
PeopleSoft Single Sign-On & Shibboleth

PeopleSoft Single Sign-On & Shibboleth. Gary Windham Senior Enterprise Systems Architect University Information Technology Services. Why Single Sign-On?. Use institutional credentials (username/password users already know)



Presentation Transcript


  1. PeopleSoft Single Sign-On & Shibboleth. Gary Windham, Senior Enterprise Systems Architect, University Information Technology Services

  2. Why Single Sign-On?
     • Use institutional credentials (username/password users already know)
     • Avoid headache of maintaining password security policies, expirations, etc.
     • Login once, gain access to multiple services
     • Portal integration

  3. Signon PeopleCode
     • PeopleSoft provides the ability to integrate with external authentication providers via Signon PeopleCode
     • Signon PeopleCode is record PeopleCode
     • FUNCLIB_LDAP is the delivered record for Signon PeopleCode; functions are tied to the LDAPAUTH field
     • Signon PeopleCode runs whenever a user signs onto PeopleSoft via PIA or 3-tier client/server
     • Primary job is to authenticate the user and copy user profile data from an external source to the local database

  4. Signon PeopleCode (cont)
     • Various external authentication solutions can be accessed via Signon PeopleCode:
        • LDAP
        • X509 client certificates
        • PS SSO (PS_TOKEN)
        • Oracle SSO
        • Windows NTLM authentication
        • Web Server Security (used for Shibboleth)
     • Overloaded use of “SSO” can be confusing!

  5. Configuring Signon PeopleCode
     • Signon PeopleCode is configured and administered through a dedicated screen (SIGNONPPC_PAGE), located at PeopleTools->Security->Security Objects->Signon PeopleCode
     • Different Signon PeopleCode functions can be stacked in sequence and enabled/disabled
     • “Exec Auth Fail” allows a function to run only if authentication did not succeed
     • For Web Server Authentication, all initial sign-on to PeopleSoft is done through a “default public user”
        • set up in PeopleTools->Web Profile->Web Profile Configuration->Security
        • no permissions
        • establishes initial user context such that Signon PeopleCode can execute (chicken and egg problem)

  6. Signon PeopleCode Configuration

  7. What is Shibboleth?
     • An open software system for web single sign-on
     • Developed by Internet2
     • Enables web applications deployed in most typical web server environments to authenticate and authorize users via a single protocol
     • Facilitates federated identity
     • Enables fine-grained assertion of identity data to federated and external partners
        • privacy and security are key elements

  8. What is Shibboleth? (cont)
     • The "currency" of the Shibboleth software is attributes.
        • named set of values about an authenticated user
        • values are typically strings, but can be more complex XML-based data.
     • When a user attempts to authenticate to your service, Shibboleth obtains a set of attributes for that user and maps them to environment variables and/or HTTP headers for your application to consume
     • Attributes not stored within Shibboleth itself
        • pulled from other sources (e.g. LDAP directory or database)
        • EDS in our case

  9. The Shibboleth Protocol (diagram)
     Steps shown in the diagram:
        1. User requests resource
        2. You are not authenticated, redirect to IdP SSO
        3. I don’t know you. Authenticate using WebAuth
        4. I know you now. Send client (via form POST) to resource’s ACS
        5. I don’t know your attributes. Ask the attribute authority
        6. Return the attributes allowed by release policy
        7. Based on attribute values, allow access to resource
     Diagram labels: Client Web Browser; WebAuth; Credentials; Resource Provider Web Site; Identity Provider Web Site; Web Resource; Assertion Consumer Service (ACS); SSO Service; Resource Manager (RM); Attribute Authority (AA); Attribute Requester; EDS; Handle; Attributes
     Source: Kathryn Huxtable, Internet2

  10. Wiring-up Shibboleth to PS
     • Shibboleth infrastructure resides on the web tier
        • e.g. uaz-sa-w02.mosaic.arizona.edu
     • Shibboleth software runs under Apache or IIS web containers
        • consists of two components:
           • web-server plugin (mod_shib for Apache, or an ISAPI filter for IIS)
           • standalone UNIX daemon (shibd) or Windows service
     • Our PeopleSoft app server infrastructure is Linux-based, so we use the Apache version
     • PeopleSoft web tier runs on WebLogic

  11. Wiring-up Shibboleth to PS (cont)
     • How to bridge Apache and WebLogic?
        • mod_weblogic: Apache module delivered with WLS, similar in concept to mod_jk / mod_proxy_ajp (Tomcat)
     • All requests routed through Apache
     • mod_shib directives enforce authentication and manage session authentication context
     • Shibboleth attributes inserted into HTTP request headers
     • mod_weblogic proxies request to WebLogic (PIA) via back-end connection

  12. Architecture diagram. Labels: ACE; Browser; https://sa-dev.mosaic.arizona.edu; http://uaz-sa-w02.mosaic.arizona.edu:8080; Shib IdP; PS App Server; Apache; WLS; mod_weblogic; mod_shib

  13. Accessing Shibboleth Attributes In Signon PeopleCode
     • Once the Shibboleth authentication sequence is complete, attributes about the user are available
     • Attributes can be retrieved from %Request object (HTTP Request headers)
     • All attributes contained in EDS are available
        • named according to EDS schema, except prefaced by “Shib-” (to disambiguate namespace)

  14. Signon PeopleCode Examples

  15. Signon PeopleCode Examples (cont)

  16. Demo…
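
The consumption step described on slides 5, 11 and 13, modelled in Python as an added example; it is not the presenter's Signon PeopleCode, which this transcript does not include. It shows the checks a back end should make before treating a `Shib-` request header as the user's identity. The attribute name `Shib-uid`, the public user `PUBUSER` and the proxy address are assumed placeholders.

```python
import ipaddress

# Assumptions (not from the slides): proxy address, default public user name
# and the "Shib-uid" attribute name are placeholders for illustration.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}
DEFAULT_PUBLIC_USER = "PUBUSER"
USER_HEADER = "Shib-uid"


def split_values(raw):
    """Split a Shibboleth header value: ';' separates values, '\\;' is a literal ';'."""
    values, current, i = [], "", 0
    while i < len(raw):
        if raw.startswith("\\;", i):
            current, i = current + ";", i + 2
        elif raw[i] == ";":
            values.append(current)
            current, i = "", i + 1
        else:
            current, i = current + raw[i], i + 1
    values.append(current)
    return [v for v in values if v]


def shib_attributes(headers):
    """Collect Shib-* request headers (case-insensitive names) as lists of values."""
    return {name.lower(): split_values(value)
            for name, value in headers.items()
            if name.lower().startswith("shib-")}


def resolve_signon(signon_user, peer_addr, headers):
    """Return (authenticated, user_id) for one sign-on attempt."""
    if signon_user != DEFAULT_PUBLIC_USER:
        return (False, None)   # only the default public user context is upgraded
    if ipaddress.ip_address(peer_addr) not in TRUSTED_PROXIES:
        return (False, None)   # request did not arrive through the Apache front end
    uids = shib_attributes(headers).get(USER_HEADER.lower(), [])
    if len(uids) != 1 or not uids[0].strip():
        return (False, None)   # missing, empty or multi-valued identity
    return (True, uids[0].strip())


# Constructed sample requests, not captured traffic.
VIA_APACHE = resolve_signon(DEFAULT_PUBLIC_USER, "127.0.0.1",
                            {"Shib-uid": "jdoe", "Shib-mail": "jdoe@example.edu"})
DIRECT_TO_BACKEND = resolve_signon(DEFAULT_PUBLIC_USER, "10.20.30.40", {"Shib-uid": "jdoe"})
AMBIGUOUS = resolve_signon(DEFAULT_PUBLIC_USER, "127.0.0.1", {"Shib-uid": "jdoe;admin"})
```

The peer-address check stands in for whatever network control keeps clients from reaching the WebLogic listener directly; header values are only as trustworthy as the path they arrived on.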
