OpenEdge domain seal and validation support
- Last Updated: February 11, 2026
- OpenEdge
- Version 13.0
PAS for OpenEdge SSO supports the sealing and validation of both single-tenant and multi-tenant CLIENT-PRINCIPAL tokens using the OEClientPrincipalFilter bean, which is configured in the oeablSecurity.properties file. The OEClientPrincipalFilter bean is the single point that manages all aspects of translating Spring tokens to CLIENT-PRINCIPAL tokens, sealing CLIENT-PRINCIPAL tokens, and validating CLIENT-PRINCIPAL tokens across all methods of direct login and SSO.
All OpenEdge products that produce or consume CLIENT-PRINCIPAL tokens, including PAS for OpenEdge, are expected to define and use unique OpenEdge domain names. Each OpenEdge domain has a secret access code that is configured in every product that uses that domain. Each OpenEdge product can be configured to use some or all of the enterprise’s defined OpenEdge domains, in effect adding a level of domain authorization to a Progress component. PAS for OpenEdge supports this architectural model.
PAS for OpenEdge’s web service SSO requires configuring a minimum of one domain and access code pair, and may support multiple pairs by using a multi-domain registry (generated by the GENDOMREG utility). The ABL business application that receives an SSO token is expected to be configured with the same OpenEdge domain names and access codes. An SSO token must be validated using a domain configuration before it can be accepted as proof of the client’s ability to use services and passed to the ABL business applications.
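
The domain authorization model described above, as a conceptual sketch added here (not OpenEdge code): HMAC-SHA256 stands in for the product's seal algorithm, which this page does not describe, and the `DomainRegistry` class, domain names and access codes are hypothetical. It shows why a token validates only in a component configured with the same domain and the same access code.

```python
import hashlib
import hmac
import json

class DomainRegistry:
    """The domain -> access code pairs configured in one component."""

    def __init__(self, domains):
        self._codes = {name: code.encode() for name, code in domains.items()}

    def _mac(self, domain, payload):
        # Stand-in seal: HMAC-SHA256 keyed with the domain's access code.
        return hmac.new(self._codes[domain], payload, hashlib.sha256).hexdigest()

    def seal(self, user, domain):
        if domain not in self._codes:
            raise KeyError(f"domain {domain!r} is not configured here")
        payload = json.dumps({"user": user, "domain": domain}, sort_keys=True).encode()
        return {"payload": payload, "seal": self._mac(domain, payload)}

    def validate(self, token):
        try:
            payload, seal = token["payload"], token["seal"]
            domain = json.loads(payload)["domain"]
        except (KeyError, TypeError, ValueError):
            return False, "malformed token"
        if not (isinstance(payload, bytes) and isinstance(seal, str) and seal.isascii()):
            return False, "malformed token"
        if not isinstance(domain, str) or domain not in self._codes:
            return False, "domain not configured"
        if not hmac.compare_digest(self._mac(domain, payload), seal):
            return False, "seal mismatch"
        return True, "ok"

# Constructed sample configuration: hypothetical domain names and access codes.
producer = DomainRegistry({"hr": "hr-code-1", "sales": "sales-code-1"})
hr_app = DomainRegistry({"hr": "hr-code-1"})        # configured for "hr" only
stale_app = DomainRegistry({"hr": "old-hr-code"})   # access code out of sync

def demo():
    hr_token = producer.seal("alice", "hr")
    sales_token = producer.seal("bob", "sales")
    forged = dict(hr_token, payload=hr_token["payload"].replace(b"alice", b"admin"))
    return {
        "hr token, hr_app": hr_app.validate(hr_token),
        "sales token, hr_app": hr_app.validate(sales_token),
        "hr token, stale_app": stale_app.validate(hr_token),
        "forged token, hr_app": hr_app.validate(forged),
    }
```

Calling `demo()` returns one `(accepted, reason)` pair per case: only the `hr` token presented to the component holding the matching `hr` access code is accepted.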