Troubleshooting SAML authentication

Before troubleshooting your SAML authentication configuration in Hue, enable DEBUG for the Hue Django logs that are located in /var/log/hue. In the Hue Web UI, go to the Home page, select Server Logs, and check Force Debug Level. For managed clusters, you can use Cloudera Manager to enable DEBUG by navigating to the Hue service, selecting the Configuration tab, check Enable Django Debug mode, click Save Changes, and then Restart.

SAML SSL error

OpenSSL might fail with this message:

SSLError: [Errno bad handshake] [('SSL routines', 'SSL3_CHECK_CERT_AND_ALGORITHM', 'dh key too small')]

To resolve, append the following code to the file, /usr/java/<your_jdk_version>-cloudera/jre/lib/security/java.security:

jdk.tls.disabledAlgorithms=MD5, RC4, DH

SAML decrypt error

The following error is an indication that you are using a slightly different SAML protocol from what Hue expects:
Error: ('failed to decrypt', -1)
To resolve:
  1. Download and rename the fix-xmlsec1.txt Python script.
    wget https://www.cloudera.com/documentation/other/shared/fix-xmlsec1.txt -O fix-xmlsec1.py
  2. Change permissions as appropriate, for example:
    chmod 755 fix-xmlsec1.py
  3. In hue.ini, set xmlsec_binary=<path_to_script>/fix-xmlsec1.py.
  4. Run fix-xmlsec1.py.

This script repairs the known issue whereby xmlsec1 is not compiled with RetrievalMethod and cannot find the location of the encrypted key. SAML2 responses would sometimes place EncryptedKey outside of the EncryptedData tree. This script moves EncryptedKey under EncryptedData.