Configure the Validation and Use of Native OpenEdge SSO Token in Client Requests

The following table is a list of properties in oeablSecurity.properties that control if and how OE SSO tokens can be used to gain access to the data services.

PropertyName DataType Default Value Range Description
OESSO.error.detail integer 0

0 (none)

1 (terse)

2 (debug)

 Controls the amount of error detail returned to a client for all SSO operations. The default (0) meets security best practices in returning little of value a hacker can make use of. But it does not supply an administrator or end-user with useful information for problem solving. Higher levels provide more information to administrators for problem resolution, but can also provide information usable by a hacker to attack your application.
This property is used to set
OESSOFilter.authErrorDetail
OESSO.require.https boolean true true|false

When true controls the requirement for all SSO operations to require a client request to be made using the HTTPS URL scheme. When set to false allows HTTP ( not recommended for operating a secure web application ).

This property is used to set the property OESSOFilter.authSecurity
OESSOFilter.authPolicy string disabled See the following section, OE SSO Token Consumer Policies.
OESSOFilter.authmanager string string Control which Authentication Manager is used to validate the OECP SSO token passed by the HTTP client. This property is mapped to the http.all.authmanager property and should only be changed when the OECP SSO Authentication-Manager must be different than the one used in the OECP SSO provider.

See the http.all.authmanager property for valid settings.
OESSOFilter.authScheme string OECP valid string

The HTTP Authorization header's authentication scheme field name that identifies the presence of an OECP SSO token value

CAUTION: OpenEdge recommends that you do not change this value.

Format: Authorization: auth-scheme base64-sso-token-value
OESSOFilter.authClientType string * regex

Adds the ability to require the HTTP request's User-Agent: header to contain a specific value as defined by a Java RegEx pattern. The default "*" value disables User-Agent: header checking
OESSOFilter.authErrorDetail int --- ---

Mapped to the property OESSO.error.detail. Explicitly defines a value if the error detail for consuming SSO tokens should be different from other SSO operations.
OESSOFilter.authSecurity boolean --- ---

Mapped to the property OESSO.require.https Explicitly define a value if the requirement to use HTTPS should be different from the other SSO operations.
OESSOTokenManager.ssoAllowScope string blank

blank or list

When non-blank this property is used to control which OE SSO tokens may be used by this web application. If the OE SSO token passed by a client does has not been granted one of the scope values in this list, the token is rejected and the request fails. See the OE SSO token provider property OESSOTokenManager.ssoGrantScope for additional information.

OE SSO Token Consumer Policies

Policy Name Description
disabled The web application will not look for, or handle OE SSO tokens. If a native SSO token is passed in an Authorization header by a client it will be ignored
sufficient

The web application will look for an HTTP Authorization header containing an authentication-scheme specified by the OESSOFilter.authScheme property (OECP) and a native SSO token.

  • If no HTTP Authorization header is present the authentication process continues with the next configured filter, which allows other SSO filters to operate.

  • If an HTTP Authorization header is present, but does not contain an authentication-scheme field matching the OESSOFilter.authScheme property, the authentication process continues with the next configured filter, which allows other SSO filters to operate.

  • If an HTTP Authorization header is present,and contains an authentication-scheme field matching the OESSOFilter.authScheme property, it will validate the contained OE SSO token value.

If a validation error occurs, a 401 error will be returned to the client and no other SSO filters will be invoked.

If validation is successful the native token will be extracted, the remaining authentication filters will be skipped, and the native token’s ROLEs will be used to perform URL authorization.

This policy is best used in the OE SSO token producer and OE SSO token consumer web applications that also support other forms of Spring Security direct-logins to user accounts.
required

The web application will look for an HTTP Authorization header containing an authentication-scheme specified by the OESSOFilter.authScheme property (OECP) and a native SSO token.

A 401 error response will be returned to the client and no other SSO filters will be invoked if any of the following conditions fail:

  • No Authorization header is found
  • An Authorization header is found, but is blank
  • An Authorization header is found but its authentication-scheme does not match the OESSOFilter.authScheme property
  • An Authorization header is found, has an authentication-scheme that does not match the OESSOFilter.authScheme property
  • An Authorization header is found, has an authentication-scheme that does match the OESSOFilter.authScheme property but does not have a SSO token value
  • An Authorization header is found, has an authentication-scheme that does match the OESSOFilter.authScheme property but does not have a valid SSO token value

If successful the native token will be extracted, the remaining authentication filters will be skipped, and the native token’s ROLEs will be used to perform URL authorization.

This policy is best used in the OE SSO token consumer web applications that do not support any other forms of Spring Security direct-login to user accounts.