Confirming User Identity

asimhg

New Member
We have an application written in Progress 4GL that we want to launch without asking the user for credentials.

Here is the scenario :

User logs into their Windows machine and clicks on our application icon.

Now the application need to verify if the user is a genuine user, and if yes, then show the app UI.

How can this be accomplished? Has anyone implemented a similar solution?

Any ideas or suggestion would be appreciated.


Thanks.
 

RealHeavyDude

Well-Known Member
You don't say anything about your Progress/OpenEdge version and the OS this should run on.

There are many, many, many ways to achieve something like this. Which way depends on your requirements.

If you don't do the authentication in your application then it must be ensured that the user is authenticated in another system - which may or may not be the OS itself on which the client is running. Do you need to deal with weak or strong user authentication (weak: the user is authenticated only by something he knows; strong: the user is authenticated by something he has and something he knows)? Strong authentication, for example, could be an SSL client certificate.

You need to be more specific on your requirements in order to give advice.

Depending on which version of Progress/OpenEdge the thing is running on you are tied to the _User table or you are able to use the client principal object to authenticate the user against the database.

Regards, RealHeavyDude.
 

asimhg

New Member
The user is already authenticated when he/she logs on to their Windows machine against Active Directory, but the requirement is that we should verify if it is a genuine user before launching our Progress 4GL app (OpenEdge 10.1C).

If ActiveDirectory issues some kind of a unique token to every logged in user, then we would like to pass that token to Progress and let Progress contact ActiveDirectory to verify the authenticity of that token before that user is granted permission to launch the app.

Or if there is a way Progress could contact ActiveDirectory to confirm if the currently logged in user is a genuine user, that would work too.

I hope I have provided detailed information this time.


Thanks,
 

TomBascom

Curmudgeon
You are contradicting yourself -- if the user has already been authenticated by AD how can they be anything other than a genuine user when they launch Progress?

Or is the problem just that you have defined users in the Progress _User table and you are, therefore, being prompted for redundant credentials at login? If this is the case then you could use the -U (and optionally the -P) startup parameter to pass a userid to Progress.

Or you could write your own logic in the -p startup procedure to call the SETUSERID() function.

Or, maybe, there is a particular DLL or other API that you would like to call and you need some help figuring it out?
 

Casper

ProgressTalk.com Moderator
Staff member
It seems like you have the requirement that not all users who are logged into Windows are authorized to use the application? Or are there more requirements?
Maybe having a look at this article gives you some insight into ways you can incorporate authentication and authorization in your application: http://communities.progress.com/pcom/docs/DOC-45878

Casper
 

RealHeavyDude

Well-Known Member
What's not clear to me: is every user that has been authenticated by Windows AD authorized to use the application?


There are two possibilities to authenticate a user against the database:
  1. Using the built-in _User table in the database in conjunction with the SETUSERID () function of the ABL. This way the database accepts the user as a "trusted" user.
  2. New from 10.1A on (I think, but it's definitely available in 10.1C) using the client principal object the database will accept the application itself as "trusted" and you don't need to have the user names/passwords stored in the _User table in the database. The application itself authenticates itself against the database using the shared key to seal the principal object.
If the authentication of the user's identity is done outside of the ABL (for example with the login into the Windows AD) then all the application needs to know is the user credentials (user name) and whether they are valid. AFAIK, you can not use the Windows AD API directly from the ABL unless there are COM objects available which you can wrap in the ABL. But it could be as simple as reading the user name which is provided in an environment variable in Windows (%USERNAME%). You could do this with the OS-GETENV () function of the ABL.

Again, I get the feeling that your goal is to avoid having the user enter his/her credentials more than once but you need to have a security concept for your application which might involve more than just "getting" the user credentials from somewhere.

Regards, RealHeavyDude.
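As an added example (not code from this thread, from Progress, or from any poster): a PowerShell launcher that sits in front of the OpenEdge client and checks the interactive user's Windows logon token for membership of an AD group before starting the client. The group name, the prowin32 path and the startup procedure are assumed placeholders. Unlike %USERNAME%, which whoever starts the process can set, the group SIDs in the token were put there by the Windows logon itself.

```powershell
# Added example: gate the OpenEdge client on the Windows logon token.
# Placeholders (assumed): the AD group, the prowin32 path, the startup .p.
$RequiredGroup = 'CONTOSO\OE-App-Users'
$ProwinPath    = 'C:\Progress\OpenEdge\bin\prowin32.exe'
$StartupProc   = 'start.p'

function Test-AppUser {
    # Returns the AD account name (DOMAIN\user) if the caller's token carries
    # the required group SID, otherwise $null. The token, not an environment
    # variable, is the source of truth: %USERNAME% can be set by whoever
    # starts the process, the token's group SIDs cannot.
    param([string] $Group)
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    if (-not $identity.IsAuthenticated) { return $null }
    # A local-only account cannot be a member of a domain group, so this one
    # check covers both "authenticated by AD" and "authorized for the app".
    if (-not $principal.IsInRole($Group)) { return $null }
    return $identity.Name
}

$account = Test-AppUser -Group $RequiredGroup
if (-not $account) {
    Write-Error "Current logon is not authorized to start the application."
    exit 1
}

# Hand the verified user id to Progress with -U (as TomBascom suggests) so no
# second prompt appears; what that userid may do is still decided in the 4GL.
$userId = $account.Split('\')[-1]
Start-Process -FilePath $ProwinPath -ArgumentList @('-p', $StartupProc, '-U', $userId)
```

If the database keeps passwords in the _User table, -U alone will still prompt; the thread's alternative is to call SETUSERID() from the -p startup procedure instead.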