https://gethue.com/

https://github.com/cloudera/hue/blob/master/desktop/core/src/desktop/auth/backend.py 

https://github.com/cloudera/hue/blob/cdh5.16.2-release/desktop/core/src/desktop/auth/backend.py

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/hue_sec_saml_auth.html

https://gist.github.com/jbenninghoff/75a02c446f630dfb16886c9a5491fc4e#file-emr-hue-saml-conf-md

https://github.com/cloudera/hue/blob/branch-4.9.0/desktop/core/src/desktop/auth/backend.py

# The client ID as relay party set in OpenID provider
oidc_rp_client_id=xxx

# The client secret as relay party set in OpenID provider
oidc_rp_client_secret=xx-xx-xx-xx-xx

# The OpenID provider authoriation endpoint
oidc_op_authorization_endpoint=https://keycloak.xxx.com/auth/realms/master/protocol/openid-connect/auth

# The OpenID provider token endpoint
oidc_op_token_endpoint=https://keycloak.xxx.com/auth/realms/master/protocol/openid-connect/token

# The OpenID provider user info endpoint
oidc_op_user_endpoint=https://keycloak.xxx.com/auth/realms/master/protocol/openid-connect/userinfo

# The OpenID provider signing key in PEM or DER format
## oidc_rp_idp_sign_key=/path/to/key_file

# The OpenID provider authoriation endpoint
oidc_op_jwks_endpoint=https://keycloak.xxx.com/auth/realms/master/protocol/openid-connect/certs

# Whether Hue as OpenID Connect client verify SSL cert
oidc_verify_ssl=false

# As relay party Hue URL path to redirect to after login
login_redirect_url=http://xxx:8888/oidc/callback/

# The OpenID provider URL path to redirect to after logout
logout_redirect_url=https://keycloak.xxx.com/auth/realms/master/protocol/openid-connect/logout

# As relay party Hue URL path to redirect to after login
login_redirect_url_failure=http://xxx:8888/hue/oidc_failed/

# Create a new user from OpenID Connect on login if it doesn't exist
create_users_on_login=true

# When creating a new user, which 'claims' attribute from the OIDC provider to be used for creating the username.
#      Default to 'preferred_username'. Possible values include: 'email'
oidc_username_attribute=preferred_username

https://openid.net/specs/openid-connect-core-1_0.html

Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to xxx@xxx.com

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cdh_sg_kerbprin_to_sn.html