Posted to dev@community.apache.org by "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com.INVALID> on 2018/07/16 16:58:48 UTC

Need help in enabling SAML auth in Apache Knox

Hi,
I'm Praveen. I'm working on a POC to set up Apache Knox on the master node of an EMR cluster for our client. With the help of the documentation I was able to install Knox successfully and was able to run a few tests. Currently I'm facing an issue with enabling SAML authentication, on which I'm kind of blocked, and I don't know how to proceed or troubleshoot the issue. I have provided a few details regarding the issue and I would love to provide more if needed.

Could anyone help me with this? It would be very helpful for me to proceed further.

TASK:
-----
To enable SAML authentication for Apache Knox.

NOTE: Apache Knox is installed and running on port 8446

STEP 1: SSO request initiation.
*******************************
- Our client uses the PING Federate identity provider.
- Raised a request to register the application for SSO access.
        Entity ID - https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client
        Target URL - https://<dnsName>:8446 (I'm not sure the target URL is valid; I suspect the page is getting redirected to this link after auth)
- I received an IDP metadata.xml and certificate.

STEP 2: Topology config
***********************

KnoxSSO.xml
------------
<topology>
   <gateway>
     <provider>
         <role>federation</role>
         <name>pac4j</name>
         <enabled>true</enabled>
         <param>
          <name>pac4j.callbackUrl</name>
          <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso</value>
         </param>
         <param>
           <name>clientName</name>
           <value>SAML2Client</value>
         </param>
         <param>
           <name>saml.identityProviderMetadataPath</name>
           <value>/tmp/preprod_metadata_SP.xml</value>
         </param>
         <param>
           <name>saml.serviceProviderMetadataPath</name>
           <value>/tmp/preprod_metadata_SP.xml</value>
         </param>
         <param>
           <name>saml.serviceProviderEntityId</name>
           <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
         </param>
     </provider>
     <provider>
         <role>identity-assertion</role>
         <name>Default</name>
         <enabled>true</enabled>
     </provider>
   </gateway>
   <service>
       <role>KNOXSSO</role>
       <param>
         <name>knoxsso.cookie.secure.only</name>
         <value>true</value>
      </param>
      <param>
        <name>knoxsso.token.ttl</name>
        <value>100000</value>
      </param>
      <param>
         <name>knoxsso.redirect.whitelist.regex</name>
         <value>^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
      </param>
   </service>
</topology>

gate1.xml
---------
<?xml version="1.0" encoding="utf-8"?>
<topology>
  <gateway>
    <provider>
        <role>federation</role>
        <name>SSOCookieProvider</name>
        <enabled>true</enabled>
        <param>
            <name>sso.authentication.provider.url</name>
            <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>
        </param>
    </provider>
    <provider>
        <role>identity-assertion</role>
        <name>Default</name>
        <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
      <role>YARNUI</role>
      <url>http://<dnsname>:8088</url>
  </service>
</topology>


PROBLEM:
********
On accessing the YARN UI (Firefox browser) after starting the gateway, the browser gets redirected to the identity provider URL -> asks for the login credentials -> on submitting, the user gets authenticated, but the application lands on https://<DNSDomain>:8446 and throws a page not found error.
I'm seeing the SAML request being sent and the SAML response being received, but it lands on an invalid page after authentication. I'm unable to figure out the page to land on after authentication.


Hope I have provided the required details. Please do let me know if you need any additional details.

Thanks,
Praveen.
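Added here as an illustration, not part of Praveen's post or of Knox's own code: a small Python check that applies the `knoxsso.redirect.whitelist.regex` from the KnoxSSO.xml topology above to candidate post-login redirect targets (the `originalUrl` KnoxSSO is asked to send the browser back to). The regex is anchored with `^` and `$`, so a full-string match is assumed; the sample URLs are constructed, and `gateway.example.internal` stands in for the redacted `<dnsName>`.

```python
import re

# Allowlist regex copied from the knoxsso.redirect.whitelist.regex param above.
WHITELIST_REGEX = (
    r"^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com|localhost|"
    r"127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"
)


def redirect_allowed(original_url: str, regex: str = WHITELIST_REGEX) -> bool:
    """Return True if this originalUrl passes the KnoxSSO redirect allowlist.

    The pattern carries its own ^ and $ anchors, so the whole string must
    match; re.fullmatch is used rather than re.search to make that explicit.
    """
    return re.fullmatch(regex, original_url) is not None


def classify(urls):
    """Map each candidate originalUrl to True (allowed) or False (blocked)."""
    return {u: redirect_allowed(u) for u in urls}


# Constructed candidates. "gateway.example.internal" is a placeholder for the
# redacted <dnsName> in the post; the ELB hostname is the one named in the regex.
CANDIDATES = [
    "https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com:8446/gateway/gate1/yarn/",
    "https://localhost:8446/gateway/gate1/yarn/",
    # No port after the host: rejected by the ":[0-9]" part of the regex.
    "https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com/gateway/gate1/yarn/",
    # Host not listed in the regex (e.g. the master node's own <dnsName>): rejected.
    "https://gateway.example.internal:8446/gateway/gate1/yarn/",
    # A longer hostname that merely starts with the allowed name: the escaped
    # dots and the mandatory ":<port>" right after the host reject it.
    "https://emr-knox-webui-dev.us-west-2.elb.amazonaws.com.other.test:8446/",
]

if __name__ == "__main__":
    for url, ok in classify(CANDIDATES).items():
        print("ALLOWED " if ok else "BLOCKED ", url)
```

Only the first two candidates are accepted; a gateway hostname that is not in the regex is blocked even though it is the host the user came from, so the allowlist must name every hostname through which the protected UIs are reached.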

Re: Need help in enabling SAML auth in Apache Knox

Posted by Andrew Musselman <an...@gmail.com>.
Hi Praveen, you could get in touch with the Knox team using their 
mailing lists instead of this one:

https://knox.apache.org/mail-lists.html

Good luck!

On Mon, Jul 16, 2018 at 9:58 AM, Ravikumar, Praveen Krishnamoorthy 
<rp...@amazon.com.INVALID> wrote: