Concat Identity Assertion Provider
The Concat identity assertion provider allows for composition of a new user principal through the concatenation of optionally configured prefix and/or suffix provider parameters. This is a useful assertion provider for converting an incoming identity into a disambiguated identity within the cluster based on what topology is used to access.
Concat Identity Assertion is a new provider for the Knox Gateway that enables you to map principals by concatenating strings to either the front or the back of a specified username. The Identity Assertion Provider provides the critical function of determining the Identity Principal that you will want to use in your cluster to represent the identity that has been authenticated at the gateway. For more information on the Identity Assertion Provider and how it is used in the Knox Gateway, refer to the Identity Assertion chapter in the Apache Knox 0.11.x User Guide. If you would like to convert the user principal into a value that represents an identity from a particular user domain, use a configuration similar to the below example.
<provider>
<role>identity-assertion</role>
<name>Concat</name>
<enabled>true</enabled>
<param>
<name>concat.suffix</name>
<value>domain1</value>
</param>
<provider>
Notice in this example that the identity-assertion
role has been
named Concat
and has been enabled (true) for the Identity Assertion
Provider, with the conact.suffix
parameter given a value of
domain1
and concatenation will occur at the end of the username
(concat.suffix
). You may also use a parameter called
concat.prefix
to indicate a value to concatenate to the front
of the username.