Contributed by Leonardo Dias
This tutorial will provide the steps to configure and integrate Ipsilon with Knox SSO, using SAML2.
Ipsilon is a server and a toolkit to configure Apache-based Service Providers. The server is a pluggable selfcontained mod_wsgi application that provides federated SSO to web applications. User authentication is always performed against a separate Identity Management system (for example a FreeIPA server), and communication with application is done using a federation protocol like SAML, OpenID, etc..
Knox
...
SSO will be a Service
...
Provider of Ipsilon.
The following picture illustrates how Ipsilon works and you can see where KnoxSSO is within the architecture as the Application (Service Provider):
Requirements
- Apache Knox installed
- Apache Ambari Server installed (for Ambari UI SSO)
- Apache Ranger installed (from Ranger UI SSO)
- IPA installed and configured
- Ipsilon binaries already installed on system
Configuration
Configure Ipsilon Server with SAML2 support:
ipsilon-server-install --saml2=yes --form=yes --gssapi=yes --ipa=yes --info-sssd=yes
Patch the Ipsilon Server to fix NameIDPolicy bug (https://pagure.io/ipsilon/pull-request/44). Patch is not included on version 1.0.0 of Ipsilon that can be downloaded from EPEL.
From e23eead22c21258c3a0ef22a65f8e1aebc115b77 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcritten@redhat.com> Date: Oct 21 2015 14:52:38 +0000 Subject: Don't crash if no NameIdPolicy is requested This fixes two problems: 1. Logging was done before a None check was completed 2. The None check was insufficient because the whole object could be None Signed-off-by: Rob Crittenden <rcritten@redhat.com> https://fedorahosted.org/ipsilon/ticket/189 --- diff --git a/ipsilon/providers/saml2/provider.py b/ipsilon/providers/saml2/provider.py index 6cbf5ab..6d46ad2 100644 --- a/ipsilon/providers/saml2/provider.py +++ b/ipsilon/providers/saml2/provider.py @@ -254,10 +254,12 @@ class ServiceProvider(ServiceProviderConfig): self.load_config() def get_valid_nameid(self, nip): - self.debug('Requested NameId [%s]' % (nip.format,)) - if nip.format is None: + if nip is None or nip.format is None: + self.debug('No NameId requested, returning default [%s]' + % SAML2_NAMEID_MAP[self.default_nameid]) return SAML2_NAMEID_MAP[self.default_nameid] else: + self.debug('Requested NameId [%s]' % (nip.format,)) allowed = self.allowed_nameids self.debug('Allowed NameIds %s' % (repr(allowed))) for nameid in allowed:
Configure Ipsilon Client on Knox Server. Command is using "ipsilon.example.com" as the Ipsilon Server FQDN.
ipsilon-client-install --saml-idp-url https://ipsilon.example.com/idp
--saml-sp-name knox
--saml-auth "/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client"
--saml-no-httpd--saml-sp-post "/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client"
false
--saml-sp "/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client"
--saml-sp-logout="/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client"
--port 8443 --saml-secure-setup=falseThis command will configure a Service Provider on Ipisilon and generate three files on the current directory:
certificate.pem, certificate.key and metadata.xmlIt will ask for admin password on Ipsilon.
Property Name
Description --saml-idp-url URL for Ipsilon IDP Server --saml-sp-name Alias to Knox Service Provider --saml-auth Should match saml.serviceProviderEntityId on KnoxSSO Topology, without server:port --saml-no-httpd Generate metadata and certificates local and not configure HTTPD as Service Provides (Knox will be SP) --saml-sp-post Should match saml.serviceProviderEntityId on KnoxSSO Topology, without server:port --saml-sp Should match saml.serviceProviderEntityId on KnoxSSO Topology, without server:port --saml-sp-logout Should match saml.serviceProviderEntityId on KnoxSSO Topology, without server:port --port Knox port --saml-secure-setup Disable two way SSL This command will configure a Service Provider on Ipisilon and generate three files on the current directory: certificate.pem, certificate.key and metadata.xml.
