
21/09/2016

Setting up Digital Certificates and Single Signon

This section covers the following topics:
Digital Certificates.
Single Signon.

Working With Digital Certificates
PeopleSoft takes advantage of HTTPS, Secure Sockets Layer (SSL), and digital certificates to secure the transmission of data from the web server to an end user's web browser, and also to secure the transmission of data between PeopleSoft servers and third-party servers (for business-to-business processing) over the internet.
PeopleSoft customers can implement PeopleSoft using HTTP or HTTPS. The native SSL support in commercially available web browsers and web servers is used to provide HTTPS communication between the web browser and the web server.

Why Implement SSL?
With business-to-business applications, where systems communicate with each other over the internet, data must flow securely. As such, system-to-system authentication is critical. PeopleSoft uses HTTPS and digital certificates for secure transmission of data between systems and for system-to-system authentication. The SSL implementation for secure HTTP is provided through the use of the Entrust/Toolkit for Java that is embedded within PeopleTools. This requires no additional Entrust Technologies licensing by PeopleSoft customers and is designed for use with digital certificates provided by popular certificate authorities, including Entrust and VeriSign.
PeopleSoft uses Extensible Markup Language (XML) messaging over HTTPS for its Integration Broker and Business Interlink technologies to deliver system-to-system integration over the internet. HTTPS is used to guarantee secure transmission of the XML message. The digital signature of the XML message is used for authentication between systems. With digital certificates, XML messages are digitally signed to prove that the message came from the server that created and signed the message and to prove that the message has not been altered.
The following table shows the PeopleSoft technologies that use HTTPS/SSL and how it is implemented for each technology.
Technology: PeopleSoft Portal Solutions
How used: Secure page transport
How HTTPS/SSL is provided: Uses the web server platform to provide server-side SSL.

Technology: PeopleSoft Portal Solutions
How used: Secure access to remote content providers
How HTTPS/SSL is provided: The application server uses the embedded Entrust SSL Toolkit for Java to provide the client side of the SSL connection to the gateway. Uses the web server platform to provide server-side SSL.

Technology: Integration Broker / Application Messaging
How used: Secure message transport to remote nodes
How HTTPS/SSL is provided: The application server uses the embedded Entrust SSL Toolkit for Java to provide the client side of the SSL connection to the gateway. Uses the web server platform to provide server-side SSL.

Technology: Business Interlinks
How used: Secure calls to remote data sources or modules
How HTTPS/SSL is provided: The application server uses the embedded Entrust SSL Toolkit for Java to provide the client side of the SSL connection to the gateway. Uses the web server platform to provide server-side SSL.

Technology: User Authentication
How used: Certificate-based client authentication
How HTTPS/SSL is provided: Uses web server SSL client authentication. Certificate data is passed to the application server. The application server trusts the web server's authentication. The distinguished name of the certificate is used to log on to the PeopleSoft system.

Certificate Authorities
Any time you implement SSL with mutual authentication (both client and server authenticate each other), you need the following three items:
Server certificate (issued by some trusted third party or certificate authority).
Client certificate (issued by the same trusted third party or certificate authority).
Client and server both need a copy of a root certificate for the trusted third party. The root certificate carries the authority's public key; the authority keeps the matching private key to itself and uses it to sign the client and server certificates. By using the root certificate's public key to verify the signature on the certificate the other side presents, each party is able to authenticate the other.
When you log on to an SSL server using your browser, you don't have to worry about a root certificate because root certificates come bundled with the browser. You don't have to worry about having a client certificate because, in the usual case, the web server doesn't require client-side authentication.
Important! When you are importing a digital certificate, you may receive an error message if you attempt to import the digital certificate immediately after downloading it from a certificate authority. This is due to issues related to "valid from" dates and times, and inconsistencies in time settings between different computers. PeopleSoft recommends saving the certificate to a Windows 2000/NT workstation, right-clicking on it in Windows Explorer, and selecting Open. This opens the Certificate dialog box. Examine the information regarding the "valid from" and "to" dates. Make sure those dates are valid on the application server the certificate will be installed on. The Details tab on the Certificate dialog presents the most thorough information.

Digital Certificates Page (Key Management)
Select PeopleTools, Security, Security Objects, Digital Certificates.
The Digital Certificates page displays your inventory of server-side digital certificates. This page also enables you to import new certificates from a certificate authority.
Note. For user certificates, no redundant setup of user certificates is required. With a few lines of Signon PeopleCode, you can reuse the existing PKI server you have in place.
To view details regarding a particular certificate, click Details.

http://notes02.ntc.edu/servunits/isit/PS8_peoplebooks/eng/psbooks/tsec/book.htm


Digital Certificates page

Type
Select the type of certificate.
Local Node. Select this option when you are setting up a local node for the PeopleSoft messaging system (Integration Broker).
Root CA. Select this when you are adding a new Root CA to your keystore.
Remote. Select this option when you are setting up a remote node for the PeopleSoft messaging system (Integration Broker).

Alias
Enables you to add a custom alias for identification purposes.

Issuer Alias
Contains the alias of the authority that issued the certificate.

Valid To
Shows how long the certificate is valid for use.

Detail
Launches a subpage with more certificate information. The Certificate Detail page reveals subject and certificate information so you can determine such characteristics as the serial number, the fingerprint, the encryption algorithm, and so on.
Note. Depending on the type of certificate you are adding, this link can read Add Root, Import, or Request.

Note. When you are adding a Local Node certificate and you click the Import link, the Request New Certificate page appears, in which you need to add Subject information (Organization, Locality, and so on) and Key Pair information (encryption algorithm and key size).

Configuring SSL for Integration Messaging
The following sections describe the steps you need to complete to configure Secure Sockets Layer (SSL) security for use with application messaging.
For SSL with application messaging, PeopleSoft requires SSL with client-side authentication. This means that you need all three of the certificates. The following list outlines the items that you need to complete to implement Application Messaging SSL.
Server certificate. You need to get a web server certificate and import it into the web server. The certificate can be from any certificate authority, including an internal corporate certificate authority that issues its own certificates.
Client certificate. You also need to get a client certificate. In Application Messaging, the SSL client is not the browser. The client is the application server posting the message. For the root certificate on the client (application server) side, PeopleTools bundles root certificates from the leading certificate authorities, just like web browsers and servers do. You have the option of getting other certificates for the application server and importing them into the database using the Administer Certificates page in PeopleTools Security.
Root certificate. For the root certificate, your web server came bundled with certificates from the leading certificate authorities. You may also import a root certificate from your own certificate authority.
Note. The following sections assume a general knowledge of Nodes and PeopleTools Security. Also, you should have a working knowledge of Certificate Authorities (CA) and digital certificates.
Source Node (Local Node)
The following procedure describes the steps you need to complete on the source node, the node making the HTTP message post.
To configure the source node for SSL:

1. Make sure you have the Sun Java Runtime Environment version 1.2 (JRE 1.2) installed.
2. In the application server configuration file, set the Java VM Shared Library parameter in the PSTOOLS section.
For example:
<jre install location>\bin\classic\jvm.dll

3. Clear your classpath environment variable.
For example, from the command prompt, enter:
set classpath=

4. Configure your application server using PSADMIN, and include the application messaging (pub/sub) servers.
5. Boot the application server.
6. In Portal, Node Definitions, perform the following:
Confirm that the local node is defined and marked as Default Local.
Create a node definition for the target node. Specify the URL of the gateway servlet for the remote node location. For example,
https://<webserver>/servlets/psft.pt8.gateway.GatewayServlet
Note. To use SSL, the URL scheme must be HTTPS.

7. Select PeopleTools, Security, Security Objects, Digital Certificates, and add a Root CA for the certificate.
Create a new Node certificate. If the root certificate for the CA you are going to obtain the node certificate from is not already in the keystore, import it:
Add a new row.
Select Root CA for the certificate type.
Enter the certificate alias.
Click on the Request link.

Paste the base64-encoded X.509 certificate data into the form. It should look something like the following example:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Click OK.

8. Also on the Digital Certificates page, click the Detail link for the new root certificate, and perform the following:
Confirm that the information is correct.
Add a new row.
Select Local Node for the certificate type.
Enter the name of the local message node for the certificate alias.
Enter the root CA alias for the issuer alias, or select one from the drop-down list.
Click the Import link.
Fill in the certificate request form.
Click OK.

9. Send the request form to the CA.
Copy the generated certificate signing request. You may want to save it to a file. If you lose this information, you have to delete the certificate and start over.
Click OK.
Submit the certificate signing request to the CA of your choice. This process varies for each CA.
The CA verifies the information in the certificate request, signs the certificate with its private key, and returns the signed certificate to you.

10. When you receive the signed certificate from the CA, go to the Digital Certificates page and perform the following:
Click Import for the new node certificate.
Paste the base64-encoded, formatted X.509 certificate data into the form.
Click OK.
Click the Detail link for the new node certificate, and confirm that the information is correct.
Target Node
The following procedure describes the steps you need to complete for the target node.
Note. The following steps need to be completed on the target node.
To configure the target node for SSL:

1. In Portal, Node Definitions, confirm that the local node exists.
2. Create a Node definition for the source node.
3. Set the Distinguished Name (DN) to reflect the subject DN for the source node certificate.
For example,
CN=cdodtx, OU=Appserv, O=My_organization, L=Pleasanton, ST=California, C=US
You can obtain the DN information in two ways:
Viewing the certificate information on the Digital Certificates page.
Importing the source node certificate using your browser. This applies when you do not have access to the application server for the source node. Otherwise, use the PeopleTools Security interface.
Web Server
To enable SSL security for integration messaging, you also need to perform the following tasks on your web server:
Configure SSL for the web server.
Enable SSL with client authentication.
Configure the gateway lookup entry for the destination node.

Setting Up Single Signon
PeopleSoft supports single signon within PeopleSoft applications. Within the context of your PeopleSoft system, single signon means that after a user has been authenticated by one PeopleSoft application server, that user can access a second PeopleSoft application server without entering an ID or a password. Although the user is actually accessing different applications and databases, the user navigates seamlessly through the system. Recall that each suite of PeopleSoft applications, such as HR or CRM, resides in its own database.
Note. The PeopleSoft single signon solution applies only to PeopleSoft applications.
After the first application server/node authenticates a user, PeopleSoft delivers a web browser cookie containing an authentication token. PIA uses web browser cookies to store a unique access token for each user after they are authenticated initially. When the user connects to another PeopleSoft application server/node, the second application server uses the token in the browser cookie to reauthenticate the user behind the scenes, so they don't have to complete the signon process again.
Single signon is critical for PeopleSoft portal implementations because the portal integrates content from various data sources and application servers and presents them in a unified interface. When users sign on through the portal, they always take advantage of single signon. Users need to sign on once and be able to navigate freely without encountering numerous signon screens. Because single signon is so integral to the portal, you always need to configure it before deploying a live portal solution.


Note. The browser cookie is an in-memory cookie and is never written to disk. The cookie is also encrypted to prevent snooping, and it carries a signature (a hash over the token's fields and the node password, described below) so that tampering is detected.
The following table presents the fields that appear in the PeopleSoft authentication token.

Field: User ID
Description: This field contains the user ID of the user to which the server issued the token. When the browser submits this token for single signon, this is the user that the application server logs on to the system.

Field: Language Code
Description: This field specifies the language code of the user. When the system uses this token for single signon, it sets the language code for the session based on this value.

Field: Date and Time Issued
Description: This field specifies the date and time the token was first issued. The system uses this field to enforce a timeout interval for the single signon token. Any application server that accepts tokens for signon has a "timeout minutes" parameter configured at the system level. A system administrator sets this parameter using the PeopleTools Security, Single Signon page. The value is in Greenwich Mean Time (GMT), so it does not matter which time zone the application server is in.

Field: Issuing System
Description: This field shows the name of the system that issued the token. When it creates the token, the application server retrieves this value from the database. Specifically, it retrieves the defined Local Node. Single signon is not related to Integration Broker messaging, except for the fact that single signon functionality leverages the messaging concept of nodes and local nodes. You configure a node only to "trust" single signon tokens from specific nodes. Consequently, an application server needs a value for "issuing system" so that it can check against its list of trusted nodes to see if it "trusts" the issued token.

Field: Signature
Description: This field contains a digital signature that enables the application server using a token for single signon to ensure that the token hasn't been tampered with since it was originally issued. The system issuing the token generates the signature by concatenating the contents of the token (all the fields that appear in this table) with the message node password for the local node. Then the system hashes the resulting string using the SHA-1 hash algorithm. For example ("+" means concatenation),
signature = SHA1_Hash(UserID + Lang + DateTime issued + IssuingSystem + LocalNodePswd)

There is only one way to derive the 160 bits of data that make up the signature, and this is by hashing exactly the same User ID, Language, DateTime, Issuing System, and node password. In other words, only a party that knows the issuing node's password can produce or verify a valid signature, which is why that password must be kept secret and must be identical in every database that trusts the node.
Note. If you are using digital certificate authentication, the signature of the digital certificate occupies this space. The above description applies to password authentication only.
Note. Single signon does not depend on LDAP directory authentication. You can implement single signon and not LDAP, you can implement LDAP and not single signon, or you can implement both LDAP and single signon.
The key security features of the cookie authentication token are:
The cookie exists in memory; it is not written to disk.
There is no password stored in the cookie.
You can set the expiration of the cookie to be a matter of minutes or hours, which limits the window in which an intercepted token could be replayed.

Working with the Single Signon Page
The following topics describe the settings you modify when implementing single signon.

Single Signon Page

Expiration time in minutes
You need to set an expiration time for tokens this system accepts for authentication. Otherwise, a user who has been authenticated once could remain signed on to the system with the token for as long as the system stays up and running. You can set the authentication interval to be minutes, hours, or days depending on your signon strategy.
The value is in minutes. For example, 480 minutes is 8 hours. This is a global setting for all users of your PeopleSoft system that get issued the cookie. A short expiration period is more secure, but less convenient because users need to enter their passwords more frequently.
The system accepting the token controls the expiration time, not the issuing system. For instance, suppose Node HRMS_WEST, which has an expiration time of 100 minutes, issues a token to a user. Then let's say the user attempts to use that token to sign on to Node FIN_EAST, which has an expiration time set to 60 minutes. In such a situation, if a period greater than 60 minutes has transpired, then Node FIN_EAST rejects the token. When a node rejects a single signon token, the system prompts the user to enter a user ID and password on the standard signon screen.
Note. This expiration time is separate from the timeouts you specify in the Permission Lists and the web server configuration files.

Message Node name
Shows the name of the Message Node. In order to "share" authentication tokens between nodes, the nodes need to "trust" each other. By adding a node to this grid, you indicate that a particular node is known to the system and trusted. When a node is trusted, the local node accepts tokens issued by it.
By default, no nodes appear in the "trusted" nodes list. If you want to implement single signon, you need to explicitly configure your system to support it by adding trusted nodes.
First, you need to add the local node to the grid, as a node must be able to trust its own tokens. When you sign on to the portal, the system authenticates users with a single signon token issued by the local system. The portal won't be able to sign on unless the local node is trusted.
Then you add the names of other nodes in the system that should be trusted.
Note. You define nodes in Portal, Node Definitions.

Local Node
Indicates whether the node is local or not.

Note. After you update the list of trusted nodes, the system automatically recognizes the new list. Rebooting the application server is not required.

Defining Nodes for Single Signon
You set up node definitions using the Portal, Node Definitions interface.


Defining nodes for single signon

The two options related to single signon are:
Authentication Option
Determines how nodes in a single signon configuration authenticate other nodes in the same configuration. You have the following options:
None. Specifies no authentication between nodes.
Password. Indicates that each node in the single signon configuration authenticates other nodes by way of knowing the password for each node. For example, if there are three Nodes (A, B, and C), the password for Node A needs to be specified in the node definition on Node A, B, and C.
Certificate. Indicates that a digital certificate authenticates each node in the single signon configuration. PeopleSoft recommends using certificate authentication for single signon. For certificate authentication, you need to have the following in the keystore in the database for each node:
Certificate for each node.
Root certificate for the CA that issued the certificate.
Important! For single signon, the alias for the certificate of a node needs to be the same as the node name.
And, you must set up your digital certificates before you set the Authentication Option to certificate authentication.

Default Local Node
The default local node is used specifically for setting up single signon. This indicates that the current node represents the database you're signed on to. The options you set for single signon should be made on the default local node.

Sample Single Signon Transaction
Now that you have a general understanding of why a single signon implementation is useful and some of the details involved with PeopleSoft single signon, this section presents an example of how the PeopleSoft single signon scheme works.
Suppose there are two databases, or nodes: an HRMS database and a Financials database. Recall that the terms database and node are synonymous. Each database has one application server and one web server. The following steps describe the "under the covers" events that occur when a user signs on to the HRMS database, completes a transaction, and then clicks a link that targets a page in the Financials database.
Step 1: User Signs on to HRMS Application
User PTDMO goes to link http://HRMS.peoplesoft.com/peoplesoft8/signon.html
User enters ID and Password at the signon page, clicks login.
Step 2: Application Server Authenticates User
Web server relays login request to HRMS application server.
Application server authenticates the user.
Step 3: Application Server Generates Single Signon Token
If the signon attempt to the HRMS application server is successful, the application server generates a single signon token. This token contains the following fields: User ID, Language Code, Date and Time Issued, Issuing System, and Signature.
Application server encrypts and encodes the token (base64).
Application server sends the token to the web server, along with a return code indicating that the system authenticated the user.
Step 4: Web Server Creates Cookie in User's Browser
When the web server receives the single signon token from the application server, it creates a cookie and inserts the cookie in the user's browser.
If the browser is configured to show the Security Alert dialog, then the user sees a message similar to the following example. In most cases, you don't configure browsers to show this dialog; the dialog box is just an example of the data that the browser receives.

Message Alerting User about the Cookie

The cookie that the web server distributes for PeopleSoft single signon is named PS_TOKEN. In this case the domain rtsun23.peoplesoft.com set the cookie.
Notice that the cookie expires at the end of the session. This indicates that the system never writes the cookie to disk; the cookie exists in the memory of the browser for the duration of the session.
The web server inserts the single signon token within the "Data" field of the cookie. So that the system can send the binary data across the HTTP protocol, the token data is encrypted and base64 encoded.
Step 5: User Needs to Access Financial Application
After the user completes a few transactions in the HRMS system, suppose they arrive at a page containing a link to the Financial system. The user clicks the link, and because they've already signed on (entered their ID and Password) to the HRMS system, they don't need to sign on again.
The user's browser sends the PS_TOKEN cookie to the Financials web server.
Step 6: Financials Web Server Receives PS_TOKEN Cookie
The Financials web server detects that the user hasn't been authenticated by the Financials system yet; however, because the web server received the signon cookie, it does not display the signon page.
To retrieve the page the user requested (by way of the link in the HRMS application), the Financials web server attempts to connect to the Financials application server. It only passes the Data field from the PS_TOKEN cookie; the application server only needs the information in the Data portion.
Step 7: Financials Application Server Authenticates PS_TOKEN
The Financials application server performs the following checks against the PS_TOKEN Data field before allowing the user to connect:


Trusted Node? The application server checks to see that the message node name listed as the "Issuing System" is a "trusted" node. The list of trusted nodes for the Financials system resides in the PSTRUSTNODES table. You configure the list using PeopleTools, Security Objects, Single Signon. The Single Signon page enables the administrator of the Financials system to "trust" authentication tokens generated from HRMS as well as any other nodes deemed "trusted."
Has the token expired? The application server checks that the authentication token hasn't expired. Using the Issued Date and Time field within the token, the Financials application server makes sure that the token was issued no more than "timeout minutes" before the current time. You configure a token's expiration time on the Single Signon page.
Note. It is important to note that the expiration parameter specified in the Financials system is the relevant value, not the expiration value specified in HRMS. This enables the Financials administrator to control the maximum age of an acceptable token. It's also important to consider that all times are in Greenwich Mean Time (GMT), so it doesn't matter what time zones the systems are in.
Has the signature been tampered with? The application server checks that the signature is valid. The Financials application server takes all the fields in the token and the Node password for the issuing node and generates a hash. The token is valid only if the signature within the token exactly matches the one generated by the Financials application server. Because an exact match is the only acceptable situation, Financials can be sure that HRMS generated the token, and that it hasn't been tampered with since it was generated. If a hacker intercepted the token in transit and changed the User ID, Language, and so on, the signatures wouldn't match, and as a result the Financials application server would reject the token.
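The following Python program is an added worked example, not PeopleSoft code, that carries the token description and the three Step 7 checks above through end to end: HRMS issues a five-field token signed as SHA-1 over the fields plus its node password, and Financials accepts or rejects it on trust, age and signature. Everything it assumes is marked: the field separator and text encodings (the page only says the fields are concatenated), the JSON container, the node names, passwords and timeout values (constructed sample data), and the omission of the page's encryption step, whose cipher is not documented. The names and times are illustrative only.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the page). With the Password authentication
# option, every database that trusts node HRMS must hold the same password for
# HRMS in its node definition; these are the shared secrets of the scheme.
NODE_PASSWORDS = {"HRMS": "hrms-node-password", "FIN": "fin-node-password"}

# Financials' Single Signon page settings: trusted nodes and timeout minutes.
FIN_SSO = {"trusted_nodes": {"FIN", "HRMS"}, "timeout_minutes": 60}

# Fixed clock for the worked example, expressed in GMT as the page requires.
SAMPLE_ISSUED_AT = datetime(2016, 9, 21, 12, 0, tzinfo=timezone.utc)
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def minutes_after_issue(minutes):
    """Clock value `minutes` after SAMPLE_ISSUED_AT (demo helper)."""
    return SAMPLE_ISSUED_AT + timedelta(minutes=minutes)


def token_signature(user_id, lang, issued, issuing_system, node_password):
    """signature = SHA1(UserID + Lang + DateTime issued + IssuingSystem + node password).
    The '|' separator and UTF-8 encoding are assumptions; the page says only
    that the fields are concatenated."""
    material = "|".join([user_id, lang, issued, issuing_system, node_password])
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def issue_token(user_id, lang, issuing_system, now):
    """Issuing node builds the five-field token and base64-encodes it for the
    Data field of the PS_TOKEN cookie. The page also encrypts the token; the
    cipher is not documented, so that step is omitted here (assumption)."""
    issued = now.astimezone(timezone.utc).strftime(TIME_FORMAT)
    token = {
        "user_id": user_id,
        "lang": lang,
        "issued": issued,
        "issuing_system": issuing_system,
        "signature": token_signature(user_id, lang, issued, issuing_system,
                                     NODE_PASSWORDS[issuing_system]),
    }
    return base64.b64encode(json.dumps(token).encode("utf-8")).decode("ascii")


def verify_token(token_b64, sso_config, node_passwords, now):
    """Accepting node applies the three Step 7 checks in the page's order.
    Returns (user_id, None) on success or (None, reason) on rejection."""
    try:
        token = json.loads(base64.b64decode(token_b64))
        issuer = token["issuing_system"]
        issued = datetime.strptime(token["issued"], TIME_FORMAT).replace(tzinfo=timezone.utc)
    except (ValueError, KeyError, TypeError):
        return None, "malformed token"
    # 1. Trusted node? Decided by the accepting node's own trusted-node list.
    if issuer not in sso_config["trusted_nodes"] or issuer not in node_passwords:
        return None, "untrusted node"
    # 2. Expired? The accepting node's timeout applies, not the issuer's.
    age = now.astimezone(timezone.utc) - issued
    if age > timedelta(minutes=sso_config["timeout_minutes"]):
        return None, "expired"
    # 3. Signature valid? Recompute with the issuer's node password and compare in
    # constant time; any altered field or wrong password produces a mismatch.
    expected = token_signature(token["user_id"], token["lang"], token["issued"],
                               issuer, node_passwords[issuer])
    if not hmac.compare_digest(expected, token["signature"]):
        return None, "bad signature"
    return token["user_id"], None


def tamper_user_id(token_b64, new_user_id):
    """An interceptor without the node password rewrites User ID in transit."""
    token = json.loads(base64.b64decode(token_b64))
    token["user_id"] = new_user_id
    return base64.b64encode(json.dumps(token).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    tok = issue_token("PTDMO", "ENG", "HRMS", now=SAMPLE_ISSUED_AT)
    print(verify_token(tok, FIN_SSO, NODE_PASSWORDS, now=minutes_after_issue(30)))
    print(verify_token(tok, FIN_SSO, NODE_PASSWORDS, now=minutes_after_issue(61)))
    print(verify_token(tamper_user_id(tok, "VP1"), FIN_SSO, NODE_PASSWORDS,
                       now=minutes_after_issue(1)))
```

Two points the code makes concrete: the 61-minute case is rejected by Financials' own 60-minute timeout no matter what HRMS configured, and a token whose User ID was rewritten fails the signature check because the interceptor cannot recompute the hash without the node password. Since the page's construction is a plain SHA-1 over fields and a shared secret rather than a keyed MAC, the whole scheme rests on that password staying secret; the example uses hmac.compare_digest for the comparison so that the check itself does not leak timing information.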
Note. PeopleSoft recommends using digital certificate authentication when implementing single signon.
See Also
Working With Digital Certificates

Single Signon Configuration Examples
The following topics describe examples of single signon configurations and the steps required to implement them.
One Database and Two Web Servers
In this scenario there is one database and two or more web servers. While single signon is configured at the database level (that is, you specify timeout minutes and trusted nodes for the entire database), it's actually used any time two different PeopleSoft servlets connect to the same database.
To set up single signon with one database and multiple web servers:

1. Select PeopleTools, Portal, Node Definitions and make sure that at least one node is defined as the Default Local Node.
In the results on the search page, you can determine this by looking for a Y in the Default Local Node column.

2. Select PeopleTools, Security, Security Objects, Single Signon and set the following:
Make sure the Default Local Node appears in the list under Trust Authentication Tokens issued by these Nodes.
Set the timeout minutes to an appropriate value (the default is 720).

3. Open the configuration.properties file for each web server and modify the AuthTokenDomain property.
Because single signon is implemented using browser cookies, it must be configured so that the user's browser sends the single signon cookie to each web server machine involved. By default, the browser only sends cookies back to the machine that set the cookie. So if web server a.peoplesoft.com sets a cookie after the user is authenticated, the browser (by default) only sends the cookie to a.peoplesoft.com. By default, the browser would not send the cookie to b.peoplesoft.com. To make the browser send the single signon cookie to all servers in a domain (peoplesoft.com), modify the AuthTokenDomain property as follows.
AuthTokenDomain=.peoplesoft.com

Note. You need the leading period (.) before the domain. It should appear as ".peoplesoft.com", not "peoplesoft.com".
Also, if you only use one web server, then you don't need to modify the AuthTokenDomain property. A web server is designed to accept the cookies it distributes.
Two Databases and Two Web Servers
To set up single signon with multiple databases and multiple web servers:

1. Select PeopleTools, Portal, Node Definitions for each node that you want to involve in the single signon configuration and check the following:
Make sure that at least one node definition is defined as the Default Local Node for each database. In the results on the search page, you can determine this by looking for a Y in the Default Local Node column.
Make sure that each database contains a node definition for the other nodes in the single signon configuration.
Make sure that the Authentication Option is set correctly. For example, if you are using password authentication, make sure that the node password for node 'X' is the same in each node definition for node 'X' in each database.
Note. PeopleSoft recommends using digital certificate authentication. Make sure the certificates are properly installed in the PeopleSoft Keystore before setting the node's Authentication Option to Certificate.

2. Select PeopleTools, Security, Security Objects, Single Signon and set the following:
Make sure the Default Local Node appears in the list under Trust Authentication Tokens issued by these Nodes.
Set the timeout minutes to an appropriate value (the default is 720).

3. Open the configuration.properties file on each web server and modify the AuthTokenDomain property.
Because single signon is implemented using browser cookies, it must be configured so that the user's browser sends the single signon cookie to each web server machine involved. By default, the browser only sends cookies back to the machine that set the cookie. So if web server a.peoplesoft.com sets a cookie after the user is authenticated, the browser (by default) only sends the cookie to a.peoplesoft.com. By default, the browser would not send the cookie to b.peoplesoft.com. To make the browser send the single signon cookie to all servers in a domain (peoplesoft.com), modify the AuthTokenDomain property as follows.
AuthTokenDomain=.peoplesoft.com
See Also
Incorporating LDAP Directory Services
Working With Digital Certificates
Single Signon with Third-Party Authentication
This section presents a simple example of how to implement single signon when you have implemented a third-party authentication system at the web server level. This applies to both portal and intranet web servers.
Note. This example does not cover authentication. This example assumes that you have set up your third-party authentication correctly. Third-party authentication is out of the scope of PeopleSoft support and documentation.
Also, this discussion assumes that you have set the byPassSignon, defaultUSERID, and defaultPWD properties in the configuration.properties file for the appropriate site.
For PeopleSoft application single signon, the PeopleSoft system needs to know the user ID to be used for the web session. If implementing this configuration, you are required to address the following:
1. Authenticate the web user.


2. Determine which PeopleSoft User ID to use for this web user.
3. Send the User ID to the PeopleSoft application server.
4. Write signon PeopleCode to retrieve the User ID from wherever step 3 sent it.
5. Reauthenticate the User ID during signon PeopleCode.
6. Indicate to the PeopleSoft application server that it should use the User ID for all subsequent service requests.
The following examples address items 3, 4, and 6.
The following HTML applies to step 3 above. You can change the JavaScript function to set the cookie name and value that you want. Also, change the location to point to the PeopleSoft page to which you want to redirect users. For example,
<html>
<head>
<title>PeopleSoft 8 Single Sign-On Example</title>
</head>
<!--
PeopleSoft 8 Single Sign-On Example
In this example, security is nonexistent. In a production
system, the UserId could come from your site's single signon
tool. Other information could also be included. For this
example, only the UserId is saved into a cookie. This cookie then
gets sent to the PIA Web Servlet, which passes it on to the
PeopleSoft Application Server. A piece of signon PeopleCode is
needed to extract the UserId from the cookie and call
SetAuthenticationResult in order to "sign on" the user.
o Change the domain value of the cookie to your domain.
o Change the location ref to the target URL within your PeopleSoft site.
-->
<body>
<script language="JavaScript">
// Cookie attributes are separated by "; ". Max-Age=1 keeps the cookie alive
// for one second, long enough for the redirect below to carry it to the servlet.
var cookie = "ThirdPartyUserId=PS; Domain=.peoplesoft.com; path=/; Max-Age=1";
document.cookie = cookie;
location = "https://hrms.peoplesoft.com/servlets/iclientservlet/hrdb/?ICType=Panel&Menu=ROLE_EMPLOYEE&Market=GBL&PanelGroupName=IT_TIME_OFF&RL=&target=main1";
</script>
</body>
</html>

The following Signon PeopleCode example applies to steps 4 and 6 above. The Signon PeopleCode needs to retrieve &UserID from where the third-party portal put it in the HTTP request. Note that this example performs no reauthentication (step 5): it accepts whatever value arrives in the ThirdPartyUserId cookie, and a browser cookie can be set by the user, so production code must verify the identity before calling SetAuthenticationResult. For example,
Function SSO_EXAMPLE()

   /* This is step 4 */
   &TPUserId = %Request.GetCookieValue("ThirdPartyUserId");
   /* This is step 6 */
   If &TPUserId <> "" Then
      SetAuthenticationResult( True, &TPUserId, "", False);
   End-If;
End-Function;

After you write the program, you need to enable the program using the Signon PeopleCode page (PeopleTools, Security, Security Objects, Signon PeopleCode).

Single Signon Configuration Considerations
The following topics describe some items you may want to consider as you implement your single signon configuration.
Single Domain Limitation
Web servers must be part of the same domain, and the server name in the URLs used to access them must contain the domain name. Browsers only send cookies back to the same domain from which they received the cookie.
Furthermore, the server that generates the cookie needs to have the domain that shares the PS_TOKEN cookie specified in the configuration.properties of the local PIA web site. For example, in the context of our HRMS to Financials example, the configuration.properties file in the peoplesoft8 directory for the HRMS web server must contain the following value for the AuthTokenDomain parameter:
AuthTokenDomain=.peoplesoft8.com

Note. You must specify the leading dot (.).
The single domain issues occur in the following situations:
You're using straight PIA, as in you are deploying applications but not by way of the portal.
You're using the portal with frame-based templates. All PeopleSoft portal solutions products (Enterprise, Employee, Customer, Supplier portals) are built using frame-based templates.
Frame-based templates aren't proxied automatically. Proxying refers to when the system rewrites the URL to point to a location on the portal servlet, rather than the original location of the URL.
Single Signon Between Machines without DNS Entries
If you're setting up single signon between machines that don't have DNS entries, you need to modify the "hosts" file on the machine that's running the web browser. For example, let's say that you are using machine a.peoplesoft.com to sign on to the web server a.peoplesoft.com, and then access b.peoplesoft.com using single signon. In this situation, you would need to update the "hosts" file on a.peoplesoft.com as follows.
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
216.131.221.88  a.peoplesoft.com
216.131.221.33  b.peoplesoft.com

See Also
PeopleSoft PeopleBooks: "Portal Technology"
Domain Names
You need to use a fully qualified domain name when addressing the web server in your browser. For example, you would need to enter the following:
http://hrms.peoplesoft.com/peoplesoft8/signon.html

as opposed to the following:
//hrms/peoplesoft8/signon.html

When using the portal, the domain name that you specified in the Portal URI Text edit box on the Content Provider administration pages needs to match the fully qualified domain
name you entered for the authtoken domain. For instance, as shown in the following example, you would need to specify serverX.peoplesoft.com, not serverX/servlets.
Cross Domain Single Signon
The current PeopleSoft single signon solution deals mainly with systems where there is only one DNS domain. Many sites need to deploy the PeopleSoft Portal in multi-domain
environments. For instance, you might want to have the portal in one domain (www.PSFT_ecenter.com, for example) and the HRMS database in another domain, such as
www.yourcompany.com.
While there is no "out of the box" solution for this implementation currently, you can configure your environment to support cross-domain single signon by completing the following
configuration tasks.
Set up a third-party web security product that supports multi-domain single signon and supports LDAP user profiles. There are several industry standard products on the
market.
Configure the portal and content provider web servers to "trust" the web server for authentication. For PeopleSoft, this involves enabling the ByPassSignon feature.
Set up the PeopleSoft systems to download the user profiles from the same LDAP server that the web security product uses. This means that the DN that comes from the
subject field of the certificate has to be a valid DN for the directory that the LDAP_profilesynch() function references. Because of this you need to build a user profile cache
map that points to the same directory that generated the subject's DN.
Note. This cross-domain limitation does not apply to the portal if the content from the provider in a different domain is wrapped in an HTML template. However, this limitation does
apply for any content in the portal that is wrapped in a frame template. Because the Enterprise, Customer, Supplier, and Employee portals shipped with PeopleTools all include
frame templates as defaults, you'll need to perform the extra configuration steps to support cross-domain single signon in multi-domain environments. This limitation also applies to
PIA-to-PIA (iClient-to-iClient) single signon.

Making the PeopleSoft Single Signon Token Secure
PeopleSoft single signon functionality also applies at the web server level. For example, let's say that you have two web servers: server X and server Y. Assume that web server X
is a Secure Sockets Layer (SSL) site, and assume that web server Y is not. In these situations, many sites want server Y to "trust" the authentication token, PS_TOKEN, issued
by server X. This requires that the PS_TOKEN be set to be "secure."
If the PS_TOKEN is not marked as "secure," then when a user signs on through server Y, the browser sends PS_TOKEN to server Y over the unencrypted, non-SSL link. This is
typical behavior for browsers when dealing with "non-secure" cookies. Potentially, in this situation a hacker could "sniff" this token from the clear network and use it to sign on to the
SSL-secure server X.
Another important use of this feature relates specifically to the PeopleSoft Portal. When the portal proxies content with an HTML template, it should only forward PS_TOKEN
cookies that are marked "secure" over SSL connections.
To resolve this potential security issue, PeopleSoft offers a new parameter in the configuration.properties file to make the PS_TOKEN cookies secure. The new parameter appears
in the Portal settings of the configuration.properties file.
UseSecureCookieWithSSL=true

The valid values to assign to this parameter are "true" or "false". You use it to control the "secure" attribute of the single signon cookie. If you set this to "true" and the scheme of
the current request is HTTPS (an SSL server), the system sets the "secure" attribute of the single signon cookie (PS_TOKEN) to "true". This prevents the single signon token from
travelling over an insecure network.
Note. If you set UseSecureCookieWithSSL to true, you are effectively disabling single signon to any non-SSL servers.
If, at your site, you want users to sign on to an HTTPS server, and then want to do single signon with HTTP servers, set this property to false, which allows single signon between
HTTPS and HTTP servers.
Note. If you can tolerate the security risk, and want single signon between secure and non-secure links, you can set this flag to "false". However, before doing this you need to
make sure you are aware of all the security implications, such as that the security of the HTTPS server may be compromised.
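The two browser rules this section and the Single Domain Limitation and Domain Names sections depend on can be modelled in a few lines. The following Python is an added example, not PeopleSoft code: it builds the Set-Cookie header the way the documented UseSecureCookieWithSSL rule describes (Secure only when the setting is true and the request arrived over HTTPS), and then decides whether a browser would return that PS_TOKEN cookie to a given URL, checking the AuthTokenDomain scope (leading dot required) and the Secure attribute. The host names, token value and URLs are constructed for the demonstration.

```python
"""Model of how a browser scopes the PS_TOKEN single signon cookie.

Added example (not PeopleSoft code). Two rules are implemented:
  - domain scope: the cookie is returned only to hosts that equal, or are
    subdomains of, the AuthTokenDomain value (e.g. ".peoplesoft8.com");
  - Secure attribute: a Secure cookie is returned only over HTTPS, which is
    what UseSecureCookieWithSSL=true buys you on an SSL server.
All host names, URLs and the token value below are constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str   # copied from AuthTokenDomain, e.g. ".peoplesoft8.com"
    secure: bool  # True when the Secure attribute was set


def set_cookie_header(token: str, auth_token_domain: str,
                      use_secure_cookie_with_ssl: bool, request_scheme: str) -> str:
    """Build the Set-Cookie header the web server issues after signon.

    The Secure attribute is added only when UseSecureCookieWithSSL is true AND
    the current request is HTTPS, matching the documented behaviour.
    """
    if not auth_token_domain.startswith("."):
        raise ValueError("AuthTokenDomain must start with a leading dot")
    header = f"PS_TOKEN={token}; Domain={auth_token_domain}; Path=/"
    if use_secure_cookie_with_ssl and request_scheme.lower() == "https":
        header += "; Secure"
    return header


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header of the shape produced above (simple parser)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, secure = "", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain":
            domain = val
        elif key.lower() == "secure":
            secure = True
    return Cookie(name, value, domain, secure)


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Browser domain-match: host equals the cookie domain or is below it.

    A bare host name such as "hrms" carries no domain suffix, so it never
    matches ".peoplesoft8.com"; this is why a fully qualified name is needed.
    """
    host = host.lower().rstrip(".")
    suffix = cookie_domain.lower().lstrip(".")
    return bool(suffix) and (host == suffix or host.endswith("." + suffix))


def browser_sends(cookie: Cookie, request_url: str) -> bool:
    """Would the browser attach this cookie to a request for request_url?"""
    url = urlsplit(request_url)
    if not url.hostname or not domain_matches(url.hostname, cookie.domain):
        return False          # different DNS domain, or no domain at all
    if cookie.secure and url.scheme.lower() != "https":
        return False          # Secure cookie never travels over plain HTTP
    return True


if __name__ == "__main__":
    # Token issued by an HTTPS server X with UseSecureCookieWithSSL=true
    hdr = set_cookie_header("SAMPLE-TOKEN", ".peoplesoft8.com", True, "https")
    ck = parse_set_cookie(hdr)
    for target in ("https://fin.peoplesoft8.com/servlets/psp",   # same domain, SSL
                   "http://fin.peoplesoft8.com/servlets/psp",    # same domain, no SSL
                   "https://www.yourcompany.com/",               # other domain
                   "https://hrms/peoplesoft8/signon.html"):      # bare host name
        print(f"{target:45} -> {'sent' if browser_sends(ck, target) else 'withheld'}")
```

With UseSecureCookieWithSSL set to true, the model shows the token reaching the HTTPS Financials server but being withheld from the same server over HTTP, which is exactly the "single signon to non-SSL servers is disabled" effect the note above describes; setting the flag to false removes the Secure attribute and the token is sent over both schemes.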

Single Signon API Support
PeopleSoft delivers a component interface named PRTL_SS_CI that enables external applications to seamlessly integrate a single signon solution with the PeopleSoft portal
applications. This makes sure that users who have already signed on to the portal don't have to sign on again for every system you reference in your portal.
To take advantage of the Single Signon API, you need to create a custom API, which includes building the dynamic link libraries, classes, and registry settings necessary to enable
an external application to communicate with PeopleSoft. Only external applications, such as COM or C/C++ programs, require a component interface API. PeopleCode programs
do not require a component interface API, and in fact, we do not recommend building a component interface API if the component interface is to be accessed from PeopleCode
only.
The files of your custom API need to reside on the client machine, that is, the web server for ASP, and the machine running the Java program for Java. The registry file may also
need to be executed to update the registry with the new libraries.
Understanding the Signon Process with the API
The PRTL_SS_CI Component Interface contains two user-defined methods:
Authenticate(). Your external authentication program distributes an authentication token that can be retrieved from a cookie in the browser. The Authenticate function
determines if an authentication token is valid.
GetUserID(). If the token is valid, you use the GetUserID function to retrieve the User ID associated with the authentication token.
Before we describe the development requirements of your API, PeopleSoft recommends that you take a moment to examine the steps that occur internally when you use the API in
conjunction with the delivered PRTL_SS_CI.
Step  Description
1.    The user enters the User ID and password into the PeopleSoft Portal signon page.
2.    If the login on the portal application server is successful, the server generates a single signon token. The web server receives the single signon token from the application
      server, and issues a cookie to the browser.
3.    The user navigates in the portal and encounters a hyperlink to the external system. The user clicks on the link.
4.    The browser passes the PS_TOKEN cookie to your external web server.
5.    The external web server checks for the PS_TOKEN cookie before displaying a signon page.
6.    Once it is determined that the user is accessing your application through the PeopleSoft portal, you retrieve the authentication token and send it to the PRTL_SS_CI
      component interface to verify authentication. For instance,
      Call PRTL_SS_CI.Authenticate(Auth.tokenstring)
7.    After the system authenticates the token, the system can then make calls to the PRTL_SS_CI.Get_UserID() function to return the appropriate User ID.

Developing your External Application to Support Single Signon
Developers of the external applications need to alter the signon process to conform to the following requirements.
1. Check for the PS_TOKEN cookie. If the cookie doesn't exist, continue with your normal signon process. Otherwise, bypass the signon screen.
2. Retrieve the authentication token from the PS_TOKEN cookie.
3. Make a connection to PeopleSoft through the PRTL_SS_CI API.
4. Pass the authentication token to the Authenticate() function of the API.
5. If Authenticate() returns True, you then retrieve the User ID associated with the authentication token by using the Get_UserID() function.
For example, the following PeopleCode walks through the process of validating your authentication token and retrieving the user's User ID. The following sample is designed to
provide a general idea of the process involved and help you to incorporate the PRTL_SS_CI API into your signon process.

Local ApiObject &THISSESSION;
Local ApiObject &THISCI;
Local string &AUTHTKN;

/* Assigns the Authentication Token to a variable */
&AUTHTKN = %AuthenticationToken;

/* Open a session and make a connection */
&THISSESSION = GetSession();
If &THISSESSION.connect(1, "EXISTING", "", "", 0) <> True Then
   WinMessage(MsgGet(30000, 1, "Session Connect Failed."));
   Exit (1);
End-If;

/* Retrieves the component interface PRTL_SS_CI */
&THISCI = &THISSESSION.GetCompIntfc(CompIntfc.PRTL_SS_CI);

/* Checks to see if the component interface is NULL (for example, no Component Interface Security access) */
If &THISCI = Null Then
   WinMessage("Component Interface PRTL_SS_CI not found. Please ensure Component Interface Security access is granted to this user.");
   Exit (1);
End-If;

/* Key fields would usually be set before the Get() function is called in order to map the component interface to a particular set of data. This component in... */
&THISCI.Get();
PRTL_AUTH = &THISCI.Authenticate(&AUTHTKN);
PRTL_USER_ID = &THISCI.Get_UserID();

Note. The component interface is not mapped to data because the key field for the data would be the authentication token. This token is dynamically assigned when the user signs
on to the portal, and it is not stored anywhere in the system as data. Therefore, there are no key fields and the token is passed directly to the user-defined functions.
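The five requirements above are a decision procedure for the external application's signon handler, and the part worth getting right is the failure path: a PS_TOKEN cookie that is missing, or that PeopleSoft's Authenticate() rejects, must fall through to the normal signon page rather than grant access. The following Python is an added example, not PeopleSoft code or the PRTL_SS_CI API itself: `Authenticator` is the two-method interface this handler needs from the component interface (authenticate, get_user_id), and `ConstructedAuthenticator` is an in-memory stand-in holding a constructed set of valid tokens so the flow can be run offline. In a real deployment that object would wrap the PRTL_SS_CI calls made through your custom API.

```python
"""Signon decision for an external application fed by the PeopleSoft portal.

Added example (not PeopleSoft code). Implements the documented requirements:
  1/2. look for PS_TOKEN in the browser's Cookie header and extract the token;
  3/4. hand the token to Authenticate();
  5.   only when Authenticate() is True, fetch the User ID with Get_UserID()
       and bypass the signon screen; otherwise show the normal signon page.
`Authenticator` is the interface this code expects from the real PRTL_SS_CI
component interface; `ConstructedAuthenticator` is a demo stand-in, not the
PeopleSoft implementation. Token values and user IDs are constructed.
"""
from typing import Dict, Optional, Protocol, Tuple


class Authenticator(Protocol):
    """What the handler needs from PRTL_SS_CI (assumed interface, two methods)."""
    def authenticate(self, token: str) -> bool: ...
    def get_user_id(self) -> str: ...


class ConstructedAuthenticator:
    """In-memory stand-in for the component interface (constructed for the demo).

    Holds a fixed map of valid tokens to user IDs and mirrors the call order
    of the real API: Get_UserID() is only meaningful after a successful
    Authenticate().
    """
    def __init__(self, valid_tokens: Dict[str, str]) -> None:
        self._valid = dict(valid_tokens)
        self._current: Optional[str] = None

    def authenticate(self, token: str) -> bool:
        self._current = token if token in self._valid else None
        return self._current is not None

    def get_user_id(self) -> str:
        if self._current is None:
            raise RuntimeError("Get_UserID called before a successful Authenticate")
        return self._valid[self._current]


def extract_ps_token(cookie_header: Optional[str]) -> Optional[str]:
    """Steps 1 and 2: return the PS_TOKEN value from a Cookie header, or None.

    Splits on ';' and on the first '=' only, so base64-style token values
    containing '=' padding survive intact.
    """
    if not cookie_header:
        return None
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name.strip() == "PS_TOKEN" and value.strip():
            return value.strip()
    return None


def signon_decision(cookie_header: Optional[str],
                    api: Authenticator) -> Tuple[str, Optional[str]]:
    """Steps 1-5 as one decision.

    Returns ("bypass", user_id) when PeopleSoft vouches for the token, and
    ("signon_page", None) in every other case, including a cookie that is
    present but rejected by Authenticate(): presence of the cookie alone is
    never enough to skip the signon screen.
    """
    token = extract_ps_token(cookie_header)
    if token is None:
        return ("signon_page", None)       # no PS_TOKEN: normal signon process
    if not api.authenticate(token):        # step 4: PeopleSoft rejects the token
        return ("signon_page", None)
    return ("bypass", api.get_user_id())   # step 5: trusted, fetch the User ID


if __name__ == "__main__":
    api = ConstructedAuthenticator({"TOKEN-SAMPLE-1": "PSUSER1"})
    for hdr in (None,
                "JSESSIONID=abc; PS_TOKEN=TOKEN-SAMPLE-1",
                "PS_TOKEN=TOKEN-NOT-ISSUED-BY-PORTAL"):
        print(repr(hdr), "->", signon_decision(hdr, api))
```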

Configuring Single Signoff
In addition to single signon, PeopleSoft also signs the user off of content providers when the user signs off. However, there are some exceptions to the signoff functionality.
The portal only signs off content providers that meet the following criteria:
Content providers are accessed only through HTML templates.
Content providers are all PeopleSoft 8.x applications.
This means that for content providers accessed through frame templates, single signout is not automatically enabled when you configure single signon. This section describes the
steps you need to complete to configure single signoff for content providers being accessed through frame templates, which includes all of the PeopleSoft Portal solutions
(Employee, Customer, and so on).
The following procedure covers inserting an HTML image tag ("img") containing a logout command into a set of files on the web server. When the user signs off, the browser
attempts to download the images using an "HTTP get," which causes the system to send the logout command to each specified content provider.
This procedure is not appropriate for content that is never accessed using a frame, as in it is accessed from the content source using an iScript and a business interlink, such as
Lotus Notes integration.
To configure single signoff for frame content:

1. On your web server, locate and open signin.html.
2. Open signin.html, select Save As, and enter the name signout.html.
3. Open signout.html, expire.html, and exception.html.
4. Add the following image tags to these files.
   You need to add one image tag to each of these files for each content provider that requires single signoff.
   Add the tags just before the closing body tag, as shown in the following example.
   <!-- add tags here -->
   </body>
   If you have three content providers that require single signoff, such as HRMS, FIN and HTML Access, you need to add three image tags to each file.
   For example:
   <IMG src="http://hrms.peoplesoft.com/servlets/psp/ps/hrdb/?cmd=logout" height=0 width=0 border=0>
   <IMG src="http://fin.peoplesoft.com/servlets/psp/ps/hrdb/?cmd=logout" height=0 width=0 border=0>
   <IMG src="http://htmlaccess.peoplesoft.com/html_access/system/init_asp/logout.asp?cmd=dummy" height=0 width=0 border=0>
   The previous code merely shows a sample. To determine the exact URL you need to add for your implementation, right-click on the "logout" link of each content provider.
   You can usually view the logout link when accessing the application outside of the portal. Examine the "properties" of this link, and add the specified URL to the image tag.
   Note. The "cmd=dummy" is required in the image tag for HTML Access to make sure that the browser doesn't attempt to cache the image, which would prevent it from
   issuing the logout command.

5. Open the configuration.properties file on your web server.
   Change the "logout_page" to point to signout.html. For example,
   logout_page=signout.html
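Steps 1 through 5 above are a mechanical edit of three HTML files and one properties file, and doing it by hand for every content provider and every web server is where tags get forgotten or land after the closing body tag. The following Python is an added example, not PeopleSoft tooling: given the contents of signin.html, expire.html and exception.html and the logout URLs you collected from each content provider, it produces the three signoff pages with one zero-size IMG tag per provider inserted just before the closing body tag, and rewrites (or adds) the logout_page entry in configuration.properties. The sample HTML and URLs embedded in the block are constructed; the file names come from the procedure.

```python
"""Generate the single-signoff pages and the logout_page setting.

Added example (not PeopleSoft tooling). Automates steps 1-5 of the procedure:
signout.html is derived from signin.html, and each of signout.html,
expire.html and exception.html gets one IMG tag per content provider just
before </body>; configuration.properties gets logout_page=signout.html.
The HTML snippets and logout URLs used in __main__ are constructed samples.
"""
import re
from html import escape
from typing import Dict, Iterable


def build_signoff_tags(logout_urls: Iterable[str]) -> str:
    """One zero-size IMG tag per provider, in the form shown in the procedure.

    The URL is attribute-escaped so a literal '&' or '"' cannot break out of
    the src attribute.
    """
    return "\n".join(
        f'<IMG src="{escape(url, quote=True)}" height=0 width=0 border=0>'
        for url in logout_urls
    )


def insert_logout_tags(html: str, logout_urls: Iterable[str]) -> str:
    """Insert the tags immediately before the closing body tag.

    Raises if the page has no </body>, because appending the tags anywhere
    else would not match the documented placement.
    """
    match = re.search(r"</body\s*>", html, flags=re.IGNORECASE)
    if match is None:
        raise ValueError("no closing </body> tag found in page")
    idx = match.start()
    return html[:idx] + build_signoff_tags(logout_urls) + "\n" + html[idx:]


def build_signoff_pages(signin_html: str, expire_html: str, exception_html: str,
                        logout_urls: Iterable[str]) -> Dict[str, str]:
    """Steps 2-4: signout.html starts as a copy of signin.html; all three get tags."""
    urls = list(logout_urls)
    return {
        "signout.html": insert_logout_tags(signin_html, urls),
        "expire.html": insert_logout_tags(expire_html, urls),
        "exception.html": insert_logout_tags(exception_html, urls),
    }


def set_logout_page(properties_text: str, page: str = "signout.html") -> str:
    """Step 5: point logout_page at the new file, adding the key if absent."""
    pattern = re.compile(r"^[ \t]*logout_page[ \t]*=.*$", flags=re.MULTILINE)
    if pattern.search(properties_text):
        return pattern.sub(f"logout_page={page}", properties_text, count=1)
    needs_newline = bool(properties_text) and not properties_text.endswith("\n")
    return properties_text + ("\n" if needs_newline else "") + f"logout_page={page}\n"


if __name__ == "__main__":
    # Constructed sample pages and provider logout URLs (from the procedure's example)
    signin = "<html><body>\n<form>signon form</form>\n</body></html>\n"
    expire = "<html><body>\n<p>Your session has expired.</p>\n</body></html>\n"
    exception = "<html><body>\n<p>An error occurred.</p>\n</body></html>\n"
    providers = [
        "http://hrms.peoplesoft.com/servlets/psp/ps/hrdb/?cmd=logout",
        "http://fin.peoplesoft.com/servlets/psp/ps/hrdb/?cmd=logout",
        "http://htmlaccess.peoplesoft.com/html_access/system/init_asp/logout.asp?cmd=dummy",
    ]
    for name, body in build_signoff_pages(signin, expire, exception, providers).items():
        print(f"--- {name} ---\n{body}")
    print(set_logout_page("logout_page=signin.html\nsessionTimeout=20\n"))
```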

Copyright 1988-2002 PeopleSoft, Inc. All Rights Reserved.
