Cloudera Docs

Configure custom SSO cookie name for Knox

Learn how to configure a custom SSO cookie name for Knox to enable concurrent SSO sessions across different clusters without authentication conflicts.

Knox, by default, uses hadoop-jwt as the cookie name for SSO authentication for all Hadoop services. When accessing different clusters configured for SSO authentication, using the same default cookie name causes conflicts because the web browser uses the cookie from one cluster to attempt authentication with another cluster, resulting in access issues.

To resolve this issue, you must configure a unique cookie name for each cluster's Knox SSO service.

  1. In Cloudera Manager, select the Knox service.
  2. Go to the Configuration tab.
  3. Search for Knox Gateway Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml.
  4. Click View as XML and add the following configuration properties: 
    <property>
<name>knoxsso</name>
<value>providerConfigRef=knoxsso#KNOXSSO:knoxsso.token.ttl=86400000#KNOXSSO:knoxsso.cookie.name=[***CUSTOM COOKIE NAME***]#app:knoxauth</value>
</property>
<property>
<name>providerConfigs:homepage</name>
<value>role=federation#federation.name=SSOCookieProvider#federation.enabled=true#federation.param.sso.cookie.name=[***CUSTOM COOKIE NAME***]</value>
</property>
<property>
<name>providerConfigs:metadata</name>
<value>role=federation#federation.name=SSOCookieProvider#federation.enabled=true#federation.param.sso.cookie.name=[***CUSTOM COOKIE NAME***]</value>
</property>
<property>
<name>providerConfigs:sso</name>
<value>role=federation#federation.name=SSOCookieProvider#federation.enabled=true#federation.param.sso.authentication.provider.url=https://[***YOUR KNOX HOST***]:8443/gateway/knoxsso/api/v1/websso#federation.param.sso.cookie.name=[***CUSTOM COOKIE NAME***]</value>
</property>


  5. Click Save Changes(CTRL+S).
  6. Refresh the Knox instances configuration by clicking the Stale Configuration: Restart needed indicator and wait until the refresh process completes.
  7. Verify that the new cookie name is in use by accessing the Knox UI and checking the browser's cookie storage.

    After logging in, you should see the custom cookie name you configured instead of the default hadoop-jwt.

You can now access different clusters with Knox SSO enabled simultaneously without authentication conflicts. Each cluster will use its own unique JWT cookie name for session management.