Created on 10-03-2017 11:29 AM - edited 09-16-2022 05:20 AM
Hi
I am trying to configure HUE with SAML Authentication and am receiving the following error:
[03/Oct/2017 11:13:36 +0000] response DEBUG conditions: <?xml version='1.0' encoding='UTF-8'?> <saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2017-10-03T18:08:35.668Z" NotOnOrAfter="2017-10-03T18:18:35.668Z"><saml:AudienceRestriction><saml:Audience>http://xxxxx.us-east-1.elb.amazonaws.com/saml2/metadata/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
[03/Oct/2017 11:13:36 +0000] response DEBUG --- Getting Identity ---
[03/Oct/2017 11:13:36 +0000] response DEBUG Attribute Statement: <?xml version='1.0' encoding='UTF-8'?> <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:string">svasiraju</saml:AttributeValue></saml:Attribute><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:string">abc@yahoo.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
[03/Oct/2017 11:13:36 +0000] response DEBUG Converts name format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
[03/Oct/2017 11:13:36 +0000] response DEBUG --- AVA: {'uid': ['svasiraju'], 'email': ['abc@yahoo.com']}
[03/Oct/2017 11:13:36 +0000] response INFO Subject NameID: <?xml version='1.0' encoding='UTF-8'?> <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">abc@yahoo.com</saml:NameID>
[03/Oct/2017 11:13:36 +0000] client_base INFO --- ADDED person info ----
[03/Oct/2017 11:13:36 +0000] backends ERROR Session info or attribute mapping are None
[03/Oct/2017 11:13:36 +0000] views ERROR The user is None
Here is my configuration in HUE:
# Xmlsec1 binary path. This program should be executable by the user running Hue.
xmlsec_binary=/usr/bin/xmlsec1
assertion_consumer_service_uri="http://xxx.us-east-1.elb.amazonaws.com/saml2/acs/"
entity_id="http://xxx.us-east-1.elb.amazonaws.com/saml2/metadata/"
create_users_on_login=true
required_attributes=uid
metadata_file=/opt/hue/desktop/conf/metadata2.xml
key_file=/opt/hue/desktop/conf/mattermost-x509.pem
cert_file=/opt/hue/desktop/conf/cert2.pem
user_attribute_mapping={'uid': ('username', ), 'email': ('email', )},
logout_requests_signed=true
username_source=attributes
TIA
Created 10-03-2017 05:14 PM
I have used the following with success previously:
user_attribute_mapping='{"uid":"username"}'
It does appear that the IDP --> Django mapping is not occurring. Currently we only use map to "username".
Created 10-03-2017 02:36 PM
Surprisingly, commenting out "user_attribute_mapping={'uid': ('username',)}" in the config file (it uses the same thing, which is the default) does the magic. It looks like the following code in libsaml/conf.py is creating the problem.
def dict_list_map(value):
    if isinstance(value, str):
        d = {}
        for k, v in json.loads(value).iteritems():
            d[k] = (v,)
        return d
    elif isinstance(value, dict):
        return value
    return None

USER_ATTRIBUTE_MAPPING = Config(
    key="user_attribute_mapping",
    default={'uid': ('username', )},
    type=dict_list_map,
    help=_t("A mapping from attributes in the response from the IdP to django user attributes."))
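An added example, not part of the original posts and not Hue's own code: a Python 3 port of the `dict_list_map` function quoted above, run against the value forms discussed in this thread, next to a hypothetical stricter parser (`strict_attribute_mapping`) that rejects a bad value at load time instead of returning None. The `SPLIT_LIST` input is an assumption about how an ini loader that splits unquoted values on commas would hand the value to the type function.

```python
import json

def dict_list_map(value):
    # Python 3 port of the function quoted above (.items() for .iteritems()).
    if isinstance(value, str):
        return {k: (v,) for k, v in json.loads(value).items()}
    elif isinstance(value, dict):
        return value
    return None  # any other type: the mapping silently becomes None

def strict_attribute_mapping(value):
    # Hypothetical stricter variant (not Hue code): fail at config load
    # instead of handing the SAML backend a None mapping.
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError as exc:
            raise ValueError("user_attribute_mapping is not valid JSON: %s" % exc)
    if not isinstance(value, dict) or not value:
        raise ValueError("user_attribute_mapping must be a non-empty JSON object; "
                         "got %s (quote the whole value)" % type(value).__name__)
    return {k: (v,) if isinstance(v, str) else tuple(v) for k, v in value.items()}

def outcome(parser, value):
    # Return the parsed mapping, or the string "ValueError" if parsing is rejected.
    try:
        return parser(value)
    except ValueError:
        return "ValueError"

# Constructed inputs modelled on the values in this thread.
QUOTED_JSON = '{"uid":"username"}'          # the form reported as working
PY_LITERAL = "{'uid': ('username', )}"      # same text, if it arrived as one string
SPLIT_LIST = ["{'uid': ('username'", ")}"]  # assumed shape after comma splitting

if __name__ == "__main__":
    for label, raw in [("quoted JSON", QUOTED_JSON), ("python literal", PY_LITERAL),
                       ("comma-split list", SPLIT_LIST)]:
        print("%-17s quoted fn: %-28r strict: %r" % (
            label, outcome(dict_list_map, raw), outcome(strict_attribute_mapping, raw)))
```

Only the quoted JSON string yields a mapping from the quoted function; the list input returns None without any error, which matches the "Session info or attribute mapping are None" line in the log above.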
Created 10-04-2017 08:22 AM
Thank you for your response. It is working with user_attribute_mapping='{"uid":"username"}'. I was following the given example user_attribute_mapping={'uid': ('username', )} which was failing.
Thank you once again.
Created 03-10-2019 11:52 PM
Can you help me with some example for user_attribute_mapping='{"uid":"username"}' ?
My requirement is:
Post integrating with SAML, when a user tries to access the Hue UI, If IDP returns UID of user post authentication but when user logged in Hue UI shows Username which I want to be displayed.
Can you help me to understand about below property which says
user_attribute_mapping - Map user attributes provided by IDP to Hue attributes
What are Hue attributes?
- Vijay M