As of HDP-3.0.0, SSO is enabled using the ambari-server setup-sso
        wizard. SSO for Ambari, Atlas, and Ranger is automatically enabled by the wizard. To enable
        SSO for HDFS, Oozie, MapReduce2, Zeppelin, or YARN, you must manually change their
        configuration files. Users who try to access these components will be redirected to the Knox
        SSO login page for authentication.
        
            You must be running Ambari 2.7.0.0 with HDP-3.0.0 or higher.
            You must have already enabled SSO using ambari-server setup-sso.
         
        - 
                In Ambari, set the following properties for your components:
                
                    
                        - HDFS:
                            core-site.xml"hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler”
"hadoop.http.authentication.public.key.pem": “$SSOPUBLICKEY"
"hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
 
- Oozie:
                            oozie-site.xmloozie.authentication.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
oozie.authentication.authentication.provider.url=https://$KNOX_HOST:8443/gateway/knoxsso/api/v1/websso
oozie.authentication.public.key.pem=$KNOX_PUBLIC_KEY
optional: oozie.authentication.expected.jwt.audiences=$AUDIENCES (default: EMPTY; which means ALL)
optional: oozie.authentication.jwt.cookie=$COOKIE-NAME (default: hadoop-jwt)
 
- MapReduce2:
                            core-site.xml"hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler”
"hadoop.http.authentication.public.key.pem": “$SSOPUBLICKEY"
"hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
 
- Zeppelin: Advanced zeppelin-shiro-ini >
                            shiro_ini_contentknoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = $PROVIDERURL
knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html
knoxJwtRealm.publicKeyPath = $PATH_OF_KNOX-SSO.PEM
knoxJwtRealm.logoutAPI = false
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.redirectParam = originalUrl
knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
knoxJwtRealm.principalMapping = principal.mapping
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
 
- Zeppelin: Advanced spark2-env, for
                            SPARK_HISTORY_OPTSexport SPARK_HISTORY_OPTS=’
-Dspark.ui.filters=org.apache.hadoop.security.authentication.server.AuthenticationFilter
-Dspark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.params ="type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler,
kerberos.principal=$SPARK_HISTORY_KERBEROS_PRINCIPAL,
kerberos.keytab=$SPNEGO_KEYTAB,
authentication.provider.url=$PROVIDER_URL ,
public.key.pem=$PUBLIC_KEY”’
 
- YARN:
                            core-site.xml"hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler”
"hadoop.http.authentication.public.key.pem": “$SSOPUBLICKEY"
"hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
 
 
 
- 
                Click Save and confirm subsequent prompts.
            
- 
                Click  to restart all other services that require a restart.