Hi Larry,
Thanks for the detailed explanation of the current set of limitations, Larry.
Currently I am using the default form-based provider integrated with LDAP, so
as per your comment hopefully it will work. I tried to create a new topology
with the following content but it didn't work.
Knoxssout.xml
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>Anonymous</name>
      <enabled>true</enabled>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>false</enabled>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSOUT</role>
  </service>
</topology>
What am I doing wrong here? Also, what will my logout URL be? I tried hitting
http://<knox ip>:8443/gateway/knoxssout/api/v1/webssout from a browser but I
see the error ERR_EMPTY_RESPONSE.
Regards,
Rajat
From: larry mccay <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, 21 February 2019 at 9:17 PM
To: "[email protected]" <[email protected]>
Subject: Re: KnoxSSO Logout
Hi Rajat -
KNOXSSOUT works only in limited use cases and isn't really documented or
anything due to those limitations.
Depending on what your actual SSO IdP is, it may not work for you.
Let me describe the issue in the context of a SAML provider...
* SSOCookieProvider determines that there is no KnoxSSO cookie and redirects
you to the KnoxSSO endpoint
* KnoxSSO is configured for Okta or some other SAML provider and redirects to
the SAML provider endpoint
* SAML provider authenticates the user and posts back to the KnoxSSO endpoint
* KnoxSSO sets the hadoop-jwt cookie and redirects to the originally requested
resource
The above establishes not only a KnoxSSO session but also a session with the
SAML provider via IdP-specific cookies.

Now, when you invoke the KNOXSSOUT API from some logout link on an app page, the
KNOXSSOUT service will remove the KnoxSSO cookie and redirect you back. The
SSOCookieProvider will not find a cookie and will send you back to KnoxSSO,
which will send you to the IdP again, and that session is still active. BAM! You
are logged right back in.

These types of nuances differ from provider to provider.

Now, if you are only using the default form-based provider from Knox, it may
actually work for you, as long as you also remove any application-specific
cookies in addition to calling KNOXSSOUT.

As for a topology example, all you really need to do is add a topology, say
knoxssout.xml, and protect it with the Anonymous authentication provider.
Hope that is helpful.
--larry
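The round trip Larry describes above, modelled as a small runnable simulation. This is an added example written for this page, not Knox's own code: hadoop-jwt is the real KnoxSSO cookie name, but the IdP session cookie name (idp-session), the toy HMAC "JWT", the user credentials and the function names are all assumptions made here for illustration. It shows why calling KNOXSSOUT alone is not a logout when the IdP still holds a session, and why ending that session too is what actually forces a credential prompt.

```python
import hmac
import hashlib
import time

# Constructed secret for the toy KnoxSSO signer; real Knox signs the JWT with
# the key in its gateway keystore, not a shared HMAC secret.
KNOX_SECRET = b"demo-only-knoxsso-signing-key"
KNOX_COOKIE = "hadoop-jwt"         # the real KnoxSSO cookie name
IDP_COOKIE = "idp-session"         # assumed name for the IdP's own session cookie
VALID_USERS = {"rajat": "s3cret"}  # constructed credentials for the toy IdP


def mint_jwt(user, ttl=3600):
    """Toy stand-in for the signed JWT KnoxSSO puts in hadoop-jwt."""
    body = f"{user}.{int(time.time()) + ttl}"
    sig = hmac.new(KNOX_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_jwt(token):
    """Return the subject if the toy JWT is intact and unexpired, else None."""
    try:
        user, exp, sig = token.split(".")
    except ValueError:
        return None
    expect = hmac.new(KNOX_SECRET, f"{user}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expect) or int(exp) < time.time():
        return None
    return user


class Session:
    """Browser-side state: a cookie jar plus a trace of each hop."""
    def __init__(self):
        self.cookies = {}
        self.trace = []
        self.prompted = False  # did the IdP ask for credentials on the last visit?


def idp_authenticate(s, creds):
    """The IdP (SAML or form based): reuse its own session cookie if present,
    otherwise require credentials and set that cookie. Returns user or None."""
    user = s.cookies.get(IDP_COOKIE)
    if user:
        s.trace.append("idp: existing session, no prompt")
        return user
    s.prompted = True
    if creds and VALID_USERS.get(creds[0]) == creds[1]:
        s.cookies[IDP_COOKIE] = creds[0]
        s.trace.append("idp: credentials accepted, session cookie set")
        return creds[0]
    s.trace.append("idp: login failed")
    return None


def knoxsso(s, creds):
    """KnoxSSO endpoint: delegate to the IdP, then set hadoop-jwt."""
    user = idp_authenticate(s, creds)
    if user:
        s.cookies[KNOX_COOKIE] = mint_jwt(user)
        s.trace.append("knoxsso: hadoop-jwt set, redirect to originalUrl")
    return user


def visit_app(s, creds=None):
    """SSOCookieProvider in front of the app: accept a valid hadoop-jwt,
    otherwise bounce through KnoxSSO. Returns the user the app sees, or None."""
    s.prompted = False
    user = verify_jwt(s.cookies.get(KNOX_COOKIE, ""))
    if user:
        s.trace.append("ssocookieprovider: valid hadoop-jwt")
        return user
    s.trace.append("ssocookieprovider: no cookie, redirect to knoxsso")
    return knoxsso(s, creds)


def knoxssout(s):
    """KNOXSSOUT: all it can do is expire the KnoxSSO cookie."""
    s.cookies.pop(KNOX_COOKIE, None)
    s.trace.append("knoxssout: hadoop-jwt removed")


def idp_logout(s):
    """What KNOXSSOUT cannot do for you: end the IdP's own session."""
    s.cookies.pop(IDP_COOKIE, None)
    s.trace.append("idp: session ended")


def silently_relogged_in(use_idp_logout):
    """Log in, log out (with or without ending the IdP session), then revisit
    the app offering no credentials. True means the user came straight back in."""
    s = Session()
    assert visit_app(s, creds=("rajat", "s3cret")) == "rajat"
    knoxssout(s)
    if use_idp_logout:
        idp_logout(s)
    user = visit_app(s)  # no credentials offered this time
    return user == "rajat" and not s.prompted


if __name__ == "__main__":
    print("KNOXSSOUT only   -> logged straight back in:", silently_relogged_in(False))
    print("plus IdP logout  -> logged straight back in:", silently_relogged_in(True))
```

The first call reproduces the "BAM!" case: hadoop-jwt is gone, SSOCookieProvider redirects to KnoxSSO, the IdP still has its own cookie and hands the user back without a prompt. The second call is the only path in this model where the next visit actually asks for credentials, which is the practical test to run against a real deployment: after hitting the KNOXSSOUT URL, open the app again in the same browser and see whether the IdP login page appears.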
On Thu, Feb 21, 2019 at 8:39 AM Rajat Goel
<[email protected]> wrote:
Hi,
I was looking into implementing logout for my service, which is integrated with
Knox SSO (SSOCookieProvider). I came across this Jira ticket
https://issues.apache.org/jira/browse/KNOX-744, where a new service KNOXSSOUT is
created which should be used in a new topology. Can someone please provide a
sample topology file for using this service to invalidate the cookie?
Also, my Knox version is 0.12 (HDP 2.6.5). Will the above approach work with my
Knox version?
Thanks,
Rajat