Integrating PeopleSoft and Integrating PeopleSoft and Oracle Collaboration Suite into Oracle Collaboration Suite into

uPortaluPortal

June 13, 2005

Summer JA-SIGBaltimore, Maryland

San Luis Obispo, CASan Luis Obispo, CAInformation Technology ServicesInformation Technology Services

Darren KrakerDarren Kraker

Ken SperowKen Sperow

CAS implementationPeopleSoft HRPeopleSoft FinancialsOracle Collaboration Suite

calendaremail

Integration as uPortal channels (IFrame)PeopleSoft Self Service linksOracle Portlets

OverviewOverview

HistoryHistory

PeopleSoft Impl / IntegrationPeopleSoft Impl / Integration

OCS Impl /IntegrationOCS Impl /Integration

Issues Issues

Questions Questions

AgendaAgenda

Cal PolyCal Poly – Who are we?San Luis Obispo100 Years Old20,000 StudentsPolytechnic

University Engineering, Agriculture,

Architecture, Science

“Learn by Doing”: technical and professional curricula with arts and humanities.

Live with uPortal 1.6 Fall 2001 UNICON assisted LDAP implementation

Motivated to implement SSO Campus introduction PeopleSoft HR

Politically / strategically required for Enterprise Portal

History

System Overview

CAS servers Central Authentication Server 2.0 Servers: Sun Netra T1 500 mhz, 1 GB RAM Solaris 9

Three servers high availability Cisco switches provide failover

Technical Specifications

LDAP servers Oracle Internet Directory: 9.2.0.6 Servers: Sun Netra T1 500 mhz, 1 GB RAM Solaris 9

Three servers for high availability Cisco hardware provides load balancing and failover

Technical Specifications

uPortal server uPortal 2.1.4 One server: Sun E450 4 - 400 mhz, 4 GB RAM Solaris 9Planned upgrade to 2.5.X Fall

Technical Specifications

WebLogin

Service

UserWeb

Application

1 User requests access2 Browser redirected to Login

Service

6 Applicatio

n validates

ticket

9 User gets access

4 Login Service

provides ticket

5 Ticket provided to application

7 Username provided

to application

8 Application decides if

user is authorized

User interaction

No user interaction

CASAuthenticatio

n Flow

3 Web Login Service

recognizes user session

Making PeopleSoft use a central authentication service Evaluate known solutions Integration with CAS

PeopleSoft

Accept a ticket and then validate it Make PeopleSoft accept a CAS ticket parameter as part of login Implement PeopleCode calls Java client CAS java client performs the CAS validation

PeopleSoft - Implementation

Function VALIDATE_TICKET() /* rmatteso@calpoly.edu 20030122 Trusted Authentication Impl */ If %PSAuthResult = False Then

&validator = GetJavaClass("PSCASClient");/* retrieve fullUrl and ticket value from HTTP request */&fullUrl = %Request.FullURI | "?" | %Request.QueryString;&ticket = %Request.GetParameter("ticket");If &ticket <> "" Then

/* have a ticket, load CAS client class and attempt to validate */

&cas_result = &validator.validate(&fullUrl, &ticket);If &cas_result <> "" Then

/* ResultDocument (3rd parm) seems to be ignored by front end */

SetAuthenticationResult( True, &cas_result, "", False);

&authMethod = "SLO";Return;

End-If; /* got username back from CAS */End-If; /* got ticket */

End-If; /* user not yet authenticated */End-Function;

PeopleSoft - Implementation

URL u = new URL(URL u = new URL(validateURL + "?ticket=" + ticket + "&service=" + service);validateURL + "?ticket=" + ticket + "&service=" + service);BufferedReader in = new BufferedReader(BufferedReader in = new BufferedReader(new InputStreamReader(u.openStream()));new InputStreamReader(u.openStream()));if (in == null){if (in == null){

return null;return null;}else {}else {

String line1 = in.readLine();String line1 = in.readLine();String line2 = in.readLine();String line2 = in.readLine();if (line1.equals("no")){if (line1.equals("no")){

return null;return null;}else{}else{// make fully qualified username ("jdoe@calpoly.edu")// make fully qualified username ("jdoe@calpoly.edu")

// into PSFT username ("jdoe")// into PSFT username ("jdoe")return line2;.substring(0, line2.indexOf('@')).toUpperCase();return line2;.substring(0, line2.indexOf('@')).toUpperCase();

}}}}

17

PSCASClient.java

Configure SLO_AUTH hook in PeopleSoft Sign-on Page (Exec Auth Fail)

PeopleSoft - Implementation

Set Exec Auth Fail PeopleCode

Customize HTML files now that original sign-on page is obsolete

• index.html• Logout_page.html (new) • Signin_alternate (new)• Signon.html • signonError.html (new)• Cookiesrequired.html

Modify configuration.properties to point to new HTML files Install CAS client jar, class files

PeopleSoft - Implementation

It’s never that easy . . . Service URL we use for CAS had to contain userid/pwd parameter PeopleSoft cookies After PTools upgrade (2003) HTTP GET no longer worked, POST required

Issues

The next step . . . deep linking More direct and intuitive method for accessing services Add embedded PeopleSoft content within an IFrame using nested URL

uPortal Integration

Oracle Collaboration Suite (OCS)

What is OCS?“Oracle Collaboration Suite is

an integrated database-based email, voicemail, calendaring, web-based meeting, files and search capability that is accessible via all of the interfaces that you currently know and use.”

uPortal entry point for Email and Calendar Making OCS use a central authentication service Integration with CAS

