PeopleSoft SecureAuth IdP Deployment · Introduction 1 Deployment and Configuration of the...

Value-Added Module (VAM) PeopleSoft SecureAuth IdP Deployment


Copyright Information

©2018. SecureAuth® is a registered trademark of SecureAuth Corporation. SecureAuth’s IdP software, appliances, and other products and solutions are copyrighted products of SecureAuth Corporation.

Version 2.2

December 2018

Revision History

Version   Date         Notes
0.1       2017-03-16   Initial draft
1.0       2018-05-25   First draft completed
2.1       2018-09-25   Second version (largely rewritten)
2.2       2019-01-11   Fixes, enhancements, deployment changes

For information on supporting this product, contact your SecureAuth sales representative:

Email: [email protected] inside-

[email protected]

Phone: +1.949.777.6959 or +1.866.859.1526

Website: https://www.secureauth.com/Support

https://www.secureauth.com/contact


Table of Contents

Deployment and Configuration of the Value-Added Module .... 1
  System Prerequisites .... 1
  System Development Parameters .... 1
  Intended Audience .... 1
Deploying & Configuring PeopleSoft .... 2
  Deployment & Configuration for PeopleSoft .... 2
    Importing the PROJECT_SA2FA Project .... 2
    Creating the SALOGIN User Profile .... 6
    Update Web Profile .... 11
    PeopleSoft PSCIPHER Encryption Key and Version Retrieval .... 15
    Updating PeopleSoft to Default Requiring SecureAuth Authentication (SP-Initiated) .... 19
    Setting Up Signon PeopleCode .... 20
    PeopleSoft Server Pages Restriction .... 23
Deploying & Configuring the SecureAuth Appliance .... 24
  Deployment & Configuration for SecureAuth Appliance .... 24
    Setting Up the SecureAuth Realm .... 24
    Validating Workflows .... 25
    'Deep Linking' .... 26
      Default Behavior .... 26
      Linking Behavior .... 26
Troubleshooting the PeopleSoft VAM .... 26
  Troubleshooting .... 26
References & Release Notes .... 27
  References .... 27
  Release Notes .... 27
  Upgrade Information .... 28
  Indemnity .... 28


Introduction

Deployment and Configuration of the Value-Added Module

This document details the deployment and configuration of the PeopleSoft Value-Added Module (VAM) on a SecureAuth IdP appliance. Adding the PeopleSoft VAM to your environment enables authentication and authorization of applications on PeopleSoft through the SecureAuth IdP.

System Prerequisites

The PeopleSoft Value-Added Module (VAM) and this documentation have been built using the systems outlined below.

+ PeopleSoft 9.2 running on Linux 4.x

+ PeopleSoft should be previously installed and operational

+ PeopleTools should be configured to support a two-tier connection to complete all required deployment steps. A three-tier connection cannot be used.

+ IdP Version 9.1 or above

+ Oracle Database 12c (however, all versions compatible with PeopleTools should be supported)

System Development Parameters

The following systems were used in the development and testing of this product. Older versions of PeopleSoft and PeopleTools/PeopleCode have not been verified.

+ PeopleSoft 9.2

+ PeopleTools 8.56.09

+ Tested with the PeopleSoft Fluid user interface

Intended Audience

This guide walks a system engineer through the steps necessary to perform the following:

+ Import a project from file into the PeopleSoft system to support encryption of the user name between SecureAuth and PeopleSoft, and install the PeopleCode

+ Create a user profile in PeopleSoft

+ Update the web profile to accept the new user profile

+ Obtain the encryption key and version used by PeopleSoft so they can be shared between the two systems

+ Configure a SecureAuth realm to validate a credential and redirect the user to the PeopleSoft server for seamless login


Deploying & Configuring PeopleSoft

Please read this section to become familiar with the steps required to deploy and configure the PeopleSoft Value-Added Module.

Deployment & Configuration for PeopleSoft

Importing the PROJECT_SA2FA Project

Before starting this task, the PeopleTools Application Designer must be configured to connect to the PeopleSoft database using a 2-tier connection. An Application Server connection cannot be used for database modifications. This project contains:

+ Application Package SA_CIPHER

This package is a temporary addition to the PeopleSoft system used to retrieve the server-specific encryption key that encrypts data passed between an appliance realm and PeopleSoft. Steps to remove it are outlined later in this document.

+ Record SA_SIGNON.SA_AUTH

This record contains the function Validate_User(), used during the login process when a user is passed by an appliance realm to PeopleSoft.

1. Log into the PeopleSoft database using PeopleTools Application Designer

2. Select Tools | Copy Project | From File…

3. Navigate to the location where the PeopleSoft Value-Added Module was decompressed and drill down to the \PeopleSoft\Application Designer subfolder

4. Click PROJECT_SA2FA and then the Select button

5. Click Select All then Copy

6. Expand 'Records', then expand 'SA_SIGNON', then 'SA_AUTH', then double-click 'FieldDefault'.

Update the local object &LogFile to a valid path. This is where the imported PeopleCode will log to for audit purposes. In the screenshot it defaults to root/tmp (on a Linux system). Note: the directory path references the PeopleSoft server, not the machine the person is working on.

7. By default, the PeopleCode includes an