The STS AuthenticationProvider
- Last Updated: October 29, 2020
- OpenEdge
- Version 12.2
The STS AuthenticationProvider in PAS for OpenEdge is a plug-in that enables the use of the OpenEdge Authentication Gateway as the source for user authentication and client-principal token generation.
The STS AuthenticationProvider:
- Takes user credentials (i.e. user name and password) as input
- Connects to the Authentication Gateway via a secure HTTPS connection
- Sends user credentials to the Authentication Gateway for authentication
If the authentication is successful, the STS AuthenticationProvider:
- Receives a sealed client-principal token from the Authentication Gateway
- Passes the client-principal (unaltered) to the Spring Security URL authorization process
Spring Security URL authorization:
- Performs Role-Based Authorization (RBA)
- Passes the client-principal token (if RBA is successful) to ABL applications
The client-principal token's ROLES attribute serves as input to the Spring Security URL RBA process. Therefore, the ROLES attribute must contain at least one role name that meets Spring Security's URL access control requirements; otherwise URL authorization fails and the token is not passed to the ABL application.
Like other Spring Security components in PAS for OpenEdge, the STS AuthenticationProvider is configured in an oeablSecurity.properties file at the instance, ABL application, or web application level. (For more information about the hierarchy of these oeablSecurity.properties files, see Enable ABL application authentication.)
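The authentication and authorization flow above, as an added example that is not OpenEdge or Spring Security code: a Python model in which a constructed gateway seals a client-principal with HMAC-SHA256 (a stand-in for OpenEdge's own sealing, whose format is not reproduced here), the provider hands the token on unaltered, and a Spring-style URL rule set checks the ROLES attribute. The user store, sealing key, role names and URL rules are all constructed for this illustration; treating URLs that no rule covers as denied is a choice made here, not a statement about Spring Security's defaults.

```python
"""Model of the STS AuthenticationProvider -> Spring Security URL RBA flow.

Added example; not OpenEdge or Spring code. The gateway, its user store, the
sealing scheme (HMAC-SHA256 over the token attributes) and the URL rules are
all constructed stand-ins for this illustration.
"""
import hashlib
import hmac
import json
import re
from typing import Optional

# Assumption: a shared sealing key stands in for the domain access code the
# Authentication Gateway uses to seal client-principals.
SEAL_KEY = b"constructed-sealing-key-do-not-reuse"

# Constructed user store standing in for the gateway's own authentication source.
GATEWAY_USERS = {
    "alice": {"password": "alice-pw", "domain": "Sales", "roles": ["PSCUser"]},
    "bob":   {"password": "bob-pw",   "domain": "Sales", "roles": ["PSCUser", "PSCAdmin"]},
    "carol": {"password": "carol-pw", "domain": "Sales", "roles": []},  # authenticates, holds no role
}

# Constructed Spring-style URL access rules: the first matching pattern wins.
URL_RULES = [
    ("/admin/**", {"PSCAdmin"}),
    ("/rest/**", {"PSCUser", "PSCAdmin"}),
]


def _canonical(attrs: dict) -> bytes:
    """Stable byte encoding of the attributes so the seal is reproducible."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def gateway_authenticate(user: str, password: str) -> Optional[dict]:
    """Stands in for the Authentication Gateway endpoint the provider reaches over HTTPS.

    Returns a sealed client-principal on success, None on failure."""
    rec = GATEWAY_USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
        return None
    attrs = {"USER": user, "DOMAIN": rec["domain"], "ROLES": ",".join(rec["roles"])}
    seal = hmac.new(SEAL_KEY, _canonical(attrs), hashlib.sha256).hexdigest()
    return {"attrs": attrs, "seal": seal}


def seal_is_valid(token: dict) -> bool:
    """Detects any change to the attributes after the gateway sealed them."""
    expected = hmac.new(SEAL_KEY, _canonical(token["attrs"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["seal"])


def roles_of(token: dict) -> set:
    """ROLES is a comma-separated attribute; an empty attribute yields no roles."""
    return {r.strip() for r in token["attrs"].get("ROLES", "").split(",") if r.strip()}


def _ant_pattern(pattern: str):
    """Translate the Ant-style '**' and '*' wildcards Spring uses into a regex."""
    escaped = re.escape(pattern)
    escaped = escaped.replace(r"\*\*", "\0").replace(r"\*", "[^/]*").replace("\0", ".*")
    return re.compile("^" + escaped + "$")


def spring_url_authorize(token: dict, path: str) -> str:
    """The URL RBA step: reject a tampered token, then require at least one
    role from the ROLES attribute to be accepted by the matching rule."""
    if not seal_is_valid(token):
        return "deny: seal invalid"
    roles = roles_of(token)
    for pattern, allowed in URL_RULES:
        if _ant_pattern(pattern).match(path):
            return "allow" if roles & allowed else "deny: no matching role"
    return "deny: no rule"  # default-deny for URLs no rule covers (a choice made here)


def handle_request(user: str, password: str, path: str) -> str:
    """End to end: credentials -> gateway -> sealed token -> URL RBA."""
    token = gateway_authenticate(user, password)
    if token is None:
        return "deny: authentication failed"
    return spring_url_authorize(token, path)


def escalation_attempt(user: str, password: str, path: str) -> str:
    """What happens if something between the gateway and RBA edits ROLES."""
    token = gateway_authenticate(user, password)
    if token is None:
        return "deny: authentication failed"
    token["attrs"]["ROLES"] = "PSCAdmin"  # altered after sealing
    return spring_url_authorize(token, path)


if __name__ == "__main__":
    for args in [("alice", "alice-pw", "/rest/items"), ("alice", "alice-pw", "/admin/users"),
                 ("bob", "bob-pw", "/admin/users"), ("carol", "carol-pw", "/rest/items"),
                 ("alice", "nope", "/rest/items")]:
        print(args, "->", handle_request(*args))
    print("tampered alice ->", escalation_attempt("alice", "alice-pw", "/admin/users"))
```

Running the module shows the two cases the text implies but does not spell out: a user whose ROLES attribute holds no role the matching rule accepts (carol) authenticates at the gateway yet is denied at the URL, and a token whose ROLES was edited after sealing fails the seal check before any role is considered, which is why the provider must pass the client-principal on unaltered.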
At the instance level (../conf/oeablSecurity.properties), the file contains the complete set of STS AuthenticationProvider properties.
The files at the ABL application level (../ablapps/abl-app-name/oeablSecurity.properties) and the web application level (../webapps/web-app-name/WEB-INF/oeablSecurity.properties) contain the properties that override those specified at the instance level.
See the ../conf/oeablSecurity.properties.README file for a description of the STS AuthenticationProvider properties and an explanation of their valid values.
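The three-level override described above, as an added example that is not part of PAS for OpenEdge: a Python resolver that parses three constructed oeablSecurity.properties files, merges them so that a lower level wins (the web application level over the ABL application level over the instance level; that ordering of the two lower levels is assumed here), reports which keys a lower level changed, and flags an effective gateway URL that is not HTTPS, since the provider is meant to reach the gateway over a secure HTTPS connection. The property names sts.gatewayUrl, sts.connectTimeoutMs and sts.readTimeoutMs are placeholders, not the real property names; those, and their valid values, are in ../conf/oeablSecurity.properties.README.

```python
"""Resolving the three-level oeablSecurity.properties hierarchy.

Added example; not part of PAS for OpenEdge. The file contents below are
constructed, and the property names are placeholders: the real STS
AuthenticationProvider property names and valid values are documented in
../conf/oeablSecurity.properties.README.
"""
import re

# Constructed instance-level file: the complete set of (placeholder) properties.
INSTANCE_PROPS = """\
# ../conf/oeablSecurity.properties
sts.gatewayUrl=https://authgw.example.internal:8443
sts.connectTimeoutMs=5000
sts.readTimeoutMs=10000
"""

# Constructed ABL application-level file: overrides one timeout only.
ABLAPP_PROPS = """\
# ../ablapps/abl-app-name/oeablSecurity.properties
sts.readTimeoutMs=20000
"""

# Constructed web application-level file: overrides the gateway URL, and does
# so with plain HTTP, which the provider is supposed to avoid.
WEBAPP_PROPS = """\
# ../webapps/web-app-name/WEB-INF/oeablSecurity.properties
sts.gatewayUrl=http://authgw.example.internal:8080
"""

# Lowest to highest precedence (web app over ABL app is assumed here).
LEVELS = ("instance", "ablapp", "webapp")

_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> dict:
    """Parse the subset of Java .properties syntax these files use:
    '#'/'!' comment lines, blank lines, 'key=value', 'key: value' or 'key value'.
    Backslash continuations and \\u escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_properties(files: dict) -> dict:
    """Merge the levels so that a lower level wins; returns key -> (value, level)."""
    merged = {}
    for level in LEVELS:
        text = files.get(level)
        if text is None:
            continue
        for key, value in parse_properties(text).items():
            merged[key] = (value, level)
    return merged


def overrides(merged: dict) -> dict:
    """Keys whose effective value does not come from the instance-level file."""
    return {k: lvl for k, (_, lvl) in merged.items() if lvl != "instance"}


def audit_gateway_url(merged: dict, key: str = "sts.gatewayUrl") -> list:
    """Flag an effective gateway URL that is not HTTPS, wherever it was set."""
    if key not in merged:
        return [f"{key} is not set at any level"]
    value, level = merged[key]
    if not value.lower().startswith("https://"):
        return [f"{key} set at {level} level is not https: {value}"]
    return []


EXAMPLE_FILES = {"instance": INSTANCE_PROPS, "ablapp": ABLAPP_PROPS, "webapp": WEBAPP_PROPS}

if __name__ == "__main__":
    merged = effective_properties(EXAMPLE_FILES)
    for key, (value, level) in sorted(merged.items()):
        print(f"{key} = {value}   (from {level})")
    print("overridden below instance level:", overrides(merged))
    print("findings:", audit_gateway_url(merged))
```

The point of the audit step is that an override is only as trustworthy as the lowest-level file an application deployer can write: a web application's WEB-INF/oeablSecurity.properties can redirect the provider to a different gateway or downgrade the transport, so the effective, merged values are what to review, not the instance file alone.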