Configuring Knox SSO

Learn about the properties that you need to set for configuring Knox SSO.

Edge Flow Manager supports Knox SSO for end user authentication with the following limitations:
  • Knox cannot be used as a gateway that forwards requests to Edge Flow Manager.
  • Knox must be accessible using the same hostname as Edge Flow Manager (a different port is fine). Otherwise, the authentication token issued by Knox, which is stored in a browser cookie, cannot be passed to Edge Flow Manager and its authentication fails with a Credentials not present error. This means the following:
    • For Edge Flow Manager clusters, Knox must be accessible through the same load balancer or reverse proxy used to access Edge Flow Manager nodes.
    • For individual, non-clustered Edge Flow Manager instances, Knox must run on the same host as Edge Flow Manager on a different port.

Before you begin, ensure that:
  • You have installed Knox.
  • You have installed and secured the Edge Flow Manager server to use TLS. For more information on enabling TLS in Edge Flow Manager, see TLS configuration for Edge Flow Manager.

  1. Obtain the Knox SSO token signing certificate in PEM format.
    This is sometimes the same as the public certificate used for TLS by Knox, and can therefore be obtained using OpenSSL against the Knox host (replace HOSTNAME with the Knox server name and HOST:PORT with its address and port; the stdin redirection stops s_client from waiting for input):
    openssl s_client -servername HOSTNAME -connect HOST:PORT </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > knox_server_cert_in_pem_file_format.pem

    Sometimes, however, a different signing keypair is configured specifically for Knox SSO signing and must be obtained from that server configuration. Once you have the Knox SSO token signing certificate, save the certificate on the Edge Flow Manager server and ensure that the file is readable by the user running the Edge Flow Manager process.

  2. Update the Edge Flow Manager configuration file with the following properties:
    efm.security.user.knox.enabled=true
    efm.security.user.knox.url=https://knox.mycompany.com:8443/gateway/knoxsso/api/v1/websso
    efm.security.user.knox.publicKey=path/to/knox_server_cert_in_pem_file_format.pem
    efm.security.user.knox.cookieName=hadoop-jwt
    efm.security.user.knox.audiences=
  3. In the Cloudera Manager instance that manages Knox, update the Knox topology for the Knox SSO service to add the Edge Flow Manager hostname (or the Edge Flow Manager load balancer hostname, when clustered) to the authorized redirect URLs.
    For example:
    <service>
      <role>KNOXSSO</role>
      ...
      <param>
        <name>knoxsso.redirect.whitelist.regex</name>
        <value>^https?:\/\/(efm\.hostname\.com|localhost|127\.0\.0\.1|::1):[0-9].*$</value>
      </param>
    </service>
  4. Restart Edge Flow Manager and Knox.
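A pre-flight check for the settings above, added here as an example (it is not part of Edge Flow Manager or Knox). It parses the step-2 properties, verifies the same-hostname requirement for the hadoop-jwt cookie, and tests the Edge Flow Manager URL against the step-3 whitelist regex. The Edge Flow Manager URL https://efm.hostname.com:10090 and the certificate path are constructed values.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the step-2 properties with Knox on the EFM hostname.
SAMPLE_PROPS = """\
efm.security.user.knox.enabled=true
efm.security.user.knox.url=https://efm.hostname.com:8443/gateway/knoxsso/api/v1/websso
efm.security.user.knox.publicKey=/etc/efm/knox_server_cert_in_pem_file_format.pem
efm.security.user.knox.cookieName=hadoop-jwt
efm.security.user.knox.audiences=
"""
# The KNOXSSO whitelist from step 3, and a constructed EFM URL (port 10090 is assumed).
WHITELIST = r"^https?:\/\/(efm\.hostname\.com|localhost|127\.0\.0\.1|::1):[0-9].*$"
EFM_URL = "https://efm.hostname.com:10090"


def parse_properties(text):
    """Parse key=value lines of an EFM properties file, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_knox_sso(props, efm_url, whitelist_regex, pem_text=None):
    """Return the list of problems found; an empty list means the settings are consistent."""
    problems = []
    if props.get("efm.security.user.knox.enabled", "").lower() != "true":
        problems.append("efm.security.user.knox.enabled is not true")
    knox, efm = urlparse(props.get("efm.security.user.knox.url", "")), urlparse(efm_url)
    if knox.scheme != "https":
        problems.append("Knox SSO URL must use https")
    # The hadoop-jwt cookie set by Knox is only sent back to the same hostname (port may differ).
    if knox.hostname != efm.hostname:
        problems.append(f"Knox host {knox.hostname!r} differs from EFM host {efm.hostname!r}; "
                        "the SSO cookie cannot reach EFM (Credentials not present)")
    # Knox only redirects back to URLs matched by knoxsso.redirect.whitelist.regex.
    if not re.match(whitelist_regex, efm_url):
        problems.append(f"EFM URL {efm_url} is not matched by knoxsso.redirect.whitelist.regex")
    # The publicKey file must hold the token signing certificate in PEM format.
    if pem_text is not None and "-----BEGIN CERTIFICATE-----" not in pem_text:
        problems.append("publicKey file does not contain a PEM certificate")
    return problems


if __name__ == "__main__":
    for problem in check_knox_sso(parse_properties(SAMPLE_PROPS), EFM_URL, WHITELIST):
        print("PROBLEM:", problem)
```

Point `pem_text` at the contents of the file named in efm.security.user.knox.publicKey to also confirm it is a PEM certificate rather than a key or a DER blob.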