Single sign-on (SSO) in OpenEdge refers to the creation of a sealed security token called the ClientPrincipal that represents a user identity within a security domain. The ClientPrincipal is created after Spring Security successfully completes authentication and authorization. The ClientPrincipal retains the user credentials and remains available within a web application, eliminating the need for a user to login again.

In PAS for OpenEdge, basic Spring Security token generation is extended to create an OpenEdge ClientPrincipal object. Creation of the ClientPrincipal is enabled by default by this property in the oeablSecurity.properties file of the web application:
OEClientPrincipalFilter.enabled=true
Set the property to false to disable the ClientPrincipal. You can set other ClientPrincipal properties in the OEClientPrincipalFilter bean section of the oeablSecurity.properties file. In particular, you will want to set the OEClientPrincipalFilter.domain property to specify where the ClientPrincipal is valid.

After domain and other properties are set for the ClientPrincipal, you can configure SSO properties in the OpenEdge SSO support section of the oeablSecurity.properties file.

See the oeablSecurity.properties.README file for more information on the properties and values for the ClientPrincipal and for SSO.

Note: In PAS for OpenEdge, SSO is available for client access via the APSV and REST transports but not for the SOAP transport.