In my previous blog post, Shibboleth IdP installation, I showed how to install and set up Shibboleth. In this post I am going to show how to configure the Cloudera Manager, Hue and Navigator SAML service providers against that IdP.
Note that I am using Cloudera Manager 5.13.1.
Prerequisites:
1) Create a common folder on the Cloudera Manager host and on all the nodes, for example /opt/cloudera-manager/saml/
2) Download the Shibboleth IdP metadata XML from the https://idp.tanu.com:8443/idp/shibboleth URL, or copy it from /app/test/shibboleth-idp/metadata/idp-metadata.xml, into the /opt/cloudera-manager/saml/ directory on all the servers.
3) Shibboleth sometimes does not generate the metadata XML correctly (the endpoint URLs may carry the wrong host or port). Open /opt/cloudera-manager/saml/idp-metadata.xml and make sure each SingleSignOnService Location uses the correct IdP URL and port, like below:
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.tanu.com:8443/idp/profile/Shibboleth/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.tanu.com:8443/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.tanu.com:8443/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.tanu.com:8443/idp/profile/SAML2/Redirect/SSO"/>
4) Set up SSL for Cloudera Manager, Hue and Cloudera Navigator. Follow this link to implement a PKI for the Cloudera components: https://hadoopguides.blogspot.com/2017/10/openssl-ca-authority-setup-with-san.html
5) Create an additional SAML keystore for CM/Hue/Navigator, or reuse the existing keystore files you set up for SSL.
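Because step 3 warns that the generated idp-metadata.xml can carry wrong endpoint URLs, here is an added sanity check I wrote for this post (it is not part of Cloudera or Shibboleth). It parses the metadata, flags any SingleSignOnService Location that is not https or does not point at the expected IdP host and port, and flags a missing KeyDescriptor (without an IdP certificate the SP cannot verify assertion signatures). The sample metadata below is constructed, with the IdP host idp.tanu.com:8443 taken from this post.

```python
"""Sanity-check Shibboleth IdP metadata before pointing CM/Hue/Navigator at it."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def check_idp_metadata(xml_text, expected_host, expected_port):
    """Return a list of problems found; an empty list means the file looks sane."""
    problems = []
    root = ET.fromstring(xml_text)
    # Works whether the root is an EntityDescriptor or an EntitiesDescriptor.
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor element: this is not IdP metadata"]
    endpoints = idp.findall("md:SingleSignOnService", NS)
    if not endpoints:
        problems.append("IDPSSODescriptor has no SingleSignOnService endpoints")
    for ep in endpoints:
        binding = ep.get("Binding", "?")
        location = ep.get("Location", "")
        url = urlparse(location)
        if url.scheme != "https":
            problems.append(f"{binding}: Location is not https ({location})")
        # A missing explicit port on https means 443.
        if url.hostname != expected_host or (url.port or 443) != expected_port:
            problems.append(f"{binding}: Location host is {url.netloc!r}, "
                            f"expected {expected_host}:{expected_port}")
    if idp.find("md:KeyDescriptor", NS) is None:
        problems.append("IDPSSODescriptor has no KeyDescriptor (no IdP signing cert)")
    return problems


# Constructed sample: the Redirect endpoint still carries a default localhost URL.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.tanu.com:8443/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.tanu.com:8443/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for problem in check_idp_metadata(SAMPLE_METADATA, "idp.tanu.com", 8443):
        print("PROBLEM:", problem)
```

Run it against the real file with `check_idp_metadata(open(path).read(), "idp.tanu.com", 8443)` before copying it to the nodes.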
Cloudera Manager SAML Configuration
1) Go to https://cm.tanu.com:7183/cmf/settings
2) Update the settings below:
Authentication Backend Order: Database then External
External Authentication Type: SAML
Path to SAML IDP Metadata File: the idp-metadata.xml copied in the prerequisites
Path to SAML Keystore File: your SAML keystore
SAML Keystore Password: your keystore password
Alias of SAML Sign/Encrypt Private Key: the key alias in that keystore
SAML Sign/Encrypt Private Key Password: the key password
Hue SAML Configuration
Go to Cluster / Hue / Configuration / Advanced / Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini and add:
[desktop]
redirect_whitelist="^\/.*$,^https:\/\/usls1005818.am.hedani.net:9443\/.*$"
[[auth]]
backend=desktop.auth.backend.AllowFirstUserDjangoBackend,libsaml.backend.SAML2Backend
[libsaml]
xmlsec_binary=/usr/bin/xmlsec1
metadata_file=/opt/cloudera-manager/saml/idp-metadata.xml
key_file=/opt/cloudera-manager/ssl/dummy/idp/huesaml.key
cert_file=/opt/cloudera-manager/ssl/dummy/idp/huemsalcert.pem
key_file_password="test123"
username_source=attributes
name_id_format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
entity_id=hueserver1
create_users_on_login=true
authn_requests_signed=true
Navigator SAML Configuration
Go to Cloudera manager/Cloudera Management Service/Scope - Navigator Metadata Server/Category-External Authentication