[
https://issues.apache.org/jira/browse/KNOX-1388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16543773#comment-16543773
]
Larry McCay commented on KNOX-1388:
-----------------------------------
No worries - I just want to make sure that you get proper eyes on your
questions.
I don't know that there is enough attached here either - you will likely need
to send logs.
I need to see the originalUrl query param set by the SSOCookieProvider when
redirecting to KnoxSSO for instance.
You will want to scrub the logs of any sensitive data like hostnames and the
like as well.
> Enable SAML authentication in Knox
> ----------------------------------
>
> Key: KNOX-1388
> URL: https://issues.apache.org/jira/browse/KNOX-1388
> Project: Apache Knox
> Issue Type: Task
> Components: KnoxSSO
> Reporter: PRAVEEN K RAVIKUMAR
> Priority: Major
>
> Hi,
>
> I'm Praveen. I'm working to enable SAML authentication in Apache Knox for our
> client. Currently I'm facing a few issues after setting up SSO-related config
> in KNOX.
>
> On accessing the YarnUI after starting the gateway, the browser gets
> redirected to the Identity provider URL -> asks for the login credentials ->
> on submitting, the user gets authenticated, but the application lands on
> https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com:8446 and
> throws a page not found error.
>
> I'm seeing the SAML request sent and the SAML response received, but it
> lands on an invalid page after authentication. I'm unable to figure out
> the page to land on after authentication.
>
>
> Our client uses: Ping Federate identity provider.
> Listed below is the configuration setup; screenshots are also attached for
> better understanding.
>
> IDP -> Config
> -------------
> Entity ID -
> https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client
> TargetURL - https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com:8446 (I'm
> not sure the target URL is valid, I suspect the page is getting redirected to
> this link after auth)
>
> KnoxSSO.xml
> ------------
> <topology>
>   <gateway>
>     <provider>
>       <role>federation</role>
>       <name>pac4j</name>
>       <enabled>true</enabled>
>       <param>
>         <name>pac4j.callbackUrl</name>
>         <value>https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com:8446/gateway/knoxsso/api/v1/websso</value>
>       </param>
>
>       <param>
>         <name>clientName</name>
>         <value>SAML2Client</value>
>       </param>
>
>       <param>
>         <name>saml.identityProviderMetadataPath</name>
>         <value>/tmp/preprod_metadata_SP.xml</value>
>       </param>
>
>       <param>
>         <name>saml.serviceProviderMetadataPath</name>
>         <value>/tmp/preprod_metadata_SP.xml</value>
>       </param>
>
>       <param>
>         <name>saml.serviceProviderEntityId</name>
>         <value>https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
>       </param>
>     </provider>
>     <provider>
>       <role>identity-assertion</role>
>       <name>Default</name>
>       <enabled>true</enabled>
>     </provider>
>   </gateway>
>
>   <service>
>     <role>KNOXSSO</role>
>     <param>
>       <name>knoxsso.cookie.secure.only</name>
>       <value>true</value>
>     </param>
>     <param>
>       <name>knoxsso.token.ttl</name>
>       <value>100000</value>
>     </param>
>     <param>
>       <name>knoxsso.redirect.whitelist.regex</name>
>       <value>^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>     </param>
>   </service>
> </topology>
>
>
> gate1.xml
> ---------
> <?xml version="1.0" encoding="utf-8"?>
> <topology>
>   <gateway>
>     <provider>
>       <role>federation</role>
>       <name>SSOCookieProvider</name>
>       <enabled>true</enabled>
>       <param>
>         <name>sso.authentication.provider.url</name>
>         <value>https://emr-knox-webui-dev-1021294088.us-west-2.elb.amazonaws.com:8446/gateway/knoxsso/api/v1/websso</value>
>       </param>
>     </provider>
>     <provider>
>       <role>identity-assertion</role>
>       <name>Default</name>
>       <enabled>true</enabled>
>     </provider>
>   </gateway>
>   <service>
>     <role>YARNUI</role>
>     <url>http://ip-10-89-71-228.vpc.internal:8088</url>
>   </service>
> </topology>
>
> Could you please help me with this? It would be very helpful to proceed further.
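
The comment above asks for the originalUrl query param that SSOCookieProvider sets when redirecting to KnoxSSO. The following is an added example, not part of the ticket or of Knox itself: it pulls originalUrl out of a redirect Location and tests it against the knoxsso.redirect.whitelist.regex value from the quoted KnoxSSO topology. The sample redirects and the /gateway/gate1/yarn/ path are constructed, and treating the whitelist as a whole-string match is an assumption.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# knoxsso.redirect.whitelist.regex as posted in the KnoxSSO topology above.
WHITELIST = (r"^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com"
             r"|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$")

# sso.authentication.provider.url as posted in gate1.xml above.
SSO = ("https://emr-knox-webui-dev-1021294088.us-west-2.elb.amazonaws.com:8446"
       "/gateway/knoxsso/api/v1/websso")

def sso_redirect(target):
    """Build a constructed redirect Location carrying `target` as originalUrl."""
    return SSO + "?originalUrl=" + quote(target, safe="")

# Constructed sample redirects (not taken from real logs); the path is assumed.
PATH = "/gateway/gate1/yarn/"
SAMPLES = {
    "whitelisted host": sso_redirect(
        "https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com:8446" + PATH),
    "ELB-named host": sso_redirect(
        "https://emr-knox-webui-dev-1021294088.us-west-2.elb.amazonaws.com:8446" + PATH),
    "no explicit port": sso_redirect(
        "https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com" + PATH),
    "no originalUrl": SSO + "?pac4jCallback=true&client_name=SAML2Client",
}

def original_url(location):
    """Return the decoded originalUrl query parameter, or None if absent."""
    values = parse_qs(urlsplit(location).query).get("originalUrl")
    return values[0] if values else None

def classify(location, whitelist=WHITELIST):
    """Return 'missing', 'allowed' or 'rejected' for one redirect Location."""
    url = original_url(location)
    if url is None:
        return "missing"
    # Assumption: the whole URL has to match the whitelist pattern.
    return "allowed" if re.fullmatch(whitelist, url) else "rejected"

def report(samples=SAMPLES):
    """Classify every sample redirect by name."""
    return {name: classify(loc) for name, loc in samples.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{verdict:8} {name}: {original_url(SAMPLES[name])}")
```

Running the same check on the originalUrl values found in scrubbed gateway logs shows whether the host and port the browser actually used are covered by the whitelist.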