Customization Guide

SSO support for Business Process Server

Progress OpenEdge Business Process Server supports single sign-on (SSO). With SSO, a user who has already been authenticated in an OpenEdge application can sign into Business Process Server without re-authenticating. SSO is an access-control feature for multiple related systems: it lets a user sign into one system on the strength of an authentication already performed by another system in the same security domain.
For more information about user authentication using SSO, see the OpenEdge Getting Started: Identity Management guide.
The ABL methods Connect( ) and GetClientPrincipal( ), both public methods of the Progress.BPM.UserSession class, enable an OpenEdge client to perform an SSO into Business Process Server using a sealed Client-Principal object as the identity token. A Client-Principal object is an ABL security token: it carries the credentials that establish a user's identity for an ABL session. For more information on the methods of the Progress.BPM.UserSession class, see the OpenEdge Development: ABL Reference guide.
For SSO into the Business Process Server, an OpenEdge client must do the following:
*Use the Register-Domain( ) method on the SECURITY-POLICY system handle to create a domain and load it into the session's domain registry. The default registry supports only the "bpm" domain with the access code "oebpm".
*Access Business Process Server through the built-in UserSession object.
*Connect to Business Process Server with the UserSession:Connect(hCP) method, where hCP is a handle to the Client-Principal object.
*The Client-Principal object passed to Connect(hCP) must contain the credentials of the user who has been authenticated by the OpenEdge application.
*The Client-Principal object must name a domain that exists in the current domain registry. The default registry supports only the "bpm" domain.
*The Client-Principal object must be sealed with that domain's access code. The "bpm" domain in the default domain registry requires the access code "oebpm".
Note: The user identified by the sealed Client-Principal need not be defined as a user in the Business Process Server authentication system (for example, in the JDBC or OEHybrid realm). The sealed token alone is accepted as proof that the user was authenticated elsewhere.
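The steps above, as one complete ABL procedure. This is an added example and not code from the OpenEdge documentation or from the Business Process Server product. It assumes the "bpm" domain is registered with the domain type "_oeusertable", that Progress.BPM.UserSession has a no-argument constructor and a Disconnect( ) method, that Connect( ) raises a Progress.Lang.Error on failure, and that the calling application's authenticated user-id can be read from SECURITY-POLICY:GET-CLIENT( ); all of these are assumptions for illustration.

```abl
/* bpm_sso.p  -- added example, not part of the OpenEdge documentation.
   Performs SSO into Business Process Server with a sealed Client-Principal. */

DEFINE VARIABLE hCP      AS HANDLE                   NO-UNDO.
DEFINE VARIABLE hBack    AS HANDLE                   NO-UNDO.
DEFINE VARIABLE oSession AS Progress.BPM.UserSession NO-UNDO.
DEFINE VARIABLE cUserId  AS CHARACTER                NO-UNDO.

DO ON ERROR UNDO, THROW:

    /* Step 1: load the "bpm" domain into this session's domain registry.
       The domain type "_oeusertable" and the description are assumptions.
       LOCK-REGISTRATION( ) makes the registry read-only for the session so
       later code cannot swap in a domain with a different access code. */
    SECURITY-POLICY:REGISTER-DOMAIN("bpm", "oebpm", "_oeusertable",
                                    "Business Process Server SSO domain", TRUE).
    SECURITY-POLICY:LOCK-REGISTRATION().

    /* Step 2: reuse the identity the OpenEdge application already
       established. Assumption: it is available as the session's own sealed
       Client-Principal via GET-CLIENT( ); only the user-id is carried over. */
    hBack = SECURITY-POLICY:GET-CLIENT().
    IF NOT VALID-HANDLE(hBack) OR hBack:LOGIN-STATE <> "LOGIN" THEN
        UNDO, THROW NEW Progress.Lang.AppError(
            "No authenticated user in this session; refusing to mint a BPM token.", 1).
    cUserId = hBack:USER-ID.
    DELETE OBJECT hBack.

    /* Step 3: build a Client-Principal for the "bpm" domain and seal it with
       that domain's access code. The seal is what Business Process Server
       trusts, so this code must run where "oebpm" can be kept secret. */
    CREATE CLIENT-PRINCIPAL hCP.
    hCP:USER-ID                   = cUserId.
    hCP:DOMAIN-NAME               = "bpm".
    hCP:SESSION-ID                = GUID(GENERATE-UUID).
    hCP:LOGIN-EXPIRATION-TIMESTAMP = ADD-INTERVAL(NOW, 8, "hours").
    IF NOT hCP:SEAL("oebpm") THEN
        UNDO, THROW NEW Progress.Lang.AppError("Client-Principal seal failed.", 2).

    /* Step 4: connect to Business Process Server with the sealed token
       (no re-authentication; the user need not exist in the BPM realm). */
    oSession = NEW Progress.BPM.UserSession().   /* constructor form assumed */
    oSession:Connect(hCP).

    /* Sanity check: the server hands back the session's Client-Principal;
       confirm it still carries our user, domain and an intact seal. */
    hBack = oSession:GetClientPrincipal().
    IF hBack:USER-ID <> cUserId OR hBack:DOMAIN-NAME <> "bpm"
       OR NOT hBack:VALIDATE-SEAL("oebpm") THEN
        UNDO, THROW NEW Progress.Lang.AppError("Unexpected identity returned by BPM server.", 3).
    MESSAGE "SSO into Business Process Server succeeded for" cUserId VIEW-AS ALERT-BOX.

    CATCH e AS Progress.Lang.Error:
        MESSAGE "SSO failed:" e:GetMessage(1) VIEW-AS ALERT-BOX ERROR.
    END CATCH.

    FINALLY:
        IF VALID-OBJECT(oSession) THEN DO:
            oSession:Disconnect().       /* assumed method */
            DELETE OBJECT oSession.
        END.
        IF VALID-HANDLE(hBack) THEN DELETE OBJECT hBack.
        IF VALID-HANDLE(hCP)   THEN DELETE OBJECT hCP.
    END FINALLY.
END.
```

The security-relevant point is in step 3: because Business Process Server accepts any Client-Principal sealed with the "bpm" domain's access code, and the Note above says the user need not even exist in its realm, the access code is effectively the credential. Keep the procedure that knows it on a trusted tier (for example an AppServer or PASOE agent) rather than in a thick client that end users can inspect, and keep the expiration window short.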