moresandeep commented on PR #1264: URL: https://github.com/apache/knox/pull/1264#issuecomment-4709126433
> @moresandeep - Thanks for your review; I replied back to the default value above.
>
> > Subject. For SSO groups are populated from SAML right? Can you elaborate on how this will Subject groups are populated.
>
> Nope. SAML is one way to authenticate. But we do support other authN mechanisms, such as LDAP. In case of LDAP, Knox needs to be configured with the `HadoopGroupProvider` for group lookup. If that's configured, Knox will place `GroupPrincipal` items in the current Subject during request processing flow. Ultimately, we arrive at the `KNOXSSO` service (`WebSSOResource` in the codebase), which is a terminating-service (i.e. non-proxying), but at this phase the Subject is already decorated and we can read what groups were resolved by Knox.

Ahh, I see, that makes sense. Don't you think we should also support SAML and not just LDAP? IMO we should support a way to fetch groups from SAML too if we are supporting fetching groups from other ways too. There have been internal requests for this.
