Chapter 11. SAML-Based Security for OData
11.1. SAML-Based Security for OData using Red Hat SSO
By default, OData access to a Virtual Database (VDB) in Red Hat JBoss EAP uses HTTP Basic authentication.
However, you can also configure OData to use Single Sign-On (SSO) security based on SAML, with Red Hat SSO acting as the identity provider (IdP).
Prerequisites
- An installed Red Hat SSO web server. It should be configured to have a new realm called oauth-demo, a new user, two enterprise roles called "user" and "odata" and a new client called "odata4-saml" that will represent the Data Virtualization SAML client. Finally, you need to either import or generate a new SAML key and then export it. Please refer to the Red Hat SSO documentation for details on how to achieve these tasks: https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/
- You must have an installed and configured Red Hat JBoss Data Virtualization server.
- You must have a Red Hat SSO SAML adapter for EAP 6 that has been installed in the Red Hat JBoss Data Virtualization instance.
- Add the Red Hat SSO-specific modules to the server. Please refer to the Red Hat SSO documentation for details: https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/
- Run these CLI commands:
    /subsystem=security/security-domain=keycloak:add(cache-type=default)
    /subsystem=security/security-domain=keycloak/authentication=classic:add
    /subsystem=security/security-domain=keycloak/authentication=classic/login-module=keycloak:add(code=org.keycloak.adapters.jboss.KeycloakLoginModule, flag=required)
    reload
The commands add this XML to the security-domain section of the domain.xml or standalone.xml file:
    <security-domain name="keycloak">
        <authentication>
            <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
        </authentication>
    </security-domain>
- Run this CLI command:
    /subsystem=teiid/transport=odata:write-attribute(name=authentication-security-domain, value=keycloak)
The command changes the security domain of the odata transport section of the domain.xml or standalone.xml file:
    <transport name="odata">
        <authentication security-domain="keycloak"/>
    </transport>
- In order to use SAML authentication, the OData WAR needs to be updated to make use of the SAML-based security domain.
- Run this CLI command to undeploy the WAR:
    undeploy teiid-olingo-odata4.war
- Download the Maven project templates found here: https://github.com/teiid/teiid-web-security
- The project builds two WAR files, one for OAuth and one for SAML. Use the SAML one (teiid-odata-saml-keycloak).
- Replace the content of the "teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keycloak.json" file with the "installation" script in "keycloak.json" format taken from the "odata4-saml" client application in the Red Hat SSO admin console.
- Similarly, replace the "teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keystore.jks" file with the keystore you exported earlier.
- Build the "keycloak-saml.xml" file and add all the "metadata" sections specific to your service. This is how the service learns where the IdP is located, which SAML client (service provider) this deployment represents, and so forth.
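The file below is an added illustration of what a complete keycloak-saml.xml for this deployment looks like; it is not the file shipped with the teiid-web-security project, and every concrete value in it (the IdP host and port, the keystore passwords, the key aliases and the role attribute name) is an assumption that you replace with the values from your own oauth-demo realm and the keystore you exported earlier. The SP entityID is the "odata4-saml" client created in the prerequisites, and the "user" and "odata" realm roles are expected to arrive in the assertion as a "Role" attribute.

```xml
<!-- Added example keycloak-saml.xml; not the project's own file. All values are assumptions. -->
<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter">
    <!-- entityID must match the client ID registered in the oauth-demo realm -->
    <SP entityID="odata4-saml"
        sslPolicy="EXTERNAL"
        nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        forceAuthentication="false">

        <!-- Key pair this service uses to sign its AuthnRequests.
             The keystore is the one exported from Red Hat SSO; aliases and passwords are assumed. -->
        <Keys>
            <Key signing="true">
                <KeyStore resource="/WEB-INF/keystore.jks" password="CHANGE_ME_STORE_PASSWORD">
                    <PrivateKey alias="odata4-saml" password="CHANGE_ME_KEY_PASSWORD"/>
                    <Certificate alias="odata4-saml"/>
                </KeyStore>
            </Key>
        </Keys>

        <!-- The authenticated principal name is taken from the SAML NameID -->
        <PrincipalNameMapping policy="FROM_NAME_ID"/>

        <!-- Realm roles ("user", "odata") are read from this assertion attribute.
             "Role" is the attribute name assumed here; it must match the client's role-list mapper. -->
        <RoleIdentifiers>
            <Attribute name="Role"/>
        </RoleIdentifiers>

        <!-- IdP metadata for the oauth-demo realm (host and port assumed).
             signaturesRequired="true" makes the adapter reject unsigned or badly signed
             responses and assertions instead of trusting whatever it is handed. -->
        <IDP entityID="http://localhost:8080/auth/realms/oauth-demo"
             signaturesRequired="true"
             signatureAlgorithm="RSA_SHA256">
            <SingleSignOnService requestBinding="POST"
                bindingUrl="http://localhost:8080/auth/realms/oauth-demo/protocol/saml"/>
            <SingleLogoutService requestBinding="POST" responseBinding="POST"
                postBindingUrl="http://localhost:8080/auth/realms/oauth-demo/protocol/saml"
                redirectBindingUrl="http://localhost:8080/auth/realms/oauth-demo/protocol/saml"/>

            <!-- The IdP's signing certificate, used to verify assertion signatures (alias assumed) -->
            <Keys>
                <Key signing="true">
                    <KeyStore resource="/WEB-INF/keystore.jks" password="CHANGE_ME_STORE_PASSWORD">
                        <Certificate alias="oauth-demo-idp"/>
                    </KeyStore>
                </Key>
            </Keys>
        </IDP>
    </SP>
</keycloak-saml-adapter>
```

Two settings deserve a second look before the file goes into the WAR. sslPolicy="EXTERNAL" only enforces TLS for requests that do not originate from the local machine, which is what keeps the plain http://localhost test at the end of this procedure working; for anything beyond a local test use "ALL". The IdP `<Keys>` block with the IdP certificate is what gives signaturesRequired="true" its teeth: without a trusted IdP certificate the adapter has nothing to verify assertion signatures against.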
- Build the WAR files using Maven by issuing this command:
    mvn clean package
A new WAR file is generated.
- Run this script in the CLI to update the WAR file:
    undeploy teiid-olingo-odata4.war
    deploy teiid-web-security/teiid-odata-saml-keycloak/target/teiid-odata-saml-keycloak-{version}.war
An alternative way to do this is to overlay the new WAR using this CLI script:
    deployment-overlay add --name=myOverlay --content=/WEB-INF/web.xml=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/web.xml,/WEB-INF/jboss-web.xml=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/jboss-web.xml,/META-INF/MANIFEST.MF=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/META-INF/MANIFEST.MF,/WEB-INF/keycloak-saml.xml=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keycloak-saml.xml,/WEB-INF/keycloak.jks=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keycloak.jks --deployments=teiid-olingo-odata4.war --redeploy-affected
- To test, open a web browser and issue any OData query, such as:
    http://localhost:8180/odata4/<vdb>.<version>/<model>/<view>
You will be redirected to the IdP to perform SAML authentication.