SAML Based Security For OData
Page edited by Ramesh Reddy
Changes (27)
| ... |
| h3. Pre-requisites * Collect the certificate for authentication that is used by IDP to sign the SAML messages. |
| * Install [Picketlink JBoss AS subsystem|http://docs.jboss.org/picketlink/2/latest/reference/html/ch11.html] into JBoss AS. * Gather the DNS names for machine where JBoss EAP is installed. This should be externally accessible, if the IDP is external to this system. |
| * Gather the SSO POST based URL for your IDP, that your SP can use to redirect for authentication call. |
| ... |
| * Open standalone-teiid.xml file and add the following configurations |
| {code:title="Adding Extension to Picketlink Subsystem"} <extensions> <extension module="org.wildfly.extension.picketlink"/> <extensions> {code} {code:title="Configuring the Picketlink Federation Subsystem"} <subsystem xmlns="urn:jboss:domain:picketlink-federation:1.1"> <federation name="odata"> <saml token-timeout="4000" clock-skew="0"/> <key-store file="/\{CERTIFICATE-FILE-NAME\}" relative-to="jboss.server.config.dir" password="\{PASSWD\}" sign-key-alias="\{CERTIFICATE-ALIAS\}" sign-key-password="\{PASSWD\}"> <keys> <key name="\{CERTIFICATE-ALIAS\}" host="${jboss.bind.address:localhost},127.0.0.1, \{CERTIFICATE-ALIAS\}"/> </keys> </key-store> <identity-provider name="\{SSO-IDP-POST-URL\}" security-domain="idp" supportsSignatures="true" strict-post-binding="true"> <identity-provider name="idp.war" url="\{SSO-IDP-POST-URL\}" security-domain="idp" external="true" encrypt="false" support-signatures="true" strict-post-binding="true" ssl-authentication="false" support-metadata="true"/> <trust> <trust-domain name="localhost" cert-alias="\{CERTIFICATE-ALIAS\}"/> <trust-domain name="127.0.0.1" cert-alias="\{CERTIFICATE-ALIAS\}"/> <trust-domain name="{IDP-DNS-NAME}" cert-alias="\{CERTIFICATE-ALIAS\}"/> </trust> </identity-provider> <service-providers> <service-provider name="odata.war" security-domain="sp" url="http://\{SP-DNS-NAME\}:8080/odata/" post-binding="true" support-signatures="true" support-metadata="true" strict-post-binding="true"/> </service-providers> </federation> </subsystem> {code} {tip:title="CERTIFICATE-ALIAS"} Typically certificate alias in certificate is domain name, such as "idp.jboss.org" {tip} |
| Now configure the Security domains to be used by the SP. |
| ... |
| {code} |
| Now change the Teiid subsystem to use the security domain defined above. You can alternatively combine the required login modules into the existing teiid-security security domain. |
| Now change the OData transport in the Teiid subsystem to use the security domain define above. |
| |
| {code:title="Change Teiid security-domain"} |
| {code:title="Change OData transport security-domain"} |
| ...... |
| <transport name="odata"> |
| <authentication security-domain="sp"/> |
| </transport> |
| <transport ... |
| ...... {code} |
| ... |
| h3. Modify the OData WAR File to use SAML based authentication |
| * Extract the "teiid-odata-xxxx.war" "teiid-olingo-$\{version\}\-odata4.war" file from "<JBossAS>/modules/system/base/dv/org/jboss/teiid/main/deployments" to temporary location. The WAR file is simple ZIP file so you can "jar -x teiid-odata-xxxx.war \-x teiid-olingo-$\{version\}\-odata4.war /temp" |
| |
| * Edit "WEB-INF/jboss-web.xml" file, and it should look like |
| {code} |
| {code: lang=XML} |
| <?xml version="1.0" encoding="UTF-8"?> <jboss-web> |
| <context-root>odata4</context-root> |
| <security-domain>sp</security-domain> <valve> <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name> <param> <param-name>configProvider</param-name> <param-value>org.picketlink.identity.federation.web.config.SPPostMetadataConfigurationProvider</param-value> </param> </valve> |
| </jboss-web> {code} |
| * Edit "web.xml" file and make sure it has below fragment and remove the "login-config" |
| * Edit "web.xml" file and *remove* the section below |
| {code:title="web.xml"} |
| <security-constraint> <login-config> |
| <display-name>require valid user</display-name> |
| <web-resource-collection> <auth-method>BASIC</auth-method> |
| <web-resource-name>Teiid OData Application</web-resource-name> |
| <url-pattern>/*</url-pattern> <realm-name>yourdomain.com</realm-name> </web-resource-collection> </login-config> |
| <auth-constraint> <role-name>odata</role-name> </auth-constraint> </security-constraint> <security-role> <description>security role</description> <role-name>odata</role-name> </security-role> </web-app> |
| {code} |
| * Add the certificate keystore from your IDP to the classes directory. This is \{KEYSTORE-FILE\} in below configuration. or you can add to a existing keystore using following command {code} keytool -import -file idp_cert.cer -keystore \{KEYSTORE-FILE\} -alias \{CERTIFICATE-ALIAS\} {code} * Add "picketlink.xml" file to WEB-INF directory with following content {code: lang=xml} <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true"> <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager"> <Auth Key="KeyStoreURL" Value="\{KEYSTORE-FILE\}" /> <Auth Key="KeyStorePass" Value="\{KEYSTORE-PASSWORD\}" /> <Auth Key="SigningKeyAlias" Value="\{CERTIFICATE-ALIAS\}" /> <Auth Key="SigningKeyPass" Value="\{CERTIFICATE-PASSWORD\}" /> <ValidatingAlias Key="localhost" Value="\{CERTIFICATE-ALIAS\}" /> <ValidatingAlias Key="127.0.0.1" Value="\{CERTIFICATE-ALIAS\}" /> </KeyProvider> </PicketLinkSP> <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1"> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" /> </Handlers> </PicketLink> {code} {tip} \{CERTIFICATE-ALIAS\} is typically something like "idp.example.com" for which the certificate is created for {tip} |
