Relying solely on SAP Access Control is like having a heavy...
PeopleSoft SSO: Why You Should Avoid Customizing to Enable SAML
Don’t Risk the Security of your Data with Customized SSO SAML/ADFS Integration for PeopleSoft
On a recent discovery call, a Senior Software Engineer shared how they’re “ripping out” a custom-built PeopleSoft single sign-on solution (SSO). After acquiring an enterprise SSO, they attempted to build a custom integration with PeopleSoft that presented far more challenges than benefits – especially when users attempted to access with a deep link. Now they’re looking to remove the solution along with the additional infrastructure that was required.
And here’s the sad part: they’re not the first organization we’ve encountered that is experiencing the same challenge. Across all verticals, including healthcare, higher education, government, retail, and more – PeopleSoft customers are rethinking their decision to enable their enterprise SSO solutions with custom coding, external gateway agents, and reverse proxies. Alternatively, implementing solutions that feature native SAML/ADFS authentication handlers.
Your Custom Single Sign-On Integration Was Not Designed with ERP Data Security in Mind
These projects often start with the IT department recognizing that it can solve a business requirement by building the solution themselves or by using a generic gateway with copy-and-paste code off an internet forum. The main motivation? They possibly save the company some money, bypass the need for approvals or budget, and check a project off their list. Easy-peasy, right? As highlighted in the example above, it’s not always that straightforward.
Often, these projects lack a thoughtful mindset and instead leverage code that is many years old, unsupported, and public to developers and hackers alike. Here lies one of the biggest problems with customizing PeopleSoft for SSO authentication. Getting the integration to work “well enough” is often the goal, and since developers are not information security professionals – they may not have considered the ramifications of using code that hackers can reverse engineer, potentially exploiting loopholes to gain unauthorized access. Between IT wanting to be a good partner to the business and drowning in long-haul projects, “good enough” is often the goal.
The “Typical” Custom PeopleSoft Single Sign-On Approach
There are a few ways to approach building a custom SSO solution. You could try linking SAML open-source code libraries, using reverse proxies, or having an external agent handle it. These solutions seem relatively simple at the outset, but the introduced vulnerabilities are often not obvious or ignored. The end result is that the SSO “works” but is plagued by technical, functional, and security issues once in production.
Linking SAML Open Source Code Libraries
A custom coding project typically begins with a review of PeopleBooks and a Google search to find a relatively quick way to write the code. PeopleCode allows you to link external open-source Java libraries inside PeopleSoft. This is code that you’re literally pulling from an old blog and has not been reviewed since the author first published it. Imagine using code from 2007 to secure your custom PeopleSoft single sign-on project. It would never pass a security review!
Secondly, developing a solution yourself is tricky. It isn’t easy to write software that deals with passwords, identity, and authentication. Reputable IdPs spend tens of thousands of man-hours designing, coding, and testing, then supporting their solutions. The lone developer who built your custom solution is now responsible for supporting, maintaining, and upgrading the code. That’s excellent job security for him but a security liability for you.
Reverse Proxies, Gateways, and External Authentication Agents
This one is probably a favorite with system administrators who want to support a multitude of non-SAML apps with a one-size-fits-all solution. The short version of how this works is that the authentication is offloaded to a reverse proxy, an agent, or a gateway, that sits outside PeopleSoft. Once the authentication process is successfully completed, only then is a connection made to PeopleSoft, and the authenticated user ID is passed to the HTTP header. Then that request has to be trusted by a custom Sign-on PeopleCode.
Aside from the risky firewall configuration, another issue here is that it needs to be scaled carefully for bandwidth because all of the requests will now go through a new server and several new applications to complete the process. Now you have additional hardware, software, and customizations to maintain and patch in addition to your regular PeopleSoft duties.
Why a Native SAML/ADFS Handler is Best Practice
SSO is critical to help you increase your security posture within your organization while keeping your customers happy, so we don’t want to sound negative, and we’re not trying to put you off on installing an SSO solution in your environment. Instead, we want to make sure you do it correctly and aligned with security best practices.
We recommend using a solution that natively supports a SAML/ADFS authentication handler and seamlessly and securely passes the token to PeopleSoft built-in authentication without customizations. The term “native” is extremely important here! The lack of native support is a critical issue that plagues custom solutions, creating more hoops to jump through to complete the project.
Fortunately, Pathlock delivers the SAML/ADFS integration layer required to connect PeopleSoft, an IdP (Okta, Azure AD, Ping Identity, etc.), and your enterprise Single Sign-On. This solution is natively installed right into the PeopleSoft Internet Architecture (PIA) and does not require the use of proxy servers, agents, or gateways. Furthermore, there are zero customizations, simple configuration with extensive support for SAML/ADFS attributes, user-mapping, and the support and maintenance are offloaded from your team.
There is Beauty in Customization but Comfort in ERP Data Security
Part of PeopleSoft’s beauty and power is that you can customize the system to improve your business processes. However, one thing you shouldn’t take into your own hands is authentication and, indirectly, security. Your IT team, system admins, and developers should spend their time supporting and customizing your system to provide outstanding service to the business units and keep the system running smoothly. Why add more hardware, software, applications, and customization than necessary?
Request a demo today to learn how Pathlock solves the SAML/ADFS integration challenge by providing the only configurable SSO for PeopleSoft.