In OpenEdge, the authentication system used to validate users is identified by an OpenEdge security domain—or, simply, domain. A domain is a grouping of user accounts and resources, such as servers, applications, or collection of applications, whose security systems are configured to create and trust a common security token for authentication and authorization. A domain also allows all authenticated users to share other common attributes, such as a common tenancy in a multi-tenant database and (through domain authorization settings) access to a common set of database and application resources.

In OpenEdge, a security domain is configured with:

  • A name.
  • The authentication system used to authenticate the identity of all users who are members of the domain. For example, Microsoft Active Directory.
  • Common attributes that apply to all authenticated users in the domain.
  • A secret access code used to cryptographically seal a security token after a successful user authentication, and also used to later validate the user identity represented by the sealed security token.
  • An indication of whether the domain is enabled for use at run time.

An OpenEdge security domain is specified within a domain registry. The domain registry contains a list of individual security domain names and their associated domain access codes, from which an identity can be authenticated, as well as other details that are contextual to the OpenEdge product with which the domain registry is configured. Each OpenEdge product that seals a CLIENT-PRINCIPAL object, and every OpenEdge product that can validate a CLIENT-PRINCIPAL seal, has a domain registry.

A domain registry functions much like a filter. When an authenticated user presents a CLIENT-PRINCIPAL token, the domain and domain access code within that token are compared to the domains and access codes listed in the domain registry. Access is permitted only if the domain and access code are a match with the contents in the domain registry.
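The filter behaviour described above, as an added Python model that is not OpenEdge code: the registry contents, user names and the HMAC-SHA256 seal are constructed assumptions, since the page does not describe OpenEdge's actual seal format or keystore layout.

```python
import hashlib
import hmac
import time

# Constructed, illustrative domain registry: name -> access code + enabled flag.
# OpenEdge keeps this in a keystore file or database tables; a dict stands in here.
DOMAIN_REGISTRY = {
    "acme": {"access_code": "s3cret-acme-code", "enabled": True},
    "legacy": {"access_code": "old-code", "enabled": False},
}


def _identity_fields(user_id, domain, login_time):
    """The identity fields covered by the seal (assumed layout)."""
    return f"{user_id}@{domain}|{login_time}".encode()


def seal_token(user_id, domain, access_code, login_time=None):
    """Seal a token with a domain access code after a successful authentication.

    The seal is an HMAC-SHA256 over the identity fields; this is an assumption
    used for illustration, not OpenEdge's own seal algorithm.
    """
    login_time = int(time.time()) if login_time is None else login_time
    seal = hmac.new(access_code.encode(), _identity_fields(user_id, domain, login_time),
                    hashlib.sha256).hexdigest()
    return {"user_id": user_id, "domain": domain, "login_time": login_time, "seal": seal}


def validate_token(token, registry=DOMAIN_REGISTRY):
    """Apply the registry as a filter.

    A token is accepted only if its domain is registered, the domain is enabled,
    and the seal verifies under that domain's access code. Returns (accepted, reason).
    """
    entry = registry.get(token["domain"])
    if entry is None:
        return False, "unknown domain"
    if not entry["enabled"]:
        return False, "domain disabled"
    expected = hmac.new(entry["access_code"].encode(),
                        _identity_fields(token["user_id"], token["domain"], token["login_time"]),
                        hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time so the seal is not leaked via timing
    if not hmac.compare_digest(expected, token["seal"]):
        return False, "seal does not validate"
    return True, "ok"
```

Because the domain name is covered by the seal, a token sealed for one domain and relabelled with another fails validation even when the other domain is registered and enabled.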

The configuration requirements for each domain registry, including where the domain registry is stored, differ from one OpenEdge product to another. For example:

OpenEdge product: Domain registry configuration and storage

  • PAS for OpenEdge: The domain registry is stored in an encrypted keystore file that contains a set of domain name and domain access code pairs.
  • OpenEdge Database: The domain registry is contained in two database tables.
  • OpenEdge Authentication Gateway: The domain registry consists of two files:
      • The domains.JSON file, which defines the configuration of each domain and how it authenticates its users and performs SSO operations
      • An encrypted keystore file that contains a set of domain name and domain access code pairs

In a multi-tenant database environment, the domain also identifies the tenancy of all users whose identity is authenticated in the domain.

For more information about managing identities in OpenEdge domains used with PAS for OpenEdge, see What is Identity Management?.