We are working on the remaining blockers now. I expect to have a new RC by end of the week or next week.
On Wed, Nov 29, 2017 at 3:52 PM, O'Connell, Richard <Richard.O'[email protected]> wrote:

> Thanks Larry and Jerome. It sounds like OpenID Connect would be more
> appropriate implementation.
>
> Is there an expected release date for Knox 0.14.0 ?
>
> -Rich
>
> From: Jérôme LELEU
> Reply-To: "[email protected]"
> Date: Wednesday, November 29, 2017 at 10:21 AM
> To: larry mccay
> Cc: "[email protected]"
> Subject: Re: Configuring Knox for generic OAuth
>
> Hi,
>
> This is the great advantage of SAML/CAS/OpenID Connect over OAuth, there
> is one SAML2Client, OidcClient, CasClient versus multiple clients for the
> various OAuth providers (FacebookClient, TwitterClient, ...): these
> protocols are better standards without gaps in the specs.
>
> Notice in pac4j v2.x, we have a GenericOAuth2Client though I'm not sure if
> this is available in Knox.
>
> Thanks.
> Best regards,
> Jérôme
>
>
> On Wed, Nov 29, 2017 at 3:02 PM, larry mccay <[email protected]> wrote:
>
>> Hi Rich -
>>
>> Glad to hear that you are using Apache Knox!
>>
>> Pac4J OAuth providers require the creation of a "client" provider - as I
>> understand it.
>> Whether you can leverage any of the existing clients for a Ping IdP, I do
>> not know but wouldn't expect.
>> I am adding Jerome here for further insights - if he has any.
>>
>> OpenID Connect support appears to allow for a more generic integration
>> and others have been more successful in using that.
>>
>> Something to be aware of for both of those mechanisms is that you will
>> likely need the change in KNOX-1119 in order to get a meaningful user
>> principal from the authentication. Otherwise, you will need to get creative
>> with the identity assertion providers and try and map the IDs returned to
>> user accounts.
>>
>> KNOX-1119 will be in the upcoming 0.14.0 and 1.0.0 releases.
>>
>> HTH.
>>
>> --larry
>>
>>
>> On Mon, Nov 27, 2017 at 5:35 PM, O'Connell, Richard <
>> Richard.O'[email protected]> wrote:
>>
>>> Hi,
>>> We have been using Knox a little over 2 years to protect Kafka in our
>>> HDP implementation. However we are still relatively inexperienced with Knox
>>> beyond the basics.
>>>
>>> We are currently using AD/LDAP authentication but are wanting to move
>>> towards using OAuth which is the standard for our IDP (an implementation of
>>> Ping Identity). I have read the documentation and found that pac4j does
>>> support OAuth but have not found a good example of a knoxsso.xml and other
>>> configuration files necessary for a generic OAuth implementation with Knox.
>>>
>>> Any examples or guidance would be much appreciated.
>>>
>>> Thank you,
>>> -Rich
>>>
>>
>>
>
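
For reference, a knoxsso.xml topology for the OpenID Connect route discussed in the thread. This is an added example, not part of the original messages and not a configuration shipped by the Knox project. It uses the pac4j provider parameter names from the Knox user guide. The host names, client id, secret and the `preferred_username` claim are placeholders and assumptions, and `pac4j.id_attribute` assumes a Knox release that supports a configurable principal attribute.

```xml
<!-- Added example. Hosts, client id, secret and claim name are placeholders. -->
<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <!-- Must exactly match the redirect URI registered for this client at the IdP. -->
      <param><name>pac4j.callbackUrl</name><value>https://knox.example.com:8443/gateway/knoxsso/api/v1/websso</value></param>
      <!-- One generic OidcClient instead of a provider-specific OAuth client. -->
      <param><name>clientName</name><value>OidcClient</value></param>
      <param><name>oidc.id</name><value>PLACEHOLDER_CLIENT_ID</value></param>
      <!-- Keep the real secret out of version control and restrict file permissions. -->
      <param><name>oidc.secret</name><value>PLACEHOLDER_CLIENT_SECRET</value></param>
      <!-- Endpoints and signing keys are read from the IdP's discovery document. -->
      <param><name>oidc.discoveryUri</name><value>https://idp.example.com/.well-known/openid-configuration</value></param>
      <param><name>oidc.preferredJwsAlgorithm</name><value>RS256</value></param>
      <!-- Claim used as the user principal (assumed claim name; check what the IdP issues). -->
      <param><name>pac4j.id_attribute</name><value>preferred_username</value></param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <!-- Send the SSO cookie over TLS only. -->
    <param><name>knoxsso.cookie.secure.only</name><value>true</value></param>
    <!-- Token lifetime in milliseconds (one hour here). -->
    <param><name>knoxsso.token.ttl</name><value>3600000</value></param>
    <!-- Anchor the post-login redirect to the gateway's own host to avoid open redirects. -->
    <param><name>knoxsso.redirect.whitelist.regex</name><value>^https:\/\/knox\.example\.com(:[0-9]+)?(\/.*)?$</value></param>
  </service>
</topology>
```

Without a usable principal attribute, the IDs returned by the IdP have to be mapped to user accounts in the identity-assertion provider instead, as the thread notes.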
