The Knox Gateway supports federation solution providers by accepting HTTP header tokens. This section explains how to configure HTTP header fields for SSO or Federation solutions that use simple HTTP header-type tokens. For suggestions on product-specific solutions, see the Apache Knox Gateway User Guide.
The gateway extracts the user identifier from the HTTP header field. The gateway can also extract the group information and propagate it to the Identity-Assertion provider.
Warning: The Knox Gateway federation plug-in,
To configure the HTTP header tokens:

1. Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.

2. Add a HeaderPreAuth federation provider to topology/gateway as follows:

    <provider>
        <role>federation</role>
        <name>HeaderPreAuth</name>
        <enabled>true</enabled>
        <param>
            <name>preauth.validation.method</name>
            <value>$validation_type</value>
        </param>
        <param>
            <name>preauth.ip.addresses</name>
            <value>$trusted_ip</value>
        </param>
        <param>
            <name>preauth.custom.header</name>
            <value>$user_field</value>
        </param>
        <param>
            <name>preauth.custom.group.header</name>
            <value>$group_field</value>
        </param>
    </provider>
   where the values of the parameters are specific to your environment:

   $validation_type
       (Optional, recommended) Indicates the type of trust. Use either preauth.ip.validation, indicating to trust only connections from the addresses defined in preauth.ip.addresses, OR null (omitted), indicating to trust all IP addresses.

   $trusted_ip
       (Required when the pre-authentication method is set to preauth.ip.validation) A comma-separated list of IP addresses; an address may contain a wildcard to indicate a subnet, such as 10.0.0.*.

   $user_field
       Name of the field in the header that contains the user name that the gateway extracts. Any incoming request that is missing this field is refused with HTTP status 401, Unauthorized.

   $group_field
       (Optional) Name of the field in the header that contains the group name that the gateway extracts. Any incoming request that is missing this field results in no group name being extracted, and the connection is allowed.
3. Save the file.

   The gateway creates a new WAR file with a modified timestamp in /var/lib/knox/data/deployments.
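The following is an added illustration, not Knox source code: a small Python model of the trust decision the four parameters above describe, so you can check how a given preauth.ip.addresses value and a given set of request headers would be treated before deploying the topology. It assumes that a request from an address outside the trusted list is rejected with HTTP 403, that the group header may carry a comma-separated list, and that header names match case-insensitively; the header names SM_USER and SM_GROUP used in the demo are constructed sample values.

```python
"""Model of the HeaderPreAuth trust rules (added example, not Knox code)."""

OK, UNAUTHORIZED, FORBIDDEN = 200, 401, 403


def parse_trusted_ips(value):
    """Split the comma-separated preauth.ip.addresses value into patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def ip_matches(pattern, ip):
    """Match a dotted-quad IP against a pattern such as '10.0.0.*'.
    A '*' stands for one whole octet (assumption about wildcard semantics)."""
    p_parts, ip_parts = pattern.split("."), ip.split(".")
    if len(p_parts) != 4 or len(ip_parts) != 4:
        return False
    return all(p == "*" or p == o for p, o in zip(p_parts, ip_parts))


def preauth_decision(params, remote_ip, headers):
    """Return (status, user, groups) for one request.

    params:  the <param> name/value pairs from the topology descriptor
    headers: the incoming request headers (case-insensitive match assumed)
    """
    hdrs = {k.lower(): v for k, v in headers.items()}

    # preauth.validation.method: only preauth.ip.validation restricts sources;
    # null/omitted trusts every IP address.
    if params.get("preauth.validation.method") == "preauth.ip.validation":
        trusted = parse_trusted_ips(params.get("preauth.ip.addresses", ""))
        if not any(ip_matches(p, remote_ip) for p in trusted):
            return FORBIDDEN, None, []  # assumed status for an untrusted source

    # preauth.custom.header is mandatory: missing user field -> 401
    user = hdrs.get(params["preauth.custom.header"].lower())
    if not user:
        return UNAUTHORIZED, None, []

    # preauth.custom.group.header is optional: missing field -> no groups, allowed
    groups = []
    group_field = params.get("preauth.custom.group.header")
    if group_field and hdrs.get(group_field.lower()):
        groups = [g.strip() for g in hdrs[group_field.lower()].split(",") if g.strip()]
    return OK, user, groups
```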