PeopleSoft SSO: Overview, Architecture, and Setup
What Is PeopleSoft Single Sign-On (SSO)?
PeopleSoft is an enterprise application suite from Oracle. It provides an integrated enterprise resource planning (ERP) package that helps users carry out everyday business operations. PeopleSoft single sign-on (SSO) authenticates users and sessions so that a user can log in to multiple services and applications with a single set of credentials (i.e., username and password). SSO is useful for individuals, small businesses, and large organizations alike, because it reduces the number of usernames, passwords, and other credentials that have to be managed.
This is part of our series of articles about Oracle Cloud Security.
PeopleSoft SSO with Azure AD and Oracle Identity Cloud Service
The following diagram illustrates the architecture of an SSO setup using an Oracle application like PeopleSoft. Oracle Identity Cloud Service provides the connection between Azure Active Directory (Azure AD) and the applications. This setup allows users to host an Oracle database using Oracle Cloud Infrastructure (OCI), with Azure AD serving as the identity provider.
As depicted above, the PeopleSoft application tier resides in Azure, while the database tier resides in Oracle Cloud Infrastructure. OHS (Oracle HTTP Server) is the reverse proxy for the application tier and processes all requests to the applications. The Oracle Access Manager WebGate is a web server plugin that intercepts every request sent to an end application, ensuring that the user is logged in and has the right authorization to access the application.
Authentication for PeopleSoft is the responsibility of Oracle Identity Cloud Service. If a user attempts to access a protected resource requiring an authenticated session, the WebGate triggers the OpenID Connect authentication flow using Oracle Identity Cloud Service via the user’s browser.
Oracle Identity Cloud Service uses the SAML 2.0 protocol to redirect users to Azure Active Directory for authentication. Once Azure AD authenticates the user, it redirects the user to the target application via Oracle Identity Cloud Service.
Oracle recommends that customers deploy the WebGate when deploying PeopleSoft on Azure, providing a web-tier interface for the application servers. Customers must configure the appropriate security controls (network rules, listener configuration) to support secure traffic flows, ensuring that PeopleSoft only accepts HTTP traffic that has passed through the WebGate and cannot be reached directly.
Related content: Read our guide to Oracle IAM
Enable Single Sign-On for PeopleSoft
Before implementing SSO in Oracle PeopleSoft, the customer must create a user profile, adjust the web profile, modify the PeopleCode function, enable Signon PeopleCode, and adjust the WebLogic Server configuration:
Step 1: Create a User Profile
The first step is to create a new user profile in the PeopleSoft app and link it to a low-privilege role (the PeopleSoft User role). Administrators can create user profiles with the following steps:
1. Sign in to the PeopleSoft module as an administrator.
2. Click on PeopleTools in the menu on the right of the screen, select Security, User Profiles, and Add a New Value.
3. Enter IDCSPSFT in the User ID field and select Add.
4. Select General on the User Profiles page, enter a new password and confirm it. Choose SYSADM1 as your Symbolic ID.
5. Select the ID tab and select None under ID Type.
6. Select Roles and type in PeopleSoft User under User Roles. When done, click on Save.
Step 2: Adjust the Web Profile
The web profile’s property settings are editable via the PeopleSoft Web Profile Configuration component, including the portal security page. This component enables the configuration of PeopleSoft to allow public access using the following steps:
1. Sign in to PeopleSoft as an administrator.
2. Click on PeopleTools in the menu on the right and then select Web Profile, followed by Web Profile Configuration.
3. Select Search on the web profile configuration page and choose the appropriate web profile for the PeopleSoft environment.
4. Open the Security tab and select Allow Public Access.
5. Set IDCSPSFT as the user ID and enter the same password that was set when creating the user profile. When done, click on Save.
Step 3: Modify the PeopleCode Function
The default user ID in the getWWWAuthConfig() function must be changed to the user ID specified in the web profile:
1. Go to FUNCLIB_LDAP on the PeopleSoft Application Designer page.
2. Right-click on LDAPAUTH and then click on View PeopleCode.
3. Replace the value assigned to &defaultUserId in the getWWWAuthConfig() function with IDCSPSFT and save the function definition:
&defaultUserId = "IDCSPSFT";
4. Search the OAMSSO_AUTHENTICATION() function, edit it to switch the header value to PSUSER, and save the new function definition.
Step 4: Enable Signon PeopleCode
The Signon PeopleCode feature allows administrators to enable the OAMSSO_AUTHENTICATION function, which provides SSO using Signon PeopleCode for Oracle Access Manager:
1. Sign in to PeopleSoft as an administrator.
2. Select PeopleTools in the menu on the right, followed by Security, then Security Objects, and then Signon PeopleCode.
3. Enable the OAMSSO_AUTHENTICATION function and select Save.
Step 5: Edit the Configuration for Oracle WebLogic Server
When using Oracle WebLogic Server, standard (HTTP Basic) authentication must be disabled so that WebLogic does not validate the credentials in incoming requests itself but passes them on to PeopleSoft:
1. Go to Oracle WebLogic Server and find the config.xml file in the <PIA_HOME>\webserv\peoplesoft\config folder.
2. Edit the file by adding the following element inside the <security-configuration> element:
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
3. Restart Oracle WebLogic Server.
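As an added example (not from the article or from Oracle), the following Python script checks whether a WebLogic config.xml already carries the Step 5 setting, and adds it when it is missing. It assumes the element sits directly under <security-configuration> inside the <domain> root and that the root uses the WebLogic domain namespace; the sample config.xml embedded below is constructed for illustration.

```python
# Added example: verify and apply the enforce-valid-basic-auth-credentials
# setting in a WebLogic config.xml (assumed layout: <domain>/<security-configuration>).
import xml.etree.ElementTree as ET

WL_NS = "http://xmlns.oracle.com/weblogic/domain"  # assumed WebLogic domain namespace


def _local(tag: str) -> str:
    """Strip a namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _find_child(elem, name):
    """Find a direct child by local name, ignoring namespaces."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def basic_auth_enforcement(config_xml: str):
    """Return True/False for the flag, or None when it is absent.

    Absent means WebLogic's default applies, i.e. Basic auth credentials are
    still validated by WebLogic instead of being handed to PeopleSoft."""
    root = ET.fromstring(config_xml)
    sec = _find_child(root, "security-configuration")
    if sec is None:
        return None
    el = _find_child(sec, "enforce-valid-basic-auth-credentials")
    if el is None or el.text is None:
        return None
    return el.text.strip().lower() == "true"


def sso_ready(config_xml: str) -> bool:
    """True only when the flag is explicitly set to false, as Step 5 requires."""
    return basic_auth_enforcement(config_xml) is False


def disable_basic_auth_enforcement(config_xml: str) -> str:
    """Return config_xml with the flag set to false, creating elements as needed."""
    ET.register_namespace("", WL_NS)
    root = ET.fromstring(config_xml)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""

    def q(name):  # qualify a new element with the root's namespace
        return f"{{{ns}}}{name}" if ns else name

    sec = _find_child(root, "security-configuration")
    if sec is None:
        sec = ET.SubElement(root, q("security-configuration"))
    el = _find_child(sec, "enforce-valid-basic-auth-credentials")
    if el is None:
        el = ET.SubElement(sec, q("enforce-valid-basic-auth-credentials"))
    el.text = "false"
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a minimal config.xml before the Step 5 change.
SAMPLE_BEFORE = f"""<domain xmlns="{WL_NS}">
  <name>peoplesoft</name>
  <security-configuration>
    <name>peoplesoft</name>
    <realm><name>myrealm</name></realm>
  </security-configuration>
</domain>"""

if __name__ == "__main__":
    print("before:", sso_ready(SAMPLE_BEFORE))
    after = disable_basic_auth_enforcement(SAMPLE_BEFORE)
    print("after:", sso_ready(after))
```

Run it against a copy of the real config.xml rather than the live file, and restart WebLogic afterwards as Step 3 says; the check function is also handy as a post-change verification in a deployment pipeline.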
Set Up Federation Trust Between Azure AD and Identity Cloud Service
Federation trust makes it possible to enable SSO between PeopleSoft and other services through Oracle Identity Cloud Service. Establishing it requires adding Oracle Identity Cloud Service (IDCS) to the Azure AD tenant as a gallery app. Once the application has been added to the tenant, Azure AD can be specified as the identity provider in Oracle Identity Cloud Service, which in turn allows SSO to be configured in Azure AD.
Step 1: Add Oracle IDCS to Azure AD
This step requires administrator credentials to add the Oracle Identity Cloud Service tenancy to Azure AD as a gallery application. The metadata file will be important for later steps, so the administrator should download it from the tenancy-specific URL in IDCS. The metadata URL should look like this:
An administrator adds IDCS from the Azure Active Directory page in the Azure portal: add a new application under Enterprise applications, then use Add from the gallery to select IDCS for PeopleSoft. After selecting the application, the admin configures SSO in the management tab of the Single sign-on section. SAML is the recommended SSO method.
The Set up Single Sign-On with SAML page includes a configuration section where the admin can select the Upload metadata file option. The administrator can then add the relevant metadata file and specify the IDCS URL in the Sign-on URL box. It is important to check the SAML configuration and ensure it contains the IDCS Logout URL.
The Azure AD federation metadata is available for download in XML format under SAML Signing Certificate.
Step 2: Set Azure AD as the Identity Provider
Adding an identity provider in Oracle Identity Cloud Service is a prerequisite for importing the identity provider’s metadata content. An administrator can sign into the IDCS console to adjust security settings and add the identity provider via a wizard. This step involves importing the XML file and configuring the NameID format and attribute.
The wizard allows the admin to set the user attribute and establish an identity provider policy for multiple applications.
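Steps 1 and 2 above both hinge on federation metadata: the IDCS metadata uploaded to Azure AD must carry the IDCS Logout URL, and the Azure AD federation metadata XML imported into IDCS must carry the signing certificate and the NameID format the wizard asks for. The script below is an added example (not from the article, Oracle, or Microsoft) that parses a SAML 2.0 identity-provider metadata document such as the one Azure AD exports under SAML Signing Certificate and lists anything an admin should fix before importing it. The embedded metadata is constructed; its URLs, tenant ID and certificate are placeholders.

```python
# Added example: parse SAML 2.0 IdP federation metadata and check the items
# Steps 1 and 2 say to verify (signing cert, SSO URL, logout URL, NameID format).
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the federation details an SP (here IDCS) needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity-provider metadata")
    info = {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleLogoutService", NS)},
        "name_id_formats": [e.text.strip()
                            for e in idp.findall("md:NameIDFormat", NS) if e.text],
        "signing_certs": [],
    }
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                info["signing_certs"].append("".join((c.text or "").split()))
    return info


def check_idp_metadata(info: dict) -> list:
    """Return a list of problems to fix before importing the metadata into IDCS."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if REDIRECT not in info["sso"] and POST not in info["sso"]:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    if not info["slo"]:
        problems.append("no SingleLogoutService (logout URL)")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertions cannot be verified")
    if not info["name_id_formats"]:
        problems.append("no NameIDFormat advertised; confirm the format in the IDCS wizard")
    for url in list(info["sso"].values()) + list(info["slo"].values()):
        if url and not url.startswith("https://"):
            problems.append(f"non-HTTPS endpoint: {url}")
    return problems


# Constructed sample IdP metadata in the shape Azure AD exports (placeholder values).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIC...PLACEHOLDER...CERT
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    details = parse_idp_metadata(SAMPLE_METADATA)
    print(details["entity_id"], details["name_id_formats"])
    print("problems:", check_idp_metadata(details) or "none")
```

The NameID format list is what the IDCS wizard's NameID setting has to agree with; if the IdP advertises emailAddress, the matching IDCS user attribute (Step 3 below uses the Azure AD user principal name against an email-style attribute) has to hold the same value.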
Step 3: Configure SSO in Azure AD
The last step involves configuring SSO to establish a connection between Azure AD and the Oracle Cloud infrastructure. Admins can set this up via the Azure portal by creating security groups and test users and then assigning the groups (with the users) to the Oracle IDCS SSO app.
The Oracle IDCS admin console allows administrators to create or sync an Azure AD user in IDCS manually. The user's principal name in Azure AD must match the attribute specified in IDCS (e.g., an email address). The Oracle Identity Cloud Service SSO enterprise application in Azure AD lets admins use a test account to verify that SSO works end to end.
PeopleSoft SSO with Pathlock
Pathlock delivers the SAML integration layer required to connect PeopleSoft, an identity provider, and your enterprise single sign-on (SSO). This solution is installed natively into PeopleSoft and does not require customizations or proxy servers.
The PeopleSoft SSO Connector is designed to provide a simple, extensible, and easy-to-maintain way to implement modern authentication and SSO technologies. It supports identity federation through rules that respond to assertions/claims from SAML-based identity providers.
Contact Us today for a demo to learn how we develop native integrations between Oracle and SAP ERP applications and some of the top SSO providers in the market.