For use with the OpenEdge Authentication Gateway only. Use OS User (-OSUser), with or without the Domain (-domain) connection parameter, to enable a single sign-on (SSO) connection to an STS-enabled database using the OS credentials.
| Operating system and syntax | UNIX / Windows | -OSUser |

| Use with | Maximum value | Minimum value | Single-user default | Multi-user default |
|---|---|---|---|---|
| Client Connection | — | — | — | — |
When authentication is done via a client and you do not specify -U/-P at connection time, the client either connects to the database using the blank user ID or performs an SSO connection using the OS credentials. This method of authentication does not work with an STS-enabled database; instead, use -OSUser to generate an SSO token from the OS credentials, which the STS then exchanges for a login token.
There are some additional requirements and considerations to be aware of when using -OSUser:
- The domain configuration must be properly set up to allow SSO token exchange. See OpenEdge Getting Started: OpenEdge Authentication Gateway for more information.
- When -OSUser is used alone (without -domain), the STS authenticates using the OS user credentials and the blank domain. Note that you must have the blank domain set up on the STS to allow the token exchange.
  Caution: Use of the blank domain is not a recommended practice, particularly in multi-domain environments.
- You can specify both -OSUser and -U, and if the user ID given by -U is fully qualified, the domain from that user ID is used. However, the user name specified by -U must match the OS user name exactly.
- You can use -OSUser and -domain to use the OS user credentials and a specified domain to make an SSO connection. The domain specified by -domain is used instead of the default, unless -U is also used and contains a fully qualified user ID. See the Domain (-domain) parameter entry for more information.
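The resolution rules in the list above, written out as an added example (not Progress code): a Python pre-flight check that works out which user and domain a set of connection parameters would present to the STS and flags blank-domain use. The function name, the sample parameter strings, and the case-sensitive comparison used for the "must match exactly" rule are assumptions.

```python
import shlex

def resolve_sso_identity(params, os_user):
    """Return (user, domain, warnings) that the given connection parameters
    would present to the STS, or None when -OSUser is absent."""
    tokens = shlex.split(params)
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-OSUser":                 # switch, takes no value
            opts["OSUser"] = True
        elif tok in ("-domain", "-U"):       # both take one value
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                raise ValueError(f"{tok} requires a value")
            opts[tok[1:]] = tokens[i + 1]
            i += 1
        i += 1                               # other parameters are ignored
    if "OSUser" not in opts:
        return None                          # the -OSUser rules do not apply
    domain = opts.get("domain", "")          # -domain replaces the blank default
    if "U" in opts:
        name, _, u_domain = opts["U"].partition("@")
        if name != os_user:                  # assumption: exact, case-sensitive
            raise ValueError("-U user name must match the OS user name exactly")
        if u_domain:                         # fully qualified -U overrides -domain
            domain = u_domain
    warnings = []
    if not domain:
        warnings.append("blank domain: must exist on the STS; not recommended")
    return os_user, domain, warnings

# Constructed sample parameter strings (database name and user are made up).
SAMPLES = [
    "-db salesdb -OSUser",
    "-db salesdb -OSUser -domain corp",
    "-db salesdb -OSUser -domain corp -U jsmith@hr",
    "-db salesdb -OSUser -U jsmith",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", resolve_sso_identity(s, "jsmith"))
```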
The following table summarizes the combinations of parameters you can use for an SSO connection to an STS-enabled database:
| Connection parameters | Credentials used for SSO connection |
|---|---|
| -OSUser | OS user ID, blank domain |
| -OSUser -U user[@domain] | OS user ID (which must match user), domain if specified, otherwise blank domain |