Created 09-21-2023 11:04 PM
Hi,
I am trying to implement OIDC authentication with Azure AD in NiFi. I am able to enable it and the user is able to log in, but now I want to use App Roles created in the Azure App Registration instead of AD groups. How can I do that?
Created on 09-22-2023 07:33 AM - edited 09-22-2023 07:33 AM
@sid_21m
Within NiFi, authentication and authorization are handled as separate processes. Upon successful authentication, NiFi has a user identity (in your case that user identity is your Azure AD username). That user identity is passed to the authorizer to make a determination as to what NiFi authorization that user has been granted. At this point nothing more is known about the authenticated user other than the user identity.
The Authorizer is configured in the authorizers.xml NiFi configuration file. In here you have multiple choices available to you, but none of them are capable of collecting App Roles from Azure. You can use the ldap-user-group-provider to collect LDAP user-to-group associations from Azure AD.
If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
Created 09-22-2023 01:46 AM
@sid_21m, Welcome to our community! To help you get the best possible answer, I have tagged in our NiFi experts @MattWho @cotopaul @SAMSAL who may be able to assist you further.
Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.
Regards,
Vidya Sargur
Created 09-26-2023 04:09 AM
Thanks @MattWho for clarifying this. So, to use OIDC and fetch the groups, I need to give User.Read.All and Group.Read.All permissions; I think there should be a way to use App Roles if I don't want to give these permissions. Anyway, I will try to use AD groups in place of App Roles.
Thanks for your response.