By default the OData access to a Virtual Database (VDB) in JBoss AS is restricted to authentication using the HTTP Basic. However, it possible with below instructions one can configure OData access to participate in a Single-Sign-On (SSO) based security using SAML2. The below instructions are based on JBoss EAP platform using Picketlink security framework.

In SAML based authentication there are Identity Providers (IDP) and Service Providers (SP) and user (you). It is expected that you already have a IDP, configured working with security domain of you choice like LDAP or Kerberoes etc. The SP in this case is the OData WAR file that is supplied with Teiid distribution. Picketlink SP does not explicitly mention the interoperability with other external vendor supplied IDP, but Teiid tean has tested successfully with

• Shibboleth
• Picketlink IDP
• Salesforce IDP (this is documented on Picketlink, not verified)
• Social Logins with Picketlink IDP (like, google, facebook etc. This has been mentioned in Picketlink documentation but not verified)

Since SAML2 is standard, we believe any standards complaint IDP vendor will work with Picketlink SP.

Pre-requisites

• Collect the certificate for authentication which is used by IDP to sign the SAML message.
• Install Picketlink JBoss AS subsystem into JBoss AS.
• Gather the DNS name for machine where JBoss EAP is installed. This should be externally accessible, if the IDP is external to this system.
• Gather the SSO POST based URL for your IDP installation.

"DNS Names" Do not try to use IP address or localhost except for the testing scenarios. Configure proper DNS names for both IDP and SP servers and make sure both can access each other using the URL configured below.

Configure for SAML based authentication the OData

• Open Standalone-teiid.xml file and following configurations

<extensions>
  <extension module="org.picketlink.as.extension" />
<extensions>

<subsystem xmlns="urn:jboss:domain:picketlink:1.0">
  <federation alias="odata">
    <saml token-timeout="4000" clock-skew="0"/>
    <key-store url="/\{CERTIFICATE-FILE-NAME\}" passwd="\{PASSWD\}" sign-key-alias="\{CERTIFICATE-ALIAS\}" sign-key-passwd="\{PASSWD\}"/>
    <identity-provider url="\{SSO-IDP-POST-URL\}" alias="idp.war" security-domain="idp" supportsSignatures="true" strict-post-binding="true">

      <trust>
        <trust-domain name="localhost" cert-alias="\{CERTIFICATE-ALIAS\}"/>
        <trust-domain name="127.0.0.1" cert-alias="\{CERTIFICATE-ALIAS\}"/>
        <trust-domain name="{IDP-DNS-NAME}" cert-alias="\{CERTIFICATE-ALIAS\}"/>
      </trust>
    </identity-provider>
    <service-providers>
    <service-provider alias="odata.war" security-domain="sp" url="http://\{SP-DNS-NAME\}:8080/odata/" post-binding="true" supportsSignatures="true"/>
    </service-providers>
  </federation>
</subsystem>

"CERTIFICATE-ALIAS" Typically certificate alias in certificate is domain name, such as "idp.jboss.org"

Now configure the Security domains to be used by the SP.

<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="sp" cache-type="default">
            <authentication>
                <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
                <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

Now change the OData transport in the Teiid subsystem to use the security domain define above.

......
   <transport name="odata">
     <authentication security-domain="sp"/>
   </transport>
......

Modify the OData WAR File to use SAML based authentication

• Extract the "teiid-odata-xxxx.war" file from "<JBossAS>/modules/system/base/org/jboss/teiid/main/deployments" to temporary location. The WAR file is simple ZIP file so you can "jar -x teiid-odata-xxxx.war /temp"

• Edit "jboss-web.xml" file, and it should look like

  <?xml version="1.0" encoding="UTF-8"?>
  <jboss-web>
      <context-root>odata</context-root>
  </jboss-web>
  

• Edit "web.xml" file and it should look like below
  "web.xml"

  <?xml version="1.0" encoding="UTF-8"?>
  <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
      <display-name>odata</display-name>
      <context-param>
          <param-name>javax.ws.rs.Application</param-name>
          <param-value>org.teiid.odata.TeiidODataApplication</param-value>
      </context-param>   
      <context-param>
          <param-name>batch-size</param-name>
          <param-value>256</param-value>
      </context-param>  
      <context-param>
          <param-name>skiptoken-cache-time</param-name>
          <param-value>300000</param-value>
      </context-param>   
      <context-param>
          <param-name>local-transport-name</param-name>
          <param-value>odata</param-value>
      </context-param>      
      <listener>
          <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
      </listener>    
      <servlet>
          <servlet-name>Resteasy</servlet-name>
          <servlet-class>org.teiid.odata.ODataServlet</servlet-class>
      </servlet>     
      
      <servlet-mapping>
          <servlet-name>Resteasy</servlet-name>
          <url-pattern>/*</url-pattern>
      </servlet-mapping>
           
      <security-constraint>
          <display-name>require valid user</display-name>
          <web-resource-collection>
              <web-resource-name>Teiid Rest Application</web-resource-name>
              <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
              <role-name>*</role-name>
          </auth-constraint>
      </security-constraint>
  
  	<login-config>
  		<auth-method>FORM</auth-method>
  		<realm-name>sp</realm-name>
  		<form-login-config>
  			<form-login-page>/jsp/login.jsp</form-login-page>
  			<form-error-page>/jsp/loginerror.jsp</form-error-page>
  		</form-login-config>
  	</login-config>
           
       <security-role>
          <description>security role</description>
          <role-name>*</role-name>
      </security-role>
       
  </web-app>
  

• Add the certificate received from IDP vendor to "WEB-INF/classes" directory. Note this must be same name as {CERTIFICATE-FILE-NAME} used in "Configuring the Picketlink Subsystem"

• Create the WAR file again based on the modified contents of the files.

  jar -cvf teiid-odata-xxxx.war /temp/*
  

• Copy the newly created WAR file into "<JBossAS>/modules/system/base/org/jboss/teiid/main/deployments" directory

• Start the Teiid Server, and access the OData URL, you will be redirected to SSO based authentication.