Thanks Larry and Jerome. It sounds like OpenID Connect would be a more appropriate implementation.
Is there an expected release date for Knox 0.14.0?

-Rich

From: Jérôme LELEU
Reply-To: "[email protected]<mailto:[email protected]>"
Date: Wednesday, November 29, 2017 at 10:21 AM
To: larry mccay
Cc: "[email protected]<mailto:[email protected]>"
Subject: Re: Configuring Knox for generic OAuth

Hi,

This is the great advantage of SAML/CAS/OpenID Connect over OAuth: there is one SAML2Client, OidcClient, CasClient versus multiple clients for the various OAuth providers (FacebookClient, TwitterClient, ...). These protocols are better standards, without gaps in the specs.

Notice that in pac4j v2.x we have a GenericOAuth2Client, though I'm not sure if this is available in Knox.

Thanks.
Best regards,
Jérôme

On Wed, Nov 29, 2017 at 3:02 PM, larry mccay <[email protected]<mailto:[email protected]>> wrote:

Hi Rich -

Glad to hear that you are using Apache Knox!

Pac4J OAuth providers require the creation of a "client" provider - as I understand it. Whether you can leverage any of the existing clients for a Ping IdP, I do not know but wouldn't expect. I am adding Jerome here for further insights - if he has any.

OpenID Connect support appears to allow for a more generic integration and others have been more successful in using that.

Something to be aware of for both of those mechanisms is that you will likely need the change in KNOX-1119 in order to get a meaningful user principal from the authentication. Otherwise, you will need to get creative with the identity assertion providers and try and map the IDs returned to user accounts.

KNOX-1119 will be in the upcoming 0.14.0 and 1.0.0 releases.

HTH.

--larry

On Mon, Nov 27, 2017 at 5:35 PM, O'Connell, Richard <Richard.O'[email protected]<mailto:Richard.O'[email protected]>> wrote:

Hi,

We have been using Knox a little over 2 years to protect Kafka in our HDP implementation. However, we are still relatively inexperienced with Knox beyond the basics.

We are currently using AD/LDAP authentication but are wanting to move towards using OAuth, which is the standard for our IDP (an implementation of Ping Identity). I have read the documentation and found that pac4j does support OAuth, but have not found a good example of a knoxsso.xml and other configuration files necessary for a generic OAuth implementation with Knox.

Any examples or guidance would be much appreciated.

Thank you,

-Rich
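The thread above settles on OpenID Connect via the pac4j federation provider as the generic route, and notes that KNOX-1119 is needed to turn the provider's response into a meaningful user principal. The following knoxsso.xml topology fragment is an added example written for this thread; it is not configuration posted by any participant nor an official Knox sample. The IdP hostname, client id, secret, redirect whitelist and the `pac4j.id_attribute` parameter name are assumptions for illustration and must be checked against the Knox user guide for the release actually deployed (0.14.0 or later, per Larry's note).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: knoxsso.xml topology using the pac4j provider with an
     OpenID Connect client instead of a provider-specific OAuth client.
     Hostnames, ids and secrets below are constructed placeholders. -->
<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>

      <!-- Where the IdP redirects back to after login; must match the
           redirect URI registered at the IdP exactly (scheme, host, port). -->
      <param>
        <name>pac4j.callbackUrl</name>
        <value>https://knox.example.internal:8443/gateway/knoxsso/api/v1/websso</value>
      </param>

      <!-- One generic OIDC client covers any conformant IdP (Ping included),
           which is the advantage Jérôme describes over per-provider OAuth clients. -->
      <param>
        <name>clientName</name>
        <value>OidcClient</value>
      </param>
      <param>
        <name>oidc.id</name>
        <value>PLACEHOLDER_CLIENT_ID</value>
      </param>
      <param>
        <name>oidc.secret</name>
        <!-- Prefer storing this in the Knox credential store rather than in the
             topology file; a literal is shown only to keep the example complete. -->
        <value>PLACEHOLDER_CLIENT_SECRET</value>
      </param>

      <!-- Discovery document drives endpoints, issuer and JWKS; using it avoids
           hand-typed endpoint URLs that drift from the IdP's configuration. -->
      <param>
        <name>oidc.discoveryUri</name>
        <value>https://idp.example.internal/.well-known/openid-configuration</value>
      </param>

      <!-- Assumed parameter introduced by KNOX-1119: which claim from the ID
           token becomes the Knox principal, so the identity-assertion provider
           does not have to map an opaque subject id to a user account. -->
      <param>
        <name>pac4j.id_attribute</name>
        <value>preferred_username</value>
      </param>
    </provider>

    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>

  <service>
    <role>KNOXSSO</role>
    <!-- Keep the SSO cookie HTTPS-only and short-lived (value in milliseconds). -->
    <param>
      <name>knoxsso.cookie.secure.only</name>
      <value>true</value>
    </param>
    <param>
      <name>knoxsso.token.ttl</name>
      <value>3600000</value>
    </param>
    <!-- Restrict post-login redirects to your own hosts to prevent the SSO
         endpoint from being used as an open redirector. -->
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(.*\.example\.internal|localhost|127\.0\.0\.1)(:[0-9]+)?\/.*$</value>
    </param>
  </service>
</topology>
```

When validating this, confirm three things in order: the IdP's discovery document resolves from the Knox host, the callback URL is byte-for-byte identical to the registered redirect URI, and the claim named in `pac4j.id_attribute` is actually present in the ID token your IdP issues (check the requested scopes if it is missing). If the principal still comes through as an opaque subject id, the release in use predates KNOX-1119 and the identity-assertion mapping Larry mentions is the fallback.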
