...
<service>
<role>KNOXSSO</role>
<param>
<name>sso.cookie.secure.only</name>
<value>false</value>
</param>
</service>
</topology>
The following is an example of what the resulting picketlink.xml file should look like in the generated webapp deployments directory:
<?xml version="1.0" encoding="UTF-8" ?>
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
ServerEnvironment="jetty"
BindingType="POST"
IDPUsesPostBinding="true"
SupportsSignatures="true"
CanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
<IdentityURL>https://localhost:8443/idp/profile/SAML2/POST/SSO</IdentityURL>
<ServiceURL>http://localhost:9443/gateway/idp/knoxsso/api/v1/websso</ServiceURL>
<KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
<Auth Key="KeyStoreURL" Value="/Users/larry/Projects/incubator-knox/install/knox-0.7.0-SNAPSHOT/data/security/keystores/gateway.jks"/>
<Auth Key="KeyStorePass" Value="knox"/> // populated automatically to match the master secret - must be made configurable though
<Auth Key="SigningKeyAlias" Value="gateway-identity"/> // hardcoded to be gateway identity since it assumes the gateway identity key is used to sign the token
<Auth Key="SigningKeyPass" Value="knox"/> // populated automatically to match the master secret - must be made configurable though
<ValidatingAlias Key="localhost" Value="localhost"/>
</KeyProvider>
</PicketLinkSP>
<Handlers>
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
<Option Key="CLOCK_SKEW_MILIS" Value="2000"/>
<Option Key="ASSERTION_SESSION_ATTRIBUTE_NAME" Value="org.picketlink.sp.assertion"/>
</Handler>
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
</Handlers>
</PicketLink>
Proof of Concept Status
The following notes reflect the CURRENT POC state for the above flow inside an Ambari managed ambari-vagrant 3 node cluster:
...