Hi Rich - Glad to hear that you are using Apache Knox!
Pac4J OAuth providers require the creation of a "client" provider - as I understand it. Whether you can leverage any of the existing clients for a Ping IdP, I do not know but wouldn't expect. I am adding Jerome here for further insights - if he has any.

OpenID Connect support appears to allow for a more generic integration and others have been more successful in using that.

Something to be aware of for both of those mechanisms is that you will likely need the change in KNOX-1119 in order to get a meaningful user principal from the authentication. Otherwise, you will need to get creative with the identity assertion providers and try and map the IDs returned to user accounts.

KNOX-1119 will be in the upcoming 0.14.0 and 1.0.0 releases.

HTH.

--larry

On Mon, Nov 27, 2017 at 5:35 PM, O'Connell, Richard <Richard.O'[email protected]> wrote:

> Hi,
> We have been using Knox a little over 2 years to protect Kafka in our HDP
> implementation. However we are still relatively inexperienced with Knox
> beyond the basics.
>
> We are currently using AD/LDAP authentication but are wanting to move
> towards using OAuth which is the standard for our IDP (an implementation of
> Ping Identity). I have read the documentation and found that pac4j does
> support OAuth but have not found a good example of a knoxsso.xml and other
> configuration files necessary for a generic OAuth implementation with Knox.
>
> Any examples or guidance would be much appreciated.
>
> Thank you,
> -Rich
