Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 11. SAML-Based Security for OData

11.1. SAML-Based Security for OData using Red Hat SSO
Link kopieren

By default, the OData access to a Virtual Database (VDB) in Red Hat JBoss EAP uses the HTTP Basic authentication method.
However, you can also configure OData to utilize Single-Sign-On (SSO)-based security for SAML using Red Hat SSO.

Prerequisites

  • An installed Red Hat SSO web server. It should be configured to have a new realm called oauth-demo, a new user, two enterprise roles called "user" and "odata" and a new client called "odata4-saml" that will represent the Data Virtualization SAML client. Finally, you need to either import or generate a new SAML key and then export it. Please refer to the Red Hat SSO documentation for details on how to achieve these tasks: https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/
  • You must have an installed and configured Red Hat JBoss Data Virtualization server.
  • You must have a Red Hat SSO SAML adapter for EAP 6 that has been installed in the Red Hat JBoss Data Virtualization instance.
  1. Add the Red Hat SSO-specific modules to the server. Please refer to the Red Hat SSO documentation for details: https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/
  2. Run these CLI commands: 
     
/subsystem=security/security-domain=keycloak:add(cache-type=default)
/subsystem=security/security-domain=keycloak/authentication=classic:add
/subsystem=security/security-domain=keycloak/authentication=classic/login-module=keycloak:add(code=org.keycloak.adapters.jboss.KeycloakLoginModule, flag=required)
 
reload
    Copy to Clipboard Toggle word wrap
    The commands add this XML to the security-domain section of the domain.xml or standalone.xml file: 
     
<security-domain name="keycloak">
    <authentication>
        <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
    </authentication>
</security-domain>
    Copy to Clipboard Toggle word wrap
  3. Run this CLI command: 
     
/subsystem=teiid/transport=odata:write-attribute(name=authentication-security-domain, value=keycloak)
    Copy to Clipboard Toggle word wrap
    The command changes the security domain of the odata transport section of the domain.xml or standalone.xml file: 
     
<transport name="odata">
    <authentication security-domain="keycloak"/>
</transport>
    Copy to Clipboard Toggle word wrap
  4. In order to use SAML authentication, the OData WAR needs to be updated to make use of the SAML-based security domain.
  5. Run this CLI command to undeploy the WAR: 
    undeploy teiid-olingo-odata4.war
    Copy to Clipboard Toggle word wrap
  6. Download the Maven project templates found here: https://github.com/teiid/teiid-web-security
  7. Two WAR files are downloaded. Choose the SAML one.
  8. Replace the "teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keyclock.json" file's content with the "installation" script in "keycloak.json" format from the Red Hat SSO admin console's "odata4-saml" client application.
  9. Similarly, replace the "teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keystore.jks" file with the keystore you exported earlier.
  10. Build the "keycloak-saml.xml" file, and add in all the sections of "metadata" specific to your service. In this way, the service will know where IDP located and which service this represents and so forth.
  11. Build the WAR files using maven by issuing this command: mvn clean package
    A new WAR file is generated.
  12. Run this script in the CLI to update the WAR file: 
     
undeploy teiid-olingo-odata4.war
deploy teiid-web-security/teiid-odata-saml-keycloak/target/teiid-odata-saml-keycloak-{version}.war
    Copy to Clipboard Toggle word wrap
    An alternative way to do this is to overlay the new WAR using this CLI script: 
     
deployment-overlay add --name=myOverlay --content=/WEB-INF/web.xml=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/web.xml,/WEB-INF/jboss-web.xml=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/jboss-web.xml,/META-INF/MANIFEST.MF=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/META-INF/MANIFEST.MF,/WEB-INF/keycloak-saml.xml=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keycloak-saml.xml,/WEB-INF/keycloak.jks=teiid-web-security/teiid-odata-saml-keycloak/src/main/webapp/WEB-INF/keycloak.jks --deployments=teiid-olingo-odata4.war --redeploy-affected
    Copy to Clipboard Toggle word wrap
  13. To test, open a web browser and issue any OData-specific query like this one: 
     		 
http://localhost:8180/odata4/<vdb>.<version>/<model>/<view>
    Copy to Clipboard Toggle word wrap
    You will be redirected to perform SAML authentication.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat