Configuring the Validation and Use of Native OpenEdge SSO Token in Client Requests
The following table lists the properties in oeablSecurity.properties that control if and how OE SSO tokens can be used to gain access to the data services.

| Property Name | Data Type | Default | Value Range | Description |
|---|---|---|---|---|
| OESSO.error.detail | integer | 0 | 0 (none), 1 (terse), 2 (debug) | Controls the amount of error detail returned to a client for all SSO operations. The default (0) meets security best practices by returning little of value that a hacker can make use of, but it does not supply an administrator or end user with useful information for problem solving. Higher levels provide more information to administrators for problem resolution, but can also provide information a hacker can use to attack your application. This property is used to set OESSOFilter.authErrorDetail. |
| OESSO.require.https | boolean | true | true or false | When true, all SSO operations require the client request to be made using the HTTPS URL scheme. When false, HTTP is allowed (not recommended for operating a secure web application). This property is used to set OESSOFilter.authSecurity. |
| OESSOFilter.authPolicy | string | disabled | disabled, sufficient, required | See the following section, OE SSO Token Consumer Policies. |
| OESSOFilter.authmanager | string | --- | See the http.all.authmanager property for valid settings | Controls which Authentication Manager is used to validate the OECP SSO token passed by the HTTP client. This property is mapped to the http.all.authmanager property and should only be changed when the OECP SSO Authentication Manager must differ from the one used in the OECP SSO provider. |
| OESSOFilter.authScheme | string | OECP | valid string | The HTTP Authorization header's authentication-scheme field name that identifies the presence of an OECP SSO token value. Format: `Authorization: auth-scheme base64-sso-token-value`. Caution: OpenEdge recommends that you do not change this value. |
| OESSOFilter.authClientType | string | * | regex | Requires the HTTP request's User-Agent: header to contain a specific value as defined by a Java RegEx pattern. The default "*" value disables User-Agent: header checking. |
| OESSOFilter.authErrorDetail | int | --- | --- | Mapped to the property OESSO.error.detail. Explicitly define a value if the error detail for consuming SSO tokens should differ from other SSO operations. |
| OESSOFilter.authSecurity | boolean | --- | --- | Mapped to the property OESSO.require.https. Explicitly define a value if the requirement to use HTTPS should differ from other SSO operations. |
| OESSOTokenManager.ssoAllowScope | string | blank | blank or list | When non-blank, this property controls which OE SSO tokens may be used by this web application. If the OE SSO token passed by a client has not been granted one of the scope values in this list, the token is rejected and the request fails. See the OE SSO token provider property OESSOTokenManager.ssoGrantScope for additional information. |

OE SSO Token Consumer Policies

Policy name: disabled
The web application does not look for or handle OE SSO tokens. If a native SSO token is passed in an Authorization header by a client, it is ignored.

Policy name: sufficient
The web application looks for an HTTP Authorization header containing the authentication scheme specified by the OESSOFilter.authScheme property (OECP) and a native SSO token.
* If no HTTP Authorization header is present, the authentication process continues with the next configured filter, which allows other SSO filters to operate.
* If an HTTP Authorization header is present but does not contain an authentication-scheme field matching the OESSOFilter.authScheme property, the authentication process continues with the next configured filter, which allows other SSO filters to operate.
* If an HTTP Authorization header is present and contains an authentication-scheme field matching the OESSOFilter.authScheme property, the filter validates the contained OE SSO token value. If a validation error occurs, a 401 error is returned to the client and no other SSO filters are invoked. If validation succeeds, the native token is extracted, the remaining authentication filters are skipped, and the native token's ROLEs are used to perform URL authorization.
This policy is best used in OE SSO token producer and OE SSO token consumer web applications that also support other forms of Spring Security direct login to user accounts.

Policy name: required
The web application looks for an HTTP Authorization header containing the authentication scheme specified by the OESSOFilter.authScheme property (OECP) and a native SSO token.
A 401 error response is returned to the client, and no other SSO filters are invoked, if any of the following occurs:
* No Authorization header is found
* An Authorization header is found, but it is blank
* An Authorization header is found, but its authentication scheme does not match the OESSOFilter.authScheme property
* An Authorization header is found with an authentication scheme that matches the OESSOFilter.authScheme property, but it does not carry an SSO token value
* An Authorization header is found with an authentication scheme that matches the OESSOFilter.authScheme property, but its SSO token value is not valid
If validation succeeds, the native token is extracted, the remaining authentication filters are skipped, and the native token's ROLEs are used to perform URL authorization.
This policy is best used in OE SSO token consumer web applications that do not support any other form of Spring Security direct login to user accounts.
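The following is an added example, not Progress code, that models the filter decisions described in the property table and the three consumer policies above: it parses the `Authorization: auth-scheme base64-sso-token-value` format, applies the OESSOFilter.authPolicy, OESSOFilter.authScheme, OESSOFilter.authClientType and OESSOTokenManager.ssoAllowScope settings, and shapes the 401 message per OESSO.error.detail. The token encoding (base64 JSON with roles and scopes) and the point at which the User-Agent check runs are assumptions for illustration; the real OECP token format is not documented on this page.

```python
import base64
import json
import re

def make_token(roles, scopes):
    """Constructed stand-in for an OECP token (base64 JSON); the real encoding is not on this page."""
    return base64.b64encode(json.dumps({"roles": roles, "scopes": scopes}).encode()).decode()

def decode_token(b64):
    try:
        return json.loads(base64.b64decode(b64, validate=True))
    except Exception:
        return None  # any decode failure counts as a validation error

def evaluate(headers, props):
    """Model the OESSOFilter decision for one request.
    Returns ("continue", None) to pass to the next filter,
    ("401", reason) to reject, or ("authenticated", roles) on success."""
    policy = props.get("OESSOFilter.authPolicy", "disabled")
    if policy == "disabled":
        return ("continue", None)  # a native token in the header is ignored
    scheme = props.get("OESSOFilter.authScheme", "OECP")
    parts = headers.get("Authorization", "").split(None, 1)
    # Missing/blank header or foreign scheme: "sufficient" defers, "required" rejects.
    if not parts or parts[0] != scheme:
        return ("continue", None) if policy == "sufficient" else ("401", "no OECP credential")
    if len(parts) < 2 or not parts[1].strip():
        return ("401", "empty token")
    # Assumption: the User-Agent check runs once this filter owns the request.
    ua_pattern = props.get("OESSOFilter.authClientType", "*")
    if ua_pattern != "*" and not re.fullmatch(ua_pattern, headers.get("User-Agent", "")):
        return ("401", "client type rejected")
    token = decode_token(parts[1].strip())
    if token is None:
        return ("401", "token validation failed")
    allow_scope = props.get("OESSOTokenManager.ssoAllowScope", "").strip()
    if allow_scope:
        allowed = {s.strip() for s in allow_scope.split(",") if s.strip()}
        if not allowed & set(token.get("scopes", [])):
            return ("401", "scope not granted")
    return ("authenticated", list(token.get("roles", [])))

def error_body(reason, props):
    """Shape the 401 text per OESSO.error.detail (0 none, 1 terse, 2 debug);
    OESSOFilter.authErrorDetail overrides it for token consumption when set."""
    level = int(props.get("OESSOFilter.authErrorDetail") or props.get("OESSO.error.detail", "0"))
    if level == 0:
        return "Unauthorized"
    return f"Unauthorized: {reason}" if level == 1 else f"Unauthorized: {reason} (policy={props.get('OESSOFilter.authPolicy')})"
```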