That looks like the right URL and that error is probably due to not using "https".

On Thu, Feb 21, 2019 at 12:47 PM Rajat Goel <[email protected]> wrote:

> Hi Larry,
>
> Thanks for the detailed explanation on the current set of limitations Larry. Currently, I am using default form based provider integrated with LDAP so as per comment hopefully it will work. I tried to create a new topology with following content but it didn’t work.
>
> Knoxssout.xml
>
> <topology>
>   <gateway>
>     <provider>
>       <role>authentication</role>
>       <name>Anonymous</name>
>       <enabled>true</enabled>
>     </provider>
>     <provider>
>       <role>identity-assertion</role>
>       <name>Default</name>
>       <enabled>false</enabled>
>     </provider>
>   </gateway>
>   <service>
>     <role>KNOXSSOUT</role>
>   </service>
> </topology>
>
> What am I doing wrong here? Also what will be my logout URL? I tried hitting http://<knox ip>:8443/gateway/knoxssout/api/v1/webssout from browser but I see error ERR_EMPTY_RESPONSE
>
> Regards,
> Rajat
>
> *From:* larry mccay <[email protected]>
> *Reply-To:* "[email protected]" <[email protected]>
> *Date:* Thursday, 21 February 2019 at 9:17 PM
> *To:* "[email protected]" <[email protected]>
> *Subject:* Re: KnoxSSO Logout
>
> Hi Rajat -
>
> KNOXSSOUT will work in limited use cases and it isn't really documented or anything due to those limitations.
> Depending on what your actual SSO IdP is it may not work for you.
>
> Let me describe the issue in the context of a SAML provider...
>
> * SSOCookieProvider determines that there is no KnoxSSO cookie and redirects you to the KnoxSSO endpoint
> * KnoxSSO is configured for Okta or some other SAML provider and redirects to the SAML provider endpoint
> * SAML provider authenticates the user and posts back to the KnoxSSO endpoint
> * KnoxSSO sets the hadoop-jwt cookie and redirects to the originally requested resource
>
> The above establishes not only a KnoxSSO session but also a session with the SAML provider via IDP specific cookies.
>
> Now, when you invoke the KNOXSSOUT API from some logout link on an app page the KNOXSSOUT service will remove the KnoxSSO cookie and redirect you back. The SSOCookieProvider will not find a cookie and send you back to KnoxSSO which will send you to the IDP again and that session is still active. BAM! You are logged right back in.
>
> These types of nuances are different from provider to provider.
>
> Now, if you are only using the default form based provider from Knox - it may actually work for you as long as you also remove any application specific cookies as well as call KNOXSSOUT.
>
> As for a topology example, all you really need to do is add a topology - say knoxssout.xml - and protect it with the Anonymous authentication provider.
>
> Hope that is helpful.
>
> --larry
>
> On Thu, Feb 21, 2019 at 8:39 AM Rajat Goel <[email protected]> wrote:
>
> Hi,
>
> I was looking for implementing Logout for my service which is integrated with Knox SSO (SSOCookieProvider). I came across this Jira ticket https://issues.apache.org/jira/browse/KNOX-744 where a new service KNOXSSOUT is created which should be used in a new topology. Can someone please provide a sample topology file for using this service for invalidating cookie?
>
> Also, my Knox version is 0.12 (HDP 2.6.5). Will the above approach work with my Knox version?
>
> Thanks,
> Rajat
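
The logout behaviour described in the quoted explanation above, as an added example that is not part of the original thread and is not Knox code: a toy Python model of the redirect chain that shows which cookies must be gone before a user actually lands on a login prompt. Only `hadoop-jwt` comes from the thread; the `idp-session` and `app-session` cookie names, the function names, and the assumption that the application trusts its own session cookie are illustrative.

```python
# Toy model of the redirect chain from the thread; not Knox code.
# Only "hadoop-jwt" is a real cookie name; "idp-session" and "app-session" are assumed.

def login(cookies, provider):
    """User completes an interactive login; every party sets its own cookie."""
    if provider == "saml":
        cookies.add("idp-session")      # IdP-specific session cookie
    cookies.add("hadoop-jwt")           # set by KnoxSSO
    cookies.add("app-session")          # set by the application itself

def knoxssout(cookies):
    """KNOXSSOUT removes only the KnoxSSO cookie."""
    cookies.discard("hadoop-jwt")

def request_resource(cookies, provider):
    """Return (outcome, hops); outcome is 'resource' or 'login-prompt'."""
    hops = []
    if "app-session" in cookies:
        hops.append("app: own session cookie still valid")
        return "resource", hops
    if "hadoop-jwt" not in cookies:
        hops.append("SSOCookieProvider: no hadoop-jwt -> KnoxSSO")
        if provider != "saml":
            hops.append("KnoxSSO: form login shown")
            return "login-prompt", hops
        hops.append("KnoxSSO: -> SAML IdP")
        if "idp-session" not in cookies:
            hops.append("IdP: credentials requested")
            return "login-prompt", hops
        hops.append("IdP: session active, assertion posted to KnoxSSO")
        cookies.add("hadoop-jwt")
        hops.append("KnoxSSO: hadoop-jwt set -> original resource")
    cookies.add("app-session")
    return "resource", hops

def after_logout(provider, clear_app_cookie):
    """Log in, log out via KNOXSSOUT, then request the resource again."""
    cookies = set()
    login(cookies, provider)
    knoxssout(cookies)
    if clear_app_cookie:
        cookies.discard("app-session")
    return request_resource(cookies, provider)

if __name__ == "__main__":
    for provider, clear in [("saml", True), ("form", True), ("form", False)]:
        outcome, hops = after_logout(provider, clear)
        print(provider, "clear_app_cookie=%s" % clear, "->", outcome)
        for hop in hops:
            print("   ", hop)
```

In this model, logout is effective only in the form-based case with the application cookie also cleared; the SAML case and the leftover application cookie both return the user to the resource without a prompt.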
