Configuring Apache Knox SSO

Setting Up Knox SSO

Knox SSO provides web UI SSO (Single Sign-On) capabilities to your cluster. Knox SSO enables your users to log in once and gain access to cluster resources. To set up Knox SSO, you configure an identity provider, enable SSO using the Ambari CLI, and then manually configure various component settings.

Context

The flexibility of the Apache Knox authentication and federation providers allows KnoxSSO to normalize authentication events through token exchange, resulting in a common JWT (JSON Web Token)-based token.

KnoxSSO provides an abstraction for integrating any number of authentication systems and SSO solutions, and enables participating web applications to scale to those solutions more easily. Without the token exchange capabilities offered by KnoxSSO, each component UI would need to integrate with each desired solution on its own. With KnoxSSO, they only need to integrate with the single solution and common token.

Configuring Knox SSO Workflow Overview

There are two ways to set up Knox SSO:
  • LDAP/AD: Uses the default form-based identity provider, Shiro. Use this if you have an Active Directory deployment.
  • SAML: Uses the pac4j provider and integrates with the identity provider Okta. Use this if you integrate with an external identity provider.

To set up Knox SSO with LDAP/AD, complete the following workflow:
  1. Install Knox.
  2. Configure Ambari Authentication for LDAP/AD.
  3. Configure an LDAP/AD Identity Provider (IdP).
  4. Enable Knox SSO using the Ambari CLI.
  5. Configure Knox SSO for HDFS, Oozie, MapReduce2, Zeppelin, or YARN.
  6. Restart all services that require a restart via Ambari.

To set up Knox SSO with SAML/Okta, complete the following workflow:
  1. Install Knox.
  2. Configure an Okta Identity Provider (IdP).
  3. Set up Knox SSO via the Ambari CLI.
  4. Set up Knox SSO via Component Config Files.
  5. Restart all services that require a restart via Ambari.

For information on what services are supported for Knox SSO, see the “Knox Supported Services Matrix”.