User accounts for OpenEdge-performed authentication
For supported user account systems, OpenEdge performs user authentication using two built-in authentication systems. These built-in authentication systems provide OpenEdge access to either an internal user account system built into the OpenEdge RDBMS or the local operating system (OS) user account system where OpenEdge is installed. Using one of these built-in authentication systems, ABL clients, SQL clients, and the command-line database utilities can all authenticate users defined in either the OpenEdge RDBMS user accounts or the local OS user accounts.
OpenEdge also allows you to configure user-defined authentication systems, for use by ABL clients only, through which OpenEdge performs the user authentication. These user-defined authentication systems are configured with ABL authentication callbacks that either implement their own user account systems or manage access to external user account systems, such as LDAP or OpenID. When an OpenEdge authentication operation uses one of these user-defined authentication systems, OpenEdge invokes the associated ABL callback to perform the user authentication. Thus, OpenEdge can authenticate user identities against external user accounts in the same way that it uses built-in authentication systems to authenticate against the database internal and OS user accounts.
In addition, OpenEdge allows you to configure these built-in authentication systems with ABL authentication callbacks that extend the built-in user authentication operations executed against the built-in user account systems. This allows you to add criteria, such as times of day or other login limits, to further validate an otherwise successful user authentication. You can also configure both built-in and user-defined authentication systems with ABL callbacks that perform customized processing after any OpenEdge user-authentication or SSO operation establishes a user identity in an ABL session or database connection.
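
A time-of-day login limit of the kind described above, as an added example (not code from the OpenEdge documentation). The file name timewindow_cb.p, the 07:00-19:00 window, the InWindow helper and the "AUTHCB" log tag are constructed for illustration; the AuthenticateUser parameter list and the Progress.Security.PAMStatus member names are assumptions to confirm against the callback interface of your OpenEdge release.

```abl
/* timewindow_cb.p - hypothetical callback file name (added example).
   Intended for a domain whose built-in authentication system has this
   procedure configured as its ABL authentication callback. */

/* Constructed policy: logins allowed 07:00-19:00, server local time. */
DEFINE VARIABLE iOpenSecs  AS INTEGER NO-UNDO INITIAL 25200. /* 07:00 */
DEFINE VARIABLE iCloseSecs AS INTEGER NO-UNDO INITIAL 68400. /* 19:00 */

/* Hypothetical helper: TRUE when iNow (seconds since midnight) is inside
   the window. Handles windows that wrap past midnight (open > close). */
FUNCTION InWindow RETURNS LOGICAL
    (INPUT iNow AS INTEGER, INPUT iOpen AS INTEGER, INPUT iClose AS INTEGER):
    IF iOpen <= iClose THEN
        RETURN iNow >= iOpen AND iNow < iClose.
    RETURN iNow >= iOpen OR iNow < iClose.
END FUNCTION.

/* Assumed callback entry point: hCP is the client-principal being
   authenticated; the status defaults to the Unknown value (?). */
PROCEDURE AuthenticateUser:
    DEFINE INPUT  PARAMETER hCP         AS HANDLE    NO-UNDO.
    DEFINE INPUT  PARAMETER cSysOptions AS CHARACTER EXTENT NO-UNDO.
    DEFINE OUTPUT PARAMETER iPAMStatus  AS INTEGER   INITIAL ? NO-UNDO.
    DEFINE OUTPUT PARAMETER cErrorMsg   AS CHARACTER NO-UNDO.

    IF InWindow(TIME, iOpenSecs, iCloseSecs) THEN
        iPAMStatus = Progress.Security.PAMStatus:Success.
    ELSE DO:
        /* Deny the login and record the attempt in the client log. */
        ASSIGN
            iPAMStatus = Progress.Security.PAMStatus:LoginTimeDenied
            cErrorMsg  = "Login outside permitted hours".
        LOG-MANAGER:WRITE-MESSAGE(
            SUBSTITUTE("Login denied (time window) for &1 at &2",
                       hCP:QUALIFIED-USER-ID, STRING(TIME, "HH:MM:SS")),
            "AUTHCB").
    END.
END PROCEDURE.
```

The window is evaluated against the clock of the machine running the callback, so that clock and its time zone are part of the access policy and should be monitored accordingly.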