| * Add the certificate received from IDP vendor to "WEB-INF/classes" directory. Note this must be same name as \{CERTIFICATE-FILE-NAME\} used in "Configuring the Picketlink Subsystem" |
| * Add "sp-metadata.xml" to the classes directory. Note that your "sp-metadata.xml" contents will entirely dependent upon your Identity Provider settings. The below sample *ONLY* provided as an example {code: lang=XML} <?xml version="1.0" encoding="UTF-8"?> <EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <EntityDescriptor entityID="http://localhost:8080/idp-metadata/"> <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient </NameIDFormat> <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="http://localhost:8080/idp-metadata/" /> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/idp-metadata/" /> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/idp-metadata/" /> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/idp-metadata/?GLO=true" /> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/idp-metadata/SLO" /> </IDPSSODescriptor> <Organization> <OrganizationName xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">JBoss</OrganizationName> <OrganizationDisplayName xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">JBoss by Red Hat</OrganizationDisplayName> <OrganizationURL xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">http://www.jboss.org</OrganizationURL> </Organization> <ContactPerson contactType="technical"> <GivenName>The</GivenName> <SurName>Admin</SurName> <EmailAddress>admin@mycompany.com</EmailAddress> </ContactPerson> </EntityDescriptor> <EntityDescriptor entityID="http://localhost:8080/odata4/"> <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext"> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient </NameIDFormat> <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/odata4/" index="1" isDefault="true" /> </SPSSODescriptor> <Organization> <OrganizationName xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">JBoss</OrganizationName> <OrganizationDisplayName xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">JBoss by Red Hat</OrganizationDisplayName> <OrganizationURL xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">http://localhost:8080/odata4/</OrganizationURL> </Organization> <ContactPerson contactType="technical"> <GivenName>The</GivenName> <SurName>Admin</SurName> <EmailAddress>admin@mycompany.com</EmailAddress> </ContactPerson> </EntityDescriptor> </EntitiesDescriptor> {code} |
| * Create the WAR file again based on the modified contents of the files. {code} |
| jar -cvf teiid-odata-xxxx.war teiid-olingo-$\{version\}\-odata4.war /temp/* |
| {code} |
| * Copy the newly created WAR file into "<JBossAS>/modules/system/base/dv/org/jboss/teiid/main/deployments" directory |
| * Start the Teiid Server, and access the OData URL, you will be redirected to SSO based authentication. |
Full Content
By default the OData access to a Virtual Database (VDB) in JBoss AS is restricted to authentication using the HTTP Basic. However, it possible with below instructions one can configure OData access to participate in a Single-Sign-On (SSO) based security using SAML2. The below instructions are based on JBoss EAP platform using Picketlink security framework.
In SAML based authentication there are Identity Providers (IDP) who provide authentication services and Service Providers (SP), a end user service like odata and user (you). It is expected that you already have IDP, configured and working with security domain of your choice like LDAP or Kerberoes etc. The SP in this case is the OData WAR file that is supplied with Teiid distribution along with Picketlink based framework. Picketlink framework does not explicitly mention the interoperability with other third party external vendors supplied IDP, but Teiid team has tested successfully with
- Shibboleth
- Picketlink IDP
- Salesforce IDP (this is documented on Picketlink, not verified)
- Social Logins with Picketlink IDP (like, google, facebook etc. This has been mentioned in Picketlink documentation but not verified)
 | Since SAML2 is standard, we believe any standards complaint IDP vendor will work with Picketlink SP. |
Pre-requisites
- Collect the certificate for authentication that is used by IDP to sign the SAML messages.
- Gather the SSO POST based URL for your IDP, that your SP can use to redirect for authentication call.
| "DNS Names" Do not try to use IP address or localhost except for the testing scenarios. Configure proper DNS names for both IDP and SP servers and make sure both can access each other using the URLs configured. |
Configure for SAML based authentication the OData
- Open standalone-teiid.xml file and add the following configurations
Now configure the Security domains to be used by the SP.
