NiFi Authentication with Azure Active Directory

A step-by-step guide to configuring Apache NiFi to authenticate users via Azure Active Directory (AAD) using OIDC.


This guide walks through configuring Apache NiFi to authenticate users via Azure Active Directory using OpenID Connect (OIDC). Tested on NiFi 1.18.x.

Prerequisites

  • Apache NiFi installed and running (with HTTPS configured — OIDC requires TLS)
  • An Azure Active Directory tenant with admin access
  • A NiFi callback URL that users' browsers can reach (e.g. https://nifi.example.com/nifi-api/access/oidc/callback). Azure AD redirects the browser to it rather than calling it, so it need not be reachable from Azure, but it must match the Redirect URI you register exactly (scheme, host, port and path)

Step 1 — Register an App in Azure AD

  1. Go to Azure Portal → Azure Active Directory → App registrations
  2. Click New registration
  3. Set:
    • Name: NiFi OIDC
    • Supported account types: Accounts in this organizational directory only
    • Redirect URI: Web → https://your-nifi-host/nifi-api/access/oidc/callback
  4. Click Register

Azure AD: registering a new application for NiFi OIDC

After registration, note:

  • Application (client) ID — you'll need this
  • Directory (tenant) ID — you'll need this

Create a client secret

  1. In your app registration, go to Certificates & secrets → New client secret
  2. Set an expiry and click Add
  3. Copy the value immediately; it is not shown again. Treat it as a credential (anyone holding it can act as the NiFi app towards Azure AD) and record the expiry date so you can rotate it before logins start failing

Step 2 — Configure NiFi

Edit $NIFI_HOME/conf/nifi.properties:

# Enable HTTPS (required for OIDC). NiFi serves HTTP or HTTPS, never both,
# so the HTTP port must stay blank.
nifi.web.http.port=
nifi.web.https.host=0.0.0.0
nifi.web.https.port=8443

# Keystore/truststore (configure for your certs)
nifi.security.keystore=/opt/nifi/certs/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=your-keystore-password
nifi.security.keyPasswd=your-key-password
nifi.security.truststore=/opt/nifi/certs/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=your-truststore-password

# OIDC settings
# Must stay blank: OIDC is configured here, not through a login identity provider
nifi.security.user.login.identity.provider=
nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=<APPLICATION_CLIENT_ID>
# Stored in clear text: restrict this file's permissions
nifi.security.user.oidc.client.secret=<CLIENT_SECRET>
nifi.security.user.oidc.preferred.jwsalgorithm=
# NiFi always requests openid; the email scope is what makes the email claim appear
nifi.security.user.oidc.additional.scopes=profile email
nifi.security.user.oidc.claim.identifying.user=email
# Azure AD omits the email claim for accounts with no mail address;
# fall back to preferred_username instead of failing the login
nifi.security.user.oidc.fallback.claims.identifying.user=preferred_username

Replace <TENANT_ID>, <APPLICATION_CLIENT_ID>, and <CLIENT_SECRET> with the values from Step 1. nifi.properties now contains the client secret in clear text, so make it readable only by the NiFi service account (chmod 600), keep it out of version control, and consider protecting sensitive values with the NiFi Toolkit's encrypt-config tool.
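A preflight check for the settings above, added here as an example rather than anything NiFi or its toolkit ships: it reads nifi.properties with a minimal Java-properties parser and flags the mistakes that most often break the Azure AD flow (HTTP still enabled, a login identity provider left set, a placeholder secret, a discovery URL that does not point at the tenant's v2.0 endpoint, an identifying claim whose scope is not requested). The SAMPLE_PROPERTIES text is constructed for the demo and contains two deliberate mistakes; pass a path to check a real file, which also warns when the file holding the clear-text secret is group- or world-readable.

```python
"""Preflight checks for the OIDC settings in nifi.properties.

Added example for this guide, not part of NiFi or its toolkit. It parses
the Java-properties file NiFi reads and flags the settings that most often
break the Azure AD login flow. SAMPLE_PROPERTIES is constructed for the demo
and contains two deliberate mistakes; run the script with a path argument
to check a real $NIFI_HOME/conf/nifi.properties instead.
"""
import os
import re
import stat
import sys
from typing import Dict, List

SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment
nifi.web.https.host=0.0.0.0
nifi.web.https.port=8443
nifi.security.keystore=/opt/nifi/certs/keystore.jks
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0/.well-known/openid-configuration
nifi.security.user.oidc.client.id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
nifi.security.user.oidc.client.secret=<CLIENT_SECRET>
nifi.security.user.oidc.additional.scopes=profile email
nifi.security.user.oidc.claim.identifying.user=email
nifi.security.user.oidc.fallback.claims.identifying.user=
"""

GUID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
AZURE_DISCOVERY = re.compile(
    r"^https://login\.microsoftonline\.com/([^/]+)/v2\.0/\.well-known/openid-configuration$"
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_oidc(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings: List[str] = []
    get = props.get

    # OIDC only works over HTTPS, and NiFi serves HTTP or HTTPS, never both.
    if not get("nifi.web.https.port"):
        findings.append("nifi.web.https.port is unset: OIDC requires HTTPS")
    if get("nifi.web.http.port"):
        findings.append("nifi.web.http.port is set: clear it, NiFi cannot serve HTTP and HTTPS together")

    # A login identity provider (single-user, LDAP, Kerberos) conflicts with OIDC.
    if get("nifi.security.user.login.identity.provider"):
        findings.append("nifi.security.user.login.identity.provider must be blank when OIDC is used")

    # The discovery URL must point at this tenant's v2.0 endpoint.
    match = AZURE_DISCOVERY.match(get("nifi.security.user.oidc.discovery.url", ""))
    if not match:
        findings.append("discovery URL is not an Azure AD v2.0 openid-configuration URL")
    elif not GUID.match(match.group(1)):
        findings.append("tenant segment of the discovery URL is not the Directory (tenant) ID")

    # Placeholders left over from copying the guide are a common cause of failed logins.
    for key in ("nifi.security.user.oidc.client.id", "nifi.security.user.oidc.client.secret"):
        value = get(key, "")
        if not value or value.startswith("<"):
            findings.append(f"{key} is unset or still a placeholder")

    # The identifying claim only appears in the token if its scope is requested.
    claim = get("nifi.security.user.oidc.claim.identifying.user", "")
    scopes = get("nifi.security.user.oidc.additional.scopes", "").split()
    if not claim:
        findings.append("nifi.security.user.oidc.claim.identifying.user is unset")
    elif claim == "email" and "email" not in scopes:
        findings.append("identifying claim is email but the email scope is not in additional.scopes")
    return findings


def check_file(path: str) -> List[str]:
    """Run the checks on a real file and flag loose permissions on the clear-text secret."""
    findings: List[str] = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} is readable by group/other but holds the OIDC client secret")
    with open(path, encoding="utf-8") as fh:
        findings.extend(check_oidc(parse_properties(fh.read())))
    return findings


if __name__ == "__main__":
    results = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_oidc(parse_properties(SAMPLE_PROPERTIES))
    for line in results or ["no findings"]:
        print(line)
```

Run it as `python nifi_oidc_preflight.py $NIFI_HOME/conf/nifi.properties` before restarting NiFi; on the constructed sample it reports the leftover login identity provider and the placeholder secret. The parser is deliberately minimal (no line continuations or Unicode escapes), which is enough for the hand-edited properties file NiFi ships.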

Step 3 — Configure authorizers.xml

Edit $NIFI_HOME/conf/authorizers.xml. Find the UserGroupProvider and AccessPolicyProvider sections.

For a simple setup with a single initial admin (yourself):

<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">your-email@yourdomain.com</property>
</userGroupProvider>
 
<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">your-email@yourdomain.com</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1"></property>
    <property name="Node Group"></property>
</accessPolicyProvider>

The Initial Admin Identity must match, character for character, the identity NiFi derives from the ID token, which with the nifi.properties above is the email claim. The comparison is case-sensitive: if Azure AD returns Jane.Doe@Example.com, that is the string you must configure, or normalize it with an identity mapping (nifi.security.identity.mapping.pattern.<name>, .value.<name> and .transform.<name>=LOWER). Note also that NiFi only applies Initial User Identity and Initial Admin Identity when users.xml and authorizations.xml do not exist yet; on an existing install, stop NiFi and remove (or back up) those two files first, or the new admin will not be granted anything.
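To see which string NiFi will actually compare against Initial Admin Identity, the following added example (not NiFi code) reproduces NiFi's claim selection: the claim named in nifi.security.user.oidc.claim.identifying.user first, then each entry of nifi.security.user.oidc.fallback.claims.identifying.user in order, with an optional lowercase step standing in for an identity mapping with transform LOWER. It decodes a JWT payload without verifying the signature (diagnostic use only; NiFi verifies the token itself). SAMPLE_TOKEN is constructed for the demo with a fake signature and models an account that has no mail attribute, so Azure AD omits the email claim.

```python
"""Work out which identity string NiFi will compare against Initial Admin Identity.

Added example for this guide, not NiFi code. NiFi takes the claim named in
nifi.security.user.oidc.claim.identifying.user from the ID token and, if it is
absent, tries nifi.security.user.oidc.fallback.claims.identifying.user in order;
the string it ends up with must match the configured admin identity exactly,
including case. Decoding here skips signature verification on purpose (it is a
diagnostic; NiFi verifies the token itself). SAMPLE_TOKEN is constructed with a
fake signature for the demo.
"""
import base64
import json
import sys
from typing import Dict, List, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict[str, object]:
    """Return the payload claims of a compact JWS. No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def parse_fallbacks(value: str) -> List[str]:
    """Split the comma-separated fallback property; blank entries are ignored."""
    return [c.strip() for c in value.split(",") if c.strip()]


def resolve_identity(claims: Dict[str, object], primary: str, fallbacks: List[str],
                     lowercase: bool = False) -> Optional[str]:
    """Mirror NiFi's claim selection: primary first, then each fallback; None if nothing usable.

    lowercase=True stands in for an identity mapping whose transform is LOWER."""
    for name in [primary, *fallbacks]:
        value = claims.get(name)
        if isinstance(value, str) and value:
            return value.lower() if lowercase else value
    return None


# Constructed sample: an Azure AD v2.0 style ID token for an account without a mail
# attribute, so the email claim is absent and only preferred_username is available.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "aud": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "name": "Jane Doe",
    "preferred_username": "Jane.Doe@Example.com",
    "oid": "99999999-8888-7777-6666-555555555555",
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url_encode(b"not-a-real-signature"),
])


def diagnose(token: str, primary: str, fallback_property: str, initial_admin: str) -> str:
    """Explain whether a token would be accepted as the configured initial admin."""
    identity = resolve_identity(jwt_claims(token), primary, parse_fallbacks(fallback_property))
    if identity is None:
        return f"no usable identity: token lacks {primary!r} and every fallback"
    if identity == initial_admin:
        return f"identity {identity!r} matches Initial Admin Identity"
    if identity.lower() == initial_admin.lower():
        return (f"identity {identity!r} differs from {initial_admin!r} only by case: "
                "add a LOWER identity mapping or change the configured identity")
    return f"identity {identity!r} does not match Initial Admin Identity {initial_admin!r}"


if __name__ == "__main__":
    # Pass an ID token issued for your app registration to inspect your own account's claims.
    token = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_TOKEN
    print(json.dumps(jwt_claims(token), indent=2))
    print(diagnose(token, "email", "", "jane.doe@example.com"))
    print(diagnose(token, "email", "preferred_username,upn", "jane.doe@example.com"))
```

With no fallback configured the sample account cannot log in at all ("Unknown user"), because the token has no email claim; with preferred_username as a fallback the login succeeds but the resulting identity still differs from a lowercase Initial Admin Identity by case, which is exactly the mismatch the identity mapping transform is for.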

Step 4 — Configure login-identity-providers.xml

Leave login-identity-providers.xml as shipped. That file only configures the single-user, LDAP and Kerberos login providers; OIDC is never declared there and is configured entirely through nifi.properties. Keep nifi.security.user.login.identity.provider blank so that no login provider is active alongside OIDC.

Step 5 — Restart NiFi and verify

$NIFI_HOME/bin/nifi.sh restart
# Watch the logs
tail -f $NIFI_HOME/logs/nifi-app.log

Browse to https://your-nifi-host:8443/nifi. You should be redirected to the Microsoft login page. After signing in with an AAD account, NiFi redirects you back. If the identity matches an authorized user, you'll land on the canvas.

On first login, Azure AD will prompt you to consent to the app accessing your profile:

Azure AD consent prompt shown on first login to the NiFi app

Troubleshooting

  • Redirect loop on login, or Azure AD reports an AADSTS50011 reply URL error: the Redirect URI in the app registration does not exactly match the callback NiFi sends (scheme, host, port and path). When NiFi sits behind a reverse proxy, the proxy must forward the original host and scheme so that NiFi builds the callback URL users actually reach.
  • "Unknown user" after login: the Initial Admin Identity does not match the identity claim (Azure AD omits the email claim for accounts with no mail address, so check the fallback claims), or users.xml and authorizations.xml already existed when the initial identities were added.
  • SSL handshake errors: keystore/truststore misconfigured, or expired certificates.
  • 403 after login: the user authenticated but has no policy grants; check authorizations.xml or the Policies screen.

Adding more users

Once you're logged in as the initial admin:

  1. Go to the hamburger menu → Users
  2. Add users by the exact identity string NiFi derives from their token (the email claim with the settings above), matching its case
  3. Grant them the appropriate access policies

NiFi Users screen listing AAD-authenticated identities

To grant permissions, open Policies and add the user (or group) to the policy that covers the action they need:

NiFi access policies dialog, adding a user to a policy

Users do not need to be created in advance: any account in your tenant can authenticate, because the app registration allows every account in the directory, but an authenticated user gets a 403 until a policy grants them something. Authentication and authorization are separate gates here. If you want to restrict who can even sign in, enable "Assignment required?" on the app's Enterprise Application in Azure AD and assign users or groups there, rather than relying solely on NiFi's policies.


Originally published as a GitHub guide. Reproduced here with minor formatting updates.
