PAS for OpenEdge SSO Configuration Guide

Configuring PAS for OE SSO tokens is accomplished by updating the following files:

| File path | Description |
| --- | --- |
| instance-name/conf/oeablSecurity.properties | Spring configuration defaults for all web applications |
| instance-name/webapps/web-app-name/WEB-INF/oeablSecurity.properties | Spring configuration settings for an individual web application |
| instance-name/webapps/web-app-name/WEB-INF/oeablSecurity.csv | URL access controls (Spring Security intercept-url settings) for individual web applications |

Note: The oeablSecurity.properties files are where you configure the OEClientPrincipalFilter bean, which manages all aspects of translating Spring tokens to Client-Principal tokens, sealing Client-Principal tokens, and validating Client-Principal tokens across all methods of direct-login and SSO.
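
When reviewing an instance, it helps to see which web application changes an OEClientPrincipalFilter default set at the instance level. The following is an added example, not code from the OpenEdge documentation or product: it assumes that a value in the web application's oeablSecurity.properties takes precedence over the instance-level default, and the file contents, key suffixes and values are constructed sample data.

```python
import re

# Constructed sample contents; the key suffixes and values are illustrative only.
INSTANCE_DEFAULTS = """\
# instance-name/conf/oeablSecurity.properties
OEClientPrincipalFilter.enabled=false
OEClientPrincipalFilter.domain=
example.other.setting=1
"""
WEBAPP_SETTINGS = """\
# instance-name/webapps/web-app-name/WEB-INF/oeablSecurity.properties
OEClientPrincipalFilter.enabled = true
OEClientPrincipalFilter.domain: sample-domain
"""
PREFIX = "OEClientPrincipalFilter."

def parse_properties(text):
    """Parse Java .properties text: comments, '=' or ':' separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]  # join with the next physical line
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2)
    return props

def effective_settings(instance_text, webapp_text, prefix=PREFIX):
    """Return {key: (value, source)}. Assumption: the web application's value wins."""
    merged = {}
    for source, text in (("instance", instance_text), ("webapp", webapp_text)):
        for key, value in parse_properties(text).items():
            if key.startswith(prefix):
                merged[key] = (value, source)
    return merged

def overridden_keys(instance_text, webapp_text, prefix=PREFIX):
    """Keys where the web application changes an instance-level default."""
    inst, app = parse_properties(instance_text), parse_properties(webapp_text)
    return sorted(k for k in app if k.startswith(prefix) and k in inst and app[k] != inst[k])

if __name__ == "__main__":
    for key, (value, source) in sorted(effective_settings(INSTANCE_DEFAULTS, WEBAPP_SETTINGS).items()):
        print(f"{key} = {value!r}  (from {source})")
    print("overrides:", overridden_keys(INSTANCE_DEFAULTS, WEBAPP_SETTINGS))
```
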
There are two SSO configurations: one for web applications that produce SSO tokens and one for web applications that consume SSO tokens.
Table 2. Overview of SSO Producer Configuration

Configure Client-Principal creation
* Add single/multi Domain and Access code(s)
* Include Spring Authentication Provider granted Roles
* Optional static Spring Role(s) for authorization to URLs

Configure SSO token creation
* Enable SSO token creation
* Optionally change initial expiration time from 3600 seconds
* Optionally enable SSO Token Refresh operations
* Optionally change refresh delta time of 3600 seconds
* Optionally define a SSO Token scope to filter which PAS for OE services are allowed to accept a SSO token generated by this service
* Optionally configure error level detail returned to the client
* Optionally allow HTTP messages instead of the required HTTPS

Note: Because of the security risks, PAS for OpenEdge web applications should not produce SSO tokens unless there are deployed clients capable of using the SSO that is produced. Therefore, the default setting for authentication and generation of native OpenEdge SSO tokens is disabled. In most cases, you can simply enable authentication or generation, or both.
Table 3. Overview of SSO Consumer Configuration

Configure Client-Principal validation
* Add single/multi Domain and Access code(s)

Configure SSO Token use & validation
* Enable accepting SSO tokens for access to service URLs
* Optionally configure error level detail returned to the client
* Optionally allow HTTP messages instead of the required HTTPS

* Configuring the Validation and Use of Native OpenEdge SSO Token in Client Requests
* Configuring the Generation of OpenEdge Native SSO Tokens
* Configuring Refresh of OpenEdge Native SSO Tokens