“Unknown Attribute Name” exception while enabling SAML
You may see an “Unknown Attribute Name” exception when a SAML Identity Provider (IdP) returns the 'uid' profile attribute but Hue, which uses pysaml2, cannot interpret it. To resolve this, create an attribute mapping file and then reference it in the libsaml configuration of Hue.
To resolve this issue:
- SSH into a Hue server as a root user.
- Create an attribute mapping directory as follows:
mkdir -p /opt/cloudera/security/saml/attribute_mapping
- Create an attribute mapping file as follows:
vi /opt/cloudera/security/saml/attribute_mapping/saml_uri.py
- Add the following lines into the saml_uri.py file:
MAP = {
    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "fro": {
        'uid': 'uid',
    },
    "to": {
        'uid': 'uid',
    }
}
- Repeat steps 1 through 4 on all the Hue hosts.
- Sign in to Cloudera Manager as an Administrator.
- Go to and search safety valve.
- Add the following lines in the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini field:
[libsaml]
xmlsec_binary=/usr/bin/xmlsec1
metadata_file=/opt/certs/saml/FederationMetadata.xml
key_file=/opt/certs/hue.key
cert_file=/opt/certs/hue.crt
entity_id=hue-pri.unedic.intra
logout_enabled=false
username_source=attributes
attribute_map_dir=/opt/cloudera/security/saml/attribute_mapping
#user_attribute_mapping='{"uid":"username"}'
- Click Save Changes.
- Restart the Hue service by clicking .
The users should now be able to authenticate to Hue through SAML.
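Before restarting Hue, the mapping file can be checked on each host with a short script. The following is an added example, not Cloudera's or pysaml2's code: the function names `check_map_file` and `unmapped` are hypothetical, the attribute lookup is a simplified model of how a map is matched by its "identifier" and "fro" entries, and the sample file is constructed from the MAP shown in the steps above.

```python
import os
import runpy
import stat
import tempfile

URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Constructed sample with the same content as the saml_uri.py in the steps above.
SAMPLE_MAP = (
    'MAP = {\n'
    '    "identifier": "%s",\n'
    '    "fro": {"uid": "uid"},\n'
    '    "to": {"uid": "uid"},\n'
    '}\n' % URI_FORMAT
)

def check_map_file(path):
    """Return a list of problems found in one attribute mapping file."""
    # The mapping file is Python source that is executed when loaded (here via
    # runpy), so refuse to load one that group or other users can modify.
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return ["file is group/world writable"]
    mapping = runpy.run_path(path).get("MAP")
    if not isinstance(mapping, dict):
        return ["no MAP dict defined"]
    problems = ["missing key %r" % k for k in ("identifier", "fro", "to")
                if k not in mapping]
    # Consistency check chosen for this example: "to" should invert "fro".
    for wire, local in mapping.get("fro", {}).items():
        if mapping.get("to", {}).get(local) != wire:
            problems.append("'to' does not map %r back to %r" % (local, wire))
    return problems

def unmapped(path, name_format, attribute_names):
    """Simplified model: names the map cannot translate for this NameFormat."""
    mapping = runpy.run_path(path)["MAP"]
    if mapping["identifier"] != name_format:
        return sorted(attribute_names)
    return sorted(n for n in attribute_names if n not in mapping["fro"])

if __name__ == "__main__":
    # Write the constructed sample to a temporary file and check it.
    path = os.path.join(tempfile.mkdtemp(), "saml_uri.py")
    with open(path, "w") as handle:
        handle.write(SAMPLE_MAP)
    os.chmod(path, 0o644)
    print(check_map_file(path))
    print(unmapped(path, URI_FORMAT, ["uid", "mail"]))
```

Any attribute name reported by `unmapped` for the NameFormat your IdP sends is a candidate for the same exception and needs its own entry in "fro" and "to".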