Nifi-Registry OIDC + Windows ADFS

New Contributor

Hello!

I'm trying to set up NiFi-Registry OIDC authentication with Windows ADFS as the OIDC provider, but have had no luck. Using self-signed certificates for the SSL connection, I'm able to log in to the web interface with the initial admin and create some groups with different privileges, for example nifi-reg-admins with full rights. This group is also present in Active Directory, and the user nifi-admin-2@blackboks.ru is a member of it. In ADFS Management I have set up the "Server application accessing a web API" template with the issuance transform rule "Send Group Membership as a Claim". Accordingly, I chose the nifi-reg-admins group as the user group, "Group" as the outgoing claim type and "nifi-reg-admins" as the outgoing claim value.

I can log in to the web interface with nifi-admin-2@blackboks.ru, but there are no admin privileges at all, and in the logs I see this:

INFO [NiFi Registry Web Server-39] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[nifi-admin-2@blackboks.ru], groups[] does not have permission to access the requested resource. Unable to view users/user groups. Returning Forbidden response.

It's as if I don't have any groups, but I do.

Here is the OIDC section of the properties file:

nifi.registry.security.user.oidc.discovery.url=https://adfs.blackboks.ru/adfs/.well-known/openid-configuration
nifi.registry.security.user.oidc.connect.timeout=5 secs
nifi.registry.security.user.oidc.read.timeout=5 secs
nifi.registry.security.user.oidc.client.id=id
nifi.registry.security.user.oidc.client.secret=secret
nifi.registry.security.user.oidc.preferred.jwsalgorithm=RS256
nifi.registry.security.user.oidc.claim.groups=group
nifi.registry.security.user.oidc.claim.identifying.user=upn
nifi.registry.security.user.oidc.additional.scopes=openid,cn,email,group,role,roles,profile,offline_access

Please help me accomplish this.


4 REPLIES

Master Mentor

@blackboks 

Authentication and Authorization happen in two steps in NiFi and NiFi-Registry.
Group association with users is part of the Authorization step, handled by the configuration in the authorizers.xml file.

Authentication is step one, which you have working. At the end of authentication, all that is available and passed on for authorization is the user identity. In your case "nifi-admin-2@blackboks.ru" is what is being passed to the configured authorizer. You are most likely using the managed-authorizer, which utilizes the file-access-policy-provider, which in turn has a dependency on one or more configurable user-group-providers (file-user-group-provider, ldap-user-group-provider, composite-user-group-provider, composite-configurable-user-group-provider). It is these user-group-providers that are responsible for establishing what groups the user identity belongs to.

What we can tell from the log output you shared is that your authorizer is unaware of any groups that the user identity "nifi-admin-2@blackboks.ru" belongs to. If the authorizer were aware of any groups associated with this user identity, those groups would have been in that log output instead of blank:

identity[nifi-admin-2@blackboks.ru], groups[]

So you'll need to verify the setup in your authorizers.xml and determine which user-group-provider you will use to establish these known user-to-group identity mappings.

The file-user-group-provider would require you to do this manually from within the NiFi UI.

Hopefully this helps clarify why you are seeing what you are seeing.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

 

New Contributor
Thank you for the answer.

Did I understand correctly that I need to add users to a group directly in the nifi-registry web interface if I use the file-user-group-provider, and that there is no other, non-manual way to do it?

Master Mentor

@blackboks 
Yes, that is correct, unless you can sync user-identity-to-group-identity associations via one of the user-group-providers available in NiFi/NiFi-Registry.

NiFi System Administrator Guide


Thank you,
Matt

 

New Contributor

@MattWho Thanks a lot for detailed answers!