Hi,
I'm Praveen. I'm working on a POC to set up Apache Knox on the master node of an 
EMR cluster for our client. With the help of the documentation I was able to 
install Knox successfully and run a few tests. Currently I'm facing an issue 
enabling SAML authentication, on which I'm kind of blocked, and I don't know 
how to proceed or troubleshoot the issue. I have provided a few details 
regarding the issue and I would love to provide more if needed.

Could anyone help me with this? It would be very helpful for me to proceed further.

TASK:
-----
To enable SAML authentication for Apache Knox.

NOTE: Apache Knox is installed and running on port 8446

STEP 1: SSO request initiation.
*******************************
- Our client uses the PingFederate identity provider.
- Raised a request to register the application for SSO access.
        Entity ID - https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client
        Target URL - https://<dnsName>:8446 (I'm not sure the target URL is valid; I suspect the page is getting redirected to this link after auth)
- I received an IDP metadata.xml and certificate.

STEP 2: Topology config
***********************

KnoxSSO.xml
------------
<topology>
   <gateway>
     <provider>
         <role>federation</role>
         <name>pac4j</name>
         <enabled>true</enabled>
         <param>
          <name>pac4j.callbackUrl</name>
          <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso</value>
         </param>
         <param>
           <name>clientName</name>
           <value>SAML2Client</value>
         </param>
         <param>
           <name>saml.identityProviderMetadataPath</name>
           <value>/tmp/preprod_metadata_SP.xml</value>
         </param>
         <param>
           <name>saml.serviceProviderMetadataPath</name>
           <value>/tmp/preprod_metadata_SP.xml</value>
         </param>
         <param>
           <name>saml.serviceProviderEntityId</name>
           <value>https://<dnsName>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
         </param>
     </provider>
     <provider>
         <role>identity-assertion</role>
         <name>Default</name>
         <enabled>true</enabled>
     </provider>
   </gateway>
   <service>
       <role>KNOXSSO</role>
       <param>
         <name>knoxsso.cookie.secure.only</name>
         <value>true</value>
      </param>
      <param>
        <name>knoxsso.token.ttl</name>
        <value>100000</value>
      </param>
      <param>
         <name>knoxsso.redirect.whitelist.regex</name>
         <value>^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
      </param>
   </service>
</topology>

gate1.xml
---------
<?xml version="1.0" encoding="utf-8"?>
<topology>
  <gateway>
    <provider>
        <role>federation</role>
        <name>SSOCookieProvider</name>
        <enabled>true</enabled>
        <param>
            <name>sso.authentication.provider.url</name>
            <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>
        </param>
    </provider>
    <provider>
        <role>identity-assertion</role>
        <name>Default</name>
        <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
      <role>YARNUI</role>
      <url>http://<dnsname>:8088</url>
  </service>
</topology>


PROBLEM:
********
On accessing the YARN UI (Firefox browser) after starting the gateway, the 
browser gets redirected to the identity provider URL -> asks for the login 
credentials -> on submitting, the user gets authenticated but the 
application lands on https://<DNSDomain>:8446 and throws a page not found 
error.
I'm seeing the SAML request sent and the SAML response received, but it 
lands on an invalid page after authentication. I'm unable to figure out the 
page to land on after authentication.


Hope I have provided the required details. Please do let me know if you need 
any additional details.

Thanks,
Praveen.
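
As an added example (not part of Praveen's post and not Knox's own code): a small Python linter over a constructed excerpt of the KnoxSSO topology above, with the placeholder hostname `knox.example.internal`. It flags the IdP and SP metadata params pointing at the same file, confirms the SP entity ID is derived from the pac4j callback URL, and checks candidate `originalUrl` values against the posted `knoxsso.redirect.whitelist.regex`, which only admits the listed ELB and loopback hosts.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the KnoxSSO.xml topology from the post (hostname is a placeholder).
KNOXSSO_TOPOLOGY = r"""<topology>
  <gateway>
    <provider>
      <role>federation</role><name>pac4j</name><enabled>true</enabled>
      <param><name>pac4j.callbackUrl</name>
        <value>https://knox.example.internal:8446/gateway/knoxsso/api/v1/websso</value></param>
      <param><name>clientName</name><value>SAML2Client</value></param>
      <param><name>saml.identityProviderMetadataPath</name><value>/tmp/preprod_metadata_SP.xml</value></param>
      <param><name>saml.serviceProviderMetadataPath</name><value>/tmp/preprod_metadata_SP.xml</value></param>
      <param><name>saml.serviceProviderEntityId</name>
        <value>https://knox.example.internal:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value></param>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(emr-knox-webui-dev\.us-west-2\.elb\.amazonaws\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value></param>
  </service>
</topology>"""


def params_of(root, role):
    """Return {name: value} for the <param> children of the first provider/service with this role."""
    for node in root.iter():
        if node.tag in ("provider", "service") and node.findtext("role") == role:
            return {p.findtext("name"): p.findtext("value") for p in node.findall("param")}
    return {}


def lint_knoxsso(topology_xml, original_urls):
    """Return a list of finding strings; an empty list means every check passed."""
    root = ET.fromstring(topology_xml)
    pac4j = params_of(root, "federation")
    sso = params_of(root, "KNOXSSO")
    findings = []
    # IdP metadata (from PingFederate) and SP metadata (Knox's own) are different documents.
    if pac4j.get("saml.identityProviderMetadataPath") == pac4j.get("saml.serviceProviderMetadataPath"):
        findings.append("idp-metadata-equals-sp-metadata")
    callback = pac4j.get("pac4j.callbackUrl", "")
    entity = pac4j.get("saml.serviceProviderEntityId", "")
    if not (callback and entity.startswith(callback)):
        findings.append("entity-id-not-based-on-callback")
    # Every originalUrl KnoxSSO may redirect back to must match the anchored whitelist regex.
    whitelist = re.compile(sso.get("knoxsso.redirect.whitelist.regex", "(?!)"))
    for url in original_urls:
        if not whitelist.match(url):
            findings.append("originalUrl-not-whitelisted:" + url)
    return findings
```

Running `lint_knoxsso` with an ELB-hosted URL and a `knox.example.internal` URL reports the duplicated metadata path and that only the ELB hostname passes the whitelist.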
