Posted on 09-Oct-2019
Value-Added Module (VAM)
PeopleSoft SecureAuth IdP Deployment
Copyright Information
©2018. SecureAuth® is a registered trademark of SecureAuth Corporation. SecureAuth’s IdP software, appliances, and other products and solutions are copyrighted products of SecureAuth Corporation.
Version 2.2
December 2018
Revision History
Version Date Notes
0.1 2017-03-16 Initial draft
1.0 2018-05-25 First draft completed
2.1 2018-09-25 Second version (largely rewritten)
2.2 2019-01-11 Fixes, enhancements, deployment changes
For information on supporting this product, contact your SecureAuth sales representative:
Email: support@secureauth.com, inside-sales@secureauth.com
Phone: +1.949.777.6959 or +1.866.859.1526
Website: https://www.secureauth.com/Support
https://www.secureauth.com/contact
Table of Contents
Deployment and Configuration of the Value-Added Module ..... 1
    System Prerequisites ..... 1
    System Development Parameters ..... 1
    Intended Audience ..... 1
Deploying & Configuring PeopleSoft ..... 2
    Deployment & Configuration for PeopleSoft ..... 2
        Importing the PROJECT_SA2FA Project ..... 2
    Creating the SALOGIN User Profile ..... 6
    Update Web Profile ..... 11
    PeopleSoft PSCIPHER Encryption Key and Version Retrieval ..... 15
    Updating PeopleSoft to Default Requiring SecureAuth Authentication (SP-Initiated) ..... 19
    Setting Up Signon PeopleCode ..... 20
    PeopleSoft Server Pages Restriction ..... 23
Deploying & Configuring the SecureAuth Appliance ..... 24
    Deployment & Configuration for SecureAuth Appliance ..... 24
        Setting Up the SecureAuth Realm ..... 24
    Validating Workflows ..... 25
    ‘Deep Linking’ ..... 26
        Default Behavior ..... 26
        Linking Behavior ..... 26
Troubleshooting the PeopleSoft VAM ..... 26
    Troubleshooting ..... 26
References & Release Notes ..... 27
    References ..... 27
    Release Notes ..... 27
    Upgrade Information ..... 28
    Indemnity ..... 28
Introduction 1
Deployment and Configuration of the Value-Added Module
This document details the deployment and configuration of the PeopleSoft Value-Added Module (VAM) on a
SecureAuth IdP appliance. Adding the PeopleSoft VAM to your environment enables authentication and
authorization of applications on PeopleSoft.
System Prerequisites
The PeopleSoft Value-Added Module (VAM) and this documentation have been built using the systems outlined below.
+ PeopleSoft 9.2 running on Linux 4.x
+ PeopleSoft should be previously installed and operational
+ PeopleTools should be configured to support a two-tier connection to complete all required
deployment steps. A three-tier connection cannot be used.
+ IdP Version 9.1 or above
+ Oracle Database 12c (However, all versions compatible with PeopleTools should be supported)
System Development Parameters
The following systems were used in the development and testing of this product. Older versions of PeopleSoft and
PeopleTools/PeopleCode have not been verified.
+ PeopleSoft 9.2
+ PeopleTools 8.56.09
+ Tested with PeopleSoft Fluid user interface
Intended Audience
This guide walks a system engineer through the steps needed to:
+ Import a project from file into the PeopleSoft system to support encryption of the user name between
SecureAuth and PeopleSoft, and install the PeopleCode
+ Create a user profile in PeopleSoft
+ Update the web profile to accept the new user profile
+ Obtain the encryption key and version used by PeopleSoft so they can be shared between the systems
+ Configure a SecureAuth realm to validate a credential and redirect the user to the PeopleSoft server for
seamless login
Deploying & Configuring PeopleSoft
Please read this section to become familiar with the steps required to deploy and configure the PeopleSoft
Value-Added Module.
Deployment & Configuration for PeopleSoft
Importing the PROJECT_SA2FA Project
Before starting this task, PeopleTools Application Designer must be configured to connect to the PeopleSoft database using a two-tier connection. An Application Server (three-tier) connection cannot be used for database modifications. This project contains:
+ Application Package SA_CIPHER
This package is a temporary addition to the PeopleSoft system, used to retrieve the server-specific encryption key that protects data passed between an appliance realm and PeopleSoft. Steps to remove it are outlined later in this document.
+ Record SA_SIGNON.SA_AUTH
This record contains the function Validate_User(), used during the login process when a user is passed by an appliance realm to PeopleSoft.
1. Log into the PeopleSoft database using PeopleTools Application Designer.
2. Select Tools | Copy Project | From File…
3. Navigate to the location where the PeopleSoft Value-Added Module was decompressed and drill down to the
\PeopleSoft\Application Designer subfolder.
4. Click PROJECT_SA2FA and then the Select button.
5. Click Select All, then Copy.
6. Expand Records, then SA_SIGNON, then SA_AUTH, and double-click FieldDefault.
Update the local object &LogFile to a valid path. This is where the imported PeopleCode will write its audit log. The imported code defaults to root/tmp (on a Linux system). Note: the directory path refers to the PeopleSoft server, not the machine the person is working on.
7. By default, the PeopleCode includes an optional feature that forces a redirection to an appliance realm if a user
attempts to log into the PeopleSoft system directly. If the feature is left enabled, you must update the
URL of the appliance realm stored in the local string variable &SecureAuthLoginUrl. If the feature is to be
disabled, so that users can sign in either through the PeopleSoft sign-on page or through an appliance realm, the value can be left
as-is and the corresponding code section commented out. If left enabled, not even the designated admin can log in
using the PeopleSoft login page. To accommodate that, create an Active Directory user account with the same
name as the PeopleSoft admin and log in using the appliance realm.
8. Save changes to cause a recompile of the PeopleCode.
This completes the import of PeopleCode to the PeopleSoft system.
Creating the SALOGIN User Profile
1. Log in to PeopleSoft using a web browser.
2. Navigate to User Profiles. This can be found using the Navigation bar (compass icon at the top right).
3. Select the Add New Value tab.
4. Enter SALOGIN in the User ID field and click Add.
Note: SALOGIN is used throughout the remainder of this document for demonstration purposes. It can be
any valid user name. If the default is changed, it is necessary to return to the PeopleCode function
Validate_User() and update the local string &WebProfileUser. Be sure to save changes to cause a
recompile of the PeopleCode.
5. Enter the password for the new User ID.
6. Select the ID tab and choose None for the ID Type.
7. Click Save.
8. Accept the warning by clicking OK.
Update Web Profile
1. Navigate to PeopleTools | Web Profile | Web Profile Configuration.
2. Leave Profile begins with blank and click Search to list the web profiles.
3. Select the active web profile.
4. If you do not know which web profile is active (the location of configuration.properties, which
determines the web profile in use, varies from system to system), you can identify it by searching
Web Profile History. Click Search and note the profile name.
5. In the Public Users section, check Allow Public Access, set User ID to SALOGIN, and provide the password
for the account created in the previous step.
6. Click Save.
PeopleSoft PSCIPHER Encryption Key and Version Retrieval
1. Navigate to Enterprise Components -> Component Configurations -> Application Class Tester.
2. Enter SA_CIPHER:cipher in *Classpath and getKey in Class Method, then click Submit.
3. Copy the Key and Version values and save them. You will need them when configuring the SecureAuth realm later
in this document.
4. After you have copied the key and version values, delete the SA_CIPHER package from PeopleSoft
for security purposes. For this task, return to Application Designer.
5. Select File | Open | Definition of type Project.
6. Enter PROJECT_SA2FA and select Open.
7. Expand Application Packages.
8. Right-click SA_CIPHER and select Remove From Project.
Updating PeopleSoft to Default Requiring SecureAuth Authentication (SP-Initiated)
Follow these steps to implement the optional feature documented earlier, which redirects a user to SecureAuth when they navigate directly to the PeopleSoft server in their web browser and attempt to log in.
1. Navigate to Web Profile Configuration | Look & Feel (a hyperlink at the bottom of the page).
2. Change Signon Result Doc Page from signonresultdoctext.html to signonresultdocredirect.html. Notice the
change is from doctext to docredirect.
3. The web server(s) must be restarted for this to take effect.
Setting Up Signon PeopleCode
The record associated with the PeopleCode has to be configured on the Signon PeopleCode page. The code is triggered using the public guest credentials (that is, SALOGIN). The code has to be enabled along with the function, Validate_User(), as shown below.
1. Navigate to PeopleTools | Security | Security Objects | Signon PeopleCode.
2. Add a new row by clicking the + button at the far right of the last row.
3. Enter the next available value in Sequence. In this example, the number is 7.
4. In the Record field, type SA_SIGNON. It should auto-populate as you type.
5. In Field Name enter SA_AUTH.
6. In Event Name enter FieldDefault.
7. In Function Name enter Validate_User.
8. Check Exec Auth Fail.
9. Click Save.
PeopleSoft Server Pages Restriction
Under copyright restriction, SecureAuth Corporation cannot provide documentation that outlines modifications to the PeopleSoft pages expire.html, signon.html, signin.html, and start.html that would redirect a user to a SecureAuth appliance and bypass the standard PeopleSoft sign-on experience. Please consult Oracle Corporation for assistance with modifying these pages.
Deploying & Configuring the SecureAuth Appliance
Deployment & Configuration for SecureAuth Appliance
Setting Up the SecureAuth Realm
1. Follow the default rules for defining the Data and Workflow information for the realm.
2. Copy the files PeopleSoft.aspx and PeopleSoft.aspx.vb, located under \SecureAuth in the decompressed zip
file, to the SecureAuth IdP realm to be used for SSO into PeopleSoft. For example, copy the files to
D:\SecureAuth\SecureAuth1\Customized
3. On the Post Authentication page of the PeopleSoft realm, change Authenticated User Redirect to Use Custom
Redirect and assign the page PeopleSoft.aspx.
4. Update the realm settings (web.config) to include the following settings. Add the keys to the existing <appSettings> element; do not replace it.
<appSettings>
  <!-- obtained from the PeopleSoft server; see the deployment guide -->
  <add key="PSVersion" value="{V1.1}" />
  <!-- obtained from the PeopleSoft server; see the deployment guide -->
  <add key="PSKey" value="T0qn4IaSDYoxTFflL0wcoaKXV6FDQ8Fr" />
  <!-- example: http://<<FQDN>>:<<port>>/psc/ps/EMPLOYEE/HRMS/c/NUI_FRAMEWORK.PT_LANDINGPAGE.GBL? -->
  <add key="PSRedirectURL" value="https://<<FQDN>>" />
</appSettings>
Validating Workflows
1. Launch a browser session and go to the SecureAuth realm used for PeopleSoft. Example:
https://localhost/secureauth1/secureauth.aspx
2. Log in with the user account you want to verify the workflow with. This account must be a valid account in
the user store configured for the realm and must be accessible by the PeopleSoft system database.
3. The browser will redirect to PeopleSoft and log the user in, taking them to the page specified in the
PSRedirectURL configuration of the realm.
4. The example screenshot shows the home page for the user GMILES, who was verified by the SecureAuth realm and
logged in to PeopleSoft after the redirection.
If an error is encountered during the process, an error screen is displayed instead. Further information on the cause will be available in the log file described in the Troubleshooting section below.
‘Deep Linking’
The SecureAuth appliance realm can redirect a user to a page other than the default landing page specified in the web.config entry described earlier. This is often used for portal links or personalized links that users receive in an email, for example to review a specific report. This functionality is built into the post-authentication page installed earlier in this document.
Default Behavior
By default, all users are redirected to the landing page specified in PSRedirectURL.
Linking Behavior
To redirect a user to a specific page other than the default, format the published link to PeopleSoft so that it points to the appliance realm and append the parameter ‘RedirectUrl’ carrying the target PeopleSoft URL.
Example link: http://secureauthserver/realmnumber/secureauth.aspx?RedirectUrl=https://peoplesoftserver/specificpage?optionalparameter1="value"&optionalparameter2="value"
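The example link above places the PeopleSoft URL into RedirectUrl without encoding it. Because the target itself contains "?" and "&", a query-string parser reads the "&" as a separator of the realm URL's own parameters, and everything after it is dropped (the symptom the 2.2 release notes record as "Deep link feature was truncating parameters"). The following Python is an added example written for this guide; it is not the VAM's post-authentication page or any SecureAuth code. It builds a deep link with the target percent-encoded, shows what the realm recovers from the encoded and the unencoded forms, and adds a host allow-list so that only HTTPS targets on the PeopleSoft server are honoured; that allow-list is an added safeguard not described by the guide. The host names secureauthserver and peoplesoftserver are constructed placeholders.

```python
"""Added example (not from the SecureAuth guide or the VAM): building and checking
a PeopleSoft 'deep link' that passes through a SecureAuth realm."""
from typing import Optional, Set
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values; substitute the realm URL and PeopleSoft server of your deployment.
REALM_URL = "https://secureauthserver/secureauth1/secureauth.aspx"
TARGET_URL = ("https://peoplesoftserver/psc/ps/EMPLOYEE/HRMS/c/"
              "NUI_FRAMEWORK.PT_LANDINGPAGE.GBL?param1=value1&param2=value2")
PEOPLESOFT_HOSTS = {"peoplesoftserver"}  # hosts a RedirectUrl may point at (added safeguard)


def naive_deep_link(realm_url: str, target_url: str) -> str:
    """The unencoded form of the guide's example link.

    Any '&' inside the target is read as a separator of the realm URL's own query
    string, so the realm sees only the part of the target before the first '&'.
    """
    return f"{realm_url}?RedirectUrl={target_url}"


def build_deep_link(realm_url: str, target_url: str) -> str:
    """Attach the target as a percent-encoded RedirectUrl, keeping any parameters
    the realm URL already carries."""
    parts = urlsplit(realm_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["RedirectUrl"] = target_url
    # urlencode percent-encodes ':', '/', '?', '&' and '=' inside the value.
    return urlunsplit(parts._replace(query=urlencode(query)))


def extract_redirect(link: str, allowed_hosts: Set[str]) -> Optional[str]:
    """Recover RedirectUrl the way a query-string parser on the realm would.

    Returns None when the parameter is absent or the target is not an HTTPS URL
    on one of the allowed PeopleSoft hosts, so a link cannot send the user to an
    arbitrary site after authentication.
    """
    values = parse_qs(urlsplit(link).query).get("RedirectUrl")
    if not values:
        return None
    target = values[0]
    t = urlsplit(target)
    if t.scheme != "https" or t.hostname not in allowed_hosts:
        return None
    return target


if __name__ == "__main__":
    print("encoded  :", extract_redirect(build_deep_link(REALM_URL, TARGET_URL), PEOPLESOFT_HOSTS))
    print("unencoded:", extract_redirect(naive_deep_link(REALM_URL, TARGET_URL), PEOPLESOFT_HOSTS))
```

Running the block prints the full target for the encoded link and a target cut off after param1=value1 for the unencoded one, which is the truncation a portal author will see if the nested URL is pasted in verbatim.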
Troubleshooting the PeopleSoft VAM
Troubleshooting
1. If you experience any difficulty, close all browser sessions and attempt the workflow again. If this does not
solve the issue, restart the PeopleSoft system.
2. Credential validation is handled by standard SecureAuth realm functionality. Contact SecureAuth Technical
Support if you encounter an issue logging a user in at the SecureAuth realm level.
3. If you encounter the issue where the user is logged in as SALOGIN, contact SecureAuth Technical
Support and arrange an online support session with your local PeopleSoft administrator, who needs access to
PeopleSoft administrative functions as well as to the operating system file system to retrieve log files.
The log file for the Signon PeopleCode can be found at the location specified in the Validate_User function
described earlier in this document. A copy of the audit log can be retrieved from there. By default, the file name is
SECUREAUTH_SA_SIGNON_SA_AUTH.FieldDefault.txt.
References & Release Notes
References
Oracle: Employing Signon PeopleCode, https://docs.oracle.com/cd/E26239_01/pt851h3/eng/psbooks/tsec/chapter.htm?File=tsec/htm/tsec09.htm
Release Notes
Version 2.2 – 11/23/2018
• Fix: PeopleCode was calling Error before logging, resulting in some error conditions not being included in the
audit file
• Fix: Deep link feature was truncating parameters
• Fix: Log file was not being closed at the end of Validate_User
• Maintenance: Explicitly defined all variables in PeopleCode
• Enhancement: Migrated creation of the function Validate_User and SA_CIPHER to a single project file that can
be imported, to simplify deployment
• Enhancement: Switched to form POST to send user credentials to PeopleSoft
• Enhancement: Post-authentication page now supports User ID mapping based on realm configuration
Version 2.1 – 10/22/2018
• Fix: expiry tolerance now supports +/- between servers instead of just +
• Enhancement: Added support for redirection after login to support ‘deep links’
Version 2.0 – 09/25/2018
• Enhancement: Replaced secure cookie with query-string parameter to support both on-premises and SaaS
implementations
• Enhancement: Added support for SP-initiated workflow so that when a user enters their credentials at a PeopleSoft
login they are redirected to SecureAuth
• Enhancement: Added expiration to encrypted token
• Maintenance: Redesigned the PeopleCode distribution to use a new Record instead of adding to
FUNCLIB_LDAP2 for PeopleCode Signon
Version 1.0 – 6/15/2018
• Initial release supporting IdP-initiated login from SecureAuth to PeopleSoft using a secure cookie for authentication
Upgrade Information
Prior to upgrading your IdP appliances, please open a Support ticket so that SecureAuth may evaluate and ensure the Value-Added Module’s availability for that upgrade.
Indemnity
This product has been designed using guidelines published by the manufacturer for modification to the sign-on
process for PeopleSoft. In the event the manufacturer revokes the ability to continue to integrate with other
vendors, all documentation and installation instructions are declared null and void. Any attempts to alter or modify
the code base of this Value-Added Module will create an unsupportable version due to alterations outside of
SecureAuth’s control.
This document is for informational purposes only. SecureAuth makes no warranties, express or implied, in this
document. SecureAuth is a registered trademark of the SecureAuth Corp. in the United States and/or other
countries. The names of other companies and products mentioned herein may be the trademarks of their respective
owners.
The information contained in this document, or any addendum or revision thereof is proprietary of SecureAuth and
is subject to all relevant copyright, patent and other laws and treaties protecting intellectual property, as well as any
specific agreement protecting SecureAuth Inc. rights in the aforesaid information. Any use of this document or the
information contained herein for any purposes other than those for which it was disclosed is strictly forbidden.
SecureAuth Inc. reserves the right, without prior notice or liability, to make changes in equipment design or
specifications. All specifications are subject to change without prior notice. SecureAuth Inc. assumes no
responsibility for the use thereof nor for the rights of third parties, which may be affected in any way by the use
thereof.
This document may contain flaws, omissions or typesetting errors; no warranty is granted nor liability assumed in
relation thereto unless specifically undertaken in SecureAuth Inc.’s sales contract or order confirmation. Information
contained herein is periodically updated and changes will be incorporated into subsequent editions. If you have
encountered an error, please notify SecureAuth Inc.