Configure the generation of OpenEdge native SSO tokens
- Last Updated: February 11, 2026
- 1 minute read
- OpenEdge
- Version 13.0
- Documentation
Only certain types of PAS for OpenEdge web application can be a source of native SSO tokens. External authentication systems that produce their own security tokens and are integrated into Spring Security's process are prohibited from having an SSO token generated by OpenEdge.
The generation of an OpenEdge native SSO token occurs after Spring Security's authentication process completes a successful user direct-login. This post-processing operation generates an extended ClientPrincipal security token that is safe enough to function in a less secure client login context (one where the client receives a security token and exposes it to the network). The processing is handled by the existing OpenEdge authentication success handler, which uses the OpenEdge Client-Principal handler to do the physical Client-Principal generation and sealing. The successful authentication handler has the following configuration properties for producing OpenEdge SSO tokens, plus some optional properties that allow tailoring to individual installations.
The following table lists the properties in oeablSecurity.properties that control OpenEdge SSO token generation.
| Property Name | Data Type | Default | Value Range | Description |
|---|---|---|---|---|
| OESSO.require.https | boolean | true | true, false | When true, requires that a client request for any SSO operation be made using the HTTPS URL scheme. This property is used to set the OEAuthnSuccessHandler.tokenSecure property. |
| OESSO.error.detail | integer | 0 | 0 (none), 1 (terse), 2 (debug) | Controls the amount of error detail returned to a client for all SSO operations. The default (0) meets security best practices in returning little of value a hacker can make use of, but it does not supply an administrator or end user with useful information for problem solving. Higher levels provide more information to administrators for problem resolution, but can also provide information usable by a hacker to attack your application. This property is used to set the OEAuthnSuccessHandler.tokenErrorDetail property. |
| OESSOTokenManager.tokenPolicy | string | disabled | disabled, ifRequired, always | Controls the actions to take when producing and returning a native OpenEdge SSO token to a client. See the OESSOTokenManager Policies section below for more information. |
| OESSOTokenManager.ssoTokenURLOption | string | oesso | | The name of the URL query option a client adds to a direct-login request to ask the server to issue an OpenEdge SSO token when OESSOTokenManager.tokenPolicy is ifRequired. Ignored when OESSOTokenManager.tokenPolicy is disabled or always. |
| OESSOTokenManager.ssoTokenRefresh | boolean | true | true, false | Controls a client's ability to request that an expired OpenEdge SSO token be refreshed with a new expiration date. NOTE: This property's value is forced to |
| OESSOTokenManager.ssoTokenExpires | integer | (1 hour) | | Controls the number of seconds a newly created OpenEdge SSO token is valid before it expires. If the value is less than 1, no refresh token will be generated and returned. |
| OESSOTokenManager.ssoGrantScope | string | "" | string | Controls which OpenEdge web applications may use an OpenEdge SSO token produced by the Token Manager. It is used when an ABL application has many web applications but not all of them should accept any OpenEdge SSO token. The string is a comma-separated list of names corresponding to the web applications that should accept the OpenEdge SSO token. When blank, no scope information is included in the OpenEdge SSO token. When set, refer to the corresponding OpenEdge SSO token consumer property. |
| OEAuthnSuccessHandler.tokenErrorDetail | integer | 0 | | Controls the amount of error detail returned to a client during the OpenEdge SSO token creation process. This property is normally set using the OESSO.error.detail property. |
| OEAuthnSuccessHandler.tokenSecure | boolean | true | true, false | Controls the requirement for HTTPS requests from the client while authenticating the user and returning an OpenEdge SSO token. This property is normally set using the OESSO.require.https property. |
OESSOTokenManager Policies
| Policy Name | Description |
|---|---|
| disabled | The web application will not generate OpenEdge SSO tokens. This policy must be used in all web applications that do not support the Spring Security HTTP Form direct-login to user accounts. |
| ifRequired | The web application will only produce an OpenEdge SSO token if the client application requests it by adding a URL option (see OESSOTokenManager.ssoTokenURLOption) during a successful direct-login operation. This policy should be used only in OpenEdge SSO token producer web applications that support the Spring Security HTTP Form type of direct-login to user accounts. |
| always | The web application will always produce an OpenEdge SSO token if the client completes a successful direct-login operation. This policy should be used only in OpenEdge SSO token producer web applications that support the Spring Security HTTP Form type of direct-login to user accounts. Note: This is an extremely dangerous policy setting and should only be used in cases where the web application's authentication process is protected by other controls such as client types, IP addresses, etc. |
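As an added example (not Progress code, and not part of this page), a small Python checker that parses an oeablSecurity.properties fragment and flags the token-generation settings the tables above describe as risky: tokenPolicy=always, require.https=false, a non-zero error.detail, and a blank ssoGrantScope. The sample file content is constructed for the demonstration.

```python
"""Audit OpenEdge SSO token settings in an oeablSecurity.properties fragment.
Added example, not Progress code; the sample file content is constructed."""

# Constructed sample: an ifRequired producer with a few settings loosened.
SAMPLE = """\
OESSO.require.https=false
OESSO.error.detail=2
OESSOTokenManager.tokenPolicy=ifRequired
OESSOTokenManager.ssoTokenURLOption=oesso
OESSOTokenManager.ssoTokenRefresh=true
OESSOTokenManager.ssoTokenExpires=3600
OESSOTokenManager.ssoGrantScope=
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_sso(props):
    """Return (property, finding) pairs; an empty list means nothing to flag."""
    findings = []
    policy = props.get("OESSOTokenManager.tokenPolicy", "disabled")
    if policy == "always":
        findings.append(("OESSOTokenManager.tokenPolicy", "always: a token is issued on "
                         "every direct-login; prefer ifRequired unless other controls apply"))
    if policy == "disabled":
        return findings  # no tokens are produced, so the remaining settings are moot
    if props.get("OESSO.require.https", "true").lower() != "true":
        findings.append(("OESSO.require.https", "false: tokens may be issued over plain HTTP"))
    if props.get("OESSO.error.detail", "0").strip() != "0":
        findings.append(("OESSO.error.detail", "non-zero: returns error detail useful to an "
                         "attacker; use 0 (none) in production"))
    if not props.get("OESSOTokenManager.ssoGrantScope", ""):
        findings.append(("OESSOTokenManager.ssoGrantScope", "blank: token carries no "
                         "web-application scope information"))
    return findings
```

Running `audit_sso(parse_properties(SAMPLE))` on the constructed sample reports the HTTPS, error-detail and scope settings; with tokenPolicy=disabled nothing is reported, since no tokens are produced.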