I believe that you will need to pass groups for the user as well – in order for the groups to be used in the enforcement of the Ranger policies.
When using username/password and having the appropriate Shiro KnoxLdapRealm configuration, the groups are looked up via LDAP.
If you are indeed federating another authentication event – and not just passing some known username – then you should also have group information available as well.
The following link contains Preauthenticated SSO documentation for Knox:
http://knox.apache.org/books/knox-0-6-0/user-guide.html#Preauthenticated+SSO+Provider
Note that you will need to provide configuration in the SSO provider that indicates the header name for groups.
Configure that and provide the list of comma-delimited group names in the corresponding header of the request.
Hope that helps!
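
For reference, a sketch of the topology provider block the reply describes. This is an added example, not part of the original reply or taken from a real deployment. The parameter names are those of the Knox HeaderPreAuth federation provider; the header names `SM_USER` and `SM_GROUP`, the IP addresses and the group names are constructed placeholders.

```xml
<!-- Added example: HeaderPreAuth federation provider in a Knox topology file. -->
<provider>
    <role>federation</role>
    <name>HeaderPreAuth</name>
    <enabled>true</enabled>

    <!-- Accept pre-authenticated headers only from the listed upstream
         SSO/proxy hosts. The gateway trusts these headers as-is, so this
         restriction is what keeps arbitrary clients from asserting an
         identity. Addresses are placeholders. -->
    <param>
        <name>preauth.validation.method</name>
        <value>preauth.ip.validation</value>
    </param>
    <param>
        <name>preauth.ip.addresses</name>
        <value>10.0.0.10,10.0.0.11</value>
    </param>

    <!-- Header carrying the authenticated username (placeholder name). -->
    <param>
        <name>preauth.custom.header</name>
        <value>SM_USER</value>
    </param>

    <!-- Header carrying the user's groups as a comma-delimited list.
         Without this, no groups reach the group-based Ranger policies. -->
    <param>
        <name>preauth.custom.group.header</name>
        <value>SM_GROUP</value>
    </param>
</provider>

<!-- The upstream proxy would then send, for example (constructed values):
       SM_USER: jdoe
       SM_GROUP: analysts,hdfs_readers
-->
```

The group names sent in the header need to match the group names used in the Ranger policies.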