Question Enhance existing Windows ABL application to use single sign-on/LDAP

Cecil

19+ years progress programming and still learning.
The requirement is to update a Legacy Windows ABL application to have single sign-on. The use is able to logon the application without being prompted for a password.

I would like to know how would you implement it?

oe 11.7 +
 
Last edited:

RealHeavyDude

Well-Known Member
There are a lot of different answers - and most likely none might fit your requirements ...

Additionally to 2FA we are also required to perform location aware access control. For example when user crosses borders he might still need access to one of our applications but due to regulation certain data must not be visible across the border.

Nevertheless - we use 2FA with smartcard (SSL client certificates residing on those smartcards to be precise). When the users log onto a Windows system, they need to do so by putting their smartcard into the smartcard reader and enter the PIN. During a successfuly logon the SSL client certificate residing on the smart card gets copied into the Windows certificate store. Next any application can fetch it from the Windows certificate store and present it to any protected backend resource during the SSL handshake.

Our WebServers are utilizing a plug-in based on CA's site minder which authenticates the SSL client certificate and enriches the HTTP headers (alternatively creating an ASN.1 token) with the user's identity and the location information. These HTTP headers are then picked up by our authentication service running on WebSpeed which returns a serialized client principal object to the client application to be used to authenticate against the database.

Of course, this is a very specific implementation which have in place now for several years. But it might give you an idea which questions to ask.
 

RealHeavyDude

Well-Known Member
Forgot to add: I use .NET objects for the certificate fetching and the HTTP request from the ABL GUI client ...

The ABL, unfortunately, does not and maybe never will support SSL client certificates on socket connections. That's the why for the .NET objects.
 

Cecil

19+ years progress programming and still learning.
I have come to the conclusion that OpenEdge ABL is unable to consume any single sign on service.
 

TomBascom

Curmudgeon
I’m no expert on the details but I do know of at least one site successfully using OEAG to implement single sign on.
 

Cecil

19+ years progress programming and still learning.
So OE Authentication Gateway is an additional product that has to be installed?

Is it not possible to authenticate directly from the ABL client to a 3rd party LDAP/Active Directory?
 

TomBascom

Curmudgeon
As I understand it the OE auth gateway is just 4gl code. So, yes, you should be able to do it yourself.
 

RealHeavyDude

Well-Known Member
IMHO - if my understanding is correct then the concept of OEAG sucks in a big, big way: You have at least 2 separate connections - meaning the second connection is a separate SSL session ( if you use TLS to secure you connections which you should anyway ). This allows for attacks stealing whatever you get back from the OEAG to be used to authenticate against whatever type of Progress backend service.
 
Top