The STS AuthenticationProvider

The STS AuthenticationProvider in PAS for OpenEdge is a plug-in that enables the use of the OpenEdge Authentication Gateway as the source for user authentication and client-principal token generation.
The STS AuthenticationProvider:
* Takes user credentials (i.e. user name and password) as input
* Connects to the Authentication Gateway via a secure HTTPS connection
* Sends user credentials to the Authentication Gateway for authentication
If the authentication is successful, the STS AuthenticationProvider:
* Receives a sealed client-principal token from the Authentication Gateway
* Passes the client-principal (unaltered) to the Spring Security URL authorization process
Spring Security URL authorization:
* Performs Role-Based Authorization (RBA)
* Passes the client-principal token (if RBA is successful) to ABL applications
Note: The client-principal's ROLES attribute serves as input to the Spring Security URL RBA process. Therefore, the ROLES attribute must contain at least one role name that meets Spring Security's URL access control requirements.
Like other Spring Security components in PAS for OpenEdge, the STS AuthenticationProvider is configured in an oeablSecurity.properties file on the instance, ABL application, or web application level. (For more information about the hierarchy of these oeablSecurity.properties files, see the Security properties files topic in Progress Application Server for OpenEdge: Administration Guide.)
On the instance level (../conf/oeablSecurity.properties), the file contains a complete set of STS AuthenticationProvider properties. For example:
## OpenEdge Authentication Gateway client configuration
## for direct user logins to a PASOE server
##
sts.AuthProvider.multiTenant=true
sts.AuthProvider.userDomain=
sts.UserDetails.stsURL=https://host:port
sts.UserDetails.stsKeystore=
sts.UserDetails.clientHeaderName=x-oests-token
sts.UserDetails.noHostVerify=false
sts.UserDetails.certLocation=${psc.as.oe.dlc}/certs
sts.UserDetails.tlsCipherSuites=
sts.UserDetails.tlsProtocols=
sts.UserDetails.userAgent=PASOE (Spring)
The files on the ABL application (../ablapps/abl-app-name/oeablSecurity.properties) and the web application levels (../webapps/web-app-name/WEB-INF/oeablSecurity.properties) contain the properties that can override the properties specified on the instance level. For example:
## OpenEdge Authentication Gateway client configuration
## for direct user logins to a PASOE server
##
sts.AuthProvider.multiTenant=true
sts.AuthProvider.userDomain=
sts.UserDetails.stsURL=https://host:port
sts.UserDetails.stsKeystore=
sts.UserDetails.noHostVerify=true
See the ../conf/oeablSecurity.properties.README file for a description of the STS AuthenticationProvider properties and an explanation of their valid values.
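The following is an added example, not Progress's own code: it parses the key=value lines of the oeablSecurity.properties files shown above, merges them in the instance, ABL application, web application precedence described on this page, and reports the STS settings in the effective configuration that weaken transport security. The two property texts are constructed from the page's samples, and the reading of noHostVerify=true as disabling TLS host-name verification is an assumption drawn from the property name.

```python
from typing import Dict, List

# Constructed from the page's instance-level sample.
INSTANCE_PROPS = """\
## OpenEdge Authentication Gateway client configuration
sts.AuthProvider.multiTenant=true
sts.AuthProvider.userDomain=
sts.UserDetails.stsURL=https://host:port
sts.UserDetails.stsKeystore=
sts.UserDetails.clientHeaderName=x-oests-token
sts.UserDetails.noHostVerify=false
sts.UserDetails.certLocation=${psc.as.oe.dlc}/certs
sts.UserDetails.tlsCipherSuites=
sts.UserDetails.tlsProtocols=
sts.UserDetails.userAgent=PASOE (Spring)
"""

# Constructed from the page's web-application override sample.
WEBAPP_PROPS = """\
## web-application level override
sts.UserDetails.noHostVerify=true
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for the key=value lines used in oeablSecurity.properties."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # '##' comment lines
            continue
        key, sep, value = line.partition("=")         # value may contain spaces
        if sep:
            props[key.strip()] = value.strip()
    return props

def effective_properties(*layers: str) -> Dict[str, str]:
    """Later layers (ABL app, then web app) override the instance-level layer."""
    merged: Dict[str, str] = {}
    for layer in layers:
        merged.update(parse_properties(layer))
    return merged

def sts_findings(props: Dict[str, str]) -> List[str]:
    """STS settings in the effective configuration a reviewer would question."""
    findings = []
    if not props.get("sts.UserDetails.stsURL", "").lower().startswith("https://"):
        findings.append("stsURL is not an https:// URL")
    if props.get("sts.UserDetails.noHostVerify", "false").lower() == "true":
        findings.append("noHostVerify=true disables TLS host-name verification")
    return findings
```

Running `sts_findings(effective_properties(INSTANCE_PROPS, WEBAPP_PROPS))` shows how a single web-application override changes the effective security posture even though the instance-level file is clean.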