Hi, I just uploaded a patch for KNOX-655 and successfully tested it: using https://127.0.0.1:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS, I'm redirected to my CAS server for login. I can force the authentication on Facebook using: https://127.0.0.1:8443/gateway/idp/api/v1/websso? *client_name=FacebookClient*&originalUrl= https://127.0.0.1:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS
The documentation needs to be amended on two points: 1) about the clientName definition: if more than one client is defined, it must define the default pac4j client to use (the order of the properties defined in the configuration are not taken into account, it's the order in the pac4j PropertiesConfigFactory in fact); if you want to be able to use two clients (let's say a CasClient and a SAML2Client) and you want CAS to be the default authentication method, you need to define the clientName as follows: CasClient,SAML2Client 2) a warning must be written somewhere to say that a pac4jCallback=true parameter is added to the IDP endpoint url (Knox side) and thus, this must be maybe taken into account when defining it on the identity provider side. Thanks. Best regards, Jérôme 2016-01-21 15:02 GMT+01:00 larry mccay <[email protected]>: > That sounds perfect and actually the right way to keep pac4j and the knox > pac4j provider aligned properly. > I filed https://issues.apache.org/jira/browse/KNOX-655 for this effort. > > Thanks, Jérôme! > > --larry > > On Thu, Jan 21, 2016 at 4:38 AM, Jérôme LELEU <[email protected]> wrote: > > > Hi, > > > > Interesting point. > > > > In pac4j, we have a callback controller which uses the client_name > > parameter to finish the login process and a protection filter which > > protects a resource and redirects the user to the identity provider for > > login. Since pac4j 1.8, most libraries using it now accept a client_name > > parameter in the protection filter as well to choose the authentication > > mechanism to use if the user is not authenticated. > > > > With Knox, this feature (choosing the authentication mechanism with the > > client_name parameter) is not available as this parameter is already used > > to define if it's a callback or an access. This could be changed and we > > could opt for a new convention, like a new pac4jCallback parameter to say > > if it's a callback or not. And this way, you could choose on the fly > which > > authentication mechanism you want to use. > > > > Does it make sense? > > > > This is certainly not a big change: can you open a JIRA for that and I'll > > handle it before the 0.8.0 release? > > > > Thanks. > > Best regards, > > Jérôme > > > > > > > > > > > > 2016-01-20 0:54 GMT+01:00 larry mccay <[email protected]>: > > > > > Trying to figure out how to specify the client_name for a given > > > authentication attempt when there are multiple mechanisms defined in > the > > > topology. What I had in mind was providing a couple links to login > with: > > > > > > Login with Okta > > > Login with Twitter > > > Login with Google > > > > > > and at the end of each url I thought that I could just indicate > > > &client_name=SAMLClient and that it would choose the SAML config in the > > > topology. > > > That doesn't seem to be how it works - either I am missing something or > > we > > > need a JIRA to fix something. > > > > > > Can you provide a little more insight into the client selection > feature? > > > > > > Thanks! > > > > > > > > > On Tue, Jan 19, 2016 at 10:11 AM, larry mccay <[email protected]> > > > wrote: > > > > > > > Hmmmm... > > > > > > > > I think that providing appropriate templates (see the templates > > directory > > > > in the knox install) for both the knoxsso.xml (instead of idp.xml) > and > > > > sandbox.xml to reflect the same config would provide the same value > and > > > be > > > > self contained without the need to keep the binaries up to date in > the > > > demo > > > > with each release. > > > > > > > > There is probably value in a blog for early access to pac4j provider > > demo > > > > that could point to the demo. > > > > > > > > > > > > On Tue, Jan 19, 2016 at 9:04 AM, Jérôme LELEU <[email protected]> > > wrote: > > > > > > > >> Should we add a link in the documentation to point to the demo? > > > >> > > > >> 2016-01-19 14:19 GMT+01:00 larry mccay <[email protected]>: > > > >> > > > >> > That's great! > > > >> > > > > >> > On Tue, Jan 19, 2016 at 7:53 AM, Jérôme LELEU <[email protected]> > > > wrote: > > > >> > > > > >> > > Hi, > > > >> > > > > > >> > > Following my own idea, here is a demo with the Knox / pac4j > > support: > > > >> > > https://github.com/pac4j/knox-pac4j-demo > > > >> > > Feel free to submit pull requests if you want me to amend it. > > > >> > > > > > >> > > What do you think? > > > >> > > > > > >> > > Thanks. > > > >> > > Best regards, > > > >> > > Jérôme > > > >> > > > > > >> > > > > > >> > > 2016-01-18 11:03 GMT+01:00 Jérôme LELEU <[email protected]>: > > > >> > > > > > >> > > > Hi, > > > >> > > > > > > >> > > > It's great news! > > > >> > > > > > > >> > > > One more thing I'm thinking of: we always have a demo > > > corresponding > > > >> to > > > >> > a > > > >> > > > pac4j support. It would be great to have a knox-pac4j-demo and > > > >> > reference > > > >> > > it > > > >> > > > from the manual. I can handle it. > > > >> > > > > > > >> > > > Does it make sense? > > > >> > > > > > > >> > > > Thanks. > > > >> > > > Best regards, > > > >> > > > Jérôme > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > 2016-01-17 6:37 GMT+01:00 larry mccay <[email protected]>: > > > >> > > > > > > >> > > >> KNOX-641 and KNOX-642 have both been committed to master. > > > >> > > >> > > > >> > > >> There is a new docs book where you can check out the pac4j > docs > > > >> > > available: > > > >> > > >> > > > >> > > >> > > > >> > > > > > >> > > > > >> > > > > > > http://knox.apache.org/books/knox-0-8-0/user-guide.html#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect > > > >> > > >> > > > >> > > >> I have some additional ideas for the docs that I will roll > out > > in > > > >> the > > > >> > > next > > > >> > > >> few days. > > > >> > > >> > > > >> > > >> We need to discuss the identity assertion approach for 0.8.0. > > > >> > > >> > > > >> > > >> I think we are on track for 1/29 release date. > > > >> > > >> > > > >> > > > > > > >> > > > > > >> > > > > >> > > > > > > > > > > > > > >
