Hello Sandeep, Sorry, that was an incomplete post earlier.
*myCluster.topology:*

<topology>
  <gateway>
    <provider>
      <role>webappsec</role>
      <name>WebAppSec</name>
      <enabled>true</enabled>
      <param>
        <name>cors.enabled</name>
        <value>true</value>
      </param>
    </provider>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>NAMENODE</role>
    <url>hdfs://myHostname:8020</url>
  </service>
  <service>
    <role>JOBTRACKER</role>
    <url>rpc://myHostname:8050</url>
  </service>
  <service>
    <role>WEBHDFS</role>
    <url>http://myHostname:50070/webhdfs</url>
  </service>
</topology>

*Logs:*

gateway.log: Nothing appears when the call starts.
The last message is:

2018-02-19 06:28:11,040 INFO hadoop.gateway (GatewayServer.java:internalActivateTopology(566)) - Activating topology knoxsso
2018-02-19 06:28:11,040 INFO hadoop.gateway (GatewayServer.java:internalActivateArchive(576)) - Activating topology knoxsso archive %2F

gateway-audit.log: Same as shared earlier:

18/02/19 06:30:01 ||477ab97f-884b-4421-90f9-70b7925c01b9|audit|WEBHDFS||||access|uri|/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|unavailable|Request method: GET
18/02/19 06:30:01 ||477ab97f-884b-4421-90f9-70b7925c01b9|audit|WEBHDFS||||access|uri|/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|success|Response status: 302
18/02/19 06:30:02 ||61b0dff1-ca1a-4fc2-868b-2e7b5d771ed0|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://52.169.143.168:8442/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|unavailable|Request method: GET
18/02/19 06:30:02 ||61b0dff1-ca1a-4fc2-868b-2e7b5d771ed0|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://52.169.143.168:8442/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|success|Response status: 302
18/02/19 06:31:03 ||ea79e31f-00a6-4404-94d6-ddc22d7ab5dd|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_aKT5XrjzxRAtHzViBkITGagTwTx0uHenFkQaq-6glGCQqPd7qX0buT_7n0nNCrT1Sv3f8dwcv6OzoMFlU-LBynYYhbkxGUX82WndCl3nalcZMsL-PB8TNGjqYx6aJ0k634C6_-1LGdIGsVkTK3urUSozifWRQ8H5o_vfTp-94TMQEVhjIi8VznQaM5jyCXPckolSV8_-ux_tRJG4KDLUy7tSbPTDKSnZUt7uyr_xrwzohscct-_HLACuAUpdz6pl1x-ap6b_dbNTHrrurcDHrFCM5YtJzfxnUTtVzqq-EH1irGrAG7G0DI-cbUETF2RG9B_QaE7nZDpS02LFmKB7Smkyr3KzYaRbCOzYn8e3qxZ2AuXbCNt1s6VSL1lEs2CJgzPB6U39UC93XMxX-9Bm1JfUNs4G8JxUnMblu0yhLfEHNeDeDkg5GMKHA_1CnvudKYyWqR6Jcj4UaJb7bSosM6CK0NO7jGoy1ZGqi_CKc84gKOsGYOTnzC5uLH5vMPWVTNiChCeBrURq339ZwcA01ArcQZmBztEksibU-A_RzZ1ZqqnLxcnByAWhPMjXyF8GwdLkfcGg_qkMEicNIkE4gEdW06TAInh0pZr71V5BvzW2f3qDDN6L_0IAk-aItcsCFs1q8EADk1rdtMbcEyl-ZgLJQuVk7izwn7T2p1p1thL2wpbHQ3ahh_Re5wAnn_0HOCKFXoTZeWSJ3SMq-_Wq9ill8g01ySI2bzbZAuFQhGrodKPCxkYfKO2TcgAA&state=IagOJAVbIKeAQyXMIDjBWJGduIGzCUUPM4RxPVjiHoA&session_state=5bb1f616-d21c-4e70-bbfe-b4458c97f5f8|unavailable|Request method: GET
18/02/19 06:31:03 ||ea79e31f-00a6-4404-94d6-ddc22d7ab5dd|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_aKT5XrjzxRAtHzViBkITGagTwTx0uHenFkQaq-6glGCQqPd7qX0buT_7n0nNCrT1Sv3f8dwcv6OzoMFlU-LBynYYhbkxGUX82WndCl3nalcZMsL-PB8TNGjqYx6aJ0k634C6_-1LGdIGsVkTK3urUSozifWRQ8H5o_vfTp-94TMQEVhjIi8VznQaM5jyCXPckolSV8_-ux_tRJG4KDLUy7tSbPTDKSnZUt7uyr_xrwzohscct-_HLACuAUpdz6pl1x-ap6b_dbNTHrrurcDHrFCM5YtJzfxnUTtVzqq-EH1irGrAG7G0DI-cbUETF2RG9B_QaE7nZDpS02LFmKB7Smkyr3KzYaRbCOzYn8e3qxZ2AuXbCNt1s6VSL1lEs2CJgzPB6U39UC93XMxX-9Bm1JfUNs4G8JxUnMblu0yhLfEHNeDeDkg5GMKHA_1CnvudKYyWqR6Jcj4UaJb7bSosM6CK0NO7jGoy1ZGqi_CKc84gKOsGYOTnzC5uLH5vMPWVTNiChCeBrURq339ZwcA01ArcQZmBztEksibU-A_RzZ1ZqqnLxcnByAWhPMjXyF8GwdLkfcGg_qkMEicNIkE4gEdW06TAInh0pZr71V5BvzW2f3qDDN6L_0IAk-aItcsCFs1q8EADk1rdtMbcEyl-ZgLJQuVk7izwn7T2p1p1thL2wpbHQ3ahh_Re5wAnn_0HOCKFXoTZeWSJ3SMq-_Wq9ill8g01ySI2bzbZAuFQhGrodKPCxkYfKO2TcgAA&state=IagOJAVbIKeAQyXMIDjBWJGduIGzCUUPM4RxPVjiHoA&session_state=5bb1f616-d21c-4e70-bbfe-b4458c97f5f8|success|Response status: 302
18/02/19 06:31:04 ||a1359a64-b95e-4ba2-b7da-b034e7a5aaef|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_aKT5XrjzxRAtHzNeoHuSgOIUpFOWWu5xR4oKQv5EMmCyrpR7TqamIS_pvoLeIJyZ3TUZQ09MuUzsyfhu2edGE4kZGdeFApDzU9rkB9548qwrsC4uNeK33suYdcBxMCf8V_T5jTE3vwrfL6XLASVYqCFpvdh8E73F6OmIvPY1CZIuhpoys0hZ_ENcifFW_k1heBkJ7RQEsWPos6r0ySGDrYb6K8FU--MPGCCCGEXyUsqA8winTLoUOFKKSqU5KPpUTeBNiUM5NfaKQ4tfk3WAsVbMhB-ylwctwd36-MzvFVXSPS6oRyc4Qzif2EJucFk34v2Uk8lO1WCa3vCKMzHI_gwPFNB7WqIfguGxgVHx714bWIGh86LxWstVxyX9g5MI2t0kp1VmT06sxy_TRKNNuveUuaNRa65NVSuxNoSCfJR846Ot5mWZfOVGeWPtSZZTgYpSaIAXduoNJ2kdz8rfoGRvJJCLMEJzYto7LcNIAYdu44FNunSa85mPpJmMqGM82OTmHLCNiruuVMYb4i4mULmRbP_HfrCW6CEuQTSKgWl157ntdf_dTfH9BqdMMF3oDBDFJ9_0BlfLB7Ca8a9Nxuf42iW1IZGjYHRg38IshGKza6Bx-aIbCmQafYwvu2qJglA4zv8FavBPWBaQBOAbXUiG5YeKO0iZjVqfcjYs4DhjFC5NXrMVuAvgc5mYWe7tgVr9MuXHpBgLAKFTyJzxh3KHZauNBCTn_l5nnbNLLWZX6gCeQiXaNme8IgAA&state=37Fkr9XwLsNs2cIs3FrFnqt1tnX2FYAks2PWT9QsUiw&session_state=5bb1f616-d21c-4e70-bbfe-b4458c97f5f8|unavailable|Request method: GET
18/02/19 06:31:04 ||a1359a64-b95e-4ba2-b7da-b034e7a5aaef|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_aKT5XrjzxRAtHzNeoHuSgOIUpFOWWu5xR4oKQv5EMmCyrpR7TqamIS_pvoLeIJyZ3TUZQ09MuUzsyfhu2edGE4kZGdeFApDzU9rkB9548qwrsC4uNeK33suYdcBxMCf8V_T5jTE3vwrfL6XLASVYqCFpvdh8E73F6OmIvPY1CZIuhpoys0hZ_ENcifFW_k1heBkJ7RQEsWPos6r0ySGDrYb6K8FU--MPGCCCGEXyUsqA8winTLoUOFKKSqU5KPpUTeBNiUM5NfaKQ4tfk3WAsVbMhB-ylwctwd36-MzvFVXSPS6oRyc4Qzif2EJucFk34v2Uk8lO1WCa3vCKMzHI_gwPFNB7WqIfguGxgVHx714bWIGh86LxWstVxyX9g5MI2t0kp1VmT06sxy_TRKNNuveUuaNRa65NVSuxNoSCfJR846Ot5mWZfOVGeWPtSZZTgYpSaIAXduoNJ2kdz8rfoGRvJJCLMEJzYto7LcNIAYdu44FNunSa85mPpJmMqGM82OTmHLCNiruuVMYb4i4mULmRbP_HfrCW6CEuQTSKgWl157ntdf_dTfH9BqdMMF3oDBDFJ9_0BlfLB7Ca8a9Nxuf42iW1IZGjYHRg38IshGKza6Bx-aIbCmQafYwvu2qJglA4zv8FavBPWBaQBOAbXUiG5YeKO0iZjVqfcjYs4DhjFC5NXrMVuAvgc5mYWe7tgVr9MuXHpBgLAKFTyJzxh3KHZauNBCTn_l5nnbNLLWZX6gCeQiXaNme8IgAA&state=37Fkr9XwLsNs2cIs3FrFnqt1tnX2FYAks2PWT9QsUiw&session_state=5bb1f616-d21c-4e70-bbfe-b4458c97f5f8|success|Response status: 302

This keeps continuing until the browser shows a page load error.

Regards,
Nisha

On Fri, Feb 16, 2018 at 7:25 PM, Sandeep Moré <moresand...@gmail.com> wrote:

> Hello Nisha,
> Can you share details of the "mycluster" topology? Also, can you turn up the
> logs to debug and share them along with the audit log; that would help us to
> understand the problem better.
>
> Best,
> Sandeep
>
> On Fri, Feb 16, 2018 at 3:16 AM, Nisha Menon <nisha.meno...@gmail.com> wrote:
>
>> Hello,
>>
>> I have set up KNOX to connect with Azure AD using pac4j.
>>
>> However, after the authentication at the Azure login page, it gets into an
>> infinite loop and does not give back the original REST call response.
>>
>> *Details:*
>>
>> 1. I try to access the original URL, e.g.:
>> https://x.x.2.3:8442/gateway/mycluster/webhdfs/v1/user?op=LISTSTATUS
>>
>> 2. It redirects to https://login.microsoftonline.com and asks for credentials.
>>
>> 3. After successful login at the Azure login page, it redirects to
>> http://x.x.2.3:8442/gateway/knoxsso/api/v1/websso with code, session
>> and state variables passed as below:
>>
>> https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4k***********************LFFm7C9cIShE7nggAA&state=5dzTZBYhEVDBrA*****************GZRNfANGb5ls&session_state=42f2447b-621***********790eaa2d18
>>
>> 2. Following this call, it *again* calls login.microsoftonline.com like below:
>>
>> https://login.microsoftonline.com/f82969ba-b***********c1d0557a/oauth2/authorize?response_type=code&client_id=385*******3-a4bdceaa34&redirect_uri=https%3A%2F%2Fx.x.2.3%3A8442%2Fgateway%2Fknoxsso%2Fapi%2Fv1%2Fwebsso%3Fpac4jCallback%3Dtrue%26client_name%3DOidcClient&scope=openid+profile+email&state=5dzTZBYhEVDBrAInao9VHDRd33uiRp-GZRNfANGb5ls&nonce=BvCUroM7_aKFjmbLYxaxbS0Mq9SJ8If0CUpITEGB-bw
>>
>> After this, steps 1 and 2 alternate several times and it finally lands up in
>> "ERR_TOO_MANY_REDIRECTS"!!!
>>
>> This is my knoxsso.xml:
>>
>> <topology>
>>   <gateway>
>>     <provider>
>>       <role>webappsec</role>
>>       <name>WebAppSec</name>
>>       <enabled>true</enabled>
>>       <param><name>xframe.options.enabled</name><value>true</value></param>
>>     </provider>
>>     <provider>
>>       <role>federation</role>
>>       <name>pac4j</name>
>>       <enabled>true</enabled>
>>       <param>
>>         <name>pac4j.callbackUrl</name>
>>         <value>https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso</value>
>>       </param>
>>       <param>
>>         <name>clientName</name>
>>         <value>OidcClient</value>
>>       </param>
>>       <param>
>>         <name>oidc.id</name>
>>         <value>385c2bc*****************2695eaa34</value>
>>       </param>
>>       <param>
>>         <name>oidc.secret</name>
>>         <value>Y30wOwM88BY************vYmPp8KMyDY2W+o=</value>
>>       </param>
>>       <param>
>>         <name>oidc.discoveryUri</name>
>>         <value>https://login.microsoftonline.com/f82969***********1d0557a/.well-known/openid-configuration</value>
>>       </param>
>>     </provider>
>>     <provider>
>>       <role>identity-assertion</role>
>>       <name>Default</name>
>>       <enabled>true</enabled>
>>     </provider>
>>   </gateway>
>>   <application>
>>     <name>knoxauth</name>
>>   </application>
>>   <service>
>>     <role>KNOXSSO</role>
>>     <param>
>>       <name>knoxsso.cookie.secure.only</name>
>>       <value>false</value>
>>     </param>
>>     <param>
>>       <name>knoxsso.token.ttl</name>
>>       <value>30000</value>
>>     </param>
>>     <param>
>>       <name>knoxsso.redirect.whitelist.regex</name>
>>       <value>^https?:\/\/(dap-e0|x\.x\.2\.3|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>     </param>
>>   </service>
>> </topology>
>>
>> I tried using response_type "id_token", enabling nonces, setting knoxsso.secure
>> to true, preferredJwsAlgorithm as RS256, etc. Nothing helps.
>>
>> gateway-audit.log when the redirection error starts:
>>
>> 18/02/15 12:38:02 ||7a66725e-6d9d-4ef5-9017-2b52d7d15ccf|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_a**********************_WuZRkgVKneLpp83HnSlcntEbAmAgAA&state=0n7h1Y2LTz_**************99P92pZonRN-c&session_state=f0ac55a1-4***********-53e3e126b40e|success|Response status: 302
>>
>> It clearly shows Response status as "302" and not "200". This leads to
>> redirection!
>>
>> What could I be missing here? Any pointers will be greatly appreciated.
>>
>> Regards,
>> Nisha
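Added example, not part of the thread and not Knox project code: a small Python checker over gateway-audit.log lines in the pipe-delimited layout shown in the messages above. It flags the loop pattern the thread describes (repeated 302 answers to the websso callback for one session_state) and tests a candidate originalUrl against the knoxsso.redirect.whitelist.regex value from the original post; the whole-match semantics and the sample log lines are assumptions/constructed, not taken from Knox.

```python
import re
from collections import Counter

# gateway-audit.log layout as it appears in the thread:
#   <date> <time> ||<correlation-id>|audit|<service>||||access|uri|<uri>|<outcome>|<message>
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \|\|(?P<cid>[0-9a-f-]+)\|audit\|"
    r"(?P<service>[A-Z]+)\|\|\|\|access\|uri\|(?P<uri>[^|]*)\|(?P<outcome>[^|]*)\|(?P<msg>.*)$"
)

# knoxsso.redirect.whitelist.regex value from the original post, copied verbatim.
WHITELIST = r"^https?:\/\/(dap-e0|x\.x\.2\.3|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"

# Constructed sample log (not real data): ids and authorization codes are shortened placeholders.
SAMPLE_LOG = """\
18/02/19 06:30:01 ||477ab97f|audit|WEBHDFS||||access|uri|/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|unavailable|Request method: GET
18/02/19 06:30:01 ||477ab97f|audit|WEBHDFS||||access|uri|/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|success|Response status: 302
18/02/19 06:31:03 ||ea79e31f|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=CODE1&state=S1&session_state=5bb1f616|success|Response status: 302
18/02/19 06:31:04 ||a1359a64|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=CODE2&state=S2&session_state=5bb1f616|success|Response status: 302
18/02/19 06:31:05 ||0c0ffee0|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=CODE3&state=S3&session_state=5bb1f616|success|Response status: 302
"""

def parse_audit(text):
    """One dict per line matching the audit layout; lines in any other layout are ignored."""
    return [m.groupdict() for m in map(AUDIT_RE.match, text.splitlines()) if m]

def query_params(uri):
    """Split the query string of an audit uri into a dict (values are left URL-encoded)."""
    query = uri.split("?", 1)[1] if "?" in uri else ""
    return dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)

def websso_callback_loops(text, threshold=3):
    """Count KNOXSSO websso callbacks (uri carries ?code=...) answered with 302, per session_state.
    A single such 302 is the normal hop back to originalUrl after login; several in a row for
    the same session_state, each with a fresh code, is the ERR_TOO_MANY_REDIRECTS pattern.
    Returns {session_state: count} for sessions at or above the threshold."""
    counts = Counter()
    for entry in parse_audit(text):
        if entry["service"] != "KNOXSSO" or "Response status: 302" not in entry["msg"]:
            continue
        params = query_params(entry["uri"])
        if "code" in params:
            counts[params.get("session_state", "?")] += 1
    return {s: n for s, n in counts.items() if n >= threshold}

def redirect_allowed(original_url, whitelist=WHITELIST):
    """Whole-string match of originalUrl against the whitelist regex. Assumed to approximate
    how Knox applies knoxsso.redirect.whitelist.regex; this is not Knox's own check."""
    return re.fullmatch(whitelist, original_url) is not None
```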