Hi Christopher -

1) Is it possible to include additional claims that contain group
information for the user from LDAP?

Not currently - there are a couple of issues with this approach but I
wouldn't be against a patch that optionally enables it.
* There can be hundreds of groups sometimes for a given user
* No one in the current ecosystem is expecting to extract groups from the
cookie for authorization purposes and group lookup is done closer to the
resource itself
* Given that the token represents an authentication event as a snapshot in
time, the group membership may change by the time you extract them from the

2) Does the Knox SSO implementation support JSON Web Key (JWK)?

Not currently.

3) Where is the signing key stored? I have the desire to validate the JWT
in a third party web container. I am using Knox 0.12.0 on HDP 2.6.2.

By default it uses the gateway-identity alias within the
{GATEWAY_HOME}/data/security/keystores/gateway.jks keystore.
It may also be configured to use custom signing keys [1] - via
gateway.signing.keystore.name and gateway.signing.key.alias

4) On HDP 2.6.2 I have noticed that when I make changes to the "Advanced
knoxsso-topology" section for the Knox Service in Ambari and then restart
the service that the changes are not persisted to disk at
/usr/hdp/current/knox-server/conf/topologies/knoxsso.xml and thus the
changes are not picked up until that file is hand edited to reflect the
changes. Is this a known issue? For example changes to the
"knoxsso.redirect.whitelist.regex" in the ambari config will not take
effect until the file mentioned above is hand edited.

The trick is that you have to restart the server in order for Ambari to
actually push any config changes out to the Knox instances.
This is unfortunate - since Knox can hot deploy topology changes but is
what it is.
Be aware that if you hand edit the files as you are, the next time you
restart via Ambari it will overwrite any changes that you have made there.

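As an added illustration for question 3 (this is not code from the thread or from Knox itself): once the gateway-identity certificate has been exported from gateway.jks (keytool -exportcert, then openssl x509 -pubkey) a third-party container can check the KnoxSSO cookie's RS256 signature and expiry with the public key alone. The keypair below is a throwaway stand-in for the gateway key, and the claim layout (sub, iss "KNOXSSO", exp) is an assumption.

```python
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_knoxsso_jwt(token, public_key_pem, expected_issuer="KNOXSSO", now=None):
    """Return the claims of a KnoxSSO cookie if its RS256 signature, issuer and
    expiry all check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg %r" % header.get("alg"))
    pub = serialization.load_pem_public_key(public_key_pem)
    try:
        pub.verify(_b64url_decode(sig_b64), ("%s.%s" % (header_b64, payload_b64)).encode(),
                   padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("signature does not verify against the gateway-identity key")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:  # the token is a snapshot in time
        raise ValueError("token expired")
    return claims


def is_valid_knoxsso_jwt(token, public_key_pem, now=None):
    try:
        verify_knoxsso_jwt(token, public_key_pem, now=now)
        return True
    except ValueError:
        return False


def mint_sample_token(private_key, claims):
    """Constructed stand-in for what the gateway signs (not Knox code)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = private_key.sign(("%s.%s" % (header, payload)).encode(),
                           padding.PKCS1v15(), hashes.SHA256())
    return "%s.%s.%s" % (header, payload, _b64url_encode(sig))


# Throwaway keys: SAMPLE_KEY stands in for gateway-identity, OTHER_KEY for an impostor.
SAMPLE_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
OTHER_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
SAMPLE_PUB_PEM = SAMPLE_KEY.public_key().public_bytes(
    serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
```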


On Wed, Jun 27, 2018 at 1:00 PM, Christopher Jackson <