Whether SSO can be used without enabling HTTPS on NIFI

Rising Star

Is there a way to use SSO without enabling HTTPS on NIFI?

1 ACCEPTED SOLUTION

Master Mentor

@Meepoljd 
You'll want to have HTTPS enabled to prevent access to NiFi's endpoints directly. When NiFi is not secured (HTTPS), it does not require user authentication or authorization. Thus access is treated as anonymous.

When using Apache Knox, NiFi cannot be configured with other login-based authentication like a login-provider in the login-identity-providers.xml or OpenID or SAML via associated properties in the nifi.properties file.

So make sure these properties are not configured in the nifi.properties file when you have also configured the Knox properties:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#saml
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect
and the following login provider property:

nifi.security.user.login.identity.provider=

 

If you found this response assisted with your query, please take a moment to log in and click on "Accept as Solution" below this post.

Thank you,

Matt
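
An added example, not part of the original post: a small audit of a nifi.properties body for the two conditions described in the answer above (Knox SSO set while HTTPS is off, or while another login mechanism is also set). The Knox, OIDC and SAML keys are the ones documented in the NiFi Administration Guide; the function names and the sample file contents are constructed for illustration.

```python
# Property keys as named in the NiFi Administration Guide.
KNOX_URL = "nifi.security.user.knox.url"
HTTPS_PORT = "nifi.web.https.port"
# Login mechanisms that cannot be configured together with Knox SSO.
CONFLICTS = {
    "nifi.security.user.login.identity.provider": "Login Identity Provider",
    "nifi.security.user.oidc.discovery.url": "OpenID Connect",
    "nifi.security.user.saml.idp.metadata.url": "SAML",
}


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_knox_sso(text):
    """Return a list of findings for a nifi.properties body."""
    props = parse_properties(text)
    findings = []
    if not props.get(KNOX_URL):
        return findings  # Knox SSO not configured; nothing to check
    if not props.get(HTTPS_PORT):
        findings.append("HTTPS is not enabled: NiFi treats all access as "
                        "anonymous, so the port can be reached without Knox")
    for key, label in CONFLICTS.items():
        if props.get(key):
            findings.append(f"{label} is configured ({key}); leave it empty "
                            "when Knox SSO is enabled")
    return findings


# Constructed sample, not taken from the thread.
SAMPLE = """\
nifi.web.http.port=8080
nifi.web.https.port=
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.user.oidc.discovery.url=
nifi.security.user.knox.url=https://knox.example.com:8443/gateway/knoxsso/api/v1/websso
"""

if __name__ == "__main__":
    for finding in audit_knox_sso(SAMPLE):
        print("FINDING:", finding)
```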




4 REPLIES

Rising Star

When I tried to turn on KnoxSSO for NiFi without HTTPS, I could access NiFi's Web UI through Knox, but I could also access NiFi directly through port 10111 without being redirected to Knox.

So I tried to enable HTTPS while using Knox, and I got this error: "Apache Knox SSO support cannot be enabled if the Login Identity Provider or OpenId Connect or SAML is configured."

 

 

Rising Star

Thanks. I enabled HTTPS for NiFi, and it works when Knox and NiFi are on the same server. But when I deploy NiFi and Knox separately, I am redirected infinitely when SSO logs in to NiFi, and I find the cookies have problems. Is this because of cross-domain? Knox gateway.log has "JWT cookie successfully added." but nifi-user.log has " [<anonymous>] GET https://XXX:9443/nifi-api/flow/current-user"

 

Rising Star

I know. It needs an FQDN like testhost.magg.com. Thanks.