Troubleshooting SAML authentication
Before troubleshooting your SAML authentication configuration in Hue, enable DEBUG for
the Hue Django logs that are located in /var/log/hue
. In the Hue Web UI, go to the Home page, select
Server Logs, and check Force Debug Level. For
managed clusters, you can use Cloudera Manager to enable DEBUG by navigating to the
Hue service, selecting the Configuration tab,
check Enable Django Debug mode, click Save
Changes, and then Restart.
SAML SSL error
OpenSSL might fail with this message:
SSLError: [Errno bad handshake] [('SSL routines', 'SSL3_CHECK_CERT_AND_ALGORITHM', 'dh key too small')]
To resolve, append the following code to the file,
/usr/java/<your_jdk_version>-cloudera/jre/lib/security/java.security
:
jdk.tls.disabledAlgorithms=MD5, RC4, DH
SAML decrypt error
Error: ('failed to decrypt', -1)
To
resolve: - Download and rename the
fix-xmlsec1.txt
Python script.wget https://www.cloudera.com/documentation/other/shared/fix-xmlsec1.txt -O fix-xmlsec1.py
- Change permissions as appropriate, for
example:
chmod 755 fix-xmlsec1.py
- In
hue.ini
, setxmlsec_binary=<path_to_script>/fix-xmlsec1.py
. - Run
fix-xmlsec1.py
.
This script repairs the known issue whereby xmlsec1 is not compiled
with RetrievalMethod
and cannot find the location of
the encrypted key. SAML2 responses would sometimes place
EncryptedKey
outside of the
EncryptedData
tree. This script moves
EncryptedKey
under
EncryptedData
.