Support Questions

tyler_gregory · ‎08-27-2018

I've deployed a secured NiFi cluster on Kubernetes in Azure, and am attempting to configure OIDC against Azure AD for auth. I've created an app registration in AAD and configured the OIDC settings in nifi.properties as follows:

nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/dvn.onmicrosoft.com/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=a8d7d98f-588a-4e30-b93c-1730de5512b1
nifi.security.user.oidc.client.secret=*********************************
nifi.security.user.oidc.preferred.jwsalgorithm=

However, the login sequence always fails with:

 Purposed state does not match the stored state. Unable to continue login process.

Can anyone shed some light on what I might be doing wrong? Thanks

tyler_gregory · ‎08-28-2018

Turns out I'd misconfigured the proxy settings on the nginx ingress. The bearer token, and all state values for the OIDC login statemachine, are not replicated to the other cluster members. This means one must configure sticky sessions on the ingress.

View solution in original post

tyler_gregory · ‎08-28-2018

Turns out I'd misconfigured the proxy settings on the nginx ingress. The bearer token, and all state values for the OIDC login statemachine, are not replicated to the other cluster members. This means one must configure sticky sessions on the ingress.

Cloudera Community

Support Questions

OIDC With Azure AD