
KnoxSSO Integration with AWS SSO Error


We are attempting to integrate the AWS Single-Sign-On Application with KnoxSSO.


KnoxSSO.xml

<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <param>
        <name>pac4j.callbackUrl</name>
        <value>https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso</value>
      </param>
      <param>
        <name>clientName</name>
        <value>SAML2Client</value>
      </param>
      <param>
        <name>saml.identityProviderMetadataPath</name>
        <value>https://portal.sso.us-east-1.amazonaws.com/saml/metadata/<REDACTED></value>
      </param>
      <param>
        <name>saml.serviceProviderMetadataPath</name>
        <value>/tmp/sp-metadata.xml</value>
      </param>
      <param>
        <name>saml.serviceProviderEntityId</name>
        <value>https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param>
      <name>knoxsso.cookie.secure.only</name>
      <value>true</value>
    </param>
    <param>
      <name>knoxsso.token.ttl</name>
      <value>3000000</value>
    </param>
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>.*</value>
    </param>
    <param>
      <name>knoxsso.cookie.max.age</name>
      <value>session</value>
    </param>
  </service>
</topology>


Gateway.xml

<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>AMBARI</role>
    <url>http://ip-10-10-32-143.us-east-2.compute.internal:8080</url>
  </service>
  <service>
    <role>AMBARIUI</role>
    <url>http://ip-10-10-32-143.us-east-2.compute.internal:8080</url>
  </service>
  <service>
    <role>AMBARIWS</role>
    <url>http://ip-10-10-32-143.us-east-2.compute.internal:8080</url>
  </service>
  <service>
    <role>NAMENODE</role>
    <url>hdfs://mycluster</url>
  </service>
  <service>
    <role>JOBTRACKER</role>
    <url>rpc://ip-10-10-32-181.us-east-2.compute.internal:8050</url>
  </service>
  <service>
    <role>WEBHDFS</role>
    <url>http://ip-10-10-32-169.us-east-2.compute.internal:50070/webhdfs</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:50070/webhdfs</url>
  </service>
  <service>
    <role>HIVE</role>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:10001/cliservice</url>
  </service>
  <service>
    <role>RESOURCEMANAGER</role>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:8088/ws</url>
  </service>
  <service>
    <role>JOBHISTORYUI</role>
    <url>http://ip-10-10-32-169.us-east-2.compute.internal:19888</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:19888</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:19888</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:19888</url>
  </service>
  <service>
    <role>SPARKHISTORYUI</role>
    <url>http://ip-10-10-32-169.us-east-2.compute.internal:18081/</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:18081/</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:18081/</url>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:18081/</url>
  </service>
  <service>
    <role>ZEPPELINUI</role>
    <url>http://ip-10-10-32-143.us-east-2.compute.internal:9995</url>
  </service>
  <service>
    <role>ZEPPELINWS</role>
    <url>ws://ip-10-10-32-143.us-east-2.compute.internal:9995/ws</url>
  </service>
  <service>
    <role>LIVYSERVER</role>
    <url>http://ip-10-10-32-181.us-east-2.compute.internal:8999</url>
  </service>
</topology>


The SAML2Request:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client"
                     Destination="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/<REDACTED>"
                     ForceAuthn="false"
                     ID="_hkqsnsohez6jghntmirrdoiadknevetpemxqrwd"
                     IsPassive="false"
                     IssueInstant="2019-06-06T19:39:27.927Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     ProviderName="pac4j-saml"
                     Version="2.0"
                     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_hkqsnsohez6jghntmirrdoiadknevetpemxqrwd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
        <ds:DigestValue>7lbvfnpnYJJho3ebYnkzb+mbsJrUKJmUle/eYObkqMroSFLwKFfUnRIstSRaOvSRhzfu7P7gTv3U mWLk52iTfg==
        </ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue><REDACTED></ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate><REDACTED></ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</saml2p:AuthnRequest>


The SAML2Response:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                 xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 Destination="https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;amp;client_name=SAML2Client"
                 ID="_da4abe2b-a005-4f5c-950b-3e9e2646c0a5"
                 InResponseTo="_hkqsnsohez6jghntmirrdoiadknevetpemxqrwd"
                 IssueInstant="2019-06-06T19:39:28.148Z"
                 Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.sso.us-east-1.amazonaws.com/saml/assertion/<REDACTED></saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_da4abe2b-a005-4f5c-950b-3e9e2646c0a5">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
      PrefixList="xsd" />
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>mq219kl40ETgkW9K1WNoqi3R/KsxVYtTyXNis7Vpsy4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      oNkvQntjMJ7NS3lLSM9XYxjSmHfWLw6C8fh/dFRcM4hVxNUpiplYN8dYQt/xAniAsAI6UEsFY5wz NHHH5R0hSkKhMp4KlBDY9ASJ5ySeCWM0CIZhV1w9V0pO935rV+hdhUMgS2Fb86ggN4LjBlKNHSFp D4sqUKvsTXptWYcu48Y8tOPedtgpwHUdc+ziV5ufAeJsbLtumk5oN3kGpDBX7qqOUc8T7GhKopXS wc+1kCEY1tjOZX0dN/T6K5A4wL/+DhzycxTGY0b0KB2eKK4ULEfDFxeIVdicaFH5yMyhWor7urL7
      t6A5rEpyFlPKM23KDUZq/eDkhBp6LV+aMMuVUA==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate><REDACTED></ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></saml2p:Status>
  <saml2:Assertion ID="_b818a50e-1221-46df-9bca-9f29f7613532"
                   IssueInstant="2019-06-06T19:39:28.149Z"
                   Version="2.0"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.sso.us-east-1.amazonaws.com/saml/assertion/<REDACTED></saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_b818a50e-1221-46df-9bca-9f29f7613532">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
        PrefixList="xsd" />
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>k+f/xrSENKFdbbvRs4WeeDiN+cm6eigvJwkcKxRFiBk=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue><REDACTED></ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate><REDACTED></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                    SPNameQualifier="https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;amp;client_name=SAML2Client">CRodgers@guideone.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_hkqsnsohez6jghntmirrdoiadknevetpemxqrwd"
         NotOnOrAfter="2019-06-06T20:39:28.149Z"
         Recipient="https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;amp;client_name=SAML2Client" /></saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-06-06T19:34:28.149Z"
                      NotOnOrAfter="2019-06-06T20:39:28.149Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&amp;amp;client_name=SAML2Client</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2019-06-06T19:39:28.149Z"
                          SessionIndex="_836223ec-5dcc-43ca-9029-3b1697389835"
                          SessionNotOnOrAfter="2019-06-06T20:39:28.149Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Username"
                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xsd:string">i103246@guidehome.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>


Gateway.log Errors:

2019-06-06 14:38:54,540 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: name cannot be blank
2019-06-06 14:38:54,540 ERROR knox.gateway (GatewayFilter.java:doFilter(173)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: name cannot be blank
javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: name cannot be blank
Caused by: org.pac4j.core.exception.TechnicalException: name cannot be blank


AWS ACS URL: https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&a...

AWS Audience: https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&a...

AWS Start URL: https://<REDACTED>.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso/api/v1/websso?pac4jCallback=true&a...


Is there anything glaringly wrong with this setup? We believe our issue to be coming from the encoding/decoding of the & -> &amp; -> &amp;amp;. We've tried to remove the ampersand altogether, but each time a request is made, the &amp; shows up in the request. Any and all help is appreciated.
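As an added check (not code from the original post, nor from Knox or pac4j), the script below parses a constructed SAML Response skeleton, compares Destination, Recipient and Audience against the SP entity ID, and shows how the double-escaped ampersand visible in the response above surfaces: after the XML parser undoes one level of escaping, the query parameter is named amp;client_name, so no client_name value is present. The ELB hostname and the response skeleton are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP entity ID in the shape used in the thread (the ELB host is a placeholder).
SP_ENTITY_ID = ("https://example-elb.us-east-2.elb.amazonaws.com/cr-cluster/knoxsso"
                "/api/v1/websso?pac4jCallback=true&client_name=SAML2Client")

# Constructed, unsigned response skeleton; {u} is the URL exactly as the IdP serialised it.
RESPONSE_TEMPLATE = """<saml2p:Response xmlns:saml2p="{p}" xmlns:saml2="{a}" Destination="{u}">
  <saml2:Assertion><saml2:Subject><saml2:SubjectConfirmation>
    <saml2:SubjectConfirmationData Recipient="{u}"/></saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>{u}</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></saml2p:Response>"""

def build_response(url_as_emitted):
    return RESPONSE_TEMPLATE.format(p=NS["saml2p"], a=NS["saml2"], u=url_as_emitted)

def query_params(url):
    """Split the query on '&' only (never ';') into a name -> value dict."""
    query = urlsplit(url).query
    return dict(part.partition("=")[::2] for part in query.split("&") if part)

def check_response(xml_text, sp_entity_id):
    """Return findings; an empty list means all three URLs match and client_name is present."""
    root = ET.fromstring(xml_text)  # the XML parser undoes exactly one level of &amp; escaping
    urls = {
        "Destination": root.get("Destination"),
        "Recipient": root.find(".//saml2:SubjectConfirmationData", NS).get("Recipient"),
        "Audience": root.findtext(".//saml2:Audience", namespaces=NS),
    }
    findings = []
    for label, url in urls.items():
        if url != sp_entity_id:
            findings.append(f"{label} does not match the SP entity ID: {url}")
        params = query_params(url)
        if "client_name" not in params:
            # A double-escaped '&amp;amp;' decodes to a literal '&amp;', so the parameter
            # arrives as 'amp;client_name' and the callback sees no client name at all.
            findings.append(f"{label} has no client_name parameter; got {sorted(params)}")
    return findings

# Single-escaped (what the SP expects) versus double-escaped (what the thread's response shows).
GOOD_RESPONSE = build_response(SP_ENTITY_ID.replace("&", "&amp;"))
BAD_RESPONSE = build_response(SP_ENTITY_ID.replace("&", "&amp;amp;"))

if __name__ == "__main__":
    for name, xml_text in (("single-escaped", GOOD_RESPONSE), ("double-escaped", BAD_RESPONSE)):
        print(name, check_response(xml_text, SP_ENTITY_ID) or "OK")
```

Running it reports no findings for the single-escaped response and six for the double-escaped one: each of the three URLs differs from the SP entity ID, and each lacks a client_name parameter.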


The above was originally posted in the Community Help Track. On Sun Jun 9 15:04 UTC 2019, a member of the HCC moderation staff moved it to the Cloud & Operations track. The Community Help Track is intended for questions about using the HCC site itself.

Bill Brooks, Community Moderator