Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

KnoxSSO Integration with AWS SSO Error

Highlighted

KnoxSSO Integration with AWS SSO Error

Contributor

We are attempting to integrate the AWS Single-Sign-On Application with KnoxSSO.


KnoxSSO.xml

<topology>
   <gateway>
     <provider>
         <role>federation</role>
         <name>pac4j</name>
         <enabled>true</enabled>
         <param>
           <name>pac4j.callbackUrl</name>
      <value>https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso</value>
         </param>
         <param>
           <name>clientName</name>
           <value>SAML2Client</value>
         </param>
         <param>
           <name>saml.identityProviderMetadataPath</name>
           <value>https://portal.sso.us-east-1.amazonaws.com/saml/metadata/<REDACTED></value>
         </param> 
         <param>
           <name>saml.serviceProviderMetadataPath</name>
           <value>/tmp/sp-metadata.xml</value>
         </param> 
         <param>
           <name>saml.serviceProviderEntityId</name>
<value>https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
         </param>
     </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>true</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>3000000</value>
        </param>
        <param>
            <name>knoxsso.redirect.whitelist.regex</name>
            <value>.*</value>
        </param>
        <param>
            <name>knoxsso.cookie.max.age</name>
            <value>session</value>
        </param>
    </service>
</topology>


Gateway.xml

<topology>
  <gateway>
    <provider>
        <role>federation</role>
        <name>SSOCookieProvider</name>
        <enabled>true</enabled>
        <param>
            <name>sso.authentication.provider.url</name>
            <value>https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso</value>
        </param>
    </provider>
    <provider>
        <role>identity-assertion</role>
        <name>Default</name>
        <enabled>true</enabled>
    </provider>
  </gateway>    
  <service>
    <role>AMBARI</role>
    <url>http://ip-10-10-32-143.us-east-2.compute.internal:8080</url>
</service>
<service>
    <role>AMBARIUI</role>
    <url>http://ip-10-10-32-143.us-east-2.compute.internal:8080</url>
</service>
<service>
    <role>AMBARIWS</role>
    <url>http://ip-10-10-32-143.us-east-2.compute.internal:8080</url>
</service>
<service>
    <role>NAMENODE</role>
    <url>hdfs://mycluster</url>
</service>
<service>
    <role>JOBTRACKER</role>
    <url>rpc://ip-10-10-32-181.us-east-2.compute.internal:8050</url>
</service>
<service>
    <role>WEBHDFS</role>
    <url>http://ip-10-10-32-169.us-east-2.compute.internal:50070/webhdfs</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:50070/webhdfs</url>
</service>
<service>
    <role>HIVE</role>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:10001/cliservice</url>
</service>
<service>
    <role>RESOURCEMANAGER</role>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:8088/ws</url>
</service>
<service>
    <role>JOBHISTORYUI</role>
    <url>http://ip-10-10-32-169.us-east-2.compute.internal:19888</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:19888</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:19888</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:19888</url>
</service>
<service>
    <role>SPARKHISTORYUI</role>
    <url>http://ip-10-10-32-169.us-east-2.compute.internal:18081/</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:18081/</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:18081/</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:18081/</url>
</service>
<service>
    <role>ZEPPELINUI</role>
    <url>http://ip-10-10-32-143.us-east-2.compute.internal:9995</url>
</service>
<service>
    <role>ZEPPELINWS</role>
    <url>ws://ip-10-10-32-143.us-east-2.compute.internal:9995/ws</url>
</service>
<service>
    <role>LIVYSERVER</role>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:8999</url>
</service>
</topology>


The SAML2Request:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client"
                     Destination="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/<REDACTED>"
                     ForceAuthn="false"
                     ID="_hkqsnsohez6jghntmirrdoiadknevetpemxqrwd"
                     IsPassive="false"
                     IssueInstant="2019-06-06T19:39:27.927Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     ProviderName="pac4j-saml"
                     Version="2.0"
                     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_hkqsnsohez6jghntmirrdoiadknevetpemxqrwd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
        <ds:DigestValue>7lbvfnpnYJJho3ebYnkzb+mbsJrUKJmUle/eYObkqMroSFLwKFfUnRIstSRaOvSRhzfu7P7gTv3U mWLk52iTfg==
        </ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      <REDACTED>
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
<REDACTED>
</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</saml2p:AuthnRequest>


The SAML2Response:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                 xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 Destination="https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;amp;client_name=SAML2Client"
                 ID="_da4abe2b-a005-4f5c-950b-3e9e2646c0a5"
                 InResponseTo="_hkqsnsohez6jghntmirrdoiadknevetpemxqrwd"
                 IssueInstant="2019-06-06T19:39:28.148Z"
                 Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.sso.us-east-1.amazonaws.com/saml/assertion/<REDACTED></saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_da4abe2b-a005-4f5c-950b-3e9e2646c0a5">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
      PrefixList="xsd" />
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>mq219kl40ETgkW9K1WNoqi3R/KsxVYtTyXNis7Vpsy4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>

