
Chapter 11. SAML-Based Security for OData

11.1. SAML-Based Security for OData using Red Hat SSO

By default, the OData access to a Virtual Database (VDB) in Red Hat JBoss EAP uses the HTTP Basic authentication method.
However, you can also configure OData to utilize Single-Sign-On (SSO)-based security for SAML using Red Hat SSO.

Prerequisites

  • An installed Red Hat SSO web server. It should be configured to have a new realm called oauth-demo, a new user, two enterprise roles called "user" and "odata" and a new client called "odata4-saml" that will represent the Data Virtualization SAML client. Finally, you need to either import or generate a new SAML key and then export it. Please refer to the Red Hat SSO documentation for details on how to achieve these tasks: https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/
  • You must have an installed and configured Red Hat JBoss Data Virtualization server.
  • You must have a Red Hat SSO SAML adapter for EAP 6 that has been installed in the Red Hat JBoss Data Virtualization instance.
  1. Add the Red Hat SSO-specific modules to the server. Please refer to the Red Hat SSO documentation for details: https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/
  2. Run these CLI commands:
     
    /subsystem=security/security-domain=keycloak:add(cache-type=default)
    /subsystem=security/security-domain=keycloak/authentication=classic:add
    /subsystem=security/security-domain=keycloak/authentication=classic/login-module=keycloak:add(code=org.keycloak.adapters.jboss.KeycloakLoginModule, flag=required)
     
    reload
    
    The commands add this XML to the security-domain section of the domain.xml or standalone.xml file:
     
    <security-domain name="keycloak">
        <authentication>
            <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
        </authentication>
    </security-domain>
    
  3. Run this CLI command:
     
    /subsystem=teiid/transport=odata:write-attribute(name=authentication-security-domain, value=keycloak)
    
    The command changes the security domain of the odata transport section of the domain.xml or standalone.xml file:
     
    <transport name="odata">
        <authentication security-domain="keycloak"/>
    </transport>
    
  4. In order to use SAML authentication, the OData WAR needs to be updated to make use of the SAML-based security domain.
  5. Run this CLI command to undeploy the WAR:
    undeploy teiid-olingo-odata4.war
  6. Download the Maven project templates found here: https://github.com/teiid/teiid-web-security
  7. The project contains two WAR modules. Choose the SAML one, "teiid-odata-saml-keycloak".
  8. Replace the content of the "teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keycloak.json" file with the "installation" script in "keycloak.json" format exported from the "odata4-saml" client application in the Red Hat SSO admin console.
  9. Similarly, replace the "teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keystore.jks" file with the keystore you exported earlier.
  10. Build the "keycloak-saml.xml" file, adding all the "metadata" sections specific to your service, so that the service knows where the IDP is located, which service this file represents, and so forth.
  11. Build the WAR files using Maven by issuing this command:
     
    mvn clean package
    
    A new WAR file is generated.
  12. Run this script in the CLI to update the WAR file:
     
    undeploy teiid-olingo-odata4.war
    deploy teiid-web-security/teiid-odata-saml-keycloak/target/teiid-odata-saml-keycloak-{version}.war
    
    An alternative way to do this is to overlay the new WAR using this CLI script:
     
    deployment-overlay add --name=myOverlay --content=/WEB-INF/web.xml=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/web.xml,/WEB-INF/jboss-web.xml=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/jboss-web.xml,/META-INF/MANIFEST.MF=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/META-INF/MANIFEST.MF,/WEB-INF/keycloak-saml.xml=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keycloak-saml.xml,/WEB-INF/keycloak.jks=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keycloak.jks --deployments=teiid-olingo-odata4.war --redeploy-affected
    
  13. To test, open a web browser and issue any OData-specific query like this one:
    http://localhost:8180/odata4/<vdb>.<version>/<model>/<view>
    
    You will be redirected to perform SAML authentication.
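As an added illustration of step 10, here is a keycloak-saml.xml for the "odata4-saml" client described in the prerequisites; it is an example written for this chapter, not a file from the page or from the teiid-web-security project. The host sso.example.com, the key alias, the passwords and the IDP certificate body are placeholders: take the real values from the exported keystore (step 9) and from the SAML descriptor of the oauth-demo realm.

```xml
<!-- WEB-INF/keycloak-saml.xml: the SP side of the SAML exchange for the OData WAR -->
<keycloak-saml-adapter>
    <!-- entityID must equal the client ID created in the oauth-demo realm -->
    <SP entityID="odata4-saml" sslPolicy="EXTERNAL">
        <Keys>
            <!-- SP signing key from the keystore exported in Red Hat SSO (step 9);
                 alias and passwords are placeholders -->
            <Key signing="true">
                <KeyStore resource="/WEB-INF/keystore.jks" password="KEYSTORE_PASSWORD">
                    <PrivateKey alias="odata4-saml" password="KEY_PASSWORD"/>
                    <Certificate alias="odata4-saml"/>
                </KeyStore>
            </Key>
        </Keys>
        <!-- The principal Teiid sees is the SAML NameID -->
        <PrincipalNameMapping policy="FROM_NAME_ID"/>
        <!-- Realm roles ("user", "odata") arrive in the SAML attribute named "Role" -->
        <RoleIdentifiers>
            <Attribute name="Role"/>
        </RoleIdentifiers>
        <!-- sso.example.com is a placeholder; the realm endpoints live under /auth/realms/oauth-demo -->
        <IDP entityID="https://sso.example.com/auth/realms/oauth-demo"
             signatureAlgorithm="RSA_SHA256"
             signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
            <!-- Sign the AuthnRequest and reject responses whose signature does not verify -->
            <SingleSignOnService signRequest="true" validateResponseSignature="true"
                                 requestBinding="POST"
                                 bindingUrl="https://sso.example.com/auth/realms/oauth-demo/protocol/saml"/>
            <SingleLogoutService signRequest="true" signResponse="true"
                                 validateRequestSignature="true" validateResponseSignature="true"
                                 requestBinding="POST" responseBinding="POST"
                                 postBindingUrl="https://sso.example.com/auth/realms/oauth-demo/protocol/saml"
                                 redirectBindingUrl="https://sso.example.com/auth/realms/oauth-demo/protocol/saml"/>
            <Keys>
                <!-- Pin the realm's signing certificate so assertions from any other issuer are rejected -->
                <Key signing="true">
                    <CertificatePem>
                        IDP_SIGNING_CERTIFICATE_BASE64_PLACEHOLDER
                    </CertificatePem>
                </Key>
            </Keys>
        </IDP>
    </SP>
</keycloak-saml-adapter>
```

With validateResponseSignature set and the IDP certificate pinned, an assertion that is unsigned or signed by any key other than the realm's is refused before Teiid ever sees a principal.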