“Unknown Attribute Name” exception while enabling SAML

You may see an “Unknown Attribute Name” exception when a SAML Identity Provider (IdP) returns the 'uid' profile attribute, but Hue which uses pysaml2 cannot interpret this attribute. To resolve this, you must create an attribute mapping file and then reference it in the libsaml configuration of Hue.

To resolve this issue:

  1. SSH into a Hue server as a root user.
  2. Create a attribute mapping directory as follows:
    mkdir -p /opt/cloudera/security/saml/attribute_mapping
  3. Create an attribute mapping file as follows:
    vi /opt/cloudera/security/saml/attribute_mapping/saml_uri.py
  4. Add the following lines into the saml_uri.py file:
    MAP = {
        "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "fro": {
            'uid': 'uid',
            },
        "to": {
            'uid': 'uid',
        }
    }
  5. Repeat steps 1 thru 4 on all the Hue hosts.
  6. Sign in to Cloudera Manager as an Administrator.
  7. Go to Clusters > $Hue service > Configuration and search safety valve.
  8. Add the following lines in the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini field:
    [libsaml]
    xmlsec_binary=/usr/bin/xmlsec1
    metadata_file=/opt/certs/saml/FederationMetadata.xml
    key_file=/opt/certs/hue.key
    cert_file=/opt/certs/hue.crt
    entity_id=hue-pri.unedic.intra
    logout_enabled=false
    username_source=attributes
    attribute_map_dir=/opt/cloudera/security/saml/attribute_mapping  
    #user_attribute_mapping='{"uid":"username"}'
  9. Click Save Changes.
  10. Restart the Hue service by clicking Actions > Restart.

The users should now be able to authenticate to Hue through SAML.