562: Power of Single Sign-On in OpenEdge

Presentation on theme: "562: Power of Single Sign-On in OpenEdge"— Presentation transcript:

1 562: Power of Single Sign-On in OpenEdge
June 4th – June 7th, Manchester, NH
Srinivas Munigala – Principal QA Engineer, Progress Software
Progress

2 Agenda
Introduction to Single Sign-On
SSO in OpenEdge
SSO for ABL Applications
SSO for Web Applications
SSO for HTTP Clients
SSO Security Best Practices
Demo
Questions & Answers

3 Introduction to SSO

4 Problem: Login… Login… Login…

5 Solution: SSO

6 SSO Definition / Advantage
Definition: SSO is a property of access control across multiple related but independent software systems: one authentication grants access to all of them.
Advantage: Improved user productivity

7 SSO in OpenEdge

8 Major categories
SSO for ABL Applications (Client-Principal)
SSO for Web Applications (Pre-Auth Filter; Progress clients)
SSO support for HTTP Clients

9 SSO for ABL applications Introduction to Client-Principal

10 The ABL Client-Principal (C-P)
Available since OE 10.1A
The ABL Client-Principal (C-P):
    Represents a user login session
    Sets the user id for the ABL application and its database connection
    Two states: Un-sealed, Sealed
Authentication System Data – PRINCIPAL (example contents):
    Domain: LDAP
    State: Login
    User-ID: NewUser
    Login-token: BW3G1&2G1836D872
    Login-date: /03/06 08:15:33.12
    Login-expires: 10/03/06 19:
    Roles: Accountant
    App-data: Company=Acme
These fields fall into three groups: User Account Data, User Account Restrictions, Application Defined Data.

11 Direct Login vs Single Sign-on
Direct Login: C-P is NOT sealed; the user authenticates every time.
Single Sign-on: the user is authenticated already; the C-P is sealed; the receiver validates its integrity.

12 Example: AppServer SSO
Physical user account storage (OE-DB | LDAP | …)
Shared-secret (domain-access-code) common to the AppServers
Login AppServer (produces the sealed C-P):
    CREATE CLIENT-PRINCIPAL hCP.
    hCP:INITIALIZE(c_uname, ?, ?, c_pwd).
    hCP:SEAL(domain-access-code).
    SESSION:CURRENT-RESPONSE-INFO:SetClientPrincipal(hCP).
Inventory AppServer and Order AppServer (consume the sealed C-P):
    SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal()
    VALIDATE-SEAL(domain-access-code)

13 SSO for Web Applications Introduction to Pre-Auth filter

14 Spring Security: REST/Web application architecture
Pre-Auth Filter

15 PRE-AUTH filter
The user has already been reliably authenticated by some external system before accessing the REST application. Spring Security then:
    Identifies the user making the request.
    Obtains the authorities for the user.

16 Pre-Authentication Filter configuration
Update the “enabled” property to “true”

17 Example: Rollbase SSO
Components: Rollbase (sso), OE Realm AppServer (OE Realm server class + user account system library), REST AppServer (Tomcat, OE Webapp with the sso Pre-auth Filter, Business Entity), OpenEdge DB.
1. Authn: Rollbase processes the user login.
2. Rollbase requests the user account from the OE Realm AppServer (user account system library).
3. The OE Realm server class returns the user account details.
4. Rollbase issues a sealed C-P (SSO).
5. Pre-authenticated REST request for an OE service, carrying the header “X-OE-CLIENT-CONTEXT-ID”: “OECP <base64(C-P)>”.
6. The sso Pre-auth Filter in the REST AppServer (Tomcat) accepts the C-P and hands it to the OE Webapp; the Business Entity (backed by the OpenEdge DB) obtains it with hCP = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal().

18 SSO support for HTTP Clients

19 Use Case: Travels.com, Cars.com, Hotels.com, Airline.com

20 How does it work? (Travels.com, Airline.com, Cars.com)
Travels.com – Token Producer (a site can be Token Producer, Token Consumer, or Both; token issued IfRequired or always)
Form Login: PUG XXXXX
/static/auth/j_spring_security_check?OECP=yes
Response:
{
  "token_type": "oecp",
  "access_token": "<b64-oecp-sso-token>",
  "refresh_token": "<oecp-ref-token>",
  "expires_in": <int-seconds>
}
Airline.com and Cars.com – Token Consumers (/rest/airline, /rest/cars)
Request header: Authorization: oecp <access token>
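The exchange on this slide, written out as an added ABL example that is not part of the presentation: a client logs in to the Token Producer with OECP=yes, keeps the JSON token document, and then calls a Token Consumer with the "oecp" Authorization scheme. It uses the OpenEdge.Net.HTTP client library that ships with recent OpenEdge releases. Assumptions: the host names are placeholders, the producer's form login uses Spring Security's default field names j_username / j_password, and the function names are hypothetical.

```abl
/* Added example, not from the presentation: an ABL HTTP client acting as
   the "Token Consumer" of slide 20, using the OpenEdge.Net.HTTP library.
   ASSUMPTIONS: host names are placeholders; the Token Producer's form
   login uses Spring Security's default field names j_username/j_password;
   function names are hypothetical. */
USING OpenEdge.Core.String.
USING OpenEdge.Net.HTTP.ClientBuilder.
USING OpenEdge.Net.HTTP.IHttpClient.
USING OpenEdge.Net.HTTP.IHttpRequest.
USING OpenEdge.Net.HTTP.IHttpResponse.
USING OpenEdge.Net.HTTP.RequestBuilder.
USING Progress.Json.ObjectModel.JsonObject.
USING Progress.Lang.AppError.

DEFINE VARIABLE cProducer AS CHARACTER   NO-UNDO INITIAL "https://travels.example". /* placeholder */
DEFINE VARIABLE cConsumer AS CHARACTER   NO-UNDO INITIAL "https://airline.example". /* placeholder */
DEFINE VARIABLE oClient   AS IHttpClient NO-UNDO.
DEFINE VARIABLE oToken    AS JsonObject  NO-UNDO.
DEFINE VARIABLE dtExpires AS DATETIME-TZ NO-UNDO.
DEFINE VARIABLE iStatus   AS INTEGER     NO-UNDO.

/* Step 1 (Token Producer): form login with OECP=yes returns the JSON token
   document shown on the slide. HTTPS is used because the password travels
   in the request body (slide 24). */
FUNCTION GetOecpToken RETURNS JsonObject
    (INPUT pcUser AS CHARACTER, INPUT pcPwd AS CHARACTER):
    DEFINE VARIABLE oRequest  AS IHttpRequest  NO-UNDO.
    DEFINE VARIABLE oResponse AS IHttpResponse NO-UNDO.
    DEFINE VARIABLE oJson     AS JsonObject    NO-UNDO.

    oRequest = RequestBuilder:Post(
                   cProducer + "/static/auth/j_spring_security_check?OECP=yes",
                   NEW String("j_username=" + URL-ENCODE(pcUser, "query")
                            + "&j_password=" + URL-ENCODE(pcPwd, "query")))
               :ContentType("application/x-www-form-urlencoded")
               :AcceptJson()
               :Request.
    oResponse = oClient:Execute(oRequest).
    IF oResponse:StatusCode <> 200 THEN
        UNDO, THROW NEW AppError("Login failed: HTTP " + STRING(oResponse:StatusCode), 0).

    oJson = CAST(oResponse:Entity, JsonObject).
    /* Accept only the token type the OE consumers understand. */
    IF oJson:GetCharacter("token_type") <> "oecp" THEN
        UNDO, THROW NEW AppError("Unexpected token_type " + oJson:GetCharacter("token_type"), 0).
    RETURN oJson.
END FUNCTION.

/* Step 2 (Token Consumer): present the access token with the "oecp"
   Authorization scheme; the consumer's pre-auth filter turns it into the
   Client-Principal seen by the ABL business entity. */
FUNCTION CallConsumer RETURNS INTEGER
    (INPUT pcPath AS CHARACTER, INPUT pcAccessToken AS CHARACTER):
    DEFINE VARIABLE oResponse AS IHttpResponse NO-UNDO.

    oResponse = oClient:Execute(
                    RequestBuilder:Get(cConsumer + pcPath)
                        :AddHeader("Authorization", "oecp " + pcAccessToken)
                        :AcceptJson()
                        :Request).
    RETURN oResponse:StatusCode.
END FUNCTION.

/* Demo with constructed credentials (the slide's "PUG XXXXX"). */
oClient   = ClientBuilder:Build():Client.
oToken    = GetOecpToken("pug", "XXXXX").
/* Track expiry locally from expires_in so the client refreshes before
   the consumer starts rejecting the token. */
dtExpires = ADD-INTERVAL(NOW, oToken:GetInteger("expires_in"), "seconds").

IF NOW >= dtExpires THEN
    MESSAGE "Token already expired: use refresh_token (or log in again)"
        VIEW-AS ALERT-BOX.
ELSE DO:
    iStatus = CallConsumer("/rest/airline", oToken:GetCharacter("access_token")).
    /* 401 means the consumer rejected the token (expired or unknown):
       refresh rather than retrying with the same token. */
    MESSAGE "/rest/airline ->" iStatus
            (IF iStatus = 401 THEN "(refresh needed)" ELSE "")
        VIEW-AS ALERT-BOX.
END.
```

The refresh call itself is not shown because the slides name the refresh_token but not the endpoint that consumes it; the point of the expiry bookkeeping is that the client, not the consumer, decides when a token is too old to present.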

21 OE Key Points
Extended to Mobile / Browser clients for OE ABL web applications
Standard, simple & secure way to generate a Client-Principal by the Web Server
Generate tokens based on configuration
HTTP / HTTPS access control
Ability to refresh security tokens when expired
Authorize users based on Client-Type

23 Security Best Practices

24 Security Best Practices
Verify that each incoming Client-Principal is valid (sealed) and carries the proper roles
The Domain Access Key value should be in the form “oech1::<hex-string>”
Use Activate / Deactivate procedures in your AppServer
Use SSL/TLS for non-local network connections
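The AppServer SSO flow of slide 12 together with the consumer-side checks this slide calls for, as an added ABL example that is not code from the presentation. One .p plays both roles: LoginAndSeal stands for the AppServer that authenticates the user and seals the C-P, ValidateIncomingCP for a downstream (Inventory/Order) AppServer that shares the same domain access code. Assumptions: the procedure and function names are hypothetical, the domain access code constant is a placeholder to be replaced with the real "oech1::<hex-string>" value from your domain configuration, authentication against the user account store (OE-DB, LDAP, ...) happens before LoginAndSeal and is not shown, and the domain is registered in the session before SECURITY-POLICY:SET-CLIENT is called.

```abl
/* Added example, not from the presentation: both sides of slide 12 plus
   the checks of slide 24. Names are hypothetical. */

/* ASSUMPTION: replace with the real domain access code from your OpenEdge
   domain configuration; slide 24 says it has the form "oech1::<hex-string>". */
DEFINE VARIABLE cDomainAccessCode AS CHARACTER NO-UNDO
    INITIAL "oech1::<hex-string-from-domain-config>".
DEFINE VARIABLE hSealed   AS HANDLE NO-UNDO.
DEFINE VARIABLE hUnsealed AS HANDLE NO-UNDO.

/* Token consumer side (Inventory/Order AppServer): trust nothing in the
   incoming C-P until seal, state, expiry and roles have all been checked. */
FUNCTION ValidateIncomingCP RETURNS LOGICAL
    (INPUT phCP AS HANDLE, INPUT pcRequiredRole AS CHARACTER):

    IF NOT VALID-HANDLE(phCP) THEN RETURN FALSE.

    /* Integrity: FALSE if the C-P is un-sealed, was altered, or was
       sealed with a different shared secret. */
    IF NOT phCP:VALIDATE-SEAL(cDomainAccessCode) THEN RETURN FALSE.

    /* State: only a live login may be used. */
    IF LOOKUP(phCP:LOGIN-STATE, "LOGIN,SSO") = 0 THEN RETURN FALSE.

    /* Expiry: defensive check on the timestamp carried inside the C-P. */
    IF phCP:LOGIN-EXPIRATION-TIMESTAMP <> ? AND
       phCP:LOGIN-EXPIRATION-TIMESTAMP < NOW THEN RETURN FALSE.

    /* Authorization: the required role must be in the sealed role list. */
    IF LOOKUP(pcRequiredRole, phCP:ROLES) = 0 THEN RETURN FALSE.

    RETURN TRUE.
END FUNCTION.

/* Token producer side (Login AppServer). Authenticating pcUserId/pcPwd
   against the physical user account store happens before this and is
   not shown. */
PROCEDURE LoginAndSeal:
    DEFINE INPUT  PARAMETER pcUserId AS CHARACTER NO-UNDO. /* "user@domain" */
    DEFINE INPUT  PARAMETER pcPwd    AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER pcRoles  AS CHARACTER NO-UNDO. /* comma list */
    DEFINE OUTPUT PARAMETER phCP     AS HANDLE    NO-UNDO.

    CREATE CLIENT-PRINCIPAL phCP.
    /* session-id ? lets the AVM generate one; expiry is set explicitly. */
    phCP:INITIALIZE(pcUserId, ?, ADD-INTERVAL(NOW, 8, "hours"), pcPwd).
    phCP:ROLES = pcRoles.
    phCP:SET-PROPERTY("Company", "Acme").   /* App-data, as on slide 10 */

    /* SEAL binds every field to the shared secret; from here on the C-P
       is tamper-evident and can be handed to other AppServers. */
    IF NOT phCP:SEAL(cDomainAccessCode) THEN
        UNDO, THROW NEW Progress.Lang.AppError("Seal failed for " + pcUserId, 0).

    /* On an AppServer, return the sealed C-P to the caller. */
    IF VALID-OBJECT(SESSION:CURRENT-RESPONSE-INFO) THEN
        SESSION:CURRENT-RESPONSE-INFO:SetClientPrincipal(phCP).
END PROCEDURE.

/* Demo: one session stands in for both AppServers. */
RUN LoginAndSeal("newuser@LDAP", "s3cret", "Accountant", OUTPUT hSealed).

/* Slide 11 contrast: a direct-login C-P that was never sealed. */
CREATE CLIENT-PRINCIPAL hUnsealed.
hUnsealed:INITIALIZE("newuser@LDAP", ?, ?, "s3cret").
hUnsealed:ROLES = "Accountant".

MESSAGE "Sealed C-P, role Accountant:" ValidateIncomingCP(hSealed, "Accountant") SKIP
        "Sealed C-P, role Admin:     " ValidateIncomingCP(hSealed, "Admin") SKIP
        "Un-sealed C-P:              " ValidateIncomingCP(hUnsealed, "Accountant")
    VIEW-AS ALERT-BOX.

/* Only after validation is the identity adopted for the session and its
   DB connections (ASSUMPTION: the LDAP domain is registered here). */
IF ValidateIncomingCP(hSealed, "Accountant") THEN DO:
    SECURITY-POLICY:REGISTER-DOMAIN("LDAP", cDomainAccessCode, "ldap", "demo").
    SECURITY-POLICY:SET-CLIENT(hSealed).
END.

DELETE OBJECT hSealed.
DELETE OBJECT hUnsealed.
```

VALIDATE-SEAL alone only proves the C-P was sealed with the shared secret; the state, expiry and role checks are what stop a stale or under-privileged login from being accepted, which is the "proper roles" point of this slide.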

25 Summary
Secure user authentication is necessary in today’s world
Distributed authentication presents many challenges
Single Sign-On avoids password fatigue
OpenEdge has a solution

