Pentaho Documentation

Set Up SAML/JDBC Hybrid Configuration for BA Server

You might need to create a hybrid between a 3rd-party SAML Identity Provider (IdP), which authenticates users, and a JDBC security table, which supplies their role definitions. This is common in situations where the roles asserted by the IdP can't be redefined for BA Server use, so the IdP is trusted only for identity and the database decides what each user may do.

These instructions are provided for reference purposes only, to walk you through an example SAML set up. If you want to extend your SAML set up further, please work with your Customer Success Manager.

The default role of Authenticated is assigned to any SAML-authenticated user, unless you specify otherwise.

These instructions help you switch the BA Server's authentication back-end from the Pentaho data access object to a SAML/JDBC hybrid.


Before You Begin

Before you begin configuring SAML and JDBC for the BA Server, you'll need to verify a couple of things.

  • Check for a functional directory server: Make sure that you have a working directory server with an established configuration.
  • Verify the database with user roles: Verify that you have a database populated with your user roles.
  • Set up SAML for BA Server: Make sure that you have completed the tasks described in Set Up SAML for BA Server.

Preparing the BA Server for Hybrid SAML/JDBC 

After you finish the prerequisite tasks above, there are a few things that you need to do in order to set up a hybrid SAML/JDBC configuration successfully.

These sections will guide you through the remaining steps of this process:

  • Create User/Authorities Database Tables
  • Set Up the JDBC Connection Properties
  • Enable JDBC Authorization Beans

Step 1: Create User/Authorities Database Tables

You'll need to create three database tables in order to get SAML and JDBC to work together. The username stored in these tables must match the user name that the SAML IdP asserts, otherwise the role lookup finds nothing and the user only receives the default Authenticated role.

  1. Create a table called USERS:
     username (VARCHAR(50)): The user name.
     password (VARCHAR(50)): This column value is not considered in a hybrid SAML/JDBC solution; all authentication takes place in the 3rd-party authentication service. You can fill this column with an empty string, "ignored", etc.
     enabled (VARCHAR(5)): Set to 'true' if the user is enabled, 'false' if not enabled.
  2. Create a table called AUTHORITIES:
     authority (VARCHAR(50)): The Pentaho role, such as Administrator, Report Author, etc.
  3. Create a table called GRANTED_AUTHORITIES:
     username (VARCHAR(50)): The user name.
     authority (VARCHAR(50)): The associated Pentaho role; it must match a value in AUTHORITIES, so it uses the same column type.
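The following is an added example, not a script from the Pentaho documentation: the three tables from Step 1 as portable DDL, constructed sample rows, and the lookups a Spring Security JDBC user-details DAO performs once the IdP has authenticated a user. The exact lookup queries BA Server runs are defined in its Spring configuration (assumed here to select from USERS and GRANTED_AUTHORITIES by username, which is the shape of Spring Security's JdbcDaoImpl queries); the two sanity-check queries at the end are the editor's additions, and the user names and roles are made up.

```sql
-- Added example (not from the Pentaho page). Tables from Step 1 as DDL.
-- The foreign keys are an addition: they stop a grant from naming a user
-- that does not exist or a role that is not defined in AUTHORITIES.

CREATE TABLE USERS (
    username VARCHAR(50) NOT NULL PRIMARY KEY,
    password VARCHAR(50) NOT NULL DEFAULT '',    -- ignored: the SAML IdP authenticates
    enabled  VARCHAR(5)  NOT NULL DEFAULT 'true' -- 'true' or 'false'
);

CREATE TABLE AUTHORITIES (
    authority VARCHAR(50) NOT NULL PRIMARY KEY   -- Pentaho role name
);

CREATE TABLE GRANTED_AUTHORITIES (
    username  VARCHAR(50) NOT NULL,
    authority VARCHAR(50) NOT NULL,
    PRIMARY KEY (username, authority),
    FOREIGN KEY (username)  REFERENCES USERS (username),
    FOREIGN KEY (authority) REFERENCES AUTHORITIES (authority)
);

-- Constructed sample data. The username must equal the user name the IdP
-- asserts in the SAML response; otherwise the lookup below returns no rows
-- and the user falls back to the default Authenticated role.
INSERT INTO AUTHORITIES (authority) VALUES ('Administrator');
INSERT INTO AUTHORITIES (authority) VALUES ('Report Author');

INSERT INTO USERS (username, password, enabled) VALUES ('alice', '', 'true');
INSERT INTO USERS (username, password, enabled) VALUES ('bob',   '', 'false');

INSERT INTO GRANTED_AUTHORITIES (username, authority) VALUES ('alice', 'Administrator');
INSERT INTO GRANTED_AUTHORITIES (username, authority) VALUES ('bob',   'Report Author');

-- Lookups of the shape the JDBC DAO runs after SAML has authenticated 'alice'
-- (assumed shape; the real queries live in BA Server's Spring configuration).
-- Note that password comes back but is never compared in the hybrid setup,
-- while enabled = 'false' (bob) still blocks access.
SELECT username, password, enabled
FROM USERS WHERE username = 'alice';

SELECT username, authority
FROM GRANTED_AUTHORITIES WHERE username = 'alice' ORDER BY authority;

-- Sanity check 1: grants that reference a role missing from AUTHORITIES.
-- The foreign key prevents this, but run it if your database does not
-- enforce foreign keys (or the tables were loaded without them).
SELECT g.username, g.authority
FROM GRANTED_AUTHORITIES g
LEFT JOIN AUTHORITIES a ON a.authority = g.authority
WHERE a.authority IS NULL;

-- Sanity check 2: who holds Administrator. Because the IdP cannot narrow
-- this, the database is the only control; keep the list short and reviewed.
SELECT u.username, u.enabled
FROM GRANTED_AUTHORITIES g
JOIN USERS u ON u.username = g.username
WHERE g.authority = 'Administrator';
```

Run the sanity checks again whenever rows are loaded into GRANTED_AUTHORITIES from another system, since in this hybrid the IdP proves who the user is but this table alone decides what they are allowed to do.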

Step 2: Set Up the JDBC Connection Properties

Next, you'll need to update a few things in the configuration file used for JDBC connections.

  1. Locate the pentaho-solutions/system/applicationContext-spring-security-jdbc.properties file and open it with any text editor.
  2. Update the properties listed below to match your JDBC database.
  3. When you are done, save and close the file.

  datasource.driver.classname: Fully-qualified Java class name of the JDBC driver you are using.
  datasource.url: Connection URL to be passed to your JDBC driver to establish a connection.
  datasource.username: Connection username to be passed to your JDBC driver to establish a connection.
  datasource.password: Connection password to be passed to your JDBC driver to establish a connection. This account only needs to read the USERS, AUTHORITIES and GRANTED_AUTHORITIES tables, so grant it no more than that.
  datasource.validation.query: SQL query that is used to validate connections from this pool before returning them to the caller. This query must be a SELECT statement that returns at least one row.
  datasource.pool.max.wait: Maximum number of milliseconds that the pool will wait, when there are no available connections, for a connection to be returned before throwing an exception; set it to a value <= 0 to wait indefinitely. Default is -1.
  datasource.pool.max.active: Maximum number of active connections that can be allocated from this pool at the same time, or negative for no limit. Default value is 8.
  datasource.max.idle: Maximum number of connections that can remain idle in the pool without extra ones being destroyed, or negative for no limit. Default value is 8.
  datasource.min.idle: Minimum number of connections that can remain idle in the pool without extra ones being created when the evictor runs, or 0 to create none. Default value is 0.

Step 3: Enable SAML/JDBC Authorization

Last, you'll need to point the SAML authorization provider at the JDBC beans.

  1. In the pentaho.saml.cfg file, locate the property for authorization.provider.
  2. Modify the authorization.provider value so that it says jdbc.
  3. Save and close the file.
  4. Restart the BA Server.