the nifi.user.log file I can see the error:

SAML Authentication Request Identifier Cookie not found



Can anyone please guide here?


@rsurti 
The issue described suggests a mismatch or misconfiguration in the SAML integration with NiFi and NGINX. The following analysis and potential solutions should address your findings.

  • SAML Payload Issues:

    • Empty Recipient Value: The Recipient in the SAML assertion should match the ACS (Assertion Consumer Service) URL configured in NiFi. If it is empty, this indicates a misconfiguration in the SAML IdP (OneLogin).
    • Cookie and InResponseTo Mismatch: The InResponseTo attribute in the SAML response should correspond to the SAML request identifier issued by NiFi. If the cookie storing the SAML request ID is missing or mismatched, authentication fails.
  • NiFi Error: SAML Authentication Request Identifier Cookie not found:

    • This suggests that the browser is not sending back the SAML request ID cookie, or NiFi cannot recognize it. This could happen if:
      • The cookie is not set or overwritten by NGINX.
      • The cookie is being blocked or dropped due to cross-domain or SameSite restrictions.
      • NGINX is misconfigured to handle or forward SAML cookies.

Probable Causes

  1. NiFi Configuration:

    • Misconfigured nifi.security.user.saml properties in nifi.properties.
    • ACS URL mismatch between NiFi and OneLogin.
  2. NGINX Configuration:

    • Improper handling of cookies, particularly the SAML request identifier cookie.
    • Incorrect forwarding of headers or paths for SAML requests and responses.
  3. OneLogin Configuration:

    • The SAML application in OneLogin is not configured to provide a valid Recipient or ACS URL.
    • Mismatched SAML settings such as entity ID, ACS URL, or signature settings.

Steps to Resolve

1. Verify and Update NiFi Configuration

Ensure the nifi.properties file has the correct SAML configurations:

nifi.security.user.saml.idp.metadata.url=<OneLogin SAML Metadata URL>
nifi.security.user.saml.sp.entity.id=<NiFi Entity ID>
# Same as what users access (a Java properties file has no inline comments, so keep this on its own line)
nifi.security.user.saml.sp.base.url=https://<nifi-url>
nifi.security.user.saml.authentication.expiration=12 hours
nifi.security.user.saml.request.identifier.name=nifi-request-id

The nifi.security.user.saml.sp.base.url must match the Recipient value in the SAML response.

2. Check OneLogin SAML Connector Configuration

  • Ensure the Recipient value in OneLogin matches the NiFi ACS URL:
    • ACS URL: https://<nifi-url>/nifi-api/access/saml/login/consumer
  • Verify that the SAML settings in OneLogin include:
    • Audience (Entity ID): Matches nifi.security.user.saml.sp.entity.id.
    • ACS URL: Matches nifi.security.user.saml.sp.base.url.

3. Debug and Adjust NGINX Configuration

  • Ensure NGINX is not interfering with SAML cookies:
proxy_pass https://<nifi-host>:9444;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cookie_path / "/; SameSite=None; Secure";

Add debug logging to check if cookies are being forwarded correctly.

4. Troubleshoot Cookie Handling

  • Check the browser developer tools (under Application > Cookies) to verify that the SAML request identifier cookie is being set and returned.
  • Ensure the SameSite=None and Secure flags are set for the cookies.

5. Check SAML Logs for Errors

  • In the nifi-user.log file, look for logs that provide details on the failed SAML authentication, including:
    • Missing cookies.
    • InResponseTo mismatch.

6. Test the Flow

  • After making the adjustments, perform the following:
    1. Clear browser cookies.
    2. Initiate the SAML login process from the NiFi GUI.
    3. Check if the Recipient and InResponseTo values align in the SAML assertion and request.

Use a SAML debugging tool like SAML-tracer (browser extension) to inspect the SAML request/response flows. Before that, enable debug logging:

  • Enable detailed logging in NiFi for SAML authentication by modifying logback.xml:
<logger name="org.apache.nifi.web.security.saml" level="DEBUG" />

Let me know if you need further assistance! Happy hadooping
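As an added illustration of the matching rules the reply above describes (this is not code from the thread, from NiFi or from OneLogin), the small Python checker below reproduces the three checks an SP applies to a SAML Response: the request identifier cookie must be present, its value must equal the Response's InResponseTo, and Recipient/Destination must equal the ACS URL. The host nifi.example.internal, the cookie value _nifi_req_42 and the sample response are constructed for the example; it parses an unsigned response and deliberately leaves signature verification out.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by a SAML 2.0 Response.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed NiFi host; the ACS path is the one from the thread.
ACS_URL = "https://nifi.example.internal/nifi-api/access/saml/login/consumer"


def check_saml_response(saml_response_b64, request_id_cookie, acs_url=ACS_URL):
    """Return the reasons an SP would reject this response (empty list = OK).

    request_id_cookie is the request identifier cookie the browser sent back
    (None when it is missing, the error in the thread). Signature checks are
    out of scope here; this only shows the matching rules.
    """
    findings = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    in_response_to = root.get("InResponseTo")
    if request_id_cookie is None:
        findings.append("request identifier cookie not found")
    elif in_response_to != request_id_cookie:
        findings.append(f"InResponseTo {in_response_to!r} != cookie {request_id_cookie!r}")
    destination = root.get("Destination")
    if destination and destination != acs_url:
        findings.append(f"Destination {destination!r} != ACS URL {acs_url!r}")
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        recipient = scd.get("Recipient")
        if not recipient:
            findings.append("Recipient is empty")
        elif recipient != acs_url:
            findings.append(f"Recipient {recipient!r} != ACS URL {acs_url!r}")
        if scd.get("InResponseTo") not in (None, in_response_to):
            findings.append("assertion InResponseTo differs from Response InResponseTo")
    return findings


def make_sample_response(recipient, request_id="_nifi_req_42"):
    """Build a constructed, unsigned SAML Response to feed the checker."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" InResponseTo="{request_id}" Destination="{ACS_URL}">'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        '<saml:NameID>alice@example.com</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}" InResponseTo="{request_id}"/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()
```

Calling check_saml_response(make_sample_response(""), None) reproduces both symptoms from the question at once (missing cookie and empty Recipient); pasting the SAMLResponse value captured with SAML-tracer in place of the sample shows which of the three rules the real flow is failing.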