Hello Praveen,

I am not familiar with the PING Federate identity provider, but it looks like your target URL could be wrong. Can you try using https://<dnsname>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client as the Target URL (basically the entity ID as the target URL)? I am assuming this is where the SAML assertion is sent.
You can use the SAML-tracer add-on for Firefox to see the SAML requests and responses; it helped me a lot.

Best,
Sandeep

On Mon, Jul 16, 2018 at 1:36 PM Ravikumar, Praveen Krishnamoorthy <rpkr...@amazon.com> wrote:
> Hi,
>
> I'm Praveen. I'm working on a POC to set up Apache Knox on the master node of an EMR cluster for our client. With the help of the documentation I was able to install Knox successfully and was able to run a few tests. Currently I'm facing an issue enabling SAML authentication, on which I'm kind of blocked, and I don't know how to proceed or troubleshoot the issue. I have provided a few details regarding the issue and I would love to provide more if needed.
>
> Could anyone help me with this? It would be very helpful for me to proceed further.
>
> TASK:
> -----
> To enable SAML authentication for Apache Knox.
>
> NOTE: Apache Knox is installed and running on port 8446
>
> STEP 1: SSO request initiation.
> *******************************
> - Our client uses the PING Federate identity provider.
> - Raised a request to register the application for SSO access.
>   Entity ID - https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client
>   Target URL - https://<dnsName>:8446 (I'm not sure the target URL is valid; I suspect the page is getting redirected to this link after auth)
> - I received an IdP metadata.xml and certificate.
>
> STEP 2: Topology config
> ***********************
>
> KnoxSSO.xml
> -----------
> <topology>
>   <gateway>
>     <provider>
>       <role>federation</role>
>       <name>pac4j</name>
>       <enabled>true</enabled>
>       <param>
>         <name>pac4j.callbackUrl</name>
>         <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso</value>
>       </param>
>       <param>
>         <name>clientName</name>
>         <value>SAML2Client</value>
>       </param>
>       <param>
>         <name>saml.identityProviderMetadataPath</name>
>         <value>/tmp/preprod_metadata_SP.xml</value>
>       </param>
>       <param>
>         <name>saml.serviceProviderMetadataPath</name>
>         <value>/tmp/preprod_metadata_SP.xml</value>
>       </param>
>       <param>
>         <name>saml.serviceProviderEntityId</name>
>         <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client</value>
>       </param>
>     </provider>
>     <provider>
>       <role>identity-assertion</role>
>       <name>Default</name>
>       <enabled>true</enabled>
>     </provider>
>   </gateway>
>   <service>
>     <role>KNOXSSO</role>
>     <param>
>       <name>knoxsso.cookie.secure.only</name>
>       <value>true</value>
>     </param>
>     <param>
>       <name>knoxsso.token.ttl</name>
>       <value>100000</value>
>     </param>
>     <param>
>       <name>knoxsso.redirect.whitelist.regex</name>
>       <value>^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>     </param>
>   </service>
> </topology>
>
> gate1.xml
> ---------
> <?xml version="1.0" encoding="utf-8"?>
> <topology>
>   <gateway>
>     <provider>
>       <role>federation</role>
>       <name>SSOCookieProvider</name>
>       <enabled>true</enabled>
>       <param>
>         <name>sso.authentication.provider.url</name>
>         <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>
>       </param>
>     </provider>
>     <provider>
>       <role>identity-assertion</role>
>       <name>Default</name>
>       <enabled>true</enabled>
>     </provider>
>   </gateway>
>   <service>
>     <role>YARNUI</role>
>     <url>http://<dnsname>:8088</url>
>   </service>
> </topology>
>
> PROBLEM:
> ********
> On accessing the YARN UI (Firefox browser) after starting the gateway, the browser gets redirected to the identity provider URL -> asks for the login credentials -> on submitting, the user gets authenticated, but the application lands on https://<DNSDomain>:8446 and throws a page-not-found error.
>
> I'm seeing the SAML request being sent and the SAML response being received, but it lands on an invalid page after authentication. I'm unable to figure out the page to land on after authentication.
>
> Hope I have provided the required details. Please do let me know if you need any additional details.
>
> Thanks,
> Praveen.
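As an added example (not code from either message in this thread, and not Apache Knox's own code), here is a small Python linter for a KnoxSSO topology of the shape posted above. It reads the pac4j provider and KNOXSSO service parameters, checks that saml.serviceProviderEntityId follows the callback-URL-plus-pac4jCallback convention both messages use, checks that the IdP and SP metadata paths are different files, and runs candidate post-login redirect URLs against knoxsso.redirect.whitelist.regex. The host knox.example.com, the /tmp metadata file names and the URLs tested are constructed placeholders, and the whitelist check assumes that for a pattern anchored with ^ and $ Python's re.match agrees with the Java regex match Knox performs.

```python
"""Lint a KnoxSSO topology that uses the pac4j SAML federation provider.

Added example; not Apache Knox code. Host names, file paths and URLs are
constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the knoxsso.xml from the thread.
# knox.example.com and the /tmp/*.xml paths are placeholders, not real values.
KNOXSSO_XML = r"""<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <param><name>pac4j.callbackUrl</name>
             <value>https://knox.example.com:8446/gateway/knoxsso/api/v1/websso</value></param>
      <param><name>clientName</name><value>SAML2Client</value></param>
      <param><name>saml.identityProviderMetadataPath</name><value>/tmp/idp_metadata.xml</value></param>
      <param><name>saml.serviceProviderMetadataPath</name><value>/tmp/sp_metadata.xml</value></param>
      <param><name>saml.serviceProviderEntityId</name>
             <value>https://knox.example.com:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value></param>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>true</value></param>
    <param><name>knoxsso.token.ttl</name><value>100000</value></param>
    <param><name>knoxsso.redirect.whitelist.regex</name>
           <value>^https?:\/\/(knox\.example\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value></param>
  </service>
</topology>
"""


def _params(root, tag, key_tag, key):
    """Return {param name: value} for the first <tag> whose <key_tag> text equals key."""
    for node in root.iter(tag):
        if node.findtext(key_tag) == key:
            return {p.findtext("name"): p.findtext("value") for p in node.findall("param")}
    return {}


def is_whitelisted(regex, url):
    """True if the whole URL matches the anchored whitelist regex.

    Assumption: for a ^...$ pattern, Python re.match gives the same answer as
    the Java regex match Knox applies to the original-URL redirect target.
    """
    return re.match(regex, url) is not None


def lint_knoxsso(xml_text, redirect_urls):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    pac4j = _params(root, "provider", "name", "pac4j")
    sso = _params(root, "service", "role", "KNOXSSO")
    findings = []

    # Convention used in the thread: entity ID = callback URL + pac4j callback query string.
    callback = pac4j.get("pac4j.callbackUrl", "")
    client = pac4j.get("clientName", "SAML2Client")
    expected = f"{callback}?pac4jCallback=true&client_name={client}"
    entity_id = pac4j.get("saml.serviceProviderEntityId", "")
    if entity_id != expected:
        findings.append(f"entity ID mismatch: expected {expected}, got {entity_id}")

    # IdP metadata is read; SP metadata is written. The same path for both is suspicious.
    idp_path = pac4j.get("saml.identityProviderMetadataPath")
    sp_path = pac4j.get("saml.serviceProviderMetadataPath")
    if idp_path and idp_path == sp_path:
        findings.append("IdP and SP metadata paths point at the same file")

    if sso.get("knoxsso.cookie.secure.only", "").lower() != "true":
        findings.append("knoxsso.cookie.secure.only is not true")

    regex = sso.get("knoxsso.redirect.whitelist.regex", "")
    if not regex:
        findings.append("no knoxsso.redirect.whitelist.regex set")
    else:
        for url in redirect_urls:
            if not is_whitelisted(regex, url):
                findings.append(f"post-login redirect not whitelisted: {url}")
    return findings


if __name__ == "__main__":
    # Constructed candidates: the protected service URL a user first requests,
    # the bare gateway root, the same host without a port, and a foreign host.
    candidates = [
        "https://knox.example.com:8446/gateway/gate1/yarn/",
        "https://knox.example.com:8446",
        "https://knox.example.com/gateway/gate1/yarn/",
        "https://attacker.example.net:8446/",
    ]
    for finding in lint_knoxsso(KNOXSSO_XML, candidates) or ["no findings"]:
        print(finding)
```

Run it against your real knoxsso.xml by swapping the sample for the file contents and passing the URL you typed into the browser plus the URL you actually landed on. One property of the posted regex worth knowing: the `:[0-9].*` after the host alternation means a redirect target without an explicit port never passes the whitelist, which is why the third constructed candidate above is flagged while the bare `https://knox.example.com:8446` root is allowed.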