Edit the oeablSecurity.properties file to enable SAML and to set the properties used for exchanging information with the identity provider. Security can be set at different levels. To secure a web application, edit the oeablSecurity.properties file located in that application's WEB-INF folder and restart the server to apply the changes.

Table 1. SAML properties

Client login model

    Set the value of the client.login.model property to saml:

    client.login.model=saml

Metadata

    Set the identity provider's metadata to an XML file on the file system or to the identity provider's metadata URL. URLs are recommended to keep the metadata files updated.

    samlToken.metadata.idpMetaDataFileLocation=[filepath to metadata|URL for Idp metadata]

HTTP method validation

    Set the allowed HTTP methods for incoming HTTP requests that contain the SAML assertion. If the only allowed method is GET, and the SAML assertion is part of a POST message, PAS for OpenEdge rejects the request.

    samlToken.httpBinding.allowMethods=GET,POST,PUT,DELETE

Validity period

    PAS for OpenEdge rejects a request if the SAML assertion's NotOnOrAfter timestamp has passed. However, you can set the following property to extend the duration of the assertion's validity period.

    samlToken.webSSOProcessingFilter.responseSkew=<time in seconds>

Roles

    If the incoming SAML assertion's attribute statements define user roles, you can set the attribute names as comma-separated values in the following property. This enables PAS for OpenEdge to populate the ROLES attribute when creating the CLIENT-PRINCIPAL object.

    samlToken.UserDetails.roleAttrName=Attribute1,Attribute2

    Note: PAS for OpenEdge authorizes a user to access a resource only if the role values in the SAML assertion's attributes map to roles defined for resource URLs in the oeablSecurity.csv file. By default, these roles have a ROLE_ prefix. If the incoming role values do not contain the prefix, you can use the following property to add it:

    samlToken.UserDetails.rolePrefix=ROLE_

Domains

    If the name ID passed in the SAML assertion is an email address (for example johndoe@hisdomain.com), PAS for OpenEdge extracts the domain name using the '@' separator and assigns it to the DOMAIN-NAME attribute of the CLIENT-PRINCIPAL object that it creates. However, if the name ID is not an email address, you can use the following property to set a default domain name:

    samlToken.UserDetails.userDomain=Domain_Name

    You may want to specify a domain name that has minimal access rights to your ABL application.

    Note: If saml is set as the client login model, this property overrides the OEClientPrincipalFilter.domain property.

    To create a sealed CLIENT-PRINCIPAL object, PAS for OpenEdge requires a domain access code that corresponds to the domain name. Typically, a CSV file is created containing a list of key-value pairs (for example, domain, domain-access-code) and then encrypted into a Java keystore file. To specify this keystore file, use the following property:

    samlToken.UserDetails.registryFile=keystore_file

    Note: If saml is set as the client login model, this property overrides the OEClientPrincipalFilter.registryFile property. For more information about creating registry files, see Configuring multiple domains.
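The following script is an added example and is not Progress or PAS for OpenEdge code. It models how the properties in Table 1 combine when an assertion arrives: the HTTP method check against allowMethods, the NotOnOrAfter check widened by responseSkew, the domain taken from an email-style name ID or from userDomain, and the role prefix applied to the configured role attributes. It also audits a properties file for settings that widen the acceptance window more than a deployment usually needs. The properties text, the assertion dictionary, the hostnames, file paths and attribute names are all constructed sample input, and the simulation is an illustration of the documented behaviour, not the server's implementation.

```python
"""Simulation of the SAML settings in oeablSecurity.properties (added example,
not PAS for OpenEdge code). All sample values below are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed SAML section of an oeablSecurity.properties file.
SAMPLE_PROPERTIES = """
# constructed sample; hostname, path and attribute names are placeholders
client.login.model=saml
samlToken.metadata.idpMetaDataFileLocation=https://idp.example.test/metadata.xml
samlToken.httpBinding.allowMethods=GET,POST
samlToken.webSSOProcessingFilter.responseSkew=60
samlToken.UserDetails.roleAttrName=memberOf,groups
samlToken.UserDetails.rolePrefix=ROLE_
samlToken.UserDetails.userDomain=SamlUsers
samlToken.UserDetails.registryFile=conf/domains.keystore
"""

# Fixed "current time" so that the example is deterministic.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _csv_set(props, key, default):
    return {item.strip().upper() for item in props.get(key, default).split(",") if item.strip()}


def make_assertion(seconds_until_expiry, method="POST",
                   name_id="johndoe@hisdomain.com", attributes=None):
    """Build a constructed assertion summary relative to SAMPLE_NOW."""
    return {
        "http_method": method,
        "not_on_or_after": SAMPLE_NOW + timedelta(seconds=seconds_until_expiry),
        "name_id": name_id,
        "attributes": attributes if attributes is not None else {"memberOf": ["PSCUser", "ROLE_Admin"]},
    }


def evaluate_assertion(props, assertion, now):
    """Return (accepted, reason, principal_fields) for one incoming assertion."""
    if props.get("client.login.model") != "saml":
        return False, "client.login.model is not saml", None
    # HTTP method validation: the binding method must be listed in allowMethods.
    if assertion["http_method"].upper() not in _csv_set(props, "samlToken.httpBinding.allowMethods", "GET"):
        return False, "HTTP method not in samlToken.httpBinding.allowMethods", None
    # Validity period: NotOnOrAfter, extended by responseSkew seconds.
    skew = int(props.get("samlToken.webSSOProcessingFilter.responseSkew", "0"))
    if now >= assertion["not_on_or_after"] + timedelta(seconds=skew):
        return False, "assertion NotOnOrAfter has passed (including responseSkew)", None
    # Domain: the part after '@' for an email-style name ID, otherwise userDomain.
    name_id = assertion["name_id"]
    domain = name_id.rsplit("@", 1)[1] if "@" in name_id else props.get("samlToken.UserDetails.userDomain", "")
    # Roles: values of the configured attributes, with the prefix added when missing.
    prefix = props.get("samlToken.UserDetails.rolePrefix", "")
    roles = []
    for attr in props.get("samlToken.UserDetails.roleAttrName", "").split(","):
        for value in assertion["attributes"].get(attr.strip(), []):
            roles.append(value if value.startswith(prefix) else prefix + value)
    return True, "accepted", {"DOMAIN-NAME": domain, "ROLES": roles}


def audit_settings(props, max_skew_seconds=300):
    """Flag settings that accept more than a typical SAML deployment needs."""
    findings = []
    extra = _csv_set(props, "samlToken.httpBinding.allowMethods", "GET") - {"GET", "POST"}
    if extra:
        findings.append("allowMethods permits methods beyond GET/POST: " + ",".join(sorted(extra)))
    skew = int(props.get("samlToken.webSSOProcessingFilter.responseSkew", "0"))
    if skew > max_skew_seconds:
        findings.append("responseSkew of %ds extends assertion validity well past clock drift" % skew)
    if not props.get("samlToken.metadata.idpMetaDataFileLocation"):
        findings.append("no identity provider metadata location configured")
    return findings


if __name__ == "__main__":
    settings = parse_properties(SAMPLE_PROPERTIES)
    print(evaluate_assertion(settings, make_assertion(-30), SAMPLE_NOW))
    print(evaluate_assertion(settings, make_assertion(-90), SAMPLE_NOW))
    print(audit_settings(settings))
```

With responseSkew=60, an assertion whose NotOnOrAfter passed 30 seconds ago is still accepted, while one that expired 90 seconds ago is rejected; raising responseSkew or widening allowMethods is what the audit function reports, since both settings enlarge the window in which a captured assertion remains usable.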

For more information on properties, see About oeablSecurity.properties files.