To enable Hue to use SAML authentication, the Service Provider (Hue) and the Identity Provider (samltest.id) must exchange metadata so that each accepts the other's identity. The procedure for doing that on the EMR master node is outlined below.
- Hue is the Service Provider and http://samltest.id is the Identity Provider in this example
- Install the tools to enable Hue to handle SAML:
  - yum install git gcc python-devel swig openssl
  - yum install --enablerepo=epel xmlsec1 xmlsec1-openssl
- Acquire the IdP metadata from http://samltest.id and save it as samltest.xml
- Put the XML file in /etc/hue/conf/security/samltest.xml
- Verify key and cert files exist.
- Create dummy key and cert files if they do not exist:
  - openssl genrsa -des3 -out dummy.key 2048
  - openssl rsa -inform PEM -outform PEM -in dummy.key -pubout -out dummy-nopass.pem
- Modify hue.ini with the following:

    ## Example hue.ini settings
    [desktop]
    redirect_whitelist="^\/.*$,^http:\/\/samltest.id:8080\/.*$"
    [[auth]]
    backend=libsaml.backend.SAML2Backend
    [libsaml]
    xmlsec_binary=/usr/bin/xmlsec1
    metadata_file=/etc/hue/conf/security/samltest.xml
    key_file=/etc/hue/conf/security/key.pem
    cert_file=/etc/hue/conf/security/cert.pem
    username_source=nameid
    name_id_format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    entity_id=samltest.id
    logout_enabled=false

- Restart Hue:
  - sudo stop hue
  - sudo start hue
- Acquire the Hue (SP) metadata:
  - curl -k -LO https://masternode:8888/saml2/metadata
- Upload Hue metadata to http://samltest.id/
- Test Hue login at https://masternode:8888/ with an account from samltest.id