Chapter 7. Configuring Identity Assertion

The Knox Gateway identity-assertion provider maps an authenticated user to an internal cluster user and/or group. This allows the Knox Gateway to accept requests from external users without requiring internal cluster user names to be exposed.

The gateway evaluates the authenticated user against the identity-assertion provider to determine the following:

  1. Does the user match any user mapping rules:

    • True: The first matching $cluster_user is asserted, that is, it becomes the authenticated user.

    • False: The authenticated user is asserted.

  2. Does the authenticated user match any group mapping rules:

    • True: The authenticated user is a member of all matching groups (for the purpose of authorization).

    • False: The authenticated user is not a member of any mapped groups.


When authenticated by an SSO provider, the authenticated user is a member of all groups defined in the request as well as any that match the group.principal.mapping.
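
The evaluation order described above can be modelled in a few lines to review a mapping before deploying it. This is an added example, not Knox source code. It assumes the rule syntax `name[,name...]=target[,target...];...` with `*` matching any user, assumes group rules are checked against the asserted user, and uses constructed mapping values and a hypothetical `assert_identity` helper.

```python
# Added example: a model of the evaluation order described above, not Knox code.
# Assumed rule syntax: "name[,name...]=target[,target...];..." ("*" = any user).

def parse_rules(value):
    """Parse a mapping string into an ordered list of (names, targets)."""
    rules = []
    for rule in value.split(";"):
        if not rule.strip():
            continue
        left, sep, right = rule.partition("=")
        names = [n.strip() for n in left.split(",") if n.strip()]
        targets = [t.strip() for t in right.split(",") if t.strip()]
        if not sep or not names or not targets:
            raise ValueError(f"malformed rule: {rule!r}")
        rules.append((names, targets))
    return rules

def matches(names, user):
    return "*" in names or user in names

def assert_identity(user, request_groups, principal_mapping, group_mapping):
    """Return (asserted_user, groups) for an authenticated user."""
    asserted = user  # step 1, False branch: the authenticated user is asserted
    for names, targets in parse_rules(principal_mapping):
        if matches(names, user):
            asserted = targets[0]  # step 1, True branch: first match wins
            break
    # Groups carried in the request (SSO case) are kept alongside mapped ones.
    groups = set(request_groups)
    for names, targets in parse_rules(group_mapping):
        if matches(names, asserted):
            groups.update(targets)  # step 2: every matching rule contributes
    return asserted, sorted(groups)

# Constructed sample mappings for illustration only.
PRINCIPAL_MAPPING = "guest,bob=hdfs;alice=analyst"
GROUP_MAPPING = "*=users;hdfs=admin"

if __name__ == "__main__":
    for name, sso_groups in [("bob", []), ("carol", []), ("alice", ["sso-eng"])]:
        print(name, "->", assert_identity(name, sso_groups,
                                          PRINCIPAL_MAPPING, GROUP_MAPPING))
```

Running it over the full list of expected external users shows which of them end up asserted as a privileged cluster user or placed in a group through a wildcard rule.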
