Did this article resolve your question/issue?


Your feedback is appreciated.

Please tell us how we can make this article more useful. Please provide us a way to contact you, should we need clarification on the feedback provided or if you need further assistance.

Characters Remaining: 1025



How to configure SAML authentication with PASOE?

« Go Back


Article Number000093581
EnvironmentProduct: OpenEdge
Version: 11.7.4
Other: PAS
Question/Problem Description
How to configure SAML authentication with PASOE?
Steps to Reproduce
Clarifying Information
Error Message
Defect/Enhancement Number
PAS SAML implementation needs an intermediate client application that acts as a mediator between an IdP and a PAS server. This article uses a node.js application as mediator.

Authentication flux:

Requests made to a PAS server reach the node.js application first. Then the request will be redirected to an IdP login page (SAML request) by the node.js application.
Authentication is successful when the user provides valid credentials and SAML response is sent to the node.js application.
The response contains a SAML assertion which is extracted and sent to the PAS server in the request header by the node.js application.
On receiving the SAML assertion from the node.js client, the PAS server validates the assertion (optional) and sends the response back. In this scenario, the PAS server also generates a ClientPrincipal object with the user information.

Identity Provider Configuration:

This article uses Okta as the Identity Provider (IdP). An account has been created and the following information set:
Single Sign-On URL, Recipient URL and Destination URL:

Audience Restriction:

Then under “Assignments” in Okta,  assign the current user to this application which makes the application accessible to the user.
Download the Identity Provider Metadata (idp.xml) and X.509 Certificate from Okta (okta.cert).
Place the certificate in the node.js application folder and the Identity Provider Metadata (idp.xml) in PAS instance’s metadata folder

Service Provider Configuration:

sp.xml file created using the website:
EntityID, Attribute Consume Service Endpoint (HTTP-POST) and Single Logout Service Endpoint (HTTP-REDIRECT):  http://localhost:8080/spring-security-saml2-sample/saml/metadata

PS: remove the XML tag from the metadata file (i.e.  " <?xml version="1.0"?>"). The validation fails if this tag exists once it is not returned in Okta's SAML assertion response.

Node.js Application

Prior to executing the Node.js program, install the libraries below:
  • saml2-js
  • fs
  • express
  • body-parser
  • json-beautify
  • sync-request
(i.e. command:  npm  install saml2-js)

This application does the following:
  • When a particular URL is hit (http://localhost:8080/pasoe/GetCustName/<any_number>), it redirects to IdP (Okta) login page
  • After entering a username and a password, Okta sends the SAML response (which contains SAML assertion) to the ACS endpoint (Single Sign-On URL) URL configured in Okta.
  • The node.js application extracts the assertion using on the ACS endpoint URL and forwards it to PAS with the actual PAS resource URL.
  • The PAS server validates the assertion and sends the response back to the node.js application.
  • The node.js application then redirects to another URL with the intended response from PAS.

PAS configuration
  1. Change client.login.model to saml
  2. Place service provider (sp.xml)  and IdP (idp.xml) metadata files in the instance’s metadata folder (WEB-INF/metadata).
Deploy a REST application.
For test purposes, dump ClientPrincipal details and configure sessionActivateProc as activate.p. (This procedure dumps ClientPrincipal attribute details to cp_details.out file under the instance’s work directory.)

SAML assertion length can be large to accommodate that length in the request header. Configure maxHttpHeaderSize in conf/server.xml file accordingly. For now, modified it as 65536. 

To test a simple roundtrip:

  1. Start node.js in the node.js prompt  (I.e node NodeJS_ServiceProvider_Custname.js)
  2. Start PAS instance
  3. Open a browser and hit the following URL:  http://localhost:8080/pasoe/GetCustName/1
  4. It will prompt for credentials. Enter credentials and see the response from the PASOE server as customer name with customer number as 1 (Lift Tours)
Attached files used to test the roundtrip and how to retrieve idp.xml (Okta) and create sp.xml.

References to Other Documentation:

“Authentication Using SAML.” Progress Community, June 2018, Authentication using SAML. <>
"Overview of SAML in PAS for OpenEdge",

Last Modified Date9/11/2019 2:52 PM