Implementing PeopleSoft SSO

1. Implementing PeopleSoft SSO Computing And Communications UC Riverside 2005

2. 1 4 6 UCR SSO Overview CAS Server http://auth.ucr.edu 2 5 7 3 PeopleSoft Application Server Oracle Stored Function (1) https://auth.ucr.edu/cas/login?service=http://ora02.ucr.edu/psp/UCRTM3/?cmd=start (2) CAS redirects URL: http://ora02.ucr.edu/psp/UCRTM3/?cmd=start&ticket=ST-9-rroTVKeuNy3v… (3) Signon PeopleCode requests validation of ticket via a a SQL stored function (4) SQL stored function requests validation of ticket via a URL request using the Oracle Wallet for a secure connection (5) CAS returns validation results (either “no” or “yes <user_id>”) to the stored function (6) Stored function returns the ticket validation results to the Signon PeopleCode (7) Signon PeopleCode sets the SetAuthenticationResult() to true and redirects the browser to our main PeopleSoft page. UC Riverside 2005

3. Web Profile Configuration – Security Turn on public access for the default user UC Riverside 2005

4. Web Profile Configuration – Look and Feel Place these files in: ~webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/ psftdocs/<portalname>/ Create a simple HTML file that does a META redirect, ie: <META HTTP-EQUIV=Refresh CONTENT="0; URL=https://auth.ucr.edu/cas/…> Create a simple HTML file that closes the webpage when the user logs out, ie: <script language="JavaScript" type="text/javascript"> function closeme(){window.opener = null;window.close();} </script> <BODY onload="javascript:closeme();"> UC Riverside 2005

5. Enabling Signon PeopleCode Create a special Function Library (FUNCLIB_) with your signon peoplecode and enable it here UC Riverside 2005

6. Signon PeopleCode at a glance Function UCR_Signon() … /* Get the CAS ticket and service */ &TICKET = RTrim(%Request.GetParameter("ticket")); &SERVICE = &FULLURI | "?cmd=start"; … /* Create a SQL statement that will send the ticket "out of band" for validation */ &sqlCASValidate = CreateSQL("select sso_validation_ticket('" | &SERVICE | "', '" | &TICKET | "') from dual"); … /* Execute the SQL and fetch the result, which should be either "no" or "yes <user>" */ &sqlCASValidate.Fetch(&RESULT); … &YES_NO = Substring(&RESULT, 1, 3); … If &YES_NO = "yes" Then /* Additionally, need to validate the resulting userid with operdefn table */ /* and check to see if account is locked out */ SetAuthenticationResult( True, Upper(&Result_userid), "", False); Else /* If NOT valid, then fail the user's login attempt and redirect back to the CAS page */ SetAuthenticationResult( False, &Result_userid, "", False); End-If; End-Function; Just a brief overview of the custom signon peoplecode UC Riverside 2005

7. Oracle Stored Function create or replace function SSO_Validation_Ticket(service in varchar2, ticket in varchar2) return varchar2 is /********************************************************************************/ /* Title: Single Signon Validate Ticket (SSO) */ /* Purpose: Validate a SSO ticket receive via a URL */ /********************************************************************************/ newservice varchar2(2000); returndata varchar2(2000); Begin newservice := replace(service, ':', '%3a'); newservice := replace(newservice, '?', '%3f'); newservice := replace(newservice, '&', '%26'); newservice := replace(newservice, '=', '%3d'); SELECT utl_http.request('https://auth.ucr.edu/cas/validate?service=' || newservice || chr(38)||'ticket=' || ticket, null, 'file:/etc/ORACLE/WALLETS/DATABASES', '<wallet_password>') into returndata FROM dual; return(returndata); exception when others then returndata := sqlerrm; return(returndata); end SSO_Validation_Ticket; The stored function that checks the wallet UC Riverside 2005

