Knox SSO Cookie Invalidation

This feature allows a list of pre-configured superusers to invalidate previously issued Knox SSO tokens for (a) particular user(s) in case there is a malicious attack where one (or more) of those users’ SSO tokens get compromised.

Enabling the feature

By default, the feature is disabled. There are 2 separate steps to enable it:

  1. Go to Cloudera Manager > Knox > Configuration and enable Knox SSO - Cookie Management Enabled.
  2. In Knox Service Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml, press +.
    1. In Name, type gateway.knox.token.exp.server-managed.
    2. In Value, type true.
    3. Click Save Changes(CTRL+S)

Additional configuration

In addition to enabling the feature, you should review and update the following configuration,if needed:

  • Knox Home Page - Global Logout Page URL - when the knoxsso topology is configured to use the Pac4J federation filter (which is the default case in CDP Public Cloud), this configuration is an essential parameter (thus it must not be empty). This usually points to the logout endpoint of the pre-configured SAML/OIDC callback.
  • Knox Token Integration - Users Who Can See All Tokens - A comma-separated list of user names who can see all tokens on the Token Management page. By default, this is an empty list. Each organization should configure this property to a narrowed set of users, security officers for instance, who will have the capability of disabling SSO cookies in case of a security breach.

How it works

After enabling the feature, every SSO cookie, the result of a login event through the Knox SSO service, will be recorded in the same database that Knox uses for token management purposes. These SSO cookies are included on the Token Management page. If the logged-in user is a configured "superuser" (added in the above-referenced Users Who Can See All Tokens list), that user is capable of narrowing down user tokens, for whom they suspect are the subject of malicious activities, and disabling the active tokens on the UI (either individually or in batches).

Once a Knox SSO cookie is disabled, it cannot be re-enabled or revoked. Knox has its own cleanup strategy to remove expired tokens from the underlying token state repository (a database in CDP Public Cloud) periodically, on a pre-configured schedule.

It is also important to emphasize, that the default Time To Live (TTL) value of Knox SSO cookies is set to 1 day by default. It's highly recommended that organizations overview their own UI jobs and reduce this value to as short as possible to reduce the security risk involved here.