OIDC App Role Configuration in NiFi

New Contributor

Hi,

I am trying to implement OIDC authentication with Azure AD in NiFi. I am able to enable it and the user is able to log in, but now I want to use App Roles created in the Azure App Registration instead of AD groups. How can I do that?

1 ACCEPTED SOLUTION

Master Mentor

@sid_21m 

Within NiFi, authentication and authorization are handled as separate processes. Upon successful authentication, NiFi has a user identity (in your case that user identity is your Azure AD username). That user identity is passed to the authorizer to make a determination as to what NiFi authorization that user has been granted. At this point nothing more is known about the authenticated user other than the user identity.

The Authorizer is configured in the authorizers.xml NiFi configuration file. In here you have multiple choices available to you, but none of them are capable of collecting App Roles from Azure. You can use the ldap-user-group-provider to collect LDAP user-to-group associations from Azure AD.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to log in and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt





3 REPLIES

Community Manager

@sid_21m, welcome to our community! To help you get the best possible answer, I have tagged in our NiFi experts @MattWho @cotopaul @SAMSAL who may be able to assist you further.

Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.



Regards,

Vidya Sargur,
Community Manager



New Contributor

Thanks @MattWho for clarifying this. So to use OIDC and fetch the groups I need to give the User.Read.All and Group.Read.All permissions; I think there should be a way to use App Roles if I don't want to give these permissions. Anyway, I will try to use AD groups in place of App Roles.

Thanks for your response.