community-dev mailing list archives

From Andrew Musselman <andrew.mussel...@gmail.com>
Subject Re: Need help in enabling SAML auth in Apache Knox
Date Mon, 16 Jul 2018 17:16:39 GMT
Hi Praveen, you could get in touch with the Knox team using their 
mailing lists instead of this one:

https://knox.apache.org/mail-lists.html

Good luck!

On Mon, Jul 16, 2018 at 9:58 AM, Ravikumar, Praveen Krishnamoorthy 
<rpkrish@amazon.com.INVALID> wrote:
> Hi,
> I'm Praveen. I'm working on a POC to set up Apache Knox on the master 
> node of an EMR cluster for our client. With the help of the 
> documentation I was able to install Knox successfully and was able 
> to run a few tests. Currently I'm facing an issue with enabling SAML 
> authentication, on which I'm kind of blocked, and I don't know how to 
> proceed or troubleshoot the issue. I have provided a few details 
> regarding the issue and I would love to provide more if needed.
> 
> Could anyone help me with this? It would be very helpful for me to proceed 
> further.
> 
> TASK:
> -----
> To enable SAML authentication for Apache Knox.
> 
> NOTE: Apache Knox is installed and running on port 8446
> 
> STEP 1: SSO request initiation.
> *******************************
> - Our client uses the PingFederate Identity Provider.
> - Raised a request to register the application for SSO access.
>         Entity ID - 
> https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client
>         Target URL - https://<dnsName>:8446 (I'm not sure the target 
> URL is valid; I suspect the page is getting redirected to this link 
> after auth)
> - I received an IdP metadata.xml and certificate.
> 
> STEP 2: Topology config
> ***********************
> 
> KnoxSSO.xml
> ------------
> <topology>
>   <gateway>
>     <provider>
>       <role>federation</role>
>       <name>pac4j</name>
>       <enabled>true</enabled>
>       <param>
>         <name>pac4j.callbackUrl</name>
>         <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso</value>
>       </param>
>       <param>
>         <name>clientName</name>
>         <value>SAML2Client</value>
>       </param>
>       <param>
>         <name>saml.identityProviderMetadataPath</name>
>         <value>/tmp/preprod_metadata_SP.xml</value>
>       </param>
>       <param>
>         <name>saml.serviceProviderMetadataPath</name>
>         <value>/tmp/preprod_metadata_SP.xml</value>
>       </param>
>       <param>
>         <name>saml.serviceProviderEntityId</name>
>         <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
>       </param>
>     </provider>
>     <provider>
>       <role>identity-assertion</role>
>       <name>Default</name>
>       <enabled>true</enabled>
>     </provider>
>   </gateway>
>   <service>
>     <role>KNOXSSO</role>
>     <param>
>       <name>knoxsso.cookie.secure.only</name>
>       <value>true</value>
>     </param>
>     <param>
>       <name>knoxsso.token.ttl</name>
>       <value>100000</value>
>     </param>
>     <param>
>       <name>knoxsso.redirect.whitelist.regex</name>
>       <value>^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>     </param>
>   </service>
> </topology>
> 
> gate1.xml
> ---------
> <?xml version="1.0" encoding="utf-8"?>
> <topology>
>   <gateway>
>     <provider>
>         <role>federation</role>
>         <name>SSOCookieProvider</name>
>         <enabled>true</enabled>
>         <param>
>             <name>sso.authentication.provider.url</name>
>             <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>
>         </param>
>     </provider>
>     <provider>
>         <role>identity-assertion</role>
>         <name>Default</name>
>         <enabled>true</enabled>
>     </provider>
>   </gateway>
>   <service>
>       <role>YARNUI</role>
>       <url>http://<dnsname>:8088</url>
>   </service>
> </topology>
> 
> 
> PROBLEM:
> ********
> On accessing the YARN UI (Firefox browser) after starting the gateway, 
> the browser gets redirected to the Identity Provider URL -> asks for 
> the login credentials -> on submitting, the user gets 
> authenticated but the application lands on 
> https://<DNSDomain>:8446 and throws a page not found error.
> I'm seeing the SAML request sent and the SAML response received, 
> but it lands on an invalid page after authentication. I'm 
> unable to figure out the page to land on after authentication.
> 
> 
> I hope I have provided the required details. Please do let me know if 
> you need any additional details.
> 
> Thanks,
> Praveen.
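An added check, not code from this thread or from Apache Knox, that a practitioner could run against a KnoxSSO topology like the one posted above before asking the Knox list. It applies two rules from the Knox documentation: `knoxsso.redirect.whitelist.regex` is a semicolon-separated list of regexes that the `originalUrl` must match before KnoxSSO will redirect back to it after authentication, and `SSOCookieProvider` sends an unauthenticated browser to `sso.authentication.provider.url` with the requested page as `originalUrl`. The hostname `knox.example.internal` stands in for the `<dnsName>` placeholder, and the YARN UI URL under the `gate1` topology is an assumption; the thread itself does not establish which of these findings, if any, explains Praveen's redirect to the bare host.

```python
"""Sanity checks on a KnoxSSO topology (added example; not from the thread or Knox).

Rules applied, both from the Knox documentation:
  - knoxsso.redirect.whitelist.regex: ';'-separated regexes; originalUrl must
    match one of them before KnoxSSO redirects back to it after login.
  - SSOCookieProvider redirects unauthenticated browsers to
    sso.authentication.provider.url?originalUrl=<requested page>.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed copy of the posted KnoxSSO.xml; <dnsName> replaced by an assumed
# hostname, knox.example.internal. Raw string so the regex backslashes survive.
KNOXSSO_TOPOLOGY = r"""<topology>
  <gateway>
    <provider>
      <role>federation</role><name>pac4j</name><enabled>true</enabled>
      <param><name>pac4j.callbackUrl</name>
        <value>https://knox.example.internal:8446/gateway/knoxsso/api/v1/websso</value></param>
      <param><name>clientName</name><value>SAML2Client</value></param>
      <param><name>saml.identityProviderMetadataPath</name>
        <value>/tmp/preprod_metadata_SP.xml</value></param>
      <param><name>saml.serviceProviderMetadataPath</name>
        <value>/tmp/preprod_metadata_SP.xml</value></param>
      <param><name>saml.serviceProviderEntityId</name>
        <value>https://knox.example.internal:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value></param>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value></param>
  </service>
</topology>"""


def params(topology_xml, role):
    """{name: value} of the <param>s under the <provider> or <service> with this role."""
    root = ET.fromstring(topology_xml)
    for node in root.iter():
        if node.tag in ("provider", "service") and node.findtext("role") == role:
            return {p.findtext("name"): p.findtext("value") for p in node.findall("param")}
    return {}


def whitelist_allows(whitelist, original_url):
    """True if original_url fully matches one of the ';'-separated regexes."""
    return any(re.fullmatch(rx, original_url) for rx in whitelist.split(";") if rx)


def sso_redirect(provider_url, original_url):
    """The redirect SSOCookieProvider issues for an unauthenticated request."""
    return f"{provider_url}?originalUrl={quote(original_url, safe='')}"


def lint(topology_xml, original_urls):
    """Findings for the topology, given the originalUrls users will come back to."""
    findings = []
    pac4j = params(topology_xml, "federation")
    sso = params(topology_xml, "KNOXSSO")

    # pac4j reads IdP metadata from one path and keeps SP metadata at the other;
    # pointing both at the same file means one of them is wrong.
    if pac4j.get("saml.identityProviderMetadataPath") == pac4j.get("saml.serviceProviderMetadataPath"):
        findings.append("saml.identityProviderMetadataPath and saml.serviceProviderMetadataPath are the same file")

    # The SP entity id registered with the IdP must be the pac4j callback URL
    # plus the pac4jCallback=true&client_name=... query, as Knox documents it.
    callback = pac4j.get("pac4j.callbackUrl", "")
    entity_id = pac4j.get("saml.serviceProviderEntityId", "")
    if not (callback and entity_id.startswith(callback + "?pac4jCallback=true")):
        findings.append("saml.serviceProviderEntityId is not pac4j.callbackUrl?pac4jCallback=true&client_name=...")

    # Every URL a user is expected to be sent back to must pass the whitelist.
    whitelist = sso.get("knoxsso.redirect.whitelist.regex", "")
    for url in original_urls:
        if not whitelist_allows(whitelist, url):
            findings.append(f"originalUrl would not pass the redirect whitelist: {url}")
    return findings


WHITELIST = params(KNOXSSO_TOPOLOGY, "KNOXSSO")["knoxsso.redirect.whitelist.regex"]
PROVIDER_URL = params(KNOXSSO_TOPOLOGY, "federation")["pac4j.callbackUrl"]
# Assumed URL of the YARN UI behind the gate1 topology (Knox serves YARNUI under /yarn).
YARN_UI = "https://knox.example.internal:8446/gateway/gate1/yarn/"

if __name__ == "__main__":
    print("SSOCookieProvider would redirect to:", sso_redirect(PROVIDER_URL, YARN_UI))
    for finding in lint(KNOXSSO_TOPOLOGY, [YARN_UI]):
        print("FINDING:", finding)
```

Run as-is, the script reports two findings for the posted topology: the IdP and SP metadata params name the same file, and the gateway's own hostname on port 8446 is not covered by a whitelist that only admits the ELB name and loopback addresses. To check a real topology, paste it over `KNOXSSO_TOPOLOGY` and list in `original_urls` every gateway URL users will open before logging in.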
