Author: lmccay
Date: Wed Dec 14 00:27:32 2016
New Revision: 1774117

URL: http://svn.apache.org/viewvc?rev=1774117&view=rev
Log:
Updated KnoxSSO param table to remove OPEN ISSUE regarding audience claims

Modified:
    knox/site/books/knox-0-11-0/user-guide.html
    knox/trunk/books/0.11.0/config_knox_sso.md

Modified: knox/site/books/knox-0-11-0/user-guide.html
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-11-0/user-guide.html?rev=1774117&r1=1774116&r2=1774117&view=diff
==============================================================================
--- knox/site/books/knox-0-11-0/user-guide.html (original)
+++ knox/site/books/knox-0-11-0/user-guide.html Wed Dec 14 00:27:32 2016
@@ -2656,7 +2656,7 @@ APACHE_HOME/bin/apachectl -k stop
     </tr>
     <tr>
       <td>knoxsso.token.audiences </td>
-      <td>This is a comma separated list of audiences to add to the JWT token. 
This is used to ensure that a token received by a participating application 
knows that the token was intended for use with that application. It is 
optional. In the event that an application has expected audiences and they are 
not present the token must be rejected. In the event where the token has 
audiences and the application has none expected then the token is accepted. 
OPEN ISSUE - not currently being populated in WebSSOResource. </td>
+      <td>This is a comma separated list of audiences to add to the JWT token. 
This is used to ensure that a token received by a participating application 
knows that the token was intended for use with that application. It is 
optional. In the event that an application has expected audiences and they are 
not present the token must be rejected. In the event where the token has 
audiences and the application has none expected then the token is accepted.</td>
       <td>empty</td>
     </tr>
     <tr>
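Review bot: The sentence kept in the knoxsso.token.audiences cell still says "a token received by a participating application knows that the token was intended for use with that application", which makes the token the subject. Since the cell is being edited anyway, reword it so that the participating application is what verifies the token was intended for it. Removing "OPEN ISSUE - not currently being populated in WebSSOResource" also asserts that the audience claim is now populated, but neither the log message nor this hunk cites the change that made that true. Referencing it would let readers confirm from which build the setting takes effect. With the default still "empty" and tokens accepted when "the application has none expected", it is worth stating explicitly that audience restriction only applies once the participating application configures its expected audiences.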

Modified: knox/trunk/books/0.11.0/config_knox_sso.md
URL: 
http://svn.apache.org/viewvc/knox/trunk/books/0.11.0/config_knox_sso.md?rev=1774117&r1=1774116&r2=1774117&view=diff
==============================================================================
--- knox/trunk/books/0.11.0/config_knox_sso.md (original)
+++ knox/trunk/books/0.11.0/config_knox_sso.md Wed Dec 14 00:27:32 2016
@@ -37,7 +37,7 @@ knoxsso.cookie.secure.only       | This
 knoxsso.cookie.max.age           | optional: This indicates that a cookie can 
only live for a specified amount of time - in seconds. This should probably be 
left to the default which makes it a session cookie. Session cookies are 
discarded once the browser session is closed. | session
 knoxsso.cookie.domain.suffix     | optional: This indicates the portion of the 
request hostname that represents the domain to be used for the cookie domain. 
For single host development scenarios the default behavior should be fine. For 
production deployments, the expected domain should be set and all configured 
URLs that are related to SSO should use this domain. Otherwise, the cookie will 
not be presented by the browser to mismatched URLs. | Default cookie domain or 
a domain derived from a hostname that includes more than 2 dots.
 knoxsso.token.ttl                | This indicates the lifespan of the token 
within the cookie. Once it expires a new cookie must be acquired from KnoxSSO. 
This is in milliseconds. The 36000000 in the topology above gives you 10 hrs. | 
30000 That is 30 seconds.
-knoxsso.token.audiences          | This is a comma separated list of audiences 
to add to the JWT token. This is used to ensure that a token received by a 
participating application knows that the token was intended for use with that 
application. It is optional. In the event that an application has expected 
audiences and they are not present the token must be rejected. In the event 
where the token has audiences and the application has none expected then the 
token is accepted. OPEN ISSUE - not currently being populated in 
WebSSOResource. | empty
+knoxsso.token.audiences          | This is a comma separated list of audiences 
to add to the JWT token. This is used to ensure that a token received by a 
participating application knows that the token was intended for use with that 
application. It is optional. In the event that an application has expected 
audiences and they are not present the token must be rejected. In the event 
where the token has audiences and the application has none expected then the 
token is accepted.| empty
 knoxsso.redirect.whitelist.regex | A semicolon separated list of regex 
expressions. The incoming originalUrl must match one of the expressions in 
order for KnoxSSO to redirect to it after authentication. Defaults to only 
relative paths and localhost with or without SSL for development usecases. This 
needs to be opened up for production use and actual participating applications. 
Note that cookie use is still constrained to redirect destinations in the same 
domain as the KnoxSSO service - regardless of the expressions specified here. | 
^/.\*$;^https?://localhost:\\d{0,9}/.\*$
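Review bot: The added knoxsso.token.audiences row ends with "token is accepted.| empty", with no space before the column separator, while the removed row ("WebSSOResource. | empty") and the neighbouring rows all use " | ". Add the space so the table source stays consistently formatted. A smaller point on the same row: this value is "comma separated" while knoxsso.redirect.whitelist.regex just below is "semicolon separated", so a short example value in the description would help operators avoid mixing the two delimiters.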
 
 