      oNkvQntjMJ7NS3lLSM9XYxjSmHfWLw6C8fh/dFRcM4hVxNUpiplYN8dYQt/xAniAsAI6UEsFY5wz NHHH5R0hSkKhMp4KlBDY9ASJ5ySeCWM0CIZhV1w9V0pO935rV+hdhUMgS2Fb86ggN4LjBlKNHSFp D4sqUKvsTXptWYcu48Y8tOPedtgpwHUdc+ziV5ufAeJsbLtumk5oN3kGpDBX7qqOUc8T7GhKopXS wc+1kCEY1tjOZX0dN/T6K5A4wL/+DhzycxTGY0b0KB2eKK4ULEfDFxeIVdicaFH5yMyhWor7urL7
      t6A5rEpyFlPKM23KDUZq/eDkhBp6LV+aMMuVUA==
</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIIDAzCCAeugAwIBAgIBATANBgkqhkiG9w0BAQsFADBFMRYwFAYDVQQDDA1hbWF6b25hd3MuY29tMQ0wCwYDVQQLDARJREFTMQ8wDQYDVQQKDAZBbWF6b24xCzAJBgNVBAYTAlVTMB4XDTE5MDYwNjE4NTQ0OVoXDTI0MDYwNjE4NTQ0OVowRTEWMBQGA1UEAwwNYW1hem9uYXdzLmNvbTENMAsGA1UECwwESURBUzEPMA0GA1UECgwGQW1hem9uMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL8E+P9tAWZuze/PC94va6epzs1p6KXiVaCqNgGltkZ2a7ffukNuV2ll0PXkK3SPDguiSR+FHdD3hmqhCmBnGZRge/TP+HFNBS8cxtThCV72dUfIYvJIa+dVIXf5aBOqMmUzjHPrGyaDjMaHQge1AYfoGWzSt6Fon0ji+UXJyYs57IGe8OA5DgeATfykWWpHDF1EAH3U5nF0WIOSl31kW6nTYhDNkZkBc2MgrO0fzNGyrj/dSfaU+LFsh52IsXNtHxnZTy1+rmEvW5iJb/lYQG+JFvu6o45zvLLjGpz7L1T7b5l9pq0AgrJEOvTS0W2NKdgAfTlI2Xdv7bVNIME3K18CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAkAh5SWXZZXr7HxBbSG7UCf9vX+9aF3mX6KrPrikWskf/g99C3U2DOlStz17KZ7+dTwvhSZLkIwuWRa+t+HyJy4R+3c/aW4jlTeibQGxfTDeHBHozjSeub1g8oKW7ui7eMH3maXwe87WGTkPvRN3zQgfBSlBTKhU/DRUTdeIlC+en2hoFTchW0OTGd/O2t/CxXSqRHhDT6n8RHq5jDL8q5LvjNHAnEOD/1rjd9FIo3i+47HpUGp7RJnzN3SD9W1piUc2Ai5SI7AOzwpBGgg6XioFt9Itt5eYPgBuuS/pLhXjrg4VC7ZYIBL9TAIHmgmG2am5/AVTsD+Y+gZ0tKRzLiQ==
</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></saml2p:Status>
  <saml2:Assertion ID="_b818a50e-1221-46df-9bca-9f29f7613532"
                   IssueInstant="2019-06-06T19:39:28.149Z"
                   Version="2.0"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.sso.us-east-1.amazonaws.com/saml/assertion/<REDACTED></saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_b818a50e-1221-46df-9bca-9f29f7613532">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
        PrefixList="xsd" />
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>k+f/xrSENKFdbbvRs4WeeDiN+cm6eigvJwkcKxRFiBk=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>

        <REDACTED>
</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
<REDACTED>
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                    SPNameQualifier="https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;amp;client_name=SAML2Client">CRodgers@guideone.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_hkqsnsohez6jghntmirrdoiadknevetpemxqrwd"
         NotOnOrAfter="2019-06-06T20:39:28.149Z"
         Recipient="https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;amp;client_name=SAML2Client" /></saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-06-06T19:34:28.149Z"
                      NotOnOrAfter="2019-06-06T20:39:28.149Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;amp;client_name=SAML2Client</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2019-06-06T19:39:28.149Z"
                          SessionIndex="_836223ec-5dcc-43ca-9029-3b1697389835"
                          SessionNotOnOrAfter="2019-06-06T20:39:28.149Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Username"
                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xsd:string">i103246@guidehome.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>


Gateway.log Errors:

2019-06-06 14:38:54,540 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: name cannot be blank
2019-06-06 14:38:54,540 ERROR knox.gateway (GatewayFilter.java:doFilter(173)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: name cannot be blank
javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: name cannot be blank
Caused by: org.pac4j.core.exception.TechnicalException: name cannot be blank


AWS ACS URL: https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&a...

AWS Audience: https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&a...

AWS Start URL: https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&a...


Is there anything glaringly wrong with this setup? We believe our issue to be coming from the encoding/decoding of the & -> &amp; -> &amp;amp; We've tried to remove the ampersand all together, but each time a request is made, the &amp; shows up in the request. Any and all help is appreciated.

1 REPLY 1

Re: KnoxSSO Integration with AWS SSO Error

Community Manager

The above was originally posted in the Community Help Track. On Sun Jun 9 15:04 UTC 2019, a member of the HCC moderation staff moved it to the Cloud & Operations track. The Community Help Track is intended for questions about using the HCC site itself.

Bill Brooks, Community Manager
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Don't have an account?
Coming from Hortonworks? Activate your account here