Security administrators can use SAML (Security Assertion Markup Language) to authenticate user access to servers, applications, or specific services running on a PAS for OpenEdge instance. SAML is an XML-based framework that defines how an identity provider (IdP), such as Okta, and a service provider (SP), such as PAS for OpenEdge, exchange a user's authentication and authorization data in a SAML assertion. Once configured, PAS for OpenEdge converts a valid SAML assertion into a CLIENT-PRINCIPAL object, which ABL developers use to authenticate and authorize access to ABL application resources.


Security administrators control the configuration by selecting a standard flow of information between PAS for OpenEdge, as the service provider, and the identity provider that checks the user's credentials. PAS for OpenEdge supports the following flows:
  • SP-initiated flow, where the service provider sends an authentication request (AuthnRequest) to the identity provider and receives the SAML assertion in response.
  • IdP-initiated flow, where the identity provider sends an unsolicited SAML assertion to the service provider, with no prior request from it.
  • Header-based flow, where a client application obtains the SAML assertion from the identity provider itself and passes it to the service provider in an HTTP header.

The header-based flow was the first flow available in PAS for OpenEdge. The recommended flow is SP-initiated, because it is the only one in which the service provider issues the request and can therefore tie each returned assertion to a request it actually sent (the SAML response's InResponseTo must name an outstanding request ID). An assertion that nobody asked for, or one replayed from an earlier login, has nothing to match and is rejected; in the IdP-initiated and header-based flows the service provider has no such request to check against, so it must trust whatever arrives.

This guide demonstrates an SP-initiated flow with Okta as the identity provider. The user user123@acme.com must be authenticated before they can run the _oeping service on an oepas1 instance running on machine123 on port 8810. This sample uses HTTP so the exchange is easy to inspect; production systems must use HTTPS, because a SAML assertion is a bearer token and anyone who captures one on the wire can present it until it expires.
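The following Python script is an added example, not PAS for OpenEdge or Okta code, that walks through the service-provider side of the SP-initiated flow described above: the SP mints an AuthnRequest for the HTTP-Redirect binding, remembers its ID, and then accepts a response only if it answers that request, is addressed to this SP, and is still within its validity window. The endpoint URLs (the `/oepas1/saml/SSO` consumer path, the `idp.example.com` addresses) and the unsigned sample response are constructed for the example and are not real PAS or Okta values; XML signature verification, which a real SP performs before any of these checks, is assumed to have already succeeded. The last two outcomes, a replayed response and an unsolicited one with no InResponseTo, are what the IdP-initiated and header-based flows cannot reject.

```python
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical identifiers for the example: the ACS path and the IdP URLs are not real PAS or Okta values.
SP_ENTITY_ID = "http://machine123:8810/oepas1"
SP_ACS_URL = "http://machine123:8810/oepas1/saml/SSO"
IDP_ENTITY_ID = "https://idp.example.com"
IDP_SSO_URL = "https://idp.example.com/sso/saml"
PENDING_REQUESTS = {}  # request IDs this SP has issued and not yet consumed (in memory for the example)


def _ts(t): return t.strftime(FMT)
def _parse_ts(s): return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


def _require(ok, why):
    if not ok:
        raise ValueError(why)


def build_authn_request(now):
    """SP step 1: mint an AuthnRequest and the redirect URL that carries it (HTTP-Redirect binding)."""
    request_id = "_" + secrets.token_hex(16)  # xs:ID must not start with a digit; the '_' keeps it valid
    req_xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{_ts(now)}" Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>")
    # Redirect binding: raw DEFLATE (no zlib header or trailer), base64, then URL-encode as SAMLRequest.
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    encoded = base64.b64encode(co.compress(req_xml.encode()) + co.flush()).decode()
    PENDING_REQUESTS[request_id] = now  # remember what we asked for so the answer can be matched to it
    return request_id, IDP_SSO_URL + "?" + urllib.parse.urlencode({"SAMLRequest": encoded})


def decode_saml_request(redirect_url):
    """IdP side of the binding: recover the AuthnRequest XML from the redirect URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()


def validate_response(response_xml, now):
    """SP step 2: accept a Response only if it answers a request we issued and is addressed to us.
    Assumes the XML signature has already been verified. Returns the NameID or raises ValueError."""
    root = ET.fromstring(response_xml)
    _require(root.tag == f"{{{NS['samlp']}}}Response", "not a samlp:Response")
    _require(root.get("Destination") == SP_ACS_URL, "Destination is not this SP's consumer endpoint")
    irt = root.get("InResponseTo")
    _require(irt is not None, "unsolicited response (no InResponseTo): IdP-initiated flow not accepted")
    _require(irt in PENDING_REQUESTS, "InResponseTo matches no pending request (unknown or already used)")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(code is not None and code.get("Value") == SUCCESS, "IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    _require(cond is not None, "no assertion or no Conditions in response")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _require(SP_ENTITY_ID in audiences, "assertion not addressed to this SP (AudienceRestriction)")
    _require(_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")),
             "assertion outside its validity window")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    _require(scd is not None and scd.get("InResponseTo") == irt and scd.get("Recipient") == SP_ACS_URL
             and now < _parse_ts(scd.get("NotOnOrAfter")), "SubjectConfirmationData does not match our request")
    del PENDING_REQUESTS[irt]  # one-time use: replaying this response now fails the pending-request check
    return assertion.find("saml:Subject/saml:NameID", NS).text


def make_sample_response(in_response_to, now, subject="user123@acme.com"):
    """Constructed, unsigned IdP response (not real Okta output). in_response_to=None mimics IdP-initiated."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    nb, noa = _ts(now - timedelta(minutes=1)), _ts(now + timedelta(minutes=5))
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
        f'IssueInstant="{_ts(now)}" Destination="{SP_ACS_URL}"{irt}><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(now)}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="{noa}"{irt}/>'
        f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
        f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion></samlp:Response>")


def run_demo():
    """Happy path, then the two cases the request/response binding exists to stop."""
    def outcome(xml):
        try:
            return validate_response(xml, now)
        except ValueError as err:
            return "rejected: " + str(err)
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    request_id, url = build_authn_request(now)
    good = make_sample_response(request_id, now)
    return {"request_roundtrips": f'ID="{request_id}"' in decode_saml_request(url),
            "valid": outcome(good),                                   # user123@acme.com
            "replay": outcome(good),                                  # same response again: rejected
            "unsolicited": outcome(make_sample_response(None, now))}  # no InResponseTo: rejected
```

Calling run_demo() returns the four outcomes. In a real service provider the pending-request table lives in a store shared across the instance and expires entries, and signature verification over the canonicalized XML precedes every check above, since none of them mean anything on a document an attacker could have edited.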