Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
1.16.0, 1.15.3
-
None
-
None
Description
Prolog:
In SSO i set roles that give the user access to the company's systems or logical areas.
Case:
Using saml i can set nifi.security.user.saml.group.attribute.name and link SSO roles to groups in NIFI, then i don't have to add users to groups in NiFi.
But what if user in NiFi doesn't exist, even if have NiFi group set up in SSO? Then he receiving "Unknown user with identity..." alert. So before a user with aproperiate roles in SSO logs in to NiFi, you have toadd him separatly.
This lack is confirmed in comment:
The real issue is "Unknown user with identity 'user2'"... all of the users and groups still need to be known to NiFi's authorization, the only part that does not need to be known is the actual group membership since that is coming from the SAML response.
Workaroung:
I can create one user without privileges, and map user name to the new one in nifi.security.identity.mapping.value.dn, but i will lost user names in flow history what gives me user accountability..
Expected behavior:
There should be an option in nifi.properties, nifi.security.user.saml.create.user which, when is set to true, will add "empty" (without privileges or groups) user. Then, if the user has the right samla group, he will have access to the platform.
or..
In this situation give user access and privileges even without creating user in users.xml file.
Extra value:
There may be extra option nifi.security.user.saml.new.user.default.group which allowed to link new user to existing ( ! ) group, one or more.