PeopleSoft Single Sign-On & Shibboleth
Gary Windham
Senior Enterprise Systems Architect
University Information Technology Services

Why Single Sign-On?
Use institutional credentials (username/password users already know)
Avoid headache of maintaining password security policies, expirations, etc.
Login once, gain access to multiple services
Portal integration

Signon PeopleCode
PeopleSoft provides the ability to integrate with external authentication providers via Signon PeopleCode
Signon PeopleCode is record PeopleCode
FUNCLIB_LDAP is the delivered record for signon PeopleCode; functions are tied to the LDAPAUTH field
Signon PeopleCode runs whenever a user signs onto PeopleSoft via PIA or 3-tier client/server
Primary job is to authenticate the user and copy user profile data from an external source to the local database

Signon PeopleCode (cont)
Various external authentication solutions can be accessed via signon PeopleCode:
LDAP
X.509 client certificates
PS SSO (PS_TOKEN)
Oracle SSO
Windows NTLM authentication
Web Server Security (used for Shibboleth)
Overloaded use of "SSO" can be confusing!

Configuring Signon PeopleCode
Signon PeopleCode is configured and administered through a dedicated screen (SIGNONPPC_PAGE), located at PeopleTools -> Security -> Security Objects -> Signon PeopleCode
Different signon PeopleCode functions can be stacked in sequence and enabled/disabled
"Exec Auth Fail" allows a function to run only if authentication did not succeed
For Web Server Authentication, all initial sign-on to PeopleSoft is done through a "default public user", set up in PeopleTools -> Web Profile -> Web Profile Configuration -> Security; this user has no permissions and only establishes the initial user context so that signon PeopleCode can execute (chicken-and-egg problem)
Signon PeopleCode Configuration

What is Shibboleth?
An open software system for web single sign-on
Developed by Internet2
Enables web applications deployed in most typical web server environments to authenticate and authorize users via a single protocol
Facilitates federated identity
Enables fine-grained assertion of identity data to federated and external partners; privacy and security are key elements

What is Shibboleth? (cont)
The "currency" of the Shibboleth software is attributes: a named set of values about an authenticated user; values are typically strings, but can be more complex XML-based data
When a user attempts to authenticate to your service, Shibboleth obtains a set of attributes for that user and maps them to environment variables and/or HTTP headers for your application to consume
Attributes are not stored within Shibboleth itself; they are pulled from other sources (e.g. LDAP directory or database), EDS in our case

The Shibboleth Protocol
[Diagram: Client (web browser); Resource Provider web site with Assertion Consumer Service (ACS), Attribute Requester, Resource Manager (RM) and Web Resource; Identity Provider web site with SSO Service, Attribute Authority (AA), WebAuth and EDS. Credentials, a handle and attributes are exchanged between them in the numbered steps below.]
1. User requests resource
2. You are not authenticated, redirect to IdP SSO
3. I don't know you. Authenticate using WebAuth
4. I know you now. Send client (via form POST) to resource's ACS
5. I don't know your attributes. Ask the attribute authority
6. Return the attributes allowed by release policy
7. Based on attribute values, allow access to resource
Source: Kathryn Huxtable, Internet2

Wiring-up Shibboleth to PS
Shibboleth infrastructure resides on the web tier, e.g. uaz-sa-w02.mosaic.arizona.edu
Shibboleth software runs under Apache or IIS web containers; consists of two components:
web-server plugin (mod_shib for Apache, or an ISAPI filter for IIS)
standalone UNIX daemon (shibd) or Windows service
Our PeopleSoft app server infrastructure is Linux-based, so we use the Apache version
PeopleSoft web tier runs on WebLogic

Wiring-up Shibboleth to PS (cont)
How to bridge Apache and WebLogic?
mod_weblogic: Apache module delivered with WLS, similar in concept to mod_jk / mod_proxy_ajp (Tomcat)
All requests routed through Apache
mod_shib directives enforce authentication and manage session authentication context
Shibboleth attributes inserted into HTTP request headers
mod_weblogic proxies request to WebLogic (PIA) via back-end connection
[Diagram: Browser -> ACE -> https://sa-dev.mosaic.arizona.edu -> Apache (mod_shib, mod_weblogic) -> http://uaz-sa-w02.mosaic.arizona.edu:8080 (WLS) -> PS App Server; Apache/mod_shib also exchanges with the Shib IdP]

Accessing Shibboleth Attributes in Signon PeopleCode
Once the Shibboleth authentication sequence is complete, attributes about the user are available
Attributes can be retrieved from the %Request object (HTTP request headers)
All attributes contained in EDS are available, named according to the EDS schema, except prefaced by "Shib-" (to disambiguate namespace)
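The following signon PeopleCode function is an added illustration of the pattern just described; it is not code from the presentation or from the University of Arizona deployment. It assumes a hypothetical function name SHIB_AUTHENTICATION, that the EDS attribute carrying the user identifier arrives in a header called "Shib-uid" (the real header name depends on the EDS attribute chosen), and that the PeopleSoft OPRID is that value in upper case.

```peoplecode
/* Added example, not from the presentation. Assumptions: the user identifier
   attribute is delivered by mod_shib in the "Shib-uid" request header, the
   OPRID equals that identifier in upper case, and the function name is
   hypothetical. Enable it on the Signon PeopleCode page (SIGNONPPC_PAGE),
   which is also where "Exec Auth Fail" ordering is configured. */

Function SHIB_AUTHENTICATION()
   Local string &netId, &oprId, &found;
   Local number &acctLock;

   /* Do nothing if an earlier signon function already authenticated the user
      (the same condition the "Exec Auth Fail" checkbox enforces). */
   If %PSAuthResult = True Then
      Return;
   End-If;

   /* mod_shib inserts the attribute as an HTTP request header. An empty value
      means there is no Shibboleth session, so leave the result unauthenticated. */
   &netId = %Request.GetHeader("Shib-uid");
   If None(&netId) Then
      Return;
   End-If;

   /* Map the directory identifier to a PeopleSoft OPRID (assumed upper case). */
   &oprId = Upper(&netId);

   /* The header proves only who the IdP asserted, not that the person may use
      PeopleSoft: require an existing, unlocked user profile in PSOPRDEFN. */
   SQLExec("SELECT OPRID, ACCTLOCK FROM PSOPRDEFN WHERE OPRID = :1", &oprId, &found, &acctLock);
   If None(&found) Or
         &acctLock <> 0 Then
      Return;
   End-If;

   /* Report success to PeopleTools; no password is checked or stored here. */
   SetAuthenticationResult( True, &oprId, "", False);
End-Function;
```

This function trusts the "Shib-" header unconditionally, which is only sound because, as the slides state, every request reaches PIA through Apache and mod_shib; the WebLogic back-end port must therefore not be reachable by any other path, or a client could supply the header itself.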
Signon PeopleCode Examples
Signon PeopleCode Examples (cont)
Demo…