In OpenEdge, the authentication system used to validate users is identified by an OpenEdge security domain—or, simply, domain. A domain also includes an application, or collection of applications, whose security systems are configured to create and trust a common security token for authentication and authorization. A domain also allows all authenticated users to share other common attributes, such as a common tenancy in a multi-tenant database and (through domain authorization settings) access to a common set of database and application resources.

In OpenEdge, a security domain is defined in an OpenEdge RDBMS and is configured with:

  • A name
  • The authentication system used to authenticate the identity of all users who are members of the domain
  • Common attributes associated with all authenticated users
  • A secret access code used to cryptographically seal a security token after a successful user authentication, and also used to later validate the user identity represented by the sealed security token
  • An indication whether the domain is enabled for use at run time

In a multi-tenant database environment, the domain also identifies the tenancy of all users whose identity is authenticated in the domain.

Domain registries

At run time, OpenEdge provides identity management access to security domains through a domain registry. OpenEdge provides:

  • A default local database domain registry to access domains to authenticate OpenEdge database connection identities.
  • ABL elements for creating an ABL session domain registry to access domains to authenticate a single ABL session identity. You also have the option to use the ABL session domain registry to authenticate OpenEdge database connection identities.

The domain registry that your application uses depends on security administrator settings for each database, and on whether and how your application creates and uses ABL session registries. In any case, a session identity is always authenticated through the current session domain registry. However, the registry configured to authenticate the identity for a given database connection is referred to as the database trusted domain registry.
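The following is an added illustrative model, not OpenEdge code and not its actual token format, of the two mechanisms described above: a domain registry that resolves a domain by name, and a domain's secret access code used to seal a security token after authentication and to validate that token later. The domain names, the authentication system label, the attribute values and the HMAC-SHA256 seal are all assumptions chosen for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class Domain:
    """Model of a security domain: name, authentication system, common
    attributes, secret access code and enabled flag (all constructed)."""
    name: str
    auth_system: str
    access_code: bytes
    attributes: dict = field(default_factory=dict)
    enabled: bool = True


class DomainRegistry:
    """Resolves a domain by name; seals and validates tokens with its secret."""

    def __init__(self, domains):
        self.domains = {d.name: d for d in domains}

    def seal(self, domain_name, user_id):
        """Seal a token for an authenticated user; disabled domains refuse."""
        domain = self.domains[domain_name]
        if not domain.enabled:
            raise PermissionError(f"domain {domain_name!r} is disabled")
        # The body carries the identity plus the domain's common attributes
        # (for example a tenant), so every holder of the token shares them.
        body = json.dumps({"user": user_id, "domain": domain.name,
                           "attrs": domain.attributes}, sort_keys=True)
        seal = hmac.new(domain.access_code, body.encode(), hashlib.sha256).hexdigest()
        return body, seal

    def validate(self, body, seal):
        """Return the token's claims if the seal matches the named domain's
        access code and that domain is still enabled; otherwise None."""
        try:
            claims = json.loads(body)
            domain = self.domains[claims["domain"]]
        except (ValueError, KeyError, TypeError):
            return None  # malformed body or unknown domain
        if not domain.enabled:
            return None
        expected = hmac.new(domain.access_code, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so a forged seal cannot be probed byte by byte.
        if not hmac.compare_digest(expected, seal):
            return None
        return claims
```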

Preconfigured OpenEdge domains

OpenEdge includes several built-in domains in every OpenEdge RDBMS that you cannot remove. These built-in domains include the following:

  • Default (blank) domain—Provided for backward compatibility with earlier OpenEdge releases where users are not defined as members of a domain. You can configure it with any available authentication system, including a user-defined one.
  • WINDOWS and UNIX—Enabled for user authentication operations against user accounts managed by the current operating system. Note that these domains are not supported for use in an ABL application.
  • WINDOWSID and UNIXID—Enabled for SSO operations on the operating system process user ID. For an ABL application, OpenEdge also assigns one of these domains to any user who connects to a database without authenticating a user identity and is thus assigned the default OS process user ID as their connection identity.