8. Signon PeopleCode (Page 1/5) Global string &TICKET, &USERID, &RESULT; Global File &LOG_FILE; Local SQL &sqlCASValidate; Function UCR_Signon() /*** Steps to set up single signon: 1) Web Profile Configuration - PSDEV - Security tab - Allow Public Access = YES; User ID = XYZ 2) Report Node - UCR_REPORT_NODE - URL: http://ora02.ucr.edu/psreports/ps; Login ID: XYZ; etc 3) Signon PeopleCode: FUNCLIB_UCR.SSOAUTH.FieldDefault.UCR_Signon 4) Ensure that the two files: logout_ucrsso.html and redirect_ucrsso.html are located in the following directory (or similiar) /u06/PT8.44.10/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/UCRTM2/ These two file are used in step 1) 5) Compile this stored function sso_validation_ticket(), You will have to check it out via SourceSafe. 6) Restart the App and Web Server. Take several minutes between shutting down and restarting. Delete some cache files too. 7) Change the Disable Signon user from XYZ to another user with no privileges. ***/ /* Get the CAS ticket and service */ &FULLURI = RTrim(%Request.FullURI); &TICKET = RTrim(%Request.GetParameter("ticket")); &QUERYSTRING = RTrim(%Request.QueryString); &SERVICE = &FULLURI | "?cmd=start"; UC Riverside 2005

9. Signon PeopleCode (Page 2/5) &SERVICE = Substitute(&SERVICE, ":", "%3a"); &SERVICE = Substitute(&SERVICE, "?", "%3f"); &SERVICE = Substitute(&SERVICE, "&", "%26"); &SERVICE = Substitute(&SERVICE, "=", "%3d"); /* In order to view reports from inside the portal, this Signon PeopleCode will run a second time for the user. The first time, a user is signed on as XYZ with a null %AuthenticationToken and then authenticated as themselves (Look for &sqlCASValidate). The second time (by clicking on a report link), they are signed on as themselves (not XYZ) with the %AuthenticationToken now not null. We then just sign them in as themselves. */ /* Determine if the user entered via the web or the application designer using the app server. */ &Entered_Via_Http = Find("http", &SERVICE); If %SignonUserId <> "XYZ" And (%AuthenticationToken <> "" Or &Entered_Via_Http = 0) Then SetAuthenticationResult( True, Upper(%SignonUserId), "", False); Return; End-If; /* Create a SQL statement that will send the ticket "out of band" for validation */ &sqlCASValidate = CreateSQL(); UC Riverside 2005

10. Signon PeopleCode (Page 3/5) try &sqlCASValidate = CreateSQL("select sso_validation_ticket('" | &SERVICE | "', '" | &TICKET | "') from dual"); catch Exception &c1 SetAuthenticationResult( False, Upper(&USERID), "", False); end-try; /* Execute the SQL and fetch the result, which should be either "no" or "yes <user>" */ If &sqlCASValidate.Fetch(&RESULT) Then &RESULT = RTrim(&RESULT); End-If; &sqlCASValidate.Close(); &YES_NO = Substring(&RESULT, 1, 3); If &YES_NO = "yes" Then /* If valid, then authenticate the user */ /* Step 1: Validate the resulting userid with operdefn table. */ /* Step 2: Check to see if account is locked out. */ &Result_len = Len(&RESULT); &Result_userid = Clean(Substring(&RESULT, 5, &Result_len - 4)); UC Riverside 2005

11. Signon PeopleCode (Page 4/5) /* Step 1: Validate &userid with operdefn table. */ /* Step 2: Check to see if account is locked out. */ &sqlCASValidate = CreateSQL(); try /* Convert the resulting user id to upper case. The user IDs from the upgrade process are already upper case, but UCR Net IDs are always lower case and must be equated using the Upper() function */ &sqlCASValidate = CreateSQL("select 'Y' from psoprdefn where oprid = '" | Upper(&Result_userid) | "' and acctlock = 0"); catch Exception &c2 SetAuthenticationResult( False, &USERID, "", False); end-try; /* Execute the SQL and fetch the result, which should be either "no" or "yes <user>" */ If &sqlCASValidate.Fetch(&RESULT) Then SetAuthenticationResult( True, Upper(&Result_userid), "", False); Else /* Execute the SQL and fetch the result, which should be either "no" or "yes <user>" */ SetAuthenticationResult( False, &USERID, "", False); End-If; UC Riverside 2005

12. Signon PeopleCode (Page 5/5) Else /* If NOT valid, then fail the user's login attempt and redirect back to the CAS page */ SetAuthenticationResult( False, &Result_userid, "", False); End-If; End-Function; UC Riverside 2005