Export IPA/Ipsilon certificate and root certificate to file:
openssl x509 -in <(openssl s_client -connect ipsilon.example.com:443 -prexit 2>/dev/null) > ipa.pem cat /etc/ipa/ca.crt >> ipa.pem
Import IPA/Ipsilon certificate and root certificate to Java Truststore:
$JAVA_HOME/bin/keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file ipa.pem -alias ipa
Deploy Knox SSO Topology (
/etc/knox/topologies/knoxsso.xml
or use Ambari to configure it). Template below consider Knox Server onhdp24.example.com:8443
and Ipsilon Server onipsilon.example.com/idp
<topology>
<gateway>
<provider>
<role>federation</role>
<name>pac4j</name>
<enabled>true</enabled>
<param>
<name>pac4j.callbackUrl</name>
<value>https://hdp24.example.com:8443/gateway/knoxsso/api/v1/websso</value>
</param>
<param>
<name>clientName</name>
<value>SAML2Client</value>
</param>
<param>
<name>saml.identityProviderMetadataPath</name>
<value>https://ipsilon.example.com/idp/saml2/metadata</value>
</param>
<param>
<name>saml.serviceProviderMetadataPath</name>
<value>/tmp/hdp24.example.com/metadata.xml</value>
</param>
<param>
<name>saml.serviceProviderEntityId</name>
<value>https://hdp24.example.com:8443/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
</provider>
</gateway>
<service>
<role>KNOXSSO</role>
<param>
<name>knoxsso.cookie.secure.only</name>
<value>false</value>
</param>
<param>
<name>knoxsso.token.ttl</name>
<value>100000</value>
</param>
<param>
<name>knoxsso.redirect.whitelist.regex</name>
<value>^https?:\/\/(hdp24\.example\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
</param>
</service>
</topology>
Below you can find a description of each parameter set:
...
8) Extract the Knox Certificate from Gateway Keystore, which will be used on Ambari and Ranger configuration.
JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file knox.pem -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
...
7) Configure Ambari UI for KnoxSSO. On Ambari Server Host run the command:
root@hdp24 ~]# ambari-server setup-sso
Using python /usr/bin/python
Setting up SSO authentication properties...
Do you want to configure SSO authentication [y/n] (y)?y
Provider URL [URL] (https://hdp24.example.com:8443/gateway/knoxsso/api/v1/websso):
Public Certificate pem (stored) (empty line to finish input):
MIIDCzCCAfOgAwIBAgIJAOE0SBrVjLOaMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNV
BAMMEWhkcDI0LmV4YW1wbGUuY29tMB4XDTE2MTExODEzMzIwNloXDTIxMTExNzEz
MzIwNlowHDEaMBgGA1UEAwwRaGRwMjQuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDC6bBZAdQPUik1ahpD3kiKpEjJ0L/yZOvbxGPJ
ig8StHR4pSxV7e15blKg5r+LGxvh63tKb/Ju7e66hVto0W2M3phXDR1WhQBhLg+2
UGBypYVQaSibjkmXMXeNx514T+2rXmdcrVuZBCzMf67dsa5lPTWwLjWZh+RlLmhM
iVWfGiN9RRDCmBunCPyZRPE1vqDK8LZVtNTjgPcbMM+Zd9ozegTZhMiyw3YmYu2z
iG29VbOQV52zyv2jQSpXZayNDSWJxKm5g3oSU54PYCV0Psl+YKKbCr7NwAAuih11
hHqIN9k1oWAfrEz56BOuNbbKtWx2hU9Dnrll7kJ72wJewdeBAgMBAAGjUDBOMB0G
A1UdDgQWBBRcmkaQywf/BMuRyDW4wVT5Mv5fQDAfBgNVHSMEGDAWgBRcmkaQywf/
BMuRyDW4wVT5Mv5fQDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBd
GwZXq5Es0IzDT9cUeFVBhubdhyn0rMuQckdarRI0iisaCwrSQwBICSVvszckLYcx
fuzhfpjmAtsj5zJ0oT7eZJWNuHznPQMAiAz9BKnarHV21TvSkVMHYOUL2KoiWPxo
2t7SjmfukX5zAxSCeyimOMEhwT8AXJldEHPTCSleDfFz8HPJsB3mwhhf8GHK6V99
YQC2zpRfb+u1SK+EjVXgsdc7Y0pfa08oNgGK/WzvSYaol4ejy55wyG5hcwhVr5hr
QMFGI0Q4MxyU54W6wPu3mm/vNcFSgoyLO9UHG3dUeuEHS/dzG9dfNcNe6MTYquvZ
iQM5c1FKPrAQS5qPZWaR
Do you want to configure advanced properties [y/n] (n) ?
Ambari Server 'setup-sso' completed successfully.
[root@hdp24 ~]#
...
9 Configure Ranger UI for KnoxSSO. On Ambari Server, go to Ranger -> Configs -> Advanced and set Knox SSO Settings:
NOTE: Do not paste the Header and Footer of certificate when asked for Public Certificate, which is the Knox Certificate.
...