Configuring PAS for OE SSO tokens is accomplished by updating the following files:

| File path | Description |
|---|---|
| instance-name/conf/oeablSecurity.properties | Spring configuration defaults for all web applications |
| instance-name/webapps/web-app-name/WEB-INF/oeablSecurity.properties | Spring configuration settings for an individual web application |
| instance-name/webapps/web-app-name/WEB-INF/oeablSecurity.csv | URL access controls (Spring Security intercept-url settings) for individual web applications |
Note: The oeablSecurity.properties files are where you configure the OEClientPrincipalFilter bean which manages all aspects of translating Spring tokens to Client-Principal tokens, the sealing of Client-Principal tokens, and the validation of Client-Principal tokens across all methods of direct-login and SSO.
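
When auditing which web applications differ from the instance defaults, it helps to resolve the two oeablSecurity.properties layers listed above into one effective view per web application. The following is an added example, not Progress code: it assumes a per-web-application value overrides the instance default of the same key, parses only simple key=value lines, and uses placeholder key names rather than real product properties.

```python
import tempfile
from pathlib import Path

def load_properties(path):
    """Parse simple key=value / key:value lines; '#' and '!' start comments."""
    props = {}
    if not path.is_file():
        return props
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":  # first separator ends the key
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def effective_settings(instance_dir):
    """Return {web_app: {key: (value, origin)}}, origin 'instance' or 'webapp'."""
    instance_dir = Path(instance_dir)
    defaults = load_properties(instance_dir / "conf" / "oeablSecurity.properties")
    report = {}
    for webinf in sorted(instance_dir.glob("webapps/*/WEB-INF")):
        merged = {k: (v, "instance") for k, v in defaults.items()}
        overrides = load_properties(webinf / "oeablSecurity.properties")
        # Assumption: the web application's own file wins over instance defaults.
        merged.update({k: (v, "webapp") for k, v in overrides.items()})
        report[webinf.parent.name] = merged
    return report

def build_sample_instance(root):
    """Constructed sample tree; key names are placeholders, not product keys."""
    root = Path(root)
    (root / "conf").mkdir(parents=True)
    (root / "conf" / "oeablSecurity.properties").write_text(
        "# instance defaults\nplaceholder.sso.produce=disabled\nplaceholder.sso.expires=3600\n")
    for app, body in (("ROOT", ""), ("orders", "placeholder.sso.produce=enabled\n")):
        webinf = root / "webapps" / app / "WEB-INF"
        webinf.mkdir(parents=True)
        (webinf / "oeablSecurity.properties").write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_instance(Path(tmp) / "inst")
        for app, settings in effective_settings(sample).items():
            for key, (value, origin) in sorted(settings.items()):
                print(f"{app}: {key}={value} [{origin}]")
```

Entries reported with origin `webapp` are the ones to review first, since they are where a single web application departs from the instance-wide defaults.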

There are two SSO configurations, one for web applications that produce SSO tokens and one for web applications that consume SSO tokens.

Table 1. Overview of SSO Producer Configuration
Configure Client-Principal creation
  • Add single/multi Domain and Access code(s)
  • Include Spring Authentication Provider granted Roles
  • Optional static Spring Role(s) for authorization to URLs
Configure SSO token creation
  • Enable SSO token creation
  • Optionally change initial expiration time from 3600 seconds
  • Optionally enable SSO Token Refresh operations
    • Optionally change refresh delta time of 3600 seconds
    • Optionally define a SSO Token scope to filter which PAS for OE services are allowed to accept a SSO token generated by this service
    • Optionally configure error level detail returned to the client
    • Optionally allow HTTP messages instead of the required HTTPS
Note: Because of the security risks, PAS for OpenEdge web applications should not produce SSO tokens unless there are deployed clients capable of using the SSO that is produced. Therefore, the default setting for authentication and generation of native OpenEdge SSO tokens is disabled. In most cases, you can simply enable authentication or generation, or both.
Table 2. Overview of SSO Consumer Configuration
Configure Client-Principal validation
  • Add single/multi Domain and Access code(s)
Configure SSO Token use & validation
  • Enable accepting SSO tokens for access to service URLs
  • Optionally configure error level detail returned to the client
  • Optionally allow HTTP messages instead of the required HTTPS