Configuring SAML authentication on managed clusters

To configure Hue for SAML authentication on managed clusters, you must add the SAML authentication properties to the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini in Cloudera Manager.

These instructions assume that you have an Identity Provider set up and running. You can use any identity provider of your choice, for example Okta, Ping Identity, or OpenAM.

  1. Log on to Cloudera Manager and go to Hue > Configuration.
  2. In the search text box, enter hue_safety_valve.ini to locate the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini.
  3. Enter the SAML parameters into the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini text box. For example:
    ## Example settings using OpenAM:
    [desktop]
    redirect_whitelist="^\/.*$,^https:\/\/idp\.example\.com:8080\/.*$"
    [[auth]]
    backend=libsaml.backend.SAML2Backend
    [libsaml]
    want_response_signed=True
    want_assertions_signed=True
    xmlsec_binary=/usr/bin/xmlsec1
    metadata_file=/opt/cloudera/security/saml/idp-metadata.xml
    key_file=/opt/cloudera/security/saml/host.key
    cert_file=/opt/cloudera/security/saml/host.pem
    ## Set key_file_password only if the private key is encrypted
    key_file_password=[***PRIVATE-KEY-PASSWORD***]
    username_source=nameid
    name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    entity_id=[***HOST-BASE-NAME***]
    logout_enabled=false
  4. Click Save Changes, then select Actions > Restart Hue.
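
A pre-restart check for the snippet entered in step 3, as an added example that is not Cloudera's or Hue's own code: it confirms the SAML backend is selected, that both signature requirements are on, and that every redirect_whitelist pattern is anchored with the dots in its host name escaped. The `parse` and `lint` helpers and the sample snippet are constructed for illustration, and the parser treats `[[auth]]` as a flat section named `auth`.

```python
import re

# Constructed sample snippet with two deliberate problems (not from a real cluster).
SAMPLE = r'''
[desktop]
redirect_whitelist="^\/.*$,^https:\/\/idp.example.com:8080\/.*$"
[[auth]]
backend=libsaml.backend.SAML2Backend
[libsaml]
want_response_signed=False
want_assertions_signed=True
'''

def parse(text):
    """Flatten the snippet to {(section, key): value}; [[x]] is read as section x."""
    cfg, section = {}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[+([^\[\]]+)\]+", line)
        if header:
            section = header.group(1).strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            cfg[(section, key.strip())] = value.strip().strip('"')
    return cfg

def lint(text):
    """Return a list of findings; an empty list means the checks passed."""
    cfg, findings = parse(text), []
    if cfg.get(("auth", "backend")) != "libsaml.backend.SAML2Backend":
        findings.append("auth.backend is not libsaml.backend.SAML2Backend")
    for flag in ("want_response_signed", "want_assertions_signed"):
        if cfg.get(("libsaml", flag), "").lower() != "true":
            findings.append(f"libsaml.{flag} is not True")
    for pattern in filter(None, cfg.get(("desktop", "redirect_whitelist"), "").split(",")):
        if not (pattern.startswith("^") and pattern.endswith("$")):
            findings.append(f"redirect pattern is not anchored: {pattern}")
        # Host part of an absolute-URL pattern, with or without escaped slashes.
        host = re.search(r"https?:\\?/\\?/([^:/]+?)(?::|\\?/|\$)", pattern)
        if host and re.search(r"(?<!\\)\.", host.group(1)):
            findings.append(f"unescaped '.' in redirect host: {host.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("FINDING:", finding)
```

An unescaped `.` in the host matches any character, so the allow-list pattern accepts host names other than the intended Identity Provider.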