managing user authentication

Upload: komoko12

Post on 03-Jun-2018


  • 8/12/2019 Managing User Authentication

    1/13

    5/6/2014 Managing User Authentication

    http://docs.oracle.com/cd/E38689_01/pt853pbr0/eng/pt/tiba/task_ManagingUserAuthentication-fe7e3f.html 1/13

    Managing User Authentication

    This section provides overviews of user authentication, outbound user authentication, and inbound user authentication, and discusses how to:

    • Activate user authentication on service operations.
    • Set up user authentication on sending systems.
    • Exclude PeopleSoft authentication tokens in outbound requests to PeopleSoft nodes.

    Understanding User Authentication

    In PeopleTools 8.48 and later releases, access to invoke service operations is enforced at the user level.

    When integrating with other PeopleSoft systems, user authentication determines the user ID to set on outbound integrations. The receiving system extracts this information and uses the user ID to validate against the permission list to which a service operation is assigned. If the user ID is assigned to the permission list, the sender can invoke the service operation.

    When using Integration Broker for integrations with other PeopleSoft systems, you do not need to set up the remote/target node as a trusted node or implement single signon for user authentication to be validated. Instead you can simply define the source-system user ID(s) on the target system. The user IDs from the source system can be provisioned on the target system by Oracle Identity Manager (OIM) or another third-party provisioning application.

    Note: User authentication can be implemented on PeopleTools 8.48 and later systems only.

    User IDs

    The PeopleSoft system can use the following methods to set the user ID in an outbound transaction:

    Authentication Token: When the node is a PeopleSoft (PIA) node type, the PeopleSoft system automatically generates an authentication token and includes the token in the outbound transaction. The authentication token sets the user ID in the outbound transaction to the user ID that created the service operation.

    Default User ID: The Node Definition page contains a Default User ID field. This is the user ID to which the node defaults, when no other user ID described in this section is set.

    External Name/External Password: You can programmatically set an external name and external password in the outbound SOAP message header or query string.

    External User ID/Password: The Node Definitions page contains an External User ID and an External Password field. These fields are used in conjunction with WS-Security and are used for user authentication and to set the UsernameToken credentials for WS-Security processing. The External Password value is optional.

    On inbound integrations from a PeopleSoft node, the PeopleSoft system looks for a user ID to associate with the permission list set for a service operation in the following order.

    1. Authentication token.
    2. Default User ID.

    On inbound integrations not from a PeopleSoft node (External nodes and third-party systems), the PeopleSoft system looks for a user ID to associate with the permission list set for a service operation in the following order.

    1. External Name/External Password.
    2. External User ID/External Password.
    3. Default User ID.

    Understanding Outbound User Authentication

    The outbound user authentication process determines the user ID to identify and attach to the outbound service operation. If the receiving system is a PeopleSoft system, the system validates the user ID and, if the user ID belongs to the permission list to which the service operation is assigned, the service operation can be invoked.

    The PeopleSoft system sets the user ID based on whether the sending node type is a PeopleSoft node (PIA) and by user ID information that may be defined in the SOAP message included with the service operation.

    Outbound User Authentication: Sending Node is PeopleSoft Node Type

    The following diagram illustrates the user authentication process when the local sending node is a PeopleSoft node:

    Image: Outbound User Authentication Processing when the Sending Node is a PeopleSoft Node

    When the sending node is a PeopleSoft node, the user authentication process creates an authentication token to include in the transaction. The token is used on the receiving system to identify the sending node.

    Note that the sending node does not need to be defined as a trusted node on the receiving system for the PeopleSoft authentication token to be validated.

    See Understanding User Authentication.

    Outbound User Authentication: Sending Node is not PeopleSoft Node Type

    The following diagram illustrates the user authentication process when the local sending node is not a PeopleSoft node type:

    Image: Outbound User Authentication Processing when the Sending Node is Not a PeopleSoft Node

    When the sending node is not a PeopleSoft node, the system first looks at the SOAP message associated with the service operation to see if an external user ID or external user ID and password have been provided programmatically in the outbound SOAP message header. If so, the system uses that user ID/password and the service operation passes user authentication.

    If an external user ID or external user ID and password are not specified programmatically in the SOAP message header, the system looks on the external node definition for user ID and password information. The system first looks for user ID and password information in the External User ID and External Password fields on the Node Definition page. If no External User ID or no External User ID/External Password is set, the system uses the Default User ID set on the Node Definitions page.

    To summarize, when the sending node is not a PeopleSoft node type, the system follows this precedence for setting the user ID in the outbound service operation:

    1. User ID/password set in the SOAP message header.
    2. User ID and password set in the External User ID and External Password fields on the local external node definition.
    3. User ID set in the External User ID field on the local external node definition.
    4. User ID set in the Default User ID field on the local external node definition.

    Understanding Inbound User Authentication

    The inbound user authentication process determines the user ID that has been sent with an inbound service operation and determines if the sender is able to invoke the service operation.

    The inbound user authentication process depends on whether the sender is a PeopleSoft node, the sender is an external node, or the sender is not associated with any node. This section discusses user authentication processing for each of these situations.

    Inbound User Authentication: PeopleSoft Node is the Sending Node

    The following diagram illustrates the inbound user authentication process when a PeopleSoft node type is the sending node:

    Image: Inbound User Authentication Processing when the Sending Node is a PeopleSoft Node

    If the sending node is a PeopleSoft node, the system determines if an authentication token has been sent with the transaction. The system uses the authentication token to verify the sending node.

    Note that the sending node does not need to be defined as a trusted node on the receiving system for the PeopleSoft authentication token to be validated.

    See Understanding User Authentication.

    If authentication passes, the service operation has passed user authentication. If the authentication cannot be validated, an error message is generated.

    If no authentication token is included with the service operation, the system uses the default user ID on the external PeopleSoft node as the user ID.

    Inbound User Authentication: External Node is the Sending Node

    The following diagram illustrates user authentication processing when the sending node is an external node:

    Image: Inbound User Authentication Processing when the Sending Node is an External Node

    If the sending node is an external node type, the system first looks for a user ID and password set in the SOAP message header included with the inbound service operation. If both a user ID and password are not found, the system looks in the SOAP message header for a user ID only. If no user ID/password or no user ID are found in the SOAP message header, the system uses the user ID set in the Default User ID field in the remote node definition.

    Inbound User Authentication: Third-Party System Sending the Service Operation

    The following diagram illustrates user authentication processing when a third-party system sends a service operation:

    Image: Inbound User Authentication Processing when the Sending Node is a Third-Party System

    Because third-party systems do not understand the concept of a node as defined and used within the context of PeopleSoft systems, PeopleSoft assigns transactions that have no node specified to a PeopleSoft-delivered Anonymous node.

    The PeopleSoft system first checks the SOAP message header for an external name and password set programmatically.

    If none is found, or if the system cannot validate the user ID or password that was set programmatically, it uses the Default User ID set on the Node Definitions page on the remote Anonymous node definition.
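    The following Python program is an added example; it is not code from Oracle's PeopleSoft documentation or from PeopleTools itself. It models the outbound precedence for a non-PeopleSoft sending node (summarized in the outbound section above) and the inbound resolution for external-node and third-party senders described in this section, then applies the permission-list check from Understanding User Authentication. Everything specific in it is an assumption: the SOAP header it builds is a generic WS-Security UsernameToken (the page mentions UsernameToken credentials but not the exact element layout PeopleTools uses), the PeopleSoft-node authentication-token path is left out because the page does not describe the token format, and the node names, user IDs and permission list name are constructed. QE_ROUTE_SYNC is the service operation named later on this page.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Standard SOAP 1.1 and WS-Security 1.0 namespaces. The header layout used below is an
# assumed, generic UsernameToken, not necessarily PeopleSoft's exact element names.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


@dataclass
class NodeDefinition:
    """Subset of the Node Definitions page fields that user authentication reads (assumed names)."""
    name: str
    node_type: str                           # "External" here; the PIA token flow is not modelled
    default_user_id: str                     # Default User ID field
    external_user_id: Optional[str] = None   # External User ID field
    external_password: Optional[str] = None  # External Password field (optional)


def outbound_credentials(local: NodeDefinition, header_name: Optional[str] = None,
                         header_password: Optional[str] = None):
    """Sender side (non-PeopleSoft local node): credentials to attach, by the documented precedence."""
    if header_name:                                      # 1. set programmatically in the header
        return header_name, header_password, "soap_header"
    if local.external_user_id:                           # 2./3. External User ID (+ optional password)
        return local.external_user_id, local.external_password, "external_user_id"
    return None, None, "default_user_id"                 # 4. nothing attached; receiver falls back


def build_envelope(user_id: Optional[str], password: Optional[str]) -> str:
    """Constructed SOAP envelope; carries a UsernameToken only when a user ID was chosen."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    if user_id:
        token = ET.SubElement(ET.SubElement(header, f"{{{WSSE}}}Security"), f"{{{WSSE}}}UsernameToken")
        ET.SubElement(token, f"{{{WSSE}}}Username").text = user_id
        if password:
            ET.SubElement(token, f"{{{WSSE}}}Password").text = password
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env, encoding="unicode")


def header_credentials(envelope_xml: str) -> Tuple[Optional[str], Optional[str]]:
    """Receiver side: (user ID, password) from the UsernameToken, or (None, None) if absent."""
    token = ET.fromstring(envelope_xml).find(
        f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return None, None
    return token.findtext(f"{{{WSSE}}}Username") or None, token.findtext(f"{{{WSSE}}}Password") or None


def inbound_user_id(envelope_xml: str, remote: NodeDefinition,
                    verify_password: Callable[[str, str], bool] = lambda u, p: False) -> Tuple[str, str]:
    """Receiver side: (resolved user ID, where it came from). `remote` is the receiver's own
    definition of the sender, or its Anonymous node when the request named no node."""
    user, pwd = header_credentials(envelope_xml)
    if remote.name == "Anonymous":
        # Third-party sender: a name/password that validates, else the Anonymous node's Default User ID.
        if user and pwd and verify_password(user, pwd):
            return user, "soap_header"
        return remote.default_user_id, "default_user_id"
    # External node sender: user ID/password, then user ID only, then Default User ID.
    if user:
        return user, "soap_header_user_password" if pwd else "soap_header_user"
    return remote.default_user_id, "default_user_id"


# Constructed sample authorization data: the page names the QE_ROUTE_SYNC operation;
# the permission list name and user IDs are made up for this example.
OPERATION_PERMISSION_LIST = {"QE_ROUTE_SYNC": "QE_IB_PERMS"}
PERMISSION_LIST_USERS = {"QE_IB_PERMS": {"IB_USER", "QEDMO"}}


def authorize(service_operation: str, user_id: str) -> bool:
    """The sender may invoke the operation only if the resolved user ID is on its permission list."""
    plist = OPERATION_PERMISSION_LIST.get(service_operation)
    return plist is not None and user_id in PERMISSION_LIST_USERS.get(plist, set())


def demo() -> dict:
    """Run three documented paths end to end and return what each resolves to."""
    receiver_view = NodeDefinition("EXT_NODE", "External", default_user_id="GUEST")
    anonymous = NodeDefinition("Anonymous", "External", default_user_id="ANONYMOUS")
    results = {}
    # A: External User ID/Password set on the sender's node definition -> authorized.
    sender = NodeDefinition("EXT_NODE", "External", "IB_USER", "IB_USER", "ib-secret")
    uid, pwd, chosen = outbound_credentials(sender)
    user, source = inbound_user_id(build_envelope(uid, pwd), receiver_view)
    results["node_fields"] = (chosen, user, source, authorize("QE_ROUTE_SYNC", user))
    # B: nothing set on the sender -> receiver's Default User ID for that node, not on the list.
    uid, pwd, chosen = outbound_credentials(NodeDefinition("EXT_NODE", "External", "IB_USER"))
    user, source = inbound_user_id(build_envelope(uid, pwd), receiver_view)
    results["defaults"] = (chosen, user, source, authorize("QE_ROUTE_SYNC", user))
    # C: third-party sender whose header password is rejected -> Anonymous node's Default User ID.
    check = lambda u, p: (u, p) == ("IB_USER", "ib-secret")
    user, source = inbound_user_id(build_envelope("IB_USER", "wrong"), anonymous, check)
    results["third_party_bad_password"] = (user, source, authorize("QE_ROUTE_SYNC", user))
    return results


if __name__ == "__main__":
    print(demo())
```

    Case B is the one worth noticing from a defender's point of view: when neither the SOAP header nor the node definition supplies a user ID, nothing in the message identifies the caller, and whatever Default User ID is set on the remote node definition (or on the Anonymous node for third-party senders) becomes the effective identity for the permission-list check. That field therefore decides what an unidentified sender can invoke, and the example's GUEST and ANONYMOUS users are deliberately absent from the permission list so such requests are refused.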

    Activating User Authentication on Service Operations

    To activate user authentication on a service operation:

    1. Access the Service Operations - General page (PeopleTools, Integration Broker, Integration Setup, Service Operations and click the General tab).
    2. Check the User/Password Required check box.
    3. Save the changes.

    Setting Up User Authentication on Sending Systems

    This section discusses how to:

    • Set up user authentication on remote PeopleSoft nodes.
    • Set up user authentication on remote external nodes.
    • Set up user authentication for third-party systems.

    Understanding Setting Up User Authentication on Sending Systems

    To set up user authentication on a sending system you must define the user ID on the remote node for the outbound transaction.

    Setting Up User Authentication on Remote PeopleSoft Nodes

    No setup is required to set up user authentication on a remote PeopleSoft (PIA) node type. An authentication token is automatically included in the outbound transaction. If the receiving system fails to authenticate the token, an error message is returned.

    Setting Up User Authentication on Remote External Nodes

    You can set the user ID for user authentication in any of the following ways on an external node:

    • External Name/Password. Set programmatically in the SOAP message header or query string.
    • External User ID and External Password. Set using the Node Definitions page.
    • Default User ID. Set on the Node Definitions page.

    Note: The user ID you specify must have access to the permission list to which a service operation is assigned to invoke the operation on the receiving system.

    To access the Node Definitions page select PeopleTools, Integration Broker, Integration Setup, Nodes.

    Setting Up User Authentication for Third-Party Systems

    As discussed previously in this section, all inbound transactions that do not have a PeopleSoft (PIA) node or external (External) node type specified are assigned to an Anonymous node.

    You can set the user ID in requests from third-party systems programmatically in the external name/password elements in the outbound SOAP message header.

    If the system does not find an external name or password in these locations, it uses the Default User ID field that you define on the remote Anonymous node.

    Related Links

    Defining Node Parameters: http://docs.oracle.com/cd/E38689_01/pt853pbr0/eng/pt/tiba/task_ConfiguringNodes-fe7eb5.html#DefiningNodeParameters-fe7eb4

    Excluding PeopleSoft Authentication Tokens in Outbound Requests to PeopleSoft Nodes

    This section discusses how to exclude PeopleSoft authentication tokens in outbound requests to PeopleSoft nodes.

    Understanding Excluding PeopleSoft Authentication Tokens in Outbound Requests to PeopleSoft Nodes

    A PeopleSoft authentication token in an outbound request to a PeopleSoft target node signifies to the target PeopleSoft system that the sender is a valid user on its system.

    However, for some integrations there can be many users, or validating users may not be warranted. In such cases you can exclude the PeopleSoft authentication token from inclusion in outbound requests to PeopleSoft target nodes.

    When the PeopleSoft authentication token is excluded from a request, the default user ID for the sending node on the target system is the user ID used for integration authentication.

    Viewing Service Operations where PeopleSoft Authentication Tokens Have Been Excluded

    Use the Exclude PSFT Auth Token page (IB_SVCSETUP5) to view service operations where PeopleSoft authentication tokens have been excluded.

    To access the page, select PeopleTools, Integration Broker, Configuration, Service Configuration and click the Exclude PSFT Auth Token tab.

    Image: Service Configuration Exclude PSFT Auth Token page

    This example illustrates the Services Configuration Exclude PSFT Auth Token page.

    To view service operations where PeopleSoft authentication tokens have been excluded:

    1. Access the Exclude PSFT Auth Token page (PeopleTools, Integration Broker, Configuration, Service Configuration and click the Exclude PSFT Auth Token tab).
    2. Select the Exclude PSFT Auth Token box under the Operation field.
    3. Click the Search button.

    The system displays all service operations where the PeopleSoft authentication token has been excluded and will not be included in the service operation transaction.

    Excluding PeopleSoft Authentication Tokens in Outbound Requests

    Use the Exclude PSFT Auth Token page to exclude authentication tokens in outbound requests.

    To access the page, select PeopleTools, Integration Broker, Configuration, Service Configuration and click the Exclude PSFT Auth Token tab.

    Image: Services Configuration Exclude PSFT Auth Token page

    This example illustrates the Services Configuration Exclude PSFT Auth Token page. The example shows that the PeopleSoft authentication token has been excluded from the QE_ROUTE_ARR and QE_ROUTE_SYNC service operations.

    In the example shown, a search was performed on the service QE_PO. The QE_ROUTE_ARR and QE_ROUTE_SYNC service operations have been selected, and therefore the PeopleSoft authentication token will be excluded from those service operations. Scrolling to the right would reveal a Results column that indicates the selection was successful.

    To exclude a PeopleSoft authentication token in an outbound request:

    1. Access the Exclude PSFT Auth Token page (PeopleTools, Integration Broker, Configuration, Service Configuration and click the Exclude PSFT Auth Token tab).
    2. Select one or more service operations from which to exclude the PeopleSoft authentication token:
       • To select one service operation, click the Service and Operation lookup buttons to locate the service operation. Click the Exclude PSFT Auth Token box.
       • To select multiple service operations, enter all or part of the service name or service operation name. Click the Search button. A list of results displays in the Service Operations section. Check the Exclude Token box next to each service operation that should not include a PeopleSoft authentication token.
       Note that you can also click the Search button to display all service operations in the database.
    3. Click the Save button.