Oracle Collaboration Suite (OCS) Objectives

Logical Architecture

Hardware - IllustrationTier 1 : Infrastructure

2 Node (Red Hat Cluster Server)

Dell Power Edge 26502 * 2.8 GHz4 GB RAM

2 * 36GB HD3* GIG-E NIC

HBA ’s (to EMC)

Tier 2 : Application MT4 Nodes + BI 1 Node

Tier 3 : Database4 Node Oracle RAC

9.2.0.4

Dell Power Edge 66504 * 2.8 GHz16 GB RAM2 * 36GB HD4* GIG-E NIC

9iRACHBA ’s (to EMC)

Dell Power Edge 26502 * 2.8 GHz2 GB RAM

2 * 36GB HD2* 73 GB HD2* GIG-E NIC

HBA ’s (to EMC)

Tier 2 : Calendar2 Node

Dell Power 66504 * 2.8 GHz16 GB RAM2 * 36GB HD2* GIG-E NIC

Storage: EMC DMX1000

OCS, Central Authentication & uPortal

OCS DB9.2.0.5

OCS Middle Tier

BI DB

Oracle BI Middle Tier

OCS Infrastructure(Shared between OCS and BI)

Central Authentication Services

Corporate Portal (uPortal)

Oracle Portal WebWeb

Calendar

Outlook

Other CampusApplications

(SCT, PeopleSoft

Etc..)

Oracle Collaboration Suite (OCS) Integration

ObjectivesuPortal entry point for Email

and Calendar SSOuPortal channels - simplified

view of Email and CalendarAbility to render Oracle

Portlets within uPortal

OCS Integration - Solutions

uPortal entry point ---> CAS-enable OCS

uPortal channels ---> Custom channels- Oracle’s APIs?- Query DB---> Pre-existing Oracle Portlets

Oracle Portlets“External JSP”Direct URL

CAS Enabling OCS

Oracle SSOWeb based applicationsIntegrates with external login

sourceSolution required the use of cookiesAll code written in PL/SQL

Requires Oracle Internet Directory (OID)Users must be populated in OIDFERPA

WebLogin

Service

UserOracleWeb

Application

1 User requests access

2 Browser redirected to Oracle SSO

12 A

ppli

cati

on v

alid

ates

tick

et

15 User gets access

6 L

ogin Service provides ticket for O

SS

O

11 OSSO Ticket provided to application

13 U

sername provided to application

14 Application

decides if user is authorized

5 W

eb L

ogin

Ser

vice

aut

hent

icat

ion

requ

ired

OracleSSO

8 OSSO validates ticket

9 Username provided to OSSO

4 Browser redirected to W

eb Login Service

3 Oracle

SSO authen

ticati

on require

d

7 Ticket

provided to

OSSO

10 Oracle SSO ticket provided for application

OCS - Rendering Oracle Portlets

External JSPMakes a portlet available through a

JSPNot well documentedIs not supported in a “Partial SSL

configuration”uPortal Inline Frame points to

external JSP

OCS - Rendering Oracle Portlets

Direct Access URLAccess to Oracle Portal page

through user-friendly URLCreate Oracle Portal Page

No header/border/templatePut portlet on pageAttach stylesheet to pagePoint uPortal Inline frame to URL

OCS - Rendering Oracle Portlets (cont.)

AuthorizationControl access to uPortal

channels through Groups??Needed way to restrict access

to Oracle pageSolution: Pull groups tables

into OID nightly

OCS Integration Issues ISSUE:

When users subscribe to more than one channel containing Oracle Portlet content, the channel may respond with browser error messages resulting in no content displayed.

ROOT CAUSE:

This problem is a result of multiple uPortal channels attempting to establish an Oracle Portal session at the same time.

OCS Integration Issues (cont.)

Possible Solutions

Introduce a Delay with Consecutive Page Requests.

Introduce an Intermediate Page at CAS Login.

Send all requests through a single threaded servlet.

CAS Enabling OCS Resources

Oracle9iAS Single Sign-On Administrator's Guide Release 2 (9.0.2) Part Number A96115-01 Chapter 5 - Third-Party Single Sign-On Chapter 8 - Customizing the Single Sign-On

Interface

Metalink Documents: Note:191299.1 Note:244557.1 Note:191345.1

PeopleSoft Applications: HR total accounts: 2,500 (admin accounts: 700) Concurrent users average: 22 (high 75) Finance total admin accounts: 700 Concurrent users average: 23 (high 95)

Single Sign-on Unique Users per month: Approx: 12,000 - 28,000 Average: 20,000 (including summer quarters)

Single Sign-on Unique users per DAY Maximum: 14,000 Average: 5,700  

Single Sign-on Concurrent users of the Portal: High: 2,800

Statistics on Usage

Single clicks to HR PRD and FS PRD per month

2,200 – 6,100 Average: 4,200 (including summer quarters)

Single Sign-on Outages Unplanned: Less than 1/2 hour per month Planned:

4 hours/month Updates, new application rollouts Users CAN authenticate to PS and other applications

Statistics on Usage

CAS http://www.yale.edu/tp/cas/

This Presentation, Cal Poly’s documents and code on CAS Enabling OCS, and PeopleSoft Single Sign-on Guides

http://myportal.calpoly.edu/downloads

PeopleBooks

References

Questions?Questions? Darren Kraker

Software Engineerdkraker@calpoly.edu

Ryan MattesonWeb Architect and Info

Security Managerrmatteso@calpoly.edu

Melinda RojoOracle Portal Integrationmrojo@calpoly.edu

Ken SperowSoftware Engineerksperow@calpoly.ed

u

Dan MaloneOracle SSO dmalone@calpoly.ed

u