PowerPoint Slideshow about 'Implementing PeopleSoft SSO' - paul


Presentation Transcript
Implementing PeopleSoft SSO

Computing And Communications

UC Riverside 2005

UCR SSO Overview

[Diagram: CAS Server (http://auth.ucr.edu), PeopleSoft Application Server and Oracle Stored Function, with arrows numbered 1 to 7 matching the steps below]

(1) https://auth.ucr.edu/cas/login?service=http://ora02.ucr.edu/psp/UCRTM3/?cmd=start

(2) CAS redirects the browser to the service URL with a service ticket appended: http://ora02.ucr.edu/psp/UCRTM3/?cmd=start&ticket=ST-9-rroTVKeuNy3v…

(3) Signon PeopleCode requests validation of the ticket via a SQL stored function

(4) The SQL stored function requests validation of the ticket via a URL request to CAS, using the Oracle Wallet for a secure (HTTPS) connection

(5) CAS returns the validation result (either "no" or "yes <user_id>") to the stored function

(6) The stored function returns the ticket validation result to the Signon PeopleCode

(7) Signon PeopleCode calls SetAuthenticationResult() with True and redirects the browser to our main PeopleSoft page.


Web Profile Configuration – Security

Turn on public access for the default user (Security tab: Allow Public Access = YES; User ID = XYZ)

Web Profile Configuration – Look and Feel

Place these files in: ~webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/<portalname>/

Create a simple HTML file that does a META redirect to the CAS login page, e.g.:

   <META HTTP-EQUIV=Refresh CONTENT="0; URL=https://auth.ucr.edu/cas/…>

Create a simple HTML file that closes the browser window when the user logs out, e.g.:

   <script language="JavaScript" type="text/javascript">
      function closeme(){window.opener = null;window.close();}
   </script>
   <BODY onload="javascript:closeme();">

Enabling Signon PeopleCode

Create a special Function Library (FUNCLIB_) with your Signon PeopleCode and enable it here

Signon PeopleCode at a glance

   Function UCR_Signon()
      /* Get the CAS ticket and service */
      &TICKET = RTrim(%Request.GetParameter("ticket"));
      &SERVICE = &FULLURI | "?cmd=start";

      /* Create a SQL statement that will send the ticket "out of band" for validation.
         The service and ticket are passed as bind values (:1, :2) rather than spliced
         into the SQL text, since the ticket comes straight from the request. */
      &sqlCASValidate = CreateSQL("select sso_validation_ticket(:1, :2) from dual", &SERVICE, &TICKET);

      /* Execute the SQL and fetch the result, which should be either "no" or "yes <user>" */
      &sqlCASValidate.Fetch(&RESULT);
      &YES_NO = Substring(&RESULT, 1, 3);

      If &YES_NO = "yes" Then
         /* Additionally, need to validate the resulting user id against the PSOPRDEFN table */
         /* and check to see if the account is locked out */
         SetAuthenticationResult( True, Upper(&Result_userid), "", False);
      Else
         /* If NOT valid, then fail the user's login attempt and redirect back to the CAS page */
         SetAuthenticationResult( False, &Result_userid, "", False);
      End-If;
   End-Function;

Just a brief overview of the custom Signon PeopleCode

Oracle Stored Function

   create or replace function SSO_Validation_Ticket(service in varchar2, ticket in varchar2) return varchar2 is
   /********************************************************************************/
   /* Title: Single Signon Validate Ticket (SSO)                                   */
   /* Purpose: Validate a SSO ticket received via a URL                            */
   /********************************************************************************/
      newservice varchar2(2000);
      returndata varchar2(2000);
   Begin
      -- URL-encode the characters in the service URL that CAS would otherwise parse as part of the validate request
      newservice := replace(service, ':', '%3a');
      newservice := replace(newservice, '?', '%3f');
      newservice := replace(newservice, '&', '%26');
      newservice := replace(newservice, '=', '%3d');

      -- chr(38) is '&'; the Oracle Wallet supplies the trust store for the HTTPS call to CAS
      SELECT utl_http.request('https://auth.ucr.edu/cas/validate?service=' || newservice || chr(38) || 'ticket=' || ticket,
                              null, 'file:/etc/ORACLE/WALLETS/DATABASES', '<wallet_password>')
        into returndata FROM dual;
      return(returndata);
   exception
      when others then
         -- Any failure (CAS unreachable, wallet error) comes back as the ORA- message text,
         -- which the Signon PeopleCode treats as "not yes" and so rejects the login
         returndata := sqlerrm;
         return(returndata);
   end SSO_Validation_Ticket;

The stored function that calls CAS over HTTPS using the Oracle Wallet

Signon PeopleCode (Page 1/5)

   Global string &TICKET, &USERID, &RESULT;
   Global File &LOG_FILE;
   Local SQL &sqlCASValidate;

   Function UCR_Signon()
      /***
      Steps to set up single signon:
      1) Web Profile Configuration - PSDEV - Security tab - Allow Public Access = YES; User ID = XYZ
      2) Report Node - UCR_REPORT_NODE - URL: http://ora02.ucr.edu/psreports/ps; Login ID: XYZ; etc
      3) Signon PeopleCode: FUNCLIB_UCR.SSOAUTH.FieldDefault.UCR_Signon
      4) Ensure that the two files logout_ucrsso.html and redirect_ucrsso.html are located in the following directory (or similar):
         /u06/PT8.44.10/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/UCRTM2/
         These two files are used in step 1).
      5) Compile the stored function sso_validation_ticket(). You will have to check it out via SourceSafe.
      6) Restart the App and Web Server. Take several minutes between shutting down and restarting. Delete some cache files too.
      7) Change the Disable Signon user from XYZ to another user with no privileges.
      ***/

      /* Get the CAS ticket and service */
      &FULLURI = RTrim(%Request.FullURI);
      &TICKET = RTrim(%Request.GetParameter("ticket"));
      &QUERYSTRING = RTrim(%Request.QueryString);
      &SERVICE = &FULLURI | "?cmd=start";

Signon PeopleCode (Page 2/5)

      &SERVICE = Substitute(&SERVICE, ":", "%3a");
      &SERVICE = Substitute(&SERVICE, "?", "%3f");
      &SERVICE = Substitute(&SERVICE, "&", "%26");
      &SERVICE = Substitute(&SERVICE, "=", "%3d");

      /* In order to view reports from inside the portal, this Signon PeopleCode will run a second time for the user.
         The first time, a user is signed on as XYZ with a null %AuthenticationToken and then authenticated as
         themselves (look for &sqlCASValidate). The second time (by clicking on a report link), they are signed on
         as themselves (not XYZ) with the %AuthenticationToken now not null. We then just sign them in as themselves. */

      /* Determine if the user entered via the web or the application designer using the app server. */
      &Entered_Via_Http = Find("http", &SERVICE);

      If %SignonUserId <> "XYZ" And
            (%AuthenticationToken <> "" Or
            &Entered_Via_Http = 0) Then
         SetAuthenticationResult( True, Upper(%SignonUserId), "", False);
         Return;
      End-If;

      /* Create a SQL statement that will send the ticket "out of band" for validation */
      &sqlCASValidate = CreateSQL();

Signon PeopleCode (Page 3/5)

      try
         /* Pass the service and ticket as bind values (:1, :2) instead of splicing the
            request parameter into the SQL text */
         &sqlCASValidate = CreateSQL("select sso_validation_ticket(:1, :2) from dual", &SERVICE, &TICKET);
      catch Exception &c1
         SetAuthenticationResult( False, Upper(&USERID), "", False);
         Return;
      end-try;

      /* Execute the SQL and fetch the result, which should be either "no" or "yes <user>" */
      If &sqlCASValidate.Fetch(&RESULT) Then
         &RESULT = RTrim(&RESULT);
      End-If;
      &sqlCASValidate.Close();

      &YES_NO = Substring(&RESULT, 1, 3);

      If &YES_NO = "yes" Then
         /* If valid, then authenticate the user */
         /* Step 1: Validate the resulting user id against the PSOPRDEFN table. */
         /* Step 2: Check to see if the account is locked out. */
         &Result_len = Len(&RESULT);
         &Result_userid = Clean(Substring(&RESULT, 5, &Result_len - 4));

Signon PeopleCode (Page 4/5)

         /* Step 1: Validate &userid against the PSOPRDEFN table. */
         /* Step 2: Check to see if the account is locked out. */
         &sqlCASValidate = CreateSQL();
         try
            /* Convert the resulting user id to upper case. The user IDs from the upgrade process are already
               upper case, but UCR Net IDs are always lower case and must be compared using the Upper() function */
            &sqlCASValidate = CreateSQL("select 'Y' from psoprdefn where oprid = :1 and acctlock = 0", Upper(&Result_userid));
         catch Exception &c2
            SetAuthenticationResult( False, &USERID, "", False);
            Return;
         end-try;

         /* Fetch succeeds only if an unlocked PSOPRDEFN row exists for this user id */
         If &sqlCASValidate.Fetch(&RESULT) Then
            SetAuthenticationResult( True, Upper(&Result_userid), "", False);
         Else
            /* No matching row, or the account is locked out: fail the login */
            SetAuthenticationResult( False, &USERID, "", False);
         End-If;

Signon PeopleCode (Page 5/5)

      Else
         /* If NOT valid, then fail the user's login attempt and redirect back to the CAS page */
         SetAuthenticationResult( False, &Result_userid, "", False);
      End-If;
   End-Function;
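The CAS 1.0 validate exchange from the overview and the sign-on decision made on pages 3 and 4, modelled as an added Python example (not code from the UCR deck). The PSOPRDEFN rows, the ticket shape check and the CAS base URL parameter are constructed assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for the rows the page-4 query reads from PSOPRDEFN
# (OPRID -> ACCTLOCK); not real UCR data.
SAMPLE_PSOPRDEFN: Dict[str, int] = {"JSMITH": 0, "LOCKED1": 1}

# Tickets on the slides look like ST-9-rroTVKeuNy3v...; this shape check is an added
# defensive assumption, applied before the request value goes near SQL or a URL.
TICKET_RE = re.compile(r"ST-[0-9]+-[A-Za-z0-9._-]+")


def is_wellformed_ticket(ticket: str) -> bool:
    return TICKET_RE.fullmatch(ticket) is not None


def encode_service(service: str) -> str:
    """The same four substitutions the slides apply (PeopleCode Substitute / PL/SQL replace)."""
    for raw, enc in ((":", "%3a"), ("?", "%3f"), ("&", "%26"), ("=", "%3d")):
        service = service.replace(raw, enc)
    return service


def build_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """The URL the stored function hands to utl_http.request (CAS 1.0 /validate)."""
    if not is_wellformed_ticket(ticket):
        raise ValueError("ticket does not look like a CAS service ticket")
    return f"{cas_base}/cas/validate?service={encode_service(service)}&ticket={ticket}"


def parse_cas_validate(body: str) -> Optional[str]:
    """CAS 1.0 answers 'yes\\n<user>\\n' or 'no\\n'. Returns the user on yes, else None.
    Anything else, such as the ORA- text the stored function's WHEN OTHERS handler
    returns on failure, also counts as a rejected ticket."""
    parts = body.split()
    if len(parts) == 2 and parts[0] == "yes":
        return parts[1]
    return None


def signon_decision(cas_body: str, psoprdefn: Dict[str, int]) -> Tuple[bool, str]:
    """What UCR_Signon passes to SetAuthenticationResult: the upper-cased NetID must
    exist in PSOPRDEFN with ACCTLOCK = 0, otherwise the login fails."""
    user = parse_cas_validate(cas_body)
    if user is None:
        return False, ""
    oprid = user.upper()
    if psoprdefn.get(oprid) != 0:  # missing row or locked account
        return False, ""
    return True, oprid
```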