Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Rupesh Kumar
Confidential
Page 1
26/05/2009
Table of Content
Table of Content................................................................................................................... 2 1. Introduction ...................................................................................................................... 3
1.1 Understanding SSO .................................................................................................................3 1.2 Understanding NTLM.............................................................................................................4 1.3 Understanding cookies............................................................................................................4
3. Appendix (SSO).............................................................................................................. 18
3.1 Roles with Special Uses .........................................................................................................18 3.2 Permission List with Special Uses .......................................................................................18 3.3 Further Reading .....................................................................................................................19
Confidential
Page 2
26/05/2009
1. Introduction
SSOL (Dummy Company Name) wants users to automatically signon to PeopleSoft Enterprise portal 9.0 using their Active Directory Credentials, bypassing Portal SignOn page. The entry point of the user will be the SSOL Intranet site. A link/button will be provided over this site that will take user directly into the Portal. Windows authentication uses Active directory as the user store.
In this document were discussing another form of SSO - Single Signon with Third Party Authentication (SSO b/w PeopleSoft and 3rd Party System [Non Oracle Application]). Reference: http://www.opengroup.org/security/sso/sso_intro.htm http://www.ibm.com/developerworks/websphere/library/techarticles/0108_botzum/botzum.html
Confidential
Page 3
26/05/2009
3. 4. 5. 6.
Persistent cookies: A persistent cookie is one stored as a file on users computer, and it remains there when user closes the browser for a period of time. This cookie can be read by the Web site that created it when user visits that site again and allows web application to track users web activity. Temporary/Non- Persistent cookies: A temporary or session or Non- Persistent cookie is stored in the browser memory for the current browsing session and allows web servers to track the user session. The Non-Persistent cookie disappears when the user closes the browser session.
Confidential
Page 4
26/05/2009
Confidential
Page 5
26/05/2009
From the picture shown above we can tell that the Single signon process goes through threes major phases: 1- The user opens a new browser session and redirects to SSOL intranet site. On the SSOL page user clicks on a PeopleSoft Portal link. The request is then sent to the same IIS server that interrogates the user workstation to get the userid and Active Directory domain.
Confidential
Page 6
26/05/2009
2- After The IIS server gets the user ID it strips it from the Active Directory Domain and put the result in a session cookie. This cookie is sent to the browser and stored only on the browser memory for a very short period of time to allow the redirect to PeopleSoft Web Server 3- The browser then gets redirected to the intended PeopleSoft Enterprise Portal Page. All cookies with the same domain will be sent to the PeopleSoft Web Server. Note: In order for cookies to be sent from a browser to a Web Server they need to be on the same domain as the target web server. Consequently the IIS Server and the PeopleSoft Enterprise Portal need to be on the same domain.
Confidential
Page 7
26/05/2009
2.2 Implementation
Capturing User Name in Cookies:
1. There should be a Link/Button on http:/my.ssol.com/employee_portal (Dummy URL), which will take user directly to the PeopleSoft Enterprise Portal page (Bypassing the SignOn page). We need to have ASP code behind the Link that will capture Users Login ID and pass it as a cookie.
2.
Code for ASP.Net [code should be similar to this one] Dim str1, username, url str1=Request.ServerVariables("LOGON_USER") The user credentials stored in the variable str1. username = Right(str1, Len(str1)-InStr(str1, "\")) Following step will create a cookie named udata: Cookie Name: udata Domain( Host): .test.ssol.gov.in Expires: Current Time + 5 Sec Path: /
Response.Cookies("udata")= username Response.Cookies("udata").Domain=" .test.ssol.gov.in" Response.Cookies("udata").Expires = dateadd("s",5,Now()) Response.Cookies("udata").Path = "/" Building URL of Portal Default Page and redirecting response to PeopleSoft Web Server: url= " http://portaldev.test.ssol.gov.in:5190/psp/por9dev/EMPLOYEE/EMPL/h/?tab=DEFA ULT" Response.Redirect(url)
Important Points: In order for IIS to be able to extract the user ID from the system we need to disable the anonymous logon. For the ASP page that we have created (Intranet Page) we need to do the following, and failure to do so will result is the variable USER_LOGON being inaccessible. 1. 2. 3. Change the authentication mode in the Web.config file to Windows as follows:<authentication mode="Windows" /> In the Internet Services Manager, right-click the .aspx file or the Web Project folder, and then click Properties. If you clicked Properties for the Web Project folder, click the Directory Security tab. If you clicked Properties for the .aspx file, click the File Security tab.
Confidential
Page 8
26/05/2009
4. 5.
Under Anonymous Access and authentication control, click Edit. In the Authentication methods dialog box, clear the Anonymous Access check box, and then select either the Basic, the Digest or the Integrated (NT Challenge/Response) check box. Click OK to close both dialog boxes.
