Configuring the Generation of OpenEdge Native SSO Tokens
Only certain types of PAS for OpenEdge web application can be a source of native SSO tokens. External authentication systems that produce their own security tokens and are integrated into Spring Security's process are not permitted to have an SSO token generated by OpenEdge.
An OpenEdge native SSO token is generated after Spring Security's authentication process completes a successful user direct-login. This post-processing step generates an extended ClientPrincipal security token that is safe enough to function in a less secure client login context (one where the client receives the security token and exposes it to the network). The processing is handled by the existing OE authentication success handler, which uses the OpenEdge Client-Principal handler to perform the actual Client-Principal generation and sealing. The OpenEdge successful authentication handler has the following configuration properties for producing OpenEdge SSO tokens, and adds some optional properties that allow tailoring to individual installations:
The following properties in oeablSecurity.properties control OE SSO token generation. For each property, the data type, default, value range and description are listed.

OESSO.require.https
  Data type: boolean
  Default: true
  Value range: true | false
  When true, all SSO operations require the client request to be made using the HTTPS URL scheme. Set to false to allow HTTP (not recommended for operating a secure web application).
  This property is used to set the OEAuthnSuccessHandler.tokenSecure property.

OESSO.error.detail
  Data type: integer
  Default: 0
  Value range: 0 (none) | 1 (terse) | 2 (debug)
  Controls the amount of error detail returned to a client for all SSO operations. The default (0) meets security best practices by returning little of value to an attacker, but it does not give an administrator or end user useful information for problem solving. Higher levels provide more information to administrators for problem resolution, but can also provide information an attacker can use against your application.
  This property is used to set the OEAuthnSuccessHandler.tokenErrorDetail property.

OESSOTokenManager.tokenPolicy
  Data type: string
  Default: disabled
  Value range: disabled | ifRequired | always
  Controls the actions taken when producing and returning a native OE SSO token to a client. See the OESSOTokenManager Policies section below for more information.

OESSOTokenManager.tokenURLOption
  Data type: string
  Default: oesso
  Value range: "oesso" | ""
  The URL query option name a client uses to request that the server issue an OE SSO token when the OESSOTokenManager.tokenPolicy value is ifRequired. For example:
    https://myauthserver/static/auth/j_spring_security_check?token.URL.Option={yes|no}
  A yes option value requests that an OE SSO token be created and returned to the client if the user's authentication is successful. Any other option value will not create or return an OE SSO token.
  Ignored if the OESSOTokenManager.tokenPolicy property value is disabled or always.

OESSOTokenManager.ssoTokenRefresh
  Data type: boolean
  Default: true
  Value range: true | false
  Controls a client's ability to request that an expired OE SSO token be refreshed with a new expiration date.
  NOTE: This property's value is forced to false if the OESSOTokenManager.tokenPolicy property's value is disabled.

OESSOTokenManager.ssoTokenExpires
  Data type: integer
  Default: 3600 (1 hour)
  Value range: 0-n seconds
  Controls the number of seconds a newly created OE SSO token is valid before it expires. If the value is less than 1, no refresh token will be generated and returned.

OESSOTokenManager.ssoGrantScope
  Data type: string
  Default: "" (blank)
  Value range: string
  Controls which OpenEdge web applications may use an OE SSO token produced by the Token Manager. It is used when an ABL application has many web applications, but not all of them should accept every OE SSO token.
  The string is a comma-separated list of names that correspond to the web applications that should accept the OE SSO token. When blank, no scope information is included in the OE SSO token. When
  Refer to the OE SSO token consumer property OESSOTokenManager.ssoAllowScope.

OEAuthnSuccessHandler.tokenErrorDetail
  Data type: integer
  Default: 0
  Value range: 0-3
  Controls the amount of error detail returned to a client during the OE SSO token creation process.
  This property is normally set through the OESSO.error.detail property to keep the error detail level consistent across the different SSO operations. Set it explicitly only if OE SSO token generation errors should return a different amount of error information than other SSO operations.

OEAuthnSuccessHandler.tokenSecure
  Data type: boolean
  Default: true
  Value range: true | false
  Controls the requirement for HTTPS requests from the client while authenticating the user and returning an OE SSO token.
  This property is normally set through the OESSO.require.https property to keep the HTTPS requirement consistent across the different SSO operations. Set it explicitly only if the HTTPS requirement differs from other SSO operations.

OESSOTokenManager Policies

disabled
  The web application will not generate OE SSO tokens.
  This policy must be used in all web applications that do not support Spring Security HTTP Form direct-login to user accounts.

ifRequired
  The web application produces an OE SSO token only if the client application requests it by adding a URL option during a successful direct-login operation. For more information, refer to the OESSOTokenManager.tokenURLOption property.
  This policy should be used only in OE SSO token producer web applications that support the Spring Security HTTP Form type of direct-login to user accounts.

always
  The web application always produces an OE SSO token when the client completes a successful direct-login operation.
  This policy should be used only in OE SSO token producer web applications that support the Spring Security HTTP Form type of direct-login to user accounts.
  Note: This is an extremely dangerous policy setting and should be used only where the web application's authentication process is protected by other controls, such as restrictions on client types, IP addresses, etc.
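As an added configuration example (not taken from the product documentation), the following oeablSecurity.properties fragment applies the properties and the ifRequired policy described above to a token-producing web application that supports Spring Security HTTP Form direct-login; the weaker settings are shown commented out for contrast. The property names are those listed on this page; the host name and the scope names are assumed.

```properties
# Added example: oeablSecurity.properties fragment for an OE SSO token producer
# web application (one that supports Spring Security HTTP Form direct-login).

# Keep every SSO operation on HTTPS; this also sets OEAuthnSuccessHandler.tokenSecure.
OESSO.require.https=true
# 0 returns minimal error detail to clients; raise it only while troubleshooting,
# then set it back. This also sets OEAuthnSuccessHandler.tokenErrorDetail.
OESSO.error.detail=0

# Issue a token only when the client explicitly asks for one on the login request.
OESSOTokenManager.tokenPolicy=ifRequired
# Query option the client adds to the direct-login URL, for example (host assumed):
#   https://myauthserver/static/auth/j_spring_security_check?oesso=yes
# Any value other than yes means no token is created or returned.
OESSOTokenManager.tokenURLOption=oesso

# Token lifetime in seconds (1 hour) and whether an expired token may be refreshed.
OESSOTokenManager.ssoTokenExpires=3600
OESSOTokenManager.ssoTokenRefresh=true

# Limit which web applications may consume the token (names are assumed);
# each consumer lists its own name in OESSOTokenManager.ssoAllowScope.
OESSOTokenManager.ssoGrantScope=orders,inventory

# Weaker settings, kept commented out; not for a production producer:
#OESSO.require.https=false             # token would travel over plain HTTP
#OESSOTokenManager.tokenPolicy=always  # every successful login returns a token

# A web application without HTTP Form direct-login must instead use:
#OESSOTokenManager.tokenPolicy=disabled
```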