Posted to user@knox.apache.org by "Rutland, Nathan A CTR DISA BD (US)" <na...@mail.mil> on 2018/07/26 21:45:18 UTC

Knox connection to Active Directory Federation Services?

I have been looking all over for an example of connecting to Active Directory Federation Services.  Has anyone successfully implemented this with SAML 2.0?

Our ADFS has a Common Access Card PKI tie-in, so I'm trying to leverage it to have Knox pointed to ADFS and Ambari set up as SSO to Knox.  Ultimately, when someone tries to connect to Ambari, it will request the PIN from the CAC certificate, do an ADFS lookup in Active Directory, and send back a SAML token of success or failure.  Possibly some other pieces of information to help tie that AD username into the Hadoop cluster.

VR, N



Re: Knox connection to Active Directory Federation Services?

Posted by larry mccay <lm...@apache.org>.
I don't recall seeing anyone using ADFS yet.
This would certainly be of interest and if you get it to work - it would be
great to get a wiki tutorial for doing so!

I have seen deployments with CAC cards where the challenge is done via
proxy like WebGate or something like that and then Header based Preauth is
used in KnoxSSO to establish the session via HTTP Headers.
This would require a combination of network controls that require access
can only be gained through the authenticating proxy and some form of trust
relationship between Knox and the proxy like mutual authentication.

On Thu, Jul 26, 2018 at 5:45 PM, Rutland, Nathan A CTR DISA BD (US) <nathan.a.rutland2.ctr@mail.mil> wrote:

> I have been looking all over for an example of connecting to Active
> Directory Federation Services.  Has anyone successfully implemented this
> with SAML 2.0?
>
> Our ADFS has a Common Access Card PKI tie-in, so I'm trying to leverage it
> to have Knox pointed to ADFS and Ambari set up as SSO to Knox.  Ultimately,
> when someone tries to connect to Ambari, it will request the PIN from the
> CAC certificate, do an ADFS lookup in Active Directory, and send back a
> SAML token of success or failure.  Possibly some other pieces of
> information to help tie that AD username into the Hadoop cluster.
>
> VR, N
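The header-based preauth arrangement Larry describes, sketched as an added example that is not from this thread or the Knox project: a KnoxSSO topology `federation` provider shown first with the default (trust-any-client) setting and then restricted to the authenticating proxy. The proxy address and the group header name are assumed placeholders; the parameter names are the HeaderPreAuth provider's own.

```xml
<!-- Added example, not from the thread. Fragment for the <gateway> element of
     the KnoxSSO topology. Values marked PLACEHOLDER are assumptions. -->

<!-- Weak: the identity header is accepted from any client, so anyone who can
     reach Knox directly (bypassing the CAC-challenging proxy) can assert any
     username simply by sending SM_USER. -->
<provider>
    <role>federation</role>
    <name>HeaderPreAuth</name>
    <enabled>true</enabled>
    <param>
        <name>preauth.validation.method</name>
        <value>preauth.default.validation</value>
    </param>
</provider>

<!-- Hardened: the header is trusted only when the request's source address is
     the proxy. This complements, and does not replace, the network controls
     and proxy-to-Knox trust (e.g. mutual TLS) mentioned in the reply: a host
     that can present the proxy's address would still pass IP validation. -->
<provider>
    <role>federation</role>
    <name>HeaderPreAuth</name>
    <enabled>true</enabled>
    <param>
        <name>preauth.validation.method</name>
        <value>preauth.ip.validation</value>
    </param>
    <param>
        <!-- PLACEHOLDER: only the address(es) of the CAC-challenging proxy -->
        <name>preauth.ip.addresses</name>
        <value>10.0.0.5</value>
    </param>
    <param>
        <!-- header in which the proxy sets the authenticated AD principal -->
        <name>preauth.custom.header</name>
        <value>SM_USER</value>
    </param>
    <param>
        <!-- PLACEHOLDER header name: comma-separated AD groups from the proxy -->
        <name>preauth.custom.group.header</name>
        <value>SM_GROUPS</value>
    </param>
</provider>
```

Requests that fail validation are rejected by the provider rather than treated as anonymous, so a direct-to-Knox request with a forged SM_USER is refused under the hardened configuration.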