Ranger 2470: Support for native SAML (Okta, Keycloak, etc.) for Ranger Admin Console #894
Open
vyommani wants to merge 4 commits into apache:master from
What changes were proposed in this pull request?
Summary
This PR adds native SAML2 Service Provider (SP) authentication to Ranger Admin using Spring Security SAML2 and OpenSAML 4.x. With this change, Ranger Admin can act as a SAML SP directly, integrating with any standards-compliant Identity Provider (Keycloak, Okta, ADFS, Azure AD).
What Changed
New classes:
1-> RangerSamlRegistrationFactory — builds the RelyingPartyRegistration from configured SP key/cert and IdP metadata, with REDIRECT-binding SLO support
2-> RangerDelegatingAuthenticationEntryPoint — routes unauthenticated requests to the SAML login endpoint or falls back to the existing entry point depending on ranger.authentication.method
3-> RangerDelegatingLogoutSuccessHandler — routes post-logout to the SAML SLO chain or the default handler
Modified classes:
1-> RangerAuthenticationProvider — handles Saml2Authentication tokens; extracts username and group memberships from configurable SAML attributes; auto-provisions users with a default role
2-> SessionMgr — auto-creates SAML users in the Ranger DB on first login (mirrors existing SSO/Spnego behavior)
3-> RangerSecurityContextFormationFilter — returns AUTH_TYPE_SAML when SAML is the active auth method
4-> UserREST — passes authenticationMethod to the frontend so the UI can handle SAML-specific logout flow
Configuration:
security-applicationContext.xml — wires the SAML filter chain (saml2WebSsoAuthenticationRequestFilter, saml2AuthenticationFilter, samlLogoutRequestFilter, samlLogoutResponseFilter); permits SAML endpoint URLs without authentication
ranger-admin-site.xml — introduces SAML-specific properties (see Configuration section below)
Frontend:
login.jsp — auto-redirects to the IdP when SAML is enabled; guards against redirect loops on post-logout landing
XAUtils.js / SideBarBody.jsx — uses full browser navigation (instead of AJAX) for logout, enabling the SLO redirect chain to complete end-to-end
Configuration
When ranger.authentication.method=SAML, the following properties apply in ranger-admin-site.xml:
ranger.saml.entity.id --> SP Entity ID registered with the IdP
ranger.saml.idp.metadata.location --> IdP metadata file path or URL
ranger.saml.sp.key --> SP private key (PKCS8 PEM) path
ranger.saml.sp.cert --> SP public certificate (X.509 PEM) path
ranger.saml.attribute.username --> SAML attribute to use as the Ranger username (default: NameID)
ranger.saml.attribute.role --> SAML attribute to use for group membership (default: groups)
ranger.saml.default.role --> Default role assigned to new SAML users (default: ROLE_USER)
ranger.saml.admin.group --> SAML group that maps to ROLE_SYS_ADMIN (default: ranger-admins)
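As an added illustration (not code from this PR), the following hypothetical mapper shows how the properties above would drive the username, group and role derivation that RangerAuthenticationProvider performs on a Saml2Authentication: the configured username attribute with NameID as fallback, the multi-valued group attribute, and an exact match on the admin group deciding between ROLE_SYS_ADMIN and the default role. Class name, the `map` method and the sample assertion attributes are assumptions for the example; the input shape mirrors `Saml2AuthenticatedPrincipal.getAttributes()` from Spring Security.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
// Hypothetical mapper (not the PR's code): shows how the ranger.saml.* properties
// would drive username, group and role derivation from a SAML assertion.
public class SamlRoleMappingExample {
    // Values that would come from ranger-admin-site.xml; defaults as listed in the PR.
    static final String USERNAME_ATTR = "NameID";
    static final String ROLE_ATTR = "groups";
    static final String DEFAULT_ROLE = "ROLE_USER";
    static final String ADMIN_GROUP = "ranger-admins";
    static final class MappedUser {
        final String username;
        final List<String> groups;
        final String rangerRole;
        MappedUser(String u, List<String> g, String r) { username = u; groups = g; rangerRole = r; }
    }
    // nameId mirrors principal.getName(); attributes mirrors principal.getAttributes()
    // on Spring Security's Saml2AuthenticatedPrincipal (Map<String, List<Object>>).
    static MappedUser map(String nameId, Map<String, List<Object>> attributes) {
        // Assumption: the literal value "NameID" means "use the subject NameID, not an attribute".
        String username = nameId;
        if (!"NameID".equalsIgnoreCase(USERNAME_ATTR)) {
            List<Object> v = attributes.get(USERNAME_ATTR);
            if (v != null && !v.isEmpty() && v.get(0) != null) {
                username = v.get(0).toString();
            }
        }
        List<String> groups = new ArrayList<>();
        for (Object g : attributes.getOrDefault(ROLE_ATTR, List.of())) {
            if (g != null && !g.toString().trim().isEmpty()) {
                groups.add(g.toString().trim()); // ignore blank multi-valued entries
            }
        }
        // Only an exact match on the configured admin group elevates; everyone else gets the default role.
        String role = groups.contains(ADMIN_GROUP) ? "ROLE_SYS_ADMIN" : DEFAULT_ROLE;
        return new MappedUser(username, groups, role);
    }
    public static void main(String[] args) {
        Map<String, List<Object>> attrs = new LinkedHashMap<>(); // constructed sample assertion
        attrs.put("groups", Arrays.asList("data-eng", " ranger-admins "));
        MappedUser u = map("alice@example.com", attrs);
        System.out.println(u.username + " " + u.groups + " " + u.rangerRole);
    }
}
```

Because the admin mapping is a plain string comparison, the IdP-side group name must match ranger.saml.admin.group exactly; a missing or empty group attribute yields only the default role.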
Design Decisions
Delegating handlers over replacing them — RangerDelegatingAuthenticationEntryPoint and RangerDelegatingLogoutSuccessHandler wrap existing handlers rather than replacing them, so non-SAML auth methods (LDAP, Kerberos, Unix) are unaffected.
Auto-provisioning on first login — consistent with how Ranger handles SSO and Spnego users; no admin action is needed to pre-create SAML users.
No proxy dependency — the SP logic runs entirely within the Ranger Admin JVM.
How was this patch tested?
SAML login flow tested against Keycloak
Single Logout (SLO) tested — browser redirected to IdP and back
Non-SAML auth methods (LDAP/Unix) verified unaffected with ranger.authentication.method set to their respective values
Auto-provisioned user created in Ranger DB on first SAML login