Configure the OpenEdge Authentication Gateway to use SAML
- Last Updated: January 26, 2026
- 3 minute read
- OpenEdge
- Version 12.8
- Documentation
Configure the OpenEdge Authentication Gateway using the sts.properties file based on the OpenEdge domains configuration and the SAML identity provider settings.
Add OpenEdge domains
Every user must belong to a defined OpenEdge domain with encrypted domain access codes.
- Edit instance/webapps/ROOT/WEB-INF/config/domains.json.
  Note: Replace instance with the OpenEdge Authentication Gateway server name. The default name is oeauthserver.
- To add a new domain, perform the following steps:
  - Copy an existing domain and change the name to domainname.com.
    Note: Replace domainname.com with your domain.
  - Set enabled to true.
  - Set the enabled option of the exchange property under actions to true.
  - Set authProvider to anonymous.
  ```json
  {
    "version": "1.0.0",
    "domains": [
      {
        "name": "domainname.com",
        "enabled": true,
        "description": "SAML token exchange",
        "actions": {
          "authenticate": { "enabled": false, "options": "" },
          "exchange": { "enabled": true, "options": "" },
          "sso": { "enabled": false, "options": "" },
          "refresh": { "enabled": false, "options": "" }
        },
        "options": "",
        "authProvider": "anonymous",
        "policyProvider": "",
        "events": {
          "provider": "",
          "groups": { }
        }
      }
    ]
  }
  ```
  Note: When you enable exchange for your domain, the OpenEdge Authentication Gateway identifies the inbound token as a SAML token for your domain. The other options do not apply.
- Save the file.
For more information about domains, see Configure domains.
Configure OpenEdge domain access codes
Each new domain must have a domain name and a passwordkey access code. To secure the codes using gendomreg, perform the following steps:
- Edit the instance-name/webapps/ROOT/WEB-INF/config/domainsks.csv file to include all new domains in the domains.json file.
  ```
  .... , oests.server,passwordkey, domainname.com,password
  ```
  Note: Replace domainname.com and password with your domain and password.
- Save the file.
For more information about domain access codes, see Configure domain access codes.
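As an added consistency check (example code written for this article, not part of OpenEdge or the gendomreg utility), the script below parses a domains.json in the layout shown above and verifies, for every enabled domain whose exchange action is enabled, that authProvider is anonymous, that the other actions are left disabled, and that the domain has a row in domainsks.csv. Both input files are constructed samples embedded inline; the CSV row is matched by domain name only, since no column layout is assumed here.

```python
import csv
import io
import json

# Constructed sample domains.json in the layout shown in this article; the
# second domain is deliberately misconfigured so the check has something to find.
DOMAINS_JSON = """{ "version": "1.0.0", "domains": [
  { "name": "domainname.com", "enabled": true, "description": "SAML token exchange",
    "actions": { "authenticate": {"enabled": false, "options": ""},
                 "exchange": {"enabled": true, "options": ""},
                 "sso": {"enabled": false, "options": ""},
                 "refresh": {"enabled": false, "options": ""} },
    "options": "", "authProvider": "anonymous", "policyProvider": "",
    "events": {"provider": "", "groups": {}} },
  { "name": "other.example", "enabled": true, "description": "constructed bad example",
    "actions": { "authenticate": {"enabled": false, "options": ""},
                 "exchange": {"enabled": true, "options": ""},
                 "sso": {"enabled": true, "options": ""},
                 "refresh": {"enabled": false, "options": ""} },
    "options": "", "authProvider": "someProvider", "policyProvider": "",
    "events": {"provider": "", "groups": {}} } ] }"""

# Constructed sample domainsks.csv row; only the domain-name field is used.
DOMAINSKS_CSV = "oests.server,passwordkey,domainname.com,password\n"


def check_saml_domains(domains_json: str, domainsks_csv: str) -> dict:
    """Map each enabled exchange (SAML) domain to a list of problems found."""
    csv_fields = {f.strip() for row in csv.reader(io.StringIO(domainsks_csv)) for f in row}
    report = {}
    for d in json.loads(domains_json)["domains"]:
        actions = d.get("actions", {})
        if not d.get("enabled") or not actions.get("exchange", {}).get("enabled"):
            continue  # not a SAML token-exchange domain, nothing to check
        problems = []
        if d.get("authProvider") != "anonymous":
            problems.append("authProvider must be 'anonymous' for SAML token exchange")
        for other in ("authenticate", "sso", "refresh"):
            if actions.get(other, {}).get("enabled"):
                problems.append(f"action '{other}' is enabled but does not apply to exchange")
        if d["name"] not in csv_fields:
            problems.append("no access-code row for this domain in domainsks.csv")
        report[d["name"]] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_saml_domains(DOMAINS_JSON, DOMAINSKS_CSV).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it against the real files before calling gendomreg, so that a domain missing from the CSV is caught before the CSV is removed from the instance directory.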
Generate the keystore
In a keystore, the domain access codes are more secure than in a plain text CSV file. To create a keystore, perform the following step:
- Generate the keystore using gendomreg:
  ```
  gendomreg domainsks.csv domains.keystore
  ```
  Note: Replace domainsks.csv and domains.keystore with your values. Remember to remove the CSV file from the instance directory and store it in a secure location after generating the keystore, because the CSV file contains clear-text passwords.
For more information about gendomreg, see gendomreg.
Configure sts.properties
The sts.properties file stores the security settings for the security token service on the OpenEdge Authentication Gateway instance. To configure the OpenEdge Authentication Gateway to validate the SAML assertion with a specific identity provider, perform the following steps:
- Edit the sts.properties file.
- Set the location of the metadata XML file supplied by the identity provider.
  - For remote access to the metadata:
    ```
    samlToken.metadata.idpMetaDataFileLocation= https://hostname:port/samlidp/metadata
    ```
    Note: Remote validation is most often used. For testing, hostname is the host name of the OESECTOOL SAML IdP server. When testing with OESECTOOL, the hostname must be lowercase.
  - For local access to the metadata:
    ```
    samlToken.metadata.idpMetaDataFileLocation= file:///%WRKDIR%/instance/webapps/ROOT/WEB-INF/metadata/idp.xml
    ```
    Note: For testing, instance is the name of the OESECTOOL SAML IdP server.
- Set the comma-delimited list of audiences:
  ```
  samlToken.validation.validAudiences=/saml2/metadata/instance1,/saml2/metadata/instance1
  ```
  Note: Replace instance1 and instance1 with the names of the PAS for OpenEdge (SP) instances to locate the metadata URL for the intended recipients of the SAML assertion.
- Save the file.