[
https://issues.apache.org/jira/browse/KNOX-641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15090428#comment-15090428
]
Larry McCay commented on KNOX-641:
----------------------------------
Hey [~jleleu] -
I'd like to dig into the topic of how to assert the appropriate username back
to the cluster.
It seems that there is a UserProfile for each authentication event but that the
attributes for each may be different.
If we look at how the flow through the pipeline works...
1. The authentication/federation provider establishes the Java Subject that
represents the authentication event.
2. The identity assertion provider can map the PrimaryPrincipal to another
identity in some provider specific way.
3. The dispatch provider then dispatches the asserted identity to the service
endpoint of the component within Hadoop using the appropriate mechanism.
We have a number of out of the box identity assertion providers that could be
used for this.
* The default provider will take the PrimaryPrincipal.getName and attempt to
map it to another username through principal mapping (if there are any defined);
otherwise, it will just use the PrimaryPrincipal.getName.
* There is also a regex identity assertion provider that can use regular
expressions against the PrimaryPrincipal.getName in order to determine the
username to assert to the Hadoop service. We may need to add the principal
mapping capability to this provider.
My question is - whether it makes sense to provide configuration to determine
what attribute from the UserProfile to use for the PrimaryPrincipal. We could
make that an optional parameter and when it is absent it could default to the
id.
Based on the attribute chosen as the PrimaryPrincipal, the identity assertion
provider can be chosen to take the username out of the email address or map the
id against a username, etc.
What do you think?
> Support CAS / OAuth / OpenID C / SAML protocols using pac4j
> -----------------------------------------------------------
>
> Key: KNOX-641
> URL: https://issues.apache.org/jira/browse/KNOX-641
> Project: Apache Knox
> Issue Type: New Feature
> Reporter: Jérôme Leleu
> Assignee: Jérôme Leleu
> Fix For: 0.8.0
>
> Attachments: KNOX-641.patch, knox641.patch2
>
>
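The flow discussed in the comment above, as an added sketch that is not part of the original message and is not Knox or pac4j code: an optional attribute name selects the primary principal (defaulting to the id), then a regex step and a principal mapping produce the username to assert. The `Profile` record, the three helper methods, the users and the `example.com` domain are all hypothetical.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Illustrative model only: these types are hypothetical, not Knox or pac4j classes.
public class PrincipalSelectionSketch {
    // Stand-in for a user profile: an id plus provider-specific attributes.
    record Profile(String id, Map<String, String> attributes) {}

    // Pick the primary principal. The attribute name models the proposed optional
    // parameter; when it is absent the profile id is used.
    static String primaryPrincipal(Profile p, Optional<String> attributeName) {
        if (attributeName.isEmpty()) return p.id();
        String value = p.attributes().get(attributeName.get());
        if (value == null || value.isBlank()) {
            // Fail closed: never fall back silently to a different attribute.
            throw new IllegalStateException("profile lacks attribute " + attributeName.get());
        }
        return value;
    }

    // Regex-style assertion: the whole principal must match, group 1 is the username.
    static String regexAssert(String principal, Pattern pattern) {
        Matcher m = pattern.matcher(principal);
        if (!m.matches()) throw new IllegalStateException("principal does not match pattern");
        return m.group(1);
    }

    // Principal mapping: names without a mapping pass through unchanged.
    static String mapPrincipal(String name, Map<String, String> mapping) {
        return mapping.getOrDefault(name, name);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Profile cas = new Profile("jdoe", Map.of());
        Profile oidc = new Profile("108234", Map.of("email", "jane.doe@example.com"));
        Pattern localPart = Pattern.compile("^([A-Za-z0-9._-]+)@example\\.com$");
        Map<String, String> mapping = Map.of("jane.doe", "jdoe");
        // No attribute configured: the id is the principal and is asserted as-is.
        System.out.println(mapPrincipal(primaryPrincipal(cas, Optional.empty()), mapping));
        // "email" configured: the regex extracts the local part, then mapping applies.
        String fromEmail = regexAssert(primaryPrincipal(oidc, Optional.of("email")), localPart);
        System.out.println(mapPrincipal(fromEmail, mapping));
    }
}
```

Anchoring the pattern to a single trusted domain and rejecting a missing attribute keeps an unexpected profile from being asserted to the cluster under someone else's username.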