The Pac4J Provider within KnoxSSO allows users to authenticate to their Hadoop web UIs, where those UIs support KnoxSSO, via SAML v2.

One of the SAML providers that has been tested with KnoxSSO during release testing is Okta, using a personal oktapreview account.

This article describes the Okta Application configuration that was used for testing the SAML integration.

Okta Application

An application within your Okta account needs to be configured for each specific KnoxSSO endpoint.

It's recommended that you set up KnoxSSO as an Okta app manually, as opposed to using a 'preconfigured' configuration.

While setting up the application you must select SAML as the application type then edit other application and SAML details for the integration.

General Details

Single Sign On URL: https://<gatewayhost>:8443/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client
Recipient URL: https://<gatewayhost>:8443/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client
Destination URL: https://<gatewayhost>:8443/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client
Audience Restriction: https://<gatewayhost>:8443/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client
Default Relay State: <not required/leave blank>
Name ID Format: EmailAddress
Response: Signed
Assertion Signature: Signed
Signature Algorithm: RSA_SHA256
Digest Algorithm: SHA256
Assertion Encryption: Unencrypted
SAML Single Logout: Disabled
authnContextClassRef: PasswordProtectedTransport
Honor Force Authentication: Yes
SAML Issuer ID: ${org.externalKey}

Attribute Statements (Optional)

NameFormat: unspecified

Group Attribute Statements (Optional)

Name: unspecified
Filter: blank


Once this application is configured, you are ready to configure your KnoxSSO topology to use the Pac4J Provider to participate in SAML based WebSSO flows with Okta as the provider.
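As an added illustration (not taken from the original page or the Knox project's own docs), the following knoxsso topology wires the Pac4J federation provider to the Okta application above. The parameter names are the Knox pac4j provider's; the metadata file paths, keystore values and redirect whitelist are assumptions for this example, and <gatewayhost> is the same placeholder used in the Okta settings. Note how the Okta "Single Sign On URL" is the pac4j.callbackUrl plus the pac4jCallback/client_name query string, and the Okta "Audience Restriction" must match saml.serviceProviderEntityId exactly, otherwise the signed assertion is rejected.

```xml
<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <!-- Okta redirects the signed SAML response here; pac4j appends
           ?pac4jCallback=true&client_name=SAML2Client itself -->
      <param>
        <name>pac4j.callbackUrl</name>
        <value>https://<gatewayhost>:8443/gateway/knoxsso/api/v1/websso</value>
      </param>
      <param>
        <name>clientName</name>
        <value>SAML2Client</value>
      </param>
      <!-- Okta IdP metadata (contains the IdP signing certificate used to
           verify Response and Assertion signatures); path is an assumption -->
      <param>
        <name>saml.identityProviderMetadataPath</name>
        <value>/etc/knox/conf/okta-idp-metadata.xml</value>
      </param>
      <!-- SP metadata is generated here by pac4j; path is an assumption -->
      <param>
        <name>saml.serviceProviderMetadataPath</name>
        <value>/etc/knox/conf/knoxsso-sp-metadata.xml</value>
      </param>
      <!-- Must equal the Okta "Audience Restriction" value verbatim -->
      <param>
        <name>saml.serviceProviderEntityId</name>
        <value>https://<gatewayhost>:8443/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param>
      <name>knoxsso.cookie.secure.only</name>
      <value>true</value>
    </param>
    <!-- Only allow post-login redirects back to your own UIs; regex is an assumption -->
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(<gatewayhost>|localhost|127\.0\.0\.1):[0-9].*$</value>
    </param>
  </service>
</topology>
```

The Name ID Format of EmailAddress configured in Okta arrives as the SAML subject, which the Default identity-assertion provider passes through as the authenticated user name.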

You can read more about the configuration of KnoxSSO for SAML and its integration with Ambari in the KnoxSSO documentation and the Pac4J Provider documentation.
