community-dev mailing list archives

From "Ravikumar, Praveen Krishnamoorthy" <rpkr...@amazon.com.INVALID>
Subject Need help in enabling SAML auth in Apache Knox
Date Mon, 16 Jul 2018 16:58:48 GMT
Hi,
I'm Praveen. I'm working on a POC to set up Apache Knox on the master node of an EMR cluster
for our client. With the help of the documentation I was able to install Knox successfully and
run a few tests. Currently I'm facing an issue with enabling SAML authentication, on which I'm
kind of blocked, and I don't know how to proceed or troubleshoot the issue. I have provided a
few details regarding the issue and I would love to provide more if needed.

Could anyone help me with this? It would be very helpful for me to proceed further.

TASK:
-----
To enable SAML authentication for Apache Knox.

NOTE: Apache Knox is installed and running on port 8446

STEP 1: SSO request initiation.
*******************************
- Our client uses the PingFederate identity provider.
- Raised a request to register the application for SSO access.
        Entity ID - https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client
        Target URL - https://<dnsName>:8446 (I'm not sure the target URL is valid; I
suspect the page is getting redirected to this link after auth)
- I received an IDP metadata.xml and certificate.

STEP 2: Topology config
***********************

KnoxSSO.xml
------------
<topology>
   <gateway>
     <provider>
         <role>federation</role>
         <name>pac4j</name>
         <enabled>true</enabled>
         <param>
           <name>pac4j.callbackUrl</name>
           <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso</value>
         </param>
         <param>
           <name>clientName</name>
           <value>SAML2Client</value>
         </param>
         <param>
           <name>saml.identityProviderMetadataPath</name>
           <value>/tmp/preprod_metadata_SP.xml</value>
         </param>
         <param>
           <name>saml.serviceProviderMetadataPath</name>
           <value>/tmp/preprod_metadata_SP.xml</value>
         </param>
         <param>
           <name>saml.serviceProviderEntityId</name>
           <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
         </param>
     </provider>
     <provider>
         <role>identity-assertion</role>
         <name>Default</name>
         <enabled>true</enabled>
     </provider>
   </gateway>
   <service>
       <role>KNOXSSO</role>
       <param>
         <name>knoxsso.cookie.secure.only</name>
         <value>true</value>
       </param>
       <param>
         <name>knoxsso.token.ttl</name>
         <value>100000</value>
       </param>
       <param>
         <name>knoxsso.redirect.whitelist.regex</name>
         <value>^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
       </param>
   </service>
</topology>

gate1.xml
---------
<?xml version="1.0" encoding="utf-8"?>
<topology>
  <gateway>
    <provider>
        <role>federation</role>
        <name>SSOCookieProvider</name>
        <enabled>true</enabled>
        <param>
            <name>sso.authentication.provider.url</name>
            <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>
        </param>
    </provider>
    <provider>
        <role>identity-assertion</role>
        <name>Default</name>
        <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
      <role>YARNUI</role>
      <url>http://<dnsname>:8088</url>
  </service>
</topology>


PROBLEM:
********
On accessing the YARN UI (Firefox browser) after starting the gateway, the browser gets redirected
to the identity provider URL -> asks for the login credentials -> on submitting, the
user gets authenticated, but the application lands on https://<DNSDomain>:8446
and throws a page not found error.
I'm seeing the SAML request being sent and the SAML response being received, but it lands on
an invalid page after authentication. I'm unable to figure out the page to land on after authentication.


Hope I have provided the required details. Please do let me know if you need any additional
details.

Thanks,
Praveen.
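Added example, not part of the original post and not Knox project code: a small Python check that cross-references a pac4j federation topology against the IdP and SP metadata files it points at. The topology and metadata below are constructed for the example, mirroring the posted KnoxSSO.xml with `knox.example.com` standing in for `<dnsName>` and a hypothetical `/tmp/preprod_metadata_IDP.xml` for the corrected IdP metadata path; the expected AssertionConsumerService form (callback URL plus `pac4jCallback=true&client_name=...`) is taken from the entity ID in the post. It flags the two metadata paths pointing at the same file, a metadata file without an IDPSSODescriptor, an entity ID or ACS mismatch, and an origin URL the `knoxsso.redirect.whitelist.regex` would not match.

```python
"""Cross-check a Knox pac4j SAML topology against IdP/SP metadata (added example, not Knox code)."""
import re
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"


def topology_params(topology_xml):
    """Collect every <param> name/value in a Knox topology, providers and services alike."""
    root = ET.fromstring(topology_xml)
    return {p.findtext("name").strip(): p.findtext("value").strip() for p in root.iter("param")}


def metadata_summary(metadata_xml):
    """Pull the entityID, the role descriptors present and any ACS locations out of SAML metadata."""
    root = ET.fromstring(metadata_xml)
    roles = {c.tag[len(MD_NS):] for c in root if c.tag.startswith(MD_NS)}
    acs = [e.get("Location") for e in root.iter(MD_NS + "AssertionConsumerService")]
    return {"entityID": root.get("entityID"), "roles": roles, "acs": acs}


def check_saml_topology(topology_xml, idp_metadata_xml, sp_metadata_xml, origin_url):
    """Return a list of finding codes; an empty list means all cross-checks passed."""
    params = topology_params(topology_xml)
    findings = []
    # One file for both paths means pac4j is handed SP metadata where it expects the IdP's.
    if params.get("saml.identityProviderMetadataPath") == params.get("saml.serviceProviderMetadataPath"):
        findings.append("idp-and-sp-metadata-same-file")
    if "IDPSSODescriptor" not in metadata_summary(idp_metadata_xml)["roles"]:
        findings.append("idp-metadata-has-no-IDPSSODescriptor")
    sp = metadata_summary(sp_metadata_xml)
    if sp["entityID"] != params.get("saml.serviceProviderEntityId"):
        findings.append("sp-entity-id-mismatch")
    # Callback form seen in the posted entity ID: callbackUrl + pac4jCallback=true + client_name.
    expected_acs = "%s?pac4jCallback=true&client_name=%s" % (
        params["pac4j.callbackUrl"], params.get("clientName", "SAML2Client"))
    if expected_acs not in sp["acs"]:
        findings.append("acs-location-mismatch")
    # The URL the user started from is matched against the KnoxSSO redirect whitelist.
    regex = params.get("knoxsso.redirect.whitelist.regex")
    if regex and not re.match(regex, origin_url):
        findings.append("origin-url-not-whitelisted")
    return findings


def _topology(idp_metadata_path, whitelist_host):
    """Constructed topology mirroring the posted KnoxSSO.xml; knox.example.com stands in for <dnsName>."""
    return r"""<topology><gateway>
  <provider><role>federation</role><name>pac4j</name><enabled>true</enabled>
    <param><name>pac4j.callbackUrl</name><value>https://knox.example.com:8446/gateway/knoxsso/api/v1/websso</value></param>
    <param><name>clientName</name><value>SAML2Client</value></param>
    <param><name>saml.identityProviderMetadataPath</name><value>%s</value></param>
    <param><name>saml.serviceProviderMetadataPath</name><value>/tmp/preprod_metadata_SP.xml</value></param>
    <param><name>saml.serviceProviderEntityId</name><value>https://knox.example.com:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value></param>
  </provider>
</gateway><service><role>KNOXSSO</role>
  <param><name>knoxsso.redirect.whitelist.regex</name><value>^https?:\/\/(%s|localhost|127\.0\.0\.1|::1):[0-9].*$</value></param>
</service></topology>""" % (idp_metadata_path, whitelist_host)


# Constructed SP metadata for the Knox side (what /tmp/preprod_metadata_SP.xml would hold).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://knox.example.com:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0"
      Location="https://knox.example.com:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata, the shape the IdP-issued metadata.xml would have (hostname is made up).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

ORIGIN_URL = "https://knox.example.com:8446/gateway/gate1/yarn/"  # constructed gate1 service URL
TOPOLOGY_AS_POSTED = _topology("/tmp/preprod_metadata_SP.xml",
                               r"emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com")
TOPOLOGY_FIXED = _topology("/tmp/preprod_metadata_IDP.xml", r"knox\.example\.com")  # hypothetical path

if __name__ == "__main__":
    # As posted, the "IdP" file is really the SP file, so it is checked as such here.
    print("as posted:", check_saml_topology(TOPOLOGY_AS_POSTED, SP_METADATA, SP_METADATA, ORIGIN_URL))
    print("fixed:    ", check_saml_topology(TOPOLOGY_FIXED, IDP_METADATA, SP_METADATA, ORIGIN_URL))
```

Run it as a script against the real topology and metadata files by swapping the constructed strings for file contents; the finding codes name the parameter to look at first. The whitelist check uses the URL the browser was on before the redirect to KnoxSSO, which is the gateway URL of the protected topology, not the IdP or the callback.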