Configure Apache Knox authentication for SAML
Knox authentication configurations for SAML in Cloudera Manager. Knox uses pac4j provider for SAML.
Configuring SAML with the pac4j provider
You can configure SAML in Cloudera Manager through
An example minimal configuration is shown below:
authentication.enabled=false
role=federation
federation.name=pac4j
federation.param.clientName=SAML2Client federation.param.pac4j.callbackUrl=https://knox.example.com:8443/gateway/knoxsso/api/v1/websso federation.param.saml.identityProviderMetadataPath=/etc/knox/conf/idp.xml federation.param.saml.serviceProviderMetadataPath=/etc/knox/conf/sp.xml
federation.param.saml.serviceProviderEntityId=knox-sp-entity
authentication.param.remove=main.pamRealm
authentication.param.remove=main.pamRealm.service
You can find additional
advanced configuration options in the upstream Apache Knox and pac4j documentation.You can obtain the Identity Provider (IdP) metadata that Knox needs from your IdP admins. The information required to configure the SAML Identity Provider, including the Knox entity id and AssertionConsumerService endpoint, is contained in the SAML Service Provider (SP) metadata which Knox generates automatically. Once the SP metadata has been written to the serviceProviderMetadataPath on the Knox host, you can send it to the IdP admins to complete the configuration at the IdP side.