nifi-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevin Doran <kdo...@apache.org>
Subject Re: Re:
Date Thu, 09 Aug 2018 16:07:28 GMT
>
> *Explaining to your end users that you should skip the first Certificate
> Prompt but accept the second but only when you haven't logged in the
> current session is really painful*


Wow, that sounds terrible. Confusing, accident prone, and frustrating to
correct mistakes (at least in my experience, forcing a browser to forget
client certificate preferences is difficult).

Thanks for sharing those details about your deployment scenario. This can
definitely be improved and I have some ideas for how to do it. I've cloned
the issue to NiFi to make sure we are tracking it for both projects [1][2]

[1] https://issues.apache.org/jira/browse/NIFIREG-189
[2] https://issues.apache.org/jira/browse/NIFI-5504

On Thu, Aug 9, 2018 at 11:54 AM, Shawn Weeks <sweeks@weeksconsulting.us>
wrote:

> The project I'm on is running into this issue as well and it gets
> particularly painful when all of your server's are signed by the same root
> ca that signs your smart card logins and your using something like KnoxSSO.
> Explaining to your end users that you should skip the first Certificate
> Prompt but accept the second but only when you haven't logged in the
> current session is really painful and shows major shortcoming between the
> back end authentication between servers and front end ui authentication.
>
>
> We can't even considering putting it behind our identify reverse proxies
> because we can't turn off two way ssl.
>
>
> Thanks
>
> Shawnk
> ------------------------------
> *From:* Kevin Doran <kdoran@apache.org>
> *Sent:* Thursday, August 9, 2018 10:47:56 AM
> *To:* users@nifi.apache.org
> *Subject:* Re:
>
> sorry forgot the link. here it is:
>
> [1] https://issues.apache.org/jira/projects/NIFIREG/issues/NIFIREG-189
>
> On Thu, Aug 9, 2018 at 11:47 AM, Kevin Doran <kdoran@apache.org> wrote:
>
> Hi Curtis,
>
> This has come up a few times. Unfortunately I don’t think there is
> currently an easy way to disable X509-based identity extraction in NiFi
> today. There is an open JIRA for the same issue in NiFi Registry [1]. NiFi
> Registry follows the same AuthN/AuthZ design (and a fair amount of code) as
> NiFi, so this ticket should apply to NiFi as well.
>
> Perhaps you could share more about your needs and use case on that ticket
> so that when it gets implemented we could take that scenario with reverse
> proxies and OIDC into account?
>
> Thanks,
> Kevin
>
> On Mon, Aug 6, 2018 at 10:23 AM, Curtis Ruck <curtis.ruck@gmail.com>
> wrote:
>
> I'm trying to setup OIDC authentication, but with Nifi service existing
> behind a reverse proxy, and for our other apps we use SSL Client
> Authentication between reverse proxy and application, Nifi is picking up
> the Reverse Proxy's SSL Certificate and falling into X509 Authentication
> instead of OIDC. Any idea how I can disable X509 authentication in Nifi?
>
> Connecting directly to nifi, it triggers the proper OIDC redirects.
>
> --
> Curtis Ruck
>
>
>
>

Mime
View raw message