Hi Rajat -

KNOXSSOUT will work in limited use cases and it isn't really documented or
anything due to those limitations.
Depending on what your actual SSO IdP is, it may not work for you.

Let me describe the issue in the context of a SAML provider...

* SSOCookieProvider determines that there is no KnoxSSO cookie and
redirects you to the KnoxSSO endpoint
* KnoxSSO is configured for Okta or some other SAML provider and redirects
to the SAML provider endpoint
* SAML provider authenticates the user and posts back to the KnoxSSO
endpoint
* KnoxSSO sets the hadoop-jwt cookie and redirects to the originally
requested resource

The above establishes not only a KnoxSSO session but also a session with
the SAML provider via IDP-specific cookies.

Now, when you invoke the KNOXSSOUT API from some logout link on an app page
the KNOXSSOUT service will remove
the KnoxSSO cookie and redirect you back. The SSOCookieProvider will not
find a cookie and send you back to KnoxSSO
which will send you to the IDP again and that session is still active. BAM!
You are logged right back in.

These types of nuances are different from provider to provider.

Now, if you are only using the default form-based provider from Knox - it
may actually work for you as long as you also remove
any application-specific cookies as well as call KNOXSSOUT.

As for a topology example, all you really need to do is add a topology -
say knoxssout.xml - and protect it with the Anonymous
authentication provider.

Hope that is helpful.

--larry

On Thu, Feb 21, 2019 at 8:39 AM Rajat Goel <[email protected]> wrote:

> Hi,
>
>
>
> I was looking for implementing Logout for my service which is integrated
> with Knox SSO (SSOCookieProvider).  I came across this Jira ticket
> https://issues.apache.org/jira/browse/KNOX-744 where a new service
> KNOXSSOUT is created which should be used in a new topology. Can someone
> please provide a sample topology file for using this service for
> invalidating cookie?
>
>
>
> Also, my Knox version is 0.12 (HDP 2.6.5). Will the above approach work
> with my Knox version?
>
>
>
> Thanks,
>
> Rajat
>
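
The redirect loop described in the reply above, as a small Python model added here (it is not code from Knox or from either poster). The IdP cookie name `idp-session` and the separate `idp_logout` step are assumptions for illustration; `hadoop-jwt` is the cookie name given in the thread.

```python
# Constructed model of the redirect chain from the thread; cookies are a plain set.
SSO_COOKIE = "hadoop-jwt"    # KnoxSSO cookie named in the thread
IDP_COOKIE = "idp-session"   # hypothetical name for the IdP's own session cookie


def request_resource(cookies, user_enters_credentials=False):
    """Follow one navigation to the protected app; return (outcome, hops)."""
    hops = []
    if SSO_COOKIE in cookies:
        return "served", hops
    hops.append("SSOCookieProvider: no KnoxSSO cookie, redirect to KnoxSSO")
    hops.append("KnoxSSO: redirect to IdP")
    if IDP_COOKIE in cookies:
        hops.append("IdP: session still active, no prompt")
    elif user_enters_credentials:
        cookies.add(IDP_COOKIE)
        hops.append("IdP: user authenticated, IdP cookie set")
    else:
        hops.append("IdP: login form shown")
        return "login-prompt", hops
    hops.append("IdP: POST back to KnoxSSO")
    cookies.add(SSO_COOKIE)
    hops.append("KnoxSSO: hadoop-jwt set, redirect to original resource")
    return "served", hops


def knoxssout(cookies):
    """What the thread says KNOXSSOUT does: drop the KnoxSSO cookie only."""
    cookies.discard(SSO_COOKIE)


def idp_logout(cookies):
    """Assumed separate step that ends the IdP session (provider specific)."""
    cookies.discard(IDP_COOKIE)


def demo():
    cookies = set()
    first = request_resource(cookies, user_enters_credentials=True)[0]
    knoxssout(cookies)
    after_knoxssout = request_resource(cookies)   # silently logged back in
    knoxssout(cookies)
    idp_logout(cookies)
    after_both = request_resource(cookies)[0]
    return first, after_knoxssout, after_both


if __name__ == "__main__":
    first, (outcome, hops), after_both = demo()
    print(first, outcome, after_both)
    print("\n".join(hops))
```

Running it prints the hop list for the request made right after KNOXSSOUT, which ends with the `hadoop-jwt` cookie being reissued without any credential prompt.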
