...
The following table details the configuration elements of the provider and reflects the current implementation in the master branch:
Param | Description | Default |
---|---|---|
identity.url | The URL to redirect incoming requests that do not contain the expected cookie and presumably to facilitate an authentication challenge. | none |
service.url | The URL back to the KnoxSSO endpoint for the IdP to redirect the browser after authentication. | none |
keystore.url | The location of the keystore with the public cert of the IdP for token validation. BUG: this is currently hardcoded to gateway.jks | gateway.jks |
validating.alias.key | This is the idp domain which is used as the alias for looking up the alias for the cert to validate incoming tokens with - ie. idp.example.com | none |
validating.alias.value | This is the alias for the actual cert to use for the idp domain - ie. server.crt | none |
clock.skew.milis | The clock skew to use during the validation of tokens | none |
...
<topology>
<gateway>
<provider>
<role>federation</role>
<name>Picketlink</name>
<enabled>true</enabled>
<param>
<name>identity.url</name>
<value>https://localhost:9443/idp/profile/SAML2/POST/SSO</value>
</param>
<param>
<name>service.url</name>
<value>http://c6401.ambari.apache.org:8888/gateway/idp/knoxsso/</value>
</param>
<param>
<name>keystore.url</name>
<value>/usr/hdp/current/knox-server/data/security/keystores/gateway.jks</value>
</param>
<param>
<name>validating.alias.key</name>
<value>c6401.ambari.apache.org</value>
</param>
<param>
<name>validating.alias.value</name>
<value>gateway-identity<<value>servercert</value>
</param>
<param>
<name>clock.skew.milis</name>
<value>2000</value>
</param>
</provider>
...