Did this article resolve your question/issue?



How to configure SAML authentication with PASOE?


TitleHow to configure SAML authentication with PASOE?
URL NameHow-to-configure-SAML-authentication-with-PASOE
Article Number000129120
EnvironmentProduct: OpenEdge
Version: 11.7.4
Other: PAS
Question/Problem Description
How to configure SAML authentication with PASOE?
Steps to Reproduce
Clarifying Information
Error Message
Defect/Enhancement Number
PAS SAML implementation needs an intermediate client application that acts as a mediator between an IdP and a PAS server. This article uses a node.js application as mediator.

Authentication flux:

Requests made to a PAS server reach the node.js application first. Then the request will be redirected to an IdP login page (SAML request) by the node.js application.
Authentication is successful when the user provides valid credentials and SAML response is sent to the node.js application.
The response contains a SAML assertion which is extracted and sent to the PAS server in the request header by the node.js application.
On receiving the SAML assertion from the node.js client, the PAS server validates the assertion (optional) and sends the response back. In this scenario, the PAS server also generates a ClientPrincipal object with the user information.

Identity Provider Configuration:

This article uses Okta as the Identity Provider (IdP). An account has been created and the following information set:
Single Sign-On URL, Recipient URL and Destination URL:

Audience Restriction:

Then under “Assignments” in Okta,  assign the current user to this application which makes the application accessible to the user.
Download the Identity Provider Metadata (idp.xml) and X.509 Certificate from Okta (okta.cert).
Place the certificate in the node.js application folder and the Identity Provider Metadata (idp.xml) in PAS instance’s metadata folder

Service Provider Configuration:

sp.xml file created using the website:
EntityID, Attribute Consume Service Endpoint (HTTP-POST) and Single Logout Service Endpoint (HTTP-REDIRECT):  http://localhost:8080/spring-security-saml2-sample/saml/metadata

PS: remove the XML tag from the metadata file (i.e.  " <?xml version="1.0"?>"). The validation fails if this tag exists once it is not returned in Okta's SAML assertion response.

Node.js Application

Prior to executing the Node.js program, install the libraries below:
  • saml2-js
  • fs
  • express
  • body-parser
  • json-beautify
  • sync-request
(i.e. command:  npm  install saml2-js)

This application does the following:
  • When a particular URL is hit (http://localhost:8080/pasoe/GetCustName/<any_number>), it redirects to IdP (Okta) login page
  • After entering a username and a password, Okta sends the SAML response (which contains SAML assertion) to the ACS endpoint (Single Sign-On URL) URL configured in Okta.
  • The node.js application extracts the assertion using on the ACS endpoint URL and forwards it to PAS with the actual PAS resource URL.
  • The PAS server validates the assertion and sends the response back to the node.js application.
  • The node.js application then redirects to another URL with the intended response from PAS.

PAS configuration
  1. Change client.login.model to saml
  2. Place service provider (sp.xml)  and IdP (idp.xml) metadata files in the instance’s metadata folder (WEB-INF/metadata).
Deploy a REST application.
For test purposes, dump ClientPrincipal details and configure sessionActivateProc as activate.p. (This procedure dumps ClientPrincipal attribute details to cp_details.out file under the instance’s work directory.)

SAML assertion length can be large to accommodate that length in the request header. Configure maxHttpHeaderSize in conf/server.xml file accordingly. For now, modified it as 65536. 

To test a simple roundtrip:

  1. Start node.js in the node.js prompt  (I.e node NodeJS_ServiceProvider_Custname.js)
  2. Start PAS instance
  3. Open a browser and hit the following URL:  http://localhost:8080/pasoe/GetCustName/1
  4. It will prompt for credentials. Enter credentials and see the response from the PASOE server as customer name with customer number as 1 (Lift Tours)
Attached files used to test the roundtrip and how to retrieve idp.xml (Okta) and create sp.xml.

References to Other Documentation:

“Authentication Using SAML.” Progress Community, June 2018, Authentication using SAML. <>
"Overview of SAML in PAS for OpenEdge",

Last Modified Date9/21/2020 9:58 PM
Files 1.
Disclaimer The origins of the information on this site may be internal or external to Progress Software Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to verify this information. However, the information provided is for your information only. Progress Software Corporation makes no explicit or implied claims to the validity of this information.

Any sample code provided on this site is not supported under any Progress support program or service. The sample code is provided on an "AS IS" basis. Progress makes no warranties, express or implied, and disclaims all implied warranties including, without limitation, the implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample code is borne by the user. In no event shall Progress, its employees, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample code, even if Progress has been advised of the possibility of such damages.