Configurate JDBC Realm:

By default, OpenSSO has the parent realm, this realm is using LDAP.  The admin user is belong to this realm.  To connect to JDBC to get the username, you should create your own realm with your application name like “2qvideo” and configure this realm to use the JDBC Authenticate and JDBC datastore.

·       Login to SP: using amadmin as username and the password is the one that you provide when you run the Default Configure.

·       Go to  Access Control tab, click new to create new realm
·       Enter name like: 2qvideo (you can put your sp application name for your realm name) and click ok.



JDBC set up for "2qvideo" realm on SP:

There will be two steps to set up to the JDBC, one is that User should able to do the SP login in the Registration (JDBC authenticate) and the other is that the SP need to able to insert/search/update the nameId (alias) in the database (JDBC data store).  For the purpose of this article, we will use MySQL database and use the opensso_users table that we design above to do the configuration.  When we did this project, I did use the DB2 since the business application is under DB2 database.  That means this should work for DB2 as well.

You can either using the JNDI datasource or Programatic to config the database connection.  But we should use JNDI datasource with the connection pools for better performance.


How to Set up the JNDI datasource on Tomcat and web.xml:

For this article, I will create a datasource name: jdbc/2qvideo.  This will have 2 steps on tomcat ( you can refer to tomcat for the set up).

1.    Create context.xml and add these config lines to your META-INF under /webapps/sp/context.xml





              username="root" password="" maxActive="20" maxIdle="10"



2.       Add these database resource reference to SP war web.xml

        2qvideo db idrepo



JDBC Authenticate:

  • ·         Login to SP using amadmin account:
  • ·         Go to Access Control tab
  • ·         Click on “2qvideo” realm
  • ·         Go to Authenticate tab
  • ·         Scroll down to Module Instances , click new to add JDBC instance and click ok.


  • ·         Go back to the Module Instances and click on JDBC link
  • ·         You can either choose the JNDI data pool or configure the JDBC connection.    (If you choose JNDI data pool, you still have to enter jdbc connection information, I think it is a bug in this module).
  • ·         Configure the select statement to select the password from the database.
  • ·         For the Class to Transform Password Syntax, use default one: com.sun.identity.authentication.modules.jdbc.ClearTextTransform




Note: OpenSSO have an interface class com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform in the amserver.jar dependency.  This interface has one method to implement:

public String transform(String input) throws AuthLoginException ;

where the input parameter is the username from the form and return String is the password to validate in the database.  If you have any encrypt/decrypt logic, you should implement them here and return the encrypt/decrypt value of your password which should compare to the encrypt/decrypt in the database.

For this article, we will use the default ClearTextTransform: com.sun.identity.authentication.modules.jdbc.ClearTextTransform