OpenEdge support for user authentication and SSO
OpenEdge provides built-in user authentication support using the _oeusertable and _oslocal authentication systems anywhere OpenEdge accepts user credentials for authentication. This means that wherever an OpenEdge-supported user authentication operation is initiated:
1. OpenEdge identifies the authentication system from the asserted domain.
2. OpenEdge delegates the user authentication operation to the appropriate security system.
3. Based on the result returned, OpenEdge certifies or invalidates the security token to authorize access to the asserted domain, sealing the security token in the process.
This built-in user authentication occurs when connecting to a database or when setting the user identity for an ABL session or an existing database connection within an ABL application.
OpenEdge provides built-in SSO support within ABL applications, where a sealed security token can be used to set the user's identity for different ABL sessions and database connections. In general, if a domain is configured for built-in user authentication, it is also configured for built-in SSO. OpenEdge also provides limited user authentication support for database command-line utilities in order to access databases in certain offline states (see Pre-configured and reserved OpenEdge domains).
For the built-in _extsso and any user-defined authentication system that you enable for OpenEdge SSO only, an ABL application must implement its own user authentication operation to validate user credentials and seal a security token. The application can then use the sealed security token in an OpenEdge SSO operation to validate and establish the user identity for an ABL session or database connection.
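The following ABL program is an added example, not code from the OpenEdge documentation. It shows the two halves described above for an SSO-only domain: the application validates the credentials itself and seals a CLIENT-PRINCIPAL, then uses the sealed token in OpenEdge SSO operations (SECURITY-POLICY:SET-CLIENT and SET-DB-CLIENT) to establish the identity for the ABL session and a database connection. Everything outside the built-in CLIENT-PRINCIPAL and SECURITY-POLICY API is an assumption: a domain named "acme" registered with the _extsso authentication system both in the session's domain registry and in a connected "sports" database, a GetDomainAccessCode helper that reads the secret domain access code from protected configuration, and a constructed account store held in a temp-table.

```abl
/* Added example (not from the OpenEdge documentation).
   Assumptions: domain "acme" is registered with _extsso in the session
   registry (REGISTER-DOMAIN / LOAD-DOMAINS) and in the "sports" database;
   GetDomainAccessCode is a hypothetical helper; ttAccount is a constructed
   account store standing in for the application's trusted user accounts. */

DEFINE TEMP-TABLE ttAccount NO-UNDO
    FIELD UserId       AS CHARACTER
    FIELD Salt         AS CHARACTER
    FIELD PasswordHash AS CHARACTER
    INDEX ixUser IS PRIMARY UNIQUE UserId.

/* Salted SHA-256 of the password, hex-encoded for storage */
FUNCTION HashPassword RETURNS CHARACTER (pcPassword AS CHARACTER, pcSalt AS CHARACTER):
    RETURN HEX-ENCODE(MESSAGE-DIGEST("SHA-256", pcPassword, pcSalt)).
END FUNCTION.

/* Hypothetical helper: the domain access code is a secret that must equal the
   code the domain was registered with. Read it from protected configuration;
   never hard-code it in source. */
FUNCTION GetDomainAccessCode RETURNS CHARACTER (pcDomain AS CHARACTER):
    RETURN OS-GETENV("ACME_DOMAIN_ACCESS_CODE").
END FUNCTION.

/* Application-implemented user authentication: TRUE only when the credentials
   match the trusted account store. */
FUNCTION ValidateUser RETURNS LOGICAL (pcUser AS CHARACTER, pcPassword AS CHARACTER):
    FIND FIRST ttAccount WHERE ttAccount.UserId = pcUser NO-ERROR.
    IF NOT AVAILABLE ttAccount THEN RETURN FALSE.
    RETURN ttAccount.PasswordHash = HashPassword(pcPassword, ttAccount.Salt).
END FUNCTION.

/* Validate the credentials and, on success, seal a token for pcDomain.
   Returns the sealed CLIENT-PRINCIPAL handle, or ? when authentication fails. */
FUNCTION LoginUser RETURNS HANDLE
    (pcUser AS CHARACTER, pcPassword AS CHARACTER, pcDomain AS CHARACTER):
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    CREATE CLIENT-PRINCIPAL hCP.
    /* Unsealed token: qualified user id, unique session id, 8-hour lifetime */
    hCP:INITIALIZE(pcUser + "@" + pcDomain, GUID(GENERATE-UUID),
                   ADD-INTERVAL(NOW, 8, "hours")).

    IF ValidateUser(pcUser, pcPassword) THEN DO:
        /* Certify the token: a successful SEAL sets LOGIN-STATE to "LOGIN" */
        IF hCP:SEAL(GetDomainAccessCode(pcDomain)) THEN RETURN hCP.
    END.

    /* Invalidate the token: LOGIN-STATE becomes "FAILED" and it cannot be
       used in any SSO operation */
    hCP:AUTHENTICATION-FAILED("invalid credentials").
    DELETE OBJECT hCP.
    RETURN ?.
END FUNCTION.

/* ---- constructed sample account (hash computed at startup) ---- */
CREATE ttAccount.
ASSIGN ttAccount.UserId       = "jdoe"
       ttAccount.Salt         = GUID(GENERATE-UUID)
       ttAccount.PasswordHash = HashPassword("correct-horse", ttAccount.Salt).

DEFINE VARIABLE hToken AS HANDLE NO-UNDO.

hToken = LoginUser("jdoe", "correct-horse", "acme").
IF NOT VALID-HANDLE(hToken) THEN DO:
    MESSAGE "Authentication failed" VIEW-AS ALERT-BOX.
    RETURN.
END.

/* ---- OpenEdge SSO operations with the sealed token ---- */
/* Re-verify the seal before trusting a token that may have been transported
   (for example via EXPORT-PRINCIPAL / IMPORT-PRINCIPAL between sessions) */
IF hToken:VALIDATE-SEAL(GetDomainAccessCode("acme")) THEN DO:
    /* Set the ABL session identity; the domain must be in the session registry */
    IF NOT SECURITY-POLICY:SET-CLIENT(hToken) THEN
        MESSAGE "SET-CLIENT failed" VIEW-AS ALERT-BOX.

    /* Set the identity of an existing "sports" connection; the domain and the
       same access code must also be defined in that database */
    IF CONNECTED("sports") AND NOT SET-DB-CLIENT(hToken, "sports") THEN
        MESSAGE "SET-DB-CLIENT failed" VIEW-AS ALERT-BOX.
END.

MESSAGE "User" hToken:USER-ID "in domain" hToken:DOMAIN-NAME
        "login state" hToken:LOGIN-STATE VIEW-AS ALERT-BOX.
```

The sealing step is the trust boundary: only a caller holding the domain access code can produce a token that SET-CLIENT or SET-DB-CLIENT will accept, so the access code should be treated with the same care as a signing key, and VALIDATE-SEAL should be repeated wherever a token crosses a process or network boundary rather than trusting LOGIN-STATE alone.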
For a user-defined authentication system that you enable for OpenEdge-performed user authentication, you configure an ABL authentication callback that validates the user credentials provided by an unsealed security token, which is input as part of an OpenEdge user authentication operation. Similar to an application-implemented user authentication, the authentication callback can perform the validation using any source of trusted user accounts, possibly including an external user account system such as LDAP, OpenID, or GoogleID. The callback then returns the result to OpenEdge, which certifies or invalidates the security token accordingly to authorize access to the asserted domain, sealing the security token in the process.
You can therefore effectively implement your own authentication system in ABL, which OpenEdge can use to authenticate user credentials, much as it uses the built-in _oeusertable and _oslocal authentication systems. The main difference is that a user-defined authentication system only works within an ABL session that is initialized and running, and so cannot accept user credentials to connect to a database from the command line. However, it does work with user credentials specified in a CONNECT statement, among other OpenEdge user authentication operations in ABL.
ABL provides language elements to manage built-in OpenEdge user authentication and SSO operations, as well as to implement user authentication within the ABL application or within a user-defined authentication system enabled for user authentication using an ABL callback. For more information, see Authentication in ABL applications.