Hi,

This is the great advantage of SAML/CAS/OpenID Connect over OAuth, there is one SAML2Client, OidcClient, CasClient versus multiple clients for the various OAuth providers (FacebookClient, TwitterClient, ...): these protocols are better standards without gaps in the specs.

Notice in pac4j v2.x, we have a GenericOAuth2Client though I'm not sure if this is available in Knox.

Thanks.
Best regards,
Jérôme

On Wed, Nov 29, 2017 at 3:02 PM, larry mccay <[email protected]> wrote:
> Hi Rich -
>
> Glad to hear that you are using Apache Knox!
>
> Pac4J OAuth providers require the creation of a "client" provider - as I understand it.
> Whether you can leverage any of the existing clients for a Ping IdP, I do not know but wouldn't expect.
> I am adding Jerome here for further insights - if he has any.
>
> OpenID Connect support appears to allow for a more generic integration and others have been more successful in using that.
>
> Something to be aware of for both of those mechanisms is that you will likely need the change in KNOX-1119 in order to get a meaningful user principal from the authentication. Otherwise, you will need to get creative with the identity assertion providers and try and map the IDs returned to user accounts.
>
> KNOX-1119 will be in the upcoming 0.14.0 and 1.0.0 releases.
>
> HTH.
>
> --larry
>
>
> On Mon, Nov 27, 2017 at 5:35 PM, O'Connell, Richard <Richard.O'Connell@libertymutual.com> wrote:
>
>> Hi,
>> We have been using Knox a little over 2 years to protect Kafka in our HDP implementation. However we are still relatively inexperienced with Knox beyond the basics.
>>
>> We are currently using AD/LDAP authentication but are wanting to move towards using OAuth which is the standard for our IDP (an implementation of Ping Identity). I have read the documentation and found that pac4j does support OAuth but have not found a good example of a knoxsso.xml and other configuration files necessary for a generic OAuth implementation with Knox.
>>
>> Any examples or guidance would be much appreciated.
>>
>> Thank you,
>> -Rich
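As an added illustration of the OpenID Connect route the replies above recommend (this is not configuration posted by anyone in the thread), the following is a knoxsso.xml federation provider block that selects pac4j's OidcClient instead of a provider-specific OAuth client. The gateway host, client id, client secret and discovery URI are placeholders to be replaced with values issued by the IdP, and the `pac4j.id_attribute` parameter is assumed to be the way to choose which profile claim becomes the Knox principal (the thread only says a change in KNOX-1119 is needed for a meaningful principal, so check the release notes of the Knox version in use).

```xml
<!-- knoxsso.xml (excerpt): federation via pac4j OidcClient. Added example, not from the thread. -->
<provider>
    <role>federation</role>
    <name>pac4j</name>
    <enabled>true</enabled>
    <!-- Where the IdP sends the browser back after login; must be the KnoxSSO websso endpoint
         on the gateway and must be registered as an allowed redirect URI at the IdP. -->
    <param>
        <name>pac4j.callbackUrl</name>
        <value>https://GATEWAY_HOST:8443/gateway/knoxsso/api/v1/websso</value>
    </param>
    <!-- Use the generic OIDC client rather than a vendor-specific OAuth client. -->
    <param>
        <name>clientName</name>
        <value>OidcClient</value>
    </param>
    <param>
        <name>oidc.id</name>
        <value>CLIENT_ID_FROM_IDP</value>
    </param>
    <!-- Placeholder: keep the real secret in the Knox credential store/alias, not in clear text. -->
    <param>
        <name>oidc.secret</name>
        <value>CLIENT_SECRET_FROM_IDP</value>
    </param>
    <!-- Discovery document lets pac4j fetch endpoints and signing keys (JWKS) so ID tokens are verified. -->
    <param>
        <name>oidc.discoveryUri</name>
        <value>https://IDP_HOST/.well-known/openid-configuration</value>
    </param>
    <!-- Assumed parameter: which profile attribute (claim) to use as the user principal,
         so downstream identity-assertion providers see a stable username rather than an opaque id. -->
    <param>
        <name>pac4j.id_attribute</name>
        <value>preferred_username</value>
    </param>
</provider>
```

Note that the same OidcClient block works against any compliant IdP, which is the interoperability advantage Jérôme describes; only the discovery URI and client credentials change.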
