Release 10.1A: OpenEdge Getting Started:
Core Business Services
Authentication in OpenEdge
OpenEdge supports two different methods of user authentication:
Using the _User table to establish a database user ID
Authentication to the _User table requires one of the following:
- A user name and password that match those in an existing user account.
- The 4GL language CONNECT statement.
- The use of the SETUSERID function to authenticate a specified user ID and password to the user IDs and passwords stored in the OpenEdge database. If the user ID is authenticated, this function also asserts the user ID as the current database user ID.
Using an external authentication system
You can set up an external authentication system by implementing your own authentication system in the 4GL language and then configuring OpenEdge to recognize that system. The authentication system implemented by the 4GL application can use any source of user accounts, which it can access through an API to an external security system or internally through its own database tables.
The primary components involved in setting up your own 4GL-based authentication system are:
- The 4GL procedure or procedures that perform the user account validation.
- A user login-session object that represents a successfully authenticated user-account and can contain additional account and application data.
- A configuration that controls how OpenEdge will validate login-session objects that have been generated by the 4GL authentication procedures and set their user IDs as the current Progress session’s default user ID.
- A configuration that controls how OpenEdge will validate login-session objects that have been generated by the 4GL authentication procedures and set their user IDs as the OpenEdge database’s current user ID.
You create and manage user login-session objects through the 4GL client-principal object. You pass, or assert, that login-session object to OpenEdge through SECURITY-POLICY methods or 4GL functions. OpenEdge Progress sessions and database connections use the configuration information contained in a domain registry to validate the login-session for origin and integrity before using the login-session’s user ID. The domain registry configuration essentially establishes a trust relationship between the 4GL procedures that implement an authentication system and OpenEdge, which is responsible for assuring user identity before using it to access application operations and data.
The source of the Progress session’s domain registry information can be the 4GL application or an OpenEdge database. The source for an OpenEdge database’s domain registry can be its database tables or a copy of the Progress session’s domain registry.
Any 4GL application can implement, configure, and use any number of user authentication systems and domains, which end users can configure and use at their discretion. For more information, see the "Trusted authentication systems and domains" section and the "Trusted domain registry" section.
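The trust relationship described above, as an added conceptual model in Python; it is not OpenEdge or 4GL code and is not from the original page. All class and function names are hypothetical, and the HMAC-SHA256 seal keyed by a per-domain secret is an assumption standing in for whatever mechanism OpenEdge uses, which this page does not describe.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class LoginSession:
    """Hypothetical stand-in for a user login-session object."""
    user_id: str
    domain: str
    session_id: str
    seal: bytes = b""

def _mac(key: bytes, s: LoginSession) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode()
                   for f in (s.user_id, s.domain, s.session_id))
    return hmac.new(key, msg, hashlib.sha256).digest()

class DomainRegistry:
    """Platform side: maps each trusted domain to the secret shared with it."""
    def __init__(self):
        self._keys = {}

    def register(self, domain: str, key: bytes) -> None:
        self._keys[domain] = key

    def validate(self, s: LoginSession) -> bool:
        key = self._keys.get(s.domain)
        if key is None or not s.seal:
            return False  # origin check: unknown domain or never sealed
        # Integrity check: any change to user_id, domain or session_id fails.
        return hmac.compare_digest(s.seal, _mac(key, s))

def authenticate(user, password, verify, domain, key):
    """Authentication procedure: consult any account source, then seal."""
    if not verify(user, password):  # verify() is the external account check
        return None
    s = LoginSession(user, domain, secrets.token_hex(16))
    s.seal = _mac(key, s)
    return s

def assert_user(registry, s):
    """Return the user ID to adopt, or None when validation fails."""
    return s.user_id if s is not None and registry.validate(s) else None
```

A login-session is adopted only when its domain is registered and its seal verifies, so a session edited after sealing, or one sealed by code that does not hold the domain's secret, yields no user ID.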
Copyright © 2005 Progress Software Corporation www.progress.com Voice: (781) 280-4000 Fax: (781) 280-4095