To implement SAML in PAS for OpenEdge, you need to perform two tasks:

Since a PAS for OpenEdge web application does not act as a direct-login service provider, you need to develop a PAS for OpenEdge client application that can communicate with end users and work with identity providers.

The common use case is to develop a client application (for example, a Kendo UI Builder application) that provides HTML pages that end users access via a browser. When the end user clicks a link or URL that requires a protected OpenEdge resource, the PAS for OpenEdge client initiates a SAML workflow. This resource could be, for example, an ABL business entity wrapped in a Data Object Service, in which case you would want your PAS client to call a URL such as http://host:port/OpenEdgeApplication/rest/DataObjService/ABLBusinessEntity.

To implement this use case, you must develop your PAS client application and set it up to work with an identity provider of your choice. The important thing to remember is that the PAS client application must send the SAML assertion that it receives from an identity provider to the PAS for OpenEdge web application.

To obtain a protected resource from PAS for OpenEdge, the client application must send a valid SAML assertion to the PAS for OpenEdge web application. This assertion must be sent in the Authorization header of the HTTP request with the prefix SAML.

Also, the HTTP method that your PAS client uses to send SAML assertions must match the samlToken.httpBinding.allowedMethods property set in the oeablSecurity.properties file. It must also match a method defined for the resource URL in the oeablSecurity.csv file.

In addition, you need to generate a metadata file for your PAS client application. This task is performed either by an application developer or a system administrator. There are tools available online (such as this one) that can help generate this metadata. The metadata is useful not only when you are configuring the identity provider to communicate with your PAS for OpenEdge client application, but also when you are configuring SAML properties in the PAS for OpenEdge web application.

After you have set up your client application, configure the following properties in your PAS for OpenEdge web application's oeablSecurity.properties file located in the WEB-INF folder.

Client login model

Set the value of the client.login.model property to saml.

Metadata

Set the path to the PAS client application's (service provider's) metadata.

Set the path to the identity provider's metadata.

HTTP Method Validation

Set the allowed HTTP methods for incoming HTTP requests that contain the SAML assertion. If the only allowed method is GET, and the SAML assertion is part of a POST message, PAS for OpenEdge rejects the request.

ACS URL Validation

The Audience restriction URL, a field in the SAML assertion that Identity Provider returns, must match the location value of the AssertionConsumerService URL in the Service Provider’s metadata file. If not, the Service Provider rejects the SAML response from the Identity Provider. This property is optional and the URL matching can be skipped. However, if you need to check ACS endpoint, set this property to true.

Validity period

PAS for OpenEdge rejects a request if the SAML assertion's NotOnOrAfter timestamp has passed. However, you can set the following property to extend the duration of the assertion's validity period.

Roles

If the incoming SAML assertion's attribute statements define user roles, you can set the attribute names as comma-separated values in the following property. This enables PAS for OpenEdge to populate the ROLES attribute when creating the Client-Principal object.

Note that PAS for OpenEdge authorizes a user to access a resource only if the role values in the SAML assertion's attributes map to roles defined for resource URLs in the oeablSecurity.csv file. By default, these roles have a ROLE_ prefix. If the incoming role values do not contain the prefix, you an use the following property to add it:

Domains

If the NameID passed in the SAML assertion is an email address (for example johndoe@hisdomain.com), PAS for OpenEdge extracts the domain name using the '@' separator and assigns it to the DOMAIN-NAME attribute of the Client-Principal object that it creates. However, if the NameID is not an email address, you can use the following property to set a default domain name:

You may want to specify a domain name that has minimal access rights to your ABL application.

To create a sealed Client-Principal object, PAS for OpenEdge requires a domain access code that corresponds to the domain name. Typically, a CSV file is created containing a list of key-value pairs (for example, domain, domain-access-code) and then encrypted into a Java keystore file. To specify this keystore file, use the following property: