Configure Apache Knox Authentication for SAML
Knox authentication configuration for SAML in Cloudera Manager. Knox uses the pac4j provider for SAML.
Configuring SAML with the pac4j provider
You can configure SAML in Cloudera Manager through
An example minimal configuration is shown below:
authentication.enabled=false
role=federation
federation.name=pac4j
federation.param.clientName=SAML2Client
federation.param.pac4j.callbackUrl=https://knox.example.com:8443/gateway/knoxsso/api/v1/websso
federation.param.saml.identityProviderMetadataPath=/etc/knox/conf/idp.xml
federation.param.saml.serviceProviderMetadataPath=/etc/knox/conf/sp.xml
federation.param.saml.serviceProviderEntityId=knox-sp-entity
authentication.param.remove=main.pamRealm
authentication.param.remove=main.pamRealm.service
You can find additional advanced configuration options in the upstream Apache Knox and pac4j documentation.
You can obtain the Identity Provider (IdP) metadata that Knox needs from your IdP admins. The information required to configure the SAML Identity Provider, including the Knox entity ID and the AssertionConsumerService endpoint, is contained in the SAML Service Provider (SP) metadata, which Knox generates automatically. Once the SP metadata has been written to the serviceProviderMetadataPath on the Knox host, you can send it to the IdP admins to complete the configuration on the IdP side.
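Before sending the generated SP metadata to the IdP admins, it is worth checking that its entityID and AssertionConsumerService endpoint agree with the serviceProviderEntityId and callbackUrl values in the Knox configuration above. The following Python check is an added example, not code from Cloudera, Knox or pac4j; the SP metadata document inside it is a constructed sample shaped like a typical SAML 2.0 SP descriptor, and the `client_name` query string on the ACS endpoint is an assumption about how pac4j forms that URL.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace used by EntityDescriptor and its children.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample standing in for the file Knox writes to
# federation.param.saml.serviceProviderMetadataPath (e.g. /etc/knox/conf/sp.xml).
# The client_name query parameter on the ACS Location is assumed, not taken from Knox output.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="knox-sp-entity">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://knox.example.com:8443/gateway/knoxsso/api/v1/websso?client_name=SAML2Client"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entityID, list of AssertionConsumerService Locations) from SP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs_locations = [
        e.get("Location") for e in root.findall(".//md:AssertionConsumerService", NS)
    ]
    return entity_id, acs_locations


def check_sp_metadata(xml_text, expected_entity_id, callback_url):
    """Compare generated SP metadata with the Knox topology values; return a list of problems."""
    entity_id, acs_locations = parse_sp_metadata(xml_text)
    problems = []
    if entity_id != expected_entity_id:
        problems.append(f"entityID {entity_id!r} != serviceProviderEntityId {expected_entity_id!r}")
    if not acs_locations:
        problems.append("no AssertionConsumerService endpoint found in SP metadata")
    for loc in acs_locations:
        # The ACS endpoint receives the signed assertion, so it must be the HTTPS callback URL.
        if not loc.startswith("https://"):
            problems.append(f"ACS endpoint is not HTTPS: {loc}")
        if not loc.startswith(callback_url):
            problems.append(f"ACS endpoint {loc} does not match pac4j.callbackUrl {callback_url}")
    return problems


if __name__ == "__main__":
    # Replace SAMPLE_SP_METADATA with the contents of the real sp.xml on the Knox host.
    issues = check_sp_metadata(SAMPLE_SP_METADATA, "knox-sp-entity",
                               "https://knox.example.com:8443/gateway/knoxsso/api/v1/websso")
    print("SP metadata OK" if not issues else "\n".join(issues))
```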