moresandeep opened a new pull request #509:
URL: https://github.com/apache/knox/pull/509
## What changes were proposed in this pull request?
This PR tries to address the issue where Knox SSO goes into a redirect loop
when the authenticated user is part of too many groups. This happens because
Pac4J tries to save all the user entitlements in a profile object that Knox
saves as a cookie (for HA deployments). The unfortunate side effect of this is
that we are now bound by the cookie size.
This PR introduces the following parameters that can be controlled from
the knoxsso.xml topology:
| Property Name | Default Value | Description |
| ---------------- | ------------- | ------------|
| `pac4j.session.store.exclude.groups` | `true` | Exclude group entitlements from pac4j profile cookie |
| `pac4j.session.store.exclude.roles` | `true` | Exclude roles entitlements from pac4j profile cookie |
| `pac4j.session.store.exclude.permissions` | `true` | Exclude roles permissions from pac4j profile cookie |
Example config from knoxsso.xml
```
<param>
    <name>pac4j.session.store.exclude.groups</name>
    <value>false</value>
</param>
<param>
    <name>pac4j.session.store.exclude.roles</name>
    <value>true</value>
</param>
<param>
    <name>pac4j.session.store.exclude.permissions</name>
    <value>false</value>
</param>
```
## How was this patch tested?
This patch was tested on a local Apache Knox instance with Okta.
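An added illustration, not code from the PR or from Knox: a sizing check showing how the three exclude flags decide whether a profile cookie stays under a browser's per-cookie limit. The JSON, zlib and base64 encoding, the 4096-byte limit, the profile field names and the sample user are assumptions standing in for Knox's real cookie format.

```python
import base64, hashlib, json, zlib

COOKIE_LIMIT = 4096  # assumed per-cookie browser limit, in bytes

# Property names from the PR; True is the default stated in its table.
DEFAULTS = {
    "pac4j.session.store.exclude.groups": True,
    "pac4j.session.store.exclude.roles": True,
    "pac4j.session.store.exclude.permissions": True,
}
# The example knoxsso.xml values shown in the PR description.
PR_EXAMPLE = {**DEFAULTS,
              "pac4j.session.store.exclude.groups": False,
              "pac4j.session.store.exclude.permissions": False}

def filter_profile(profile, params):
    """Drop each entitlement field (hypothetical names) whose exclude flag is set."""
    kept = dict(profile)
    for field in ("groups", "roles", "permissions"):
        if params[f"pac4j.session.store.exclude.{field}"]:
            kept.pop(field, None)
    return kept

def cookie_size(profile, params):
    """Estimated cookie value size under the assumed JSON -> zlib -> base64 model."""
    raw = json.dumps(filter_profile(profile, params), sort_keys=True).encode()
    return len(base64.b64encode(zlib.compress(raw)))

def fits(profile, params):
    """True if the estimated cookie value stays within COOKIE_LIMIT."""
    return cookie_size(profile, params) <= COOKIE_LIMIT

def make_user(n_groups):
    """Constructed sample user with n_groups distinct directory-style group names."""
    groups = ["CN=team-%s,OU=Groups,DC=example,DC=com"
              % hashlib.sha256(str(i).encode()).hexdigest()[:12]
              for i in range(n_groups)]
    return {"id": "alice", "email": "alice@example.com", "groups": groups,
            "roles": ["analyst"], "permissions": ["read"]}

if __name__ == "__main__":
    user = make_user(1000)
    for label, params in (("defaults", DEFAULTS), ("PR example", PR_EXAMPLE)):
        size = cookie_size(user, params)
        print(f"{label}: {size} bytes, fits={size <= COOKIE_LIMIT}")
```

Under this model the defaults keep the 1000-group user's cookie small, while the example values, which set `pac4j.session.store.exclude.groups` to `false`, put the group list back into the cookie and exceed the limit for that user.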