... |
h3. Configure for SAML based authentication the OData |
* Open Standalone[-teiid].xml file and following configurations |
* Open standalone-teiid.xml file and add the following configurations |
{code:title="Adding Extension to Picketlink Subsystem"} |
... |
By default the OData access to a Virtual Database (VDB) in JBoss AS is restricted to authentication using the HTTP Basic. However, it possible with below instructions one can configure OData access to participate in a Single-Sign-On (SSO) based security using SAML2. The below instructions are based on JBoss EAP platform using Picketlink security framework.
In SAML based authentication there are Identity Providers (IDP) who provide authentication services and Service Providers (SP), a end user service like odata and user (you). It is expected that you already have IDP, configured and working with security domain of your choice like LDAP or Kerberoes etc. The SP in this case is the OData WAR file that is supplied with Teiid distribution along with Picketlink based framework. Picketlink framework does not explicitly mention the interoperability with other third party external vendors supplied IDP, but Teiid team has tested successfully with
Since SAML2 is standard, we believe any standards complaint IDP vendor will work with Picketlink SP. |
"DNS Names" Do not try to use IP address or localhost except for the testing scenarios. Configure proper DNS names for both IDP and SP servers and make sure both can access each other using the URLs configured. |
<extensions> <extension module="org.picketlink.as.extension" /> <extensions>
<subsystem xmlns="urn:jboss:domain:picketlink:1.0"> <federation alias="odata"> <saml token-timeout="4000" clock-skew="0"/> <key-store url="/\{CERTIFICATE-FILE-NAME\}" passwd="\{PASSWD\}" sign-key-alias="\{CERTIFICATE-ALIAS\}" sign-key-passwd="\{PASSWD\}"/> <identity-provider url="\{SSO-IDP-POST-URL\}" alias="idp.war" security-domain="idp" supportsSignatures="true" strict-post-binding="true"> <trust> <trust-domain name="localhost" cert-alias="\{CERTIFICATE-ALIAS\}"/> <trust-domain name="127.0.0.1" cert-alias="\{CERTIFICATE-ALIAS\}"/> <trust-domain name="{IDP-DNS-NAME}" cert-alias="\{CERTIFICATE-ALIAS\}"/> </trust> </identity-provider> <service-providers> <service-provider alias="odata.war" security-domain="sp" url="http://\{SP-DNS-NAME\}:8080/odata/" post-binding="true" supportsSignatures="true"/> </service-providers> </federation> </subsystem>
"CERTIFICATE-ALIAS" Typically certificate alias in certificate is domain name, such as "idp.jboss.org" |
Now configure the Security domains to be used by the SP.
<subsystem xmlns="urn:jboss:domain:security:1.2"> <security-domains> <security-domain name="sp" cache-type="default"> <authentication> <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/> <login-module code="org.jboss.security.ClientLoginModule" flag="required"/> </authentication> </security-domain> </security-domains> </subsystem>
Now change the OData transport in the Teiid subsystem to use the security domain define above.
...... <transport name="odata"> <authentication security-domain="sp"/> </transport> ......
<?xml version="1.0" encoding="UTF-8"?> <jboss-web> <context-root>odata</context-root> </jboss-web>
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5"> <display-name>odata</display-name> <context-param> <param-name>javax.ws.rs.Application</param-name> <param-value>org.teiid.odata.TeiidODataApplication</param-value> </context-param> <context-param> <param-name>batch-size</param-name> <param-value>256</param-value> </context-param> <context-param> <param-name>skiptoken-cache-time</param-name> <param-value>300000</param-value> </context-param> <context-param> <param-name>local-transport-name</param-name> <param-value>odata</param-value> </context-param> <listener> <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class> </listener> <servlet> <servlet-name>Resteasy</servlet-name> <servlet-class>org.teiid.odata.ODataServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>Resteasy</servlet-name> <url-pattern>/*</url-pattern> </servlet-mapping> <security-constraint> <display-name>require valid user</display-name> <web-resource-collection> <web-resource-name>Teiid Rest Application</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>sp</realm-name> <form-login-config> <form-login-page>/jsp/login.jsp</form-login-page> <form-error-page>/jsp/loginerror.jsp</form-error-page> </form-login-config> </login-config> <security-role> <description>security role</description> <role-name>*</role-name> </security-role> </web-app>
jar -cvf teiid-odata-xxxx.war /temp/*