6.
PeopleSoft Configuration
Step 1 Create Permission List for Default User Step 2 Create Role for Default User Step 3 Creating a default user profile Step 4 Configure PeopleSoft Web Profile Step 5 Create custom Single Signon PeopleCode Step 6 Configure Single Signon PeopleCode Step 1: Create and Modify Permission List for Default User We will create a new Permission List AS_SSO_PTPT1000 for Single SignOn. Its a copy of existing Permission List PTPT1000 with a slight modification that this permission List has got no Page access.
Confidential
Page 9
26/05/2009
We will modify (or create a clone) the permission list PTPT1400 as follow: In the Personalizations Tab of permission List, Deselect All the personalization for PS Internet Architecture.
Step 2 Create Role for Default User A new role AS_SSO has been created for Default User. This role will have following Permission list associated with it: AS_SSO_PTPT1000, PAPP0000, PAPP0001, PAPX0000, and PTPT1400
Confidential
Page 10
26/05/2009
Step 3: Creating a default user profile Create a default user ID using PeopleTools Security. The user ID you specify is just a temporary value used to initiate a secure connection to the application server. The application server then determines the real user ID using signon PeopleCode. The real user ID is contained in the request object, and all the other user information, such as language code, roles, and so on, is already stored in the PeopleSoft system or an LDAP directory server. For this example, we create the following user profile and password: User ID: DEFAULT Password: You should consider creating a long password that is difficult to guess. Navigate to the menu: PeopleTools > Security > User profiles > User Profiles Select the tab Add a New Value and enter the User ID (i.e. DEFAULT)
Confidential
Page 11
26/05/2009
On the first tab General, you must setup the following fields: Symbolic ID -(por9dev) Password- Current Password (por9dev_ssol$$)
Confidential
Page 12
26/05/2009
When connecting to PeopleSoft using the DEFAULT, you should get an empty homepage with no links.
Confidential
Page 13
26/05/2009
Step 4: After youve created the default user (STEP 1), you can modify the web profile to include the default user signon information. Navigate to the menu: PeopleTools > Web Profile > Web Profile Configuration And choose the Web profile currently used by your Web Server. In General tab please verify that Authentication Domain is same as SSOL Intranet Domain.
On the Security tab, to prevent a user ID from being the default user on the signon page, set the Days to Autofill User ID property on the Web Profile Configuration Security page to 0.
To modify the web profile to include the default user signon information (STEP 1), you first must enable public access to the portal. In the Public Users section of the Web Profile Configuration - Security page, select Allow Public Access to indicate that the system should not prompt users to sign on when they click a direct link to a page. When this is selected, the PeopleSoft system does not display the password page to the user. Instead, the system authenticates
Confidential
Page 14
26/05/2009
users with the values specified in the User ID and Password fields in the same section of the page. Enter the UserID and password created in Step 1 of this document.
Step 5: Create custom Single Signon PeopleCode Open Application Designer, and create a new PeopleSoft definition: a Work Record
Confidential
Page 15
26/05/2009
Add a Field to the Derived/Work Record (i.e. OPRID), this field is used to store the SSO PeopleCode.
In FieldDefault event of OPRID write following peoplecode: Function SSO_DCD() &UID = %Request.GetCookieValue("udata"); If &UID <> "" then SetAuthenticationResult( True, Upper(&UID), "", False); End-If; End-Function;
Step 6 : Configure Single Signon PeopleCode Once the custom SSO PeopleCode method is created, you need to configure it in PeopleSoft in order to initiate it on a authentication connection. Navigate to the menu: PeopleTools > Security > Security Objects > Signon PeopleCode Add a new line to the grid by click on the (+) button and configure it as follows: Invoke as : Enter a Super User ID and password (e.g PS)
Sequence: Add a sequence number Enabled: Make sure that this checkbox is selected Record: Enter the name of the custom record you created in STEP 3 (i.e. SSO_AUTH_WRK)
Confidential
Page 16
26/05/2009
Fieldname: Enter the name of the field where youve stored the Peoplecode method (i.e. OPRID) Event Name: Enter the event name where the SSO Peoplecode is stored (i.e. FieldDefault) Function name: Enter the name of the PeopleCode Function youve created in step 3 of this document (i.e. SSO_DCD) Exec. Auth. Fail: Leave this checkbox empty.
Save the component and Restart your Application Server and Web Server. (PS: To implement higher degree of Security one can pass users credential ( userid) in encrypted form and later that should be decrypted in PeopleCode before passing that value to SetAuthenticationResult function. )
Confidential
Page 17
26/05/2009
3. Appendix (SSO)
Use section 3.1 and 3.2 to create DEFAULT users Role.
Confidential
Page 18
26/05/2009
Confidential
Page 19
26/05/2009