Centralize OpenEdge domain access
- Last Updated: January 26, 2026
- OpenEdge
- Version 12.8
The OpenEdge Authentication Gateway centralizes the OpenEdge domain access model to manage user access to applications and data. Security Administrators can leverage existing Security Assertion Markup Language (SAML) identity providers (IdPs) to authenticate users while configuring the OpenEdge Authentication Gateway to validate and exchange the SAML assertions for client-principal objects. These objects control application and database access.
Each PAS for OpenEdge instance acts as a service provider (SP) and sends user credentials directly to the SAML IdP server as part of an SP-initiated flow. The SAML IdP authenticates the user and returns a SAML assertion to the instance.
When configured to use the OpenEdge Authentication Gateway, PAS for OpenEdge sends the SAML assertion to the OpenEdge Authentication Gateway to validate and exchange the SAML assertion for an ABL client-principal object. Centralizing the domain access codes on the OpenEdge Authentication Gateway server makes systems more secure and easier to maintain because this configuration requires a single set of domain access codes.
Secure an SP-initiated flow
This guide uses a browser-based request to access a resource on a PAS for OpenEdge instance. The PAS for OpenEdge instance acts as an SP in the SAML authentication process: it requests the SAML IdP to authenticate the user and return a SAML assertion. The PAS for OpenEdge server then redirects the SAML assertion to the OpenEdge Authentication Gateway server, which validates it and exchanges it for an ABL client-principal object. In this example, OESECTOOL creates a SAML IdP server for testing purposes. To demonstrate an SP-initiated flow, configure the following components:
For more information about SAML concepts, see Support for SAML in PAS for OpenEdge.
Secure direct access to database
A separate tutorial is available for securing direct access to a database server. For more information on securing a database server, see Enable the database to use the OpenEdge Authentication Gateway.