[https://issues.jboss.org/browse/TEIID-2819?page=com.atlassian.jira.plugin...]
Ramesh Reddy commented on TEIID-2819:
-------------------------------------
The SAML implementation for server/client web applications is defined here
[http://cxf.apache.org/docs/jax-rs-saml.html]. TODO: write a sample application for
testing.
In OAuth2, the client application typically needs to register first with the source (ex:
google, twitter, salesforce); then they provide a "client_id" representing the
registered application and a "secret_key" to be used. Then, when a user wants to
gain access to the SP, they can use the "client_id" and "secret_key" to get an
"authorization code", using their credentials. For different sources the auth
URL is different; one needs to consult their docs. This "authorization code" is
specific to a given user. Now, given the "authorization code", the client can make the
calls. I found this [http://oauth.net/] and this library
[https://github.com/fernandezpablo85/scribe-java].
One of the ways a SAML assertion can be used as an "authentication code" is SAML
Bearer. Now the CXF support is defined here
[http://cxf.apache.org/docs/jax-rs-oauth2.html] and
[http://cxf.apache.org/docs/jaxrs-oauth2-assertions.html].
Basically, in an SSO scenario, if a user who was originally authenticated using
"SAML" (maybe through odata, or some other upstream app) issues a query into Teiid,
then that SAML assertion can be used as the "authorization code" to gain access to an
OAuth2 application. Using the "authorization code", the OAuth2 IDP can provide the
"access-token" that can be used in the HTTP header to issue the final query back
to the source.
Now the question is how this needs to be done in Teiid?
1) Need to build a JAAS login module to handle general OAuth2 calls to resources like
google, twitter, fb etc.
2) Then, based on the previous subject in context, check for SAML assertions?
Use Oauth SAML Bearer Assertion Flow
------------------------------------
Key: TEIID-2819
URL: https://issues.jboss.org/browse/TEIID-2819
Project: Teiid
Issue Type: Feature Request
Components: Server
Reporter: Van Halbert
Assignee: Ramesh Reddy
I can secure my mobile and cloud applications?
Consider doing SAML first and Oauth later – the use cases are the same, the
implementation is different
Link - https://help.salesforce.com/apex/HTViewHelpDoc?id=remoteaccess_oauth_SAML...