Hi Praveen, you could get in touch with the Knox team using their
mailing lists instead of this one:
https://knox.apache.org/mail-lists.html
Good luck!
On Mon, Jul 16, 2018 at 9:58 AM, Ravikumar, Praveen Krishnamoorthy
<rpkr...@amazon.com.INVALID> wrote:
Hi,
I'm Praveen. I'm working on a POC to set up Apache Knox on the master
node of an EMR cluster for our client. With the help of the
documentation I was able to install Knox successfully and was able
to run a few tests. Currently I'm facing an issue enabling SAML
authentication, on which I'm kind of blocked, and I don't know how to
proceed or troubleshoot the issue. I have provided a few details
regarding the issue and would love to provide more if needed.
Could anyone help me with this? It would be very helpful for me to proceed
further.
TASK:
-----
To enable SAML authentication for Apache Knox.
NOTE: Apache Knox is installed and running on port 8446
STEP 1: SSO request initiation.
*******************************
- Our client uses the PingFederate identity provider.
- Raised a request to register the application for SSO access.
Entity ID -
https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client
Target URL - https://<dnsName>:8446 (I'm not sure the target
URL is valid; I suspect the page is getting redirected to this link
after auth)
- I received an IdP metadata.xml and certificate.
STEP 2: Topology config
***********************
KnoxSSO.xml
------------
<topology>
  <gateway>
    <!-- pac4j federation provider: the SAML2Client drives the SAML login with the IdP -->
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <param>
        <name>pac4j.callbackUrl</name>
        <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso</value>
      </param>
      <param>
        <name>clientName</name>
        <value>SAML2Client</value>
      </param>
      <param>
        <!-- metadata received from the identity provider -->
        <name>saml.identityProviderMetadataPath</name>
        <value>/tmp/preprod_metadata_SP.xml</value>
      </param>
      <param>
        <!-- where pac4j writes the service provider (Knox) metadata -->
        <name>saml.serviceProviderMetadataPath</name>
        <value>/tmp/preprod_metadata_SP.xml</value>
      </param>
      <param>
        <name>saml.serviceProviderEntityId</name>
        <!-- a bare '&' is not well-formed XML inside an element value; it must be written as '&amp;' -->
        <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param>
      <!-- hadoop-jwt cookie is only sent over HTTPS -->
      <name>knoxsso.cookie.secure.only</name>
      <value>true</value>
    </param>
    <param>
      <!-- token lifetime in milliseconds -->
      <name>knoxsso.token.ttl</name>
      <value>100000</value>
    </param>
    <param>
      <!-- originalUrl must match this regex or KnoxSSO will not redirect back to it after login -->
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
    </param>
  </service>
</topology>
gate1.xml
---------
<?xml version="1.0" encoding="utf-8"?>
<topology>
  <gateway>
    <!-- SSOCookieProvider: accepts the hadoop-jwt cookie issued by KnoxSSO;
         an unauthenticated request is redirected to the URL below with
         ?originalUrl=<requested page> appended -->
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>YARNUI</role>
    <url>http://<dnsname>:8088</url>
  </service>
</topology>
PROBLEM:
********
On accessing the YARN UI (Firefox browser) after starting the gateway,
the browser gets redirected to the identity provider URL -> asks for
the login credentials -> on submitting, the user gets
authenticated but the application lands on
https://<DNSDomain>:8446 and throws a page not found error.
I'm seeing the SAML request sent and the SAML response received,
but it lands on an invalid page after authentication. I'm
unable to figure out the page to land on after authentication.
Hope I have provided the required details. Please do let me know if
you need any additional details.
Thanks,
Praveen.
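A check added here as a worked example; it is not part of either message above and not Knox's own code. It parses a KnoxSSO topology modelled on the one in the post (with the & in the entity ID written as &amp; so the XML parser accepts it), builds the redirect the SSOCookieProvider sends an unauthenticated browser to, and tests whether the originalUrl it carries passes knoxsso.redirect.whitelist.regex, the check KnoxSSO applies before sending the browser back after authentication. The hostnames knox.example.com and ip-10-0-0-1.us-west-2.compute.internal and the originalUrl values are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed KnoxSSO topology modelled on the one in the post (assumed host
# knox.example.com). The '&' in the entity ID is written as '&amp;': a bare
# '&' is not well-formed XML and the topology would fail to parse.
KNOXSSO_TOPOLOGY = r"""<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <param><name>pac4j.callbackUrl</name>
        <value>https://knox.example.com:8446/gateway/knoxsso/api/v1/websso</value></param>
      <param><name>clientName</name><value>SAML2Client</value></param>
      <param><name>saml.identityProviderMetadataPath</name>
        <value>/tmp/preprod_metadata_SP.xml</value></param>
      <param><name>saml.serviceProviderMetadataPath</name>
        <value>/tmp/preprod_metadata_SP.xml</value></param>
      <param><name>saml.serviceProviderEntityId</name>
        <value>https://knox.example.com:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value></param>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>true</value></param>
    <param><name>knoxsso.token.ttl</name><value>100000</value></param>
    <param><name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value></param>
  </service>
</topology>"""

# Assumed sso.authentication.provider.url of the gate1 topology.
WEBSSO_URL = "https://knox.example.com:8446/gateway/knoxsso/api/v1/websso"


def load_params(topology_xml):
    """Map every <param> name in the topology to its value (providers and services)."""
    root = ET.fromstring(topology_xml)
    return {p.findtext("name").strip(): p.findtext("value").strip()
            for p in root.iter("param")}


def sso_redirect(websso_url, original_url):
    """Redirect the SSOCookieProvider issues for a request without a valid
    hadoop-jwt cookie: the KnoxSSO endpoint with the requested page in originalUrl."""
    return websso_url + "?" + urlencode({"originalUrl": original_url})


def whitelist_allows(params, original_url):
    """True if the whitelist regex lets KnoxSSO send the browser back to original_url."""
    return re.match(params["knoxsso.redirect.whitelist.regex"], original_url) is not None


def check_topology(params):
    """Static findings a reviewer would raise about the SAML / KnoxSSO settings."""
    findings = []
    if params["saml.identityProviderMetadataPath"] == params["saml.serviceProviderMetadataPath"]:
        findings.append("identityProviderMetadataPath and serviceProviderMetadataPath are "
                        "the same file; pac4j writes the SP metadata to the latter")
    if params.get("knoxsso.cookie.secure.only") != "true":
        findings.append("knoxsso.cookie.secure.only is not true; the hadoop-jwt cookie "
                        "could be sent over plain HTTP")
    return findings


if __name__ == "__main__":
    params = load_params(KNOXSSO_TOPOLOGY)
    # Constructed originalUrl values: the ELB name from the whitelist, the same
    # name without an explicit port, and an EMR-internal name the whitelist omits.
    for url in ("https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com:8446/gateway/gate1/yarn/",
                "https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com/gateway/gate1/yarn/",
                "https://ip-10-0-0-1.us-west-2.compute.internal:8446/gateway/gate1/yarn/"):
        print(sso_redirect(WEBSSO_URL, url))
        print("  whitelist allows redirect back:", whitelist_allows(params, url))
    for finding in check_topology(params):
        print("finding:", finding)
```

Only the first of the three constructed URLs passes the regex: the second has no explicit port, which the pattern requires, and the third uses a host the pattern does not list. An originalUrl that fails this check is never redirected to after login, so comparing the originalUrl visible in the browser's address bar on arrival at the IdP with the regex is a quick first check when the post-login landing page is wrong.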