Configuring Proxy with Apache Knox

Configuring a Federation Provider

An overview of federation providers, to help you choose the right one for your environment.

There are two types of providers supported in Knox for establishing a user’s identity:
  • Authentication Providers

  • Federation Providers

Authentication providers directly accept a user’s credentials and validate them against a particular user store. Federation providers, on the other hand, do not see the credentials at all: they validate a token that has been issued for the user by a trusted Identity Provider (IdP).
There are different federation providers:
  • HeaderPreAuth

    HeaderPreAuth is a preauthenticated SSO provider.

    A number of SSO solutions provide mechanisms for federating an authenticated identity across applications. These mechanisms are at times simple HTTP Header type tokens that can be used to propagate the identity across process boundaries.

    Knox Gateway needs a pluggable mechanism for consuming these tokens and federating the asserted identity through an interaction with the cluster.

    The HeaderPreAuth provider is configured within the topology file and has a minimal configuration that assumes the SM_USER header set by CA SiteMinder. The following example is the bare minimum configuration for SiteMinder (with no IP address validation).
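    The two topology fragments below are added here as an illustration and are not the configuration shipped with the page or the Knox project. The first is the minimal HeaderPreAuth provider, which trusts any request carrying an SM_USER header; the second adds the IP-address validation that the page mentions, so that only requests arriving from the SiteMinder agent hosts are honoured. The parameter names `preauth.custom.header`, `preauth.validation.method` and `preauth.ip.addresses` are taken from the Knox HeaderPreAuth provider documentation; the address `10.0.0.5` is a placeholder for your own agent host.

```xml
<!-- Added example (not from the page): Knox topology <gateway> section, HeaderPreAuth for SiteMinder -->
<gateway>

  <!-- 1. Bare minimum: trusts the SM_USER header from ANY client that can reach the gateway.
          Only safe when the gateway is reachable solely through the SiteMinder agent. -->
  <provider>
    <role>federation</role>
    <name>HeaderPreAuth</name>
    <enabled>true</enabled>
    <!-- SM_USER is the default header name, so this param may be omitted; shown for clarity -->
    <param>
      <name>preauth.custom.header</name>
      <value>SM_USER</value>
    </param>
  </provider>

  <!-- 2. Same provider with IP validation: the header is accepted only when the request
          originates from one of the listed trusted addresses (placeholder 10.0.0.5). -->
  <!--
  <provider>
    <role>federation</role>
    <name>HeaderPreAuth</name>
    <enabled>true</enabled>
    <param>
      <name>preauth.custom.header</name>
      <value>SM_USER</value>
    </param>
    <param>
      <name>preauth.validation.method</name>
      <value>preauth.ip.validation</value>
    </param>
    <param>
      <name>preauth.ip.addresses</name>
      <value>10.0.0.5</value>
    </param>
  </provider>
  -->

</gateway>
```

    Only one federation provider may be active in a topology, which is why the second variant is commented out; swap the comment markers to switch between them. In practice the minimal form is a risk unless network controls guarantee that every request has passed through the SiteMinder agent, because anything that can reach the gateway port can otherwise assert an arbitrary identity simply by adding the header. The IP-validated form ties acceptance of the header to the agent hosts, which is the check a defender will want before exposing the gateway more widely.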

  • SSOCookieProvider

    The SSOCookieProvider enables the federation of an authentication event that occurred through KnoxSSO. KnoxSSO is a typical SP-initiated WebSSO mechanism: it sets a cookie that browsers present to participating applications, and each application cryptographically verifies that cookie before trusting the identity it carries.

  • JWT

    The JWT federation provider accepts JWT tokens presented as Bearer tokens in the Authorization header of the incoming request. Once the token has been extracted and its signature verified, the request is processed on behalf of the user the token represents.

    This provider is closely related to the Knox Token Service and is essentially the provider that is used to consume the tokens issued by the Knox Token Service.

  • Pac4j

    Pac4j is a Java security engine that authenticates users, retrieves their profiles and manages their authorizations in order to secure Java web applications. It supports many authentication mechanisms for both UI and web-service clients and is used by many frameworks and tools.

    In Knox, it is used as a federation provider to support the OAuth, CAS, SAML and OpenID Connect protocols. It must be used for SSO in association with the KnoxSSO service, and optionally with the SSOCookieProvider for access to REST APIs.