"Security-Domain for SP"
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="sp" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
</authentication>
</security-domain>
</security-domains>
</subsystem>
Now change the OData transport in the Teiid subsystem to use the security domain define above.
"Change OData transport security-domain"
......
<transport name="odata">
<authentication security-domain="sp"/>
</transport>
......
Modify the OData WAR File to use SAML based authentication
- Extract the "teiid-olingo-${version}-odata4.war" file from "<JBossAS>/modules/system/base/dv/org/jboss/teiid/main/deployments" to temporary location. The WAR file is simple ZIP file so you can "jar -x teiid-olingo-${version}-odata4.war /temp"
- Edit "WEB-INF/jboss-web.xml" file, and it should look like
<?xml version="1.0" encoding="UTF-8"?> <jboss-web> <context-root>odata4</context-root> <security-domain>sp</security-domain> <valve> <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name> <param> <param-name>configProvider</param-name> <param-value>org.picketlink.identity.federation.web.config.SPPostMetadataConfigurationProvider</param-value> </param> </valve> </jboss-web>
- Edit "web.xml" file and remove the section below
"web.xml"
<login-config> <auth-method>BASIC</auth-method> <realm-name>yourdomain.com</realm-name> </login-config>
- Add the certificate keystore from your IDP to the classes directory. This is {KEYSTORE-FILE} in below configuration. or you can add to a existing keystore using following command
keytool -import -file idp_cert.cer -keystore \{KEYSTORE-FILE\} -alias \{CERTIFICATE-ALIAS\}
- Add "picketlink.xml" file to WEB-INF directory with following content
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true"> <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager"> <Auth Key="KeyStoreURL" Value="\{KEYSTORE-FILE\}" /> <Auth Key="KeyStorePass" Value="\{KEYSTORE-PASSWORD\}" /> <Auth Key="SigningKeyAlias" Value="\{CERTIFICATE-ALIAS\}" /> <Auth Key="SigningKeyPass" Value="\{CERTIFICATE-PASSWORD\}" /> <ValidatingAlias Key="localhost" Value="\{CERTIFICATE-ALIAS\}" /> <ValidatingAlias Key="127.0.0.1" Value="\{CERTIFICATE-ALIAS\}" /> </KeyProvider> </PicketLinkSP> <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1"> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" /> </Handlers> </PicketLink>
| {CERTIFICATE-ALIAS} is typically something like "idp.example.com" for which the certificate is created for |
- Add the certificate received from IDP vendor to "WEB-INF/classes" directory. Note this must be same name as {CERTIFICATE-FILE-NAME} used in "Configuring the Picketlink Subsystem"
- Add "sp-metadata.xml" to the classes directory. Note that your "sp-metadata.xml" contents will entirely dependent upon your Identity Provider settings. The below sample ONLY provided as an example
<?xml version="1.0" encoding="UTF-8"?> <EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <EntityDescriptor entityID="http://localhost:8080/idp-metadata/"> <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient </NameIDFormat> <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="http://localhost:8080/idp-metadata/" /> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/idp-metadata/" /> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/idp-metadata/" /> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/idp-metadata/?GLO=true" /> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/idp-metadata/SLO" /> </IDPSSODescriptor> <Organization> <OrganizationName xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">JBoss</OrganizationName> <OrganizationDisplayName xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">JBoss by Red Hat</OrganizationDisplayName> <OrganizationURL xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">http://www.jboss.org</OrganizationURL> </Organization> <ContactPerson contactType="technical"> <GivenName>The</GivenName> <SurName>Admin</SurName> <EmailAddress>admin@mycompany.com</EmailAddress> </ContactPerson> </EntityDescriptor> <EntityDescriptor entityID="http://localhost:8080/odata4/"> <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext"> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient </NameIDFormat> <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/odata4/" index="1" isDefault="true" /> </SPSSODescriptor> <Organization> <OrganizationName xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">JBoss</OrganizationName> <OrganizationDisplayName xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">JBoss by Red Hat</OrganizationDisplayName> <OrganizationURL xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="en">http://localhost:8080/odata4/</OrganizationURL> </Organization> <ContactPerson contactType="technical"> <GivenName>The</GivenName> <SurName>Admin</SurName> <EmailAddress>admin@mycompany.com</EmailAddress> </ContactPerson> </EntityDescriptor> </EntitiesDescriptor>
- Create the WAR file again based on the modified contents of the files.
jar -cvf teiid-olingo-$\{version\}\-odata4.war /temp/*
- Copy the newly created WAR file into "<JBossAS>/modules/system/base/dv/org/jboss/teiid/main/deployments" directory
- Start the Teiid Server, and access the OData URL, you will be redirected to SSO based authentication.
Stop watching space
|
Change email notification preferences
View Online
|
View Changes
|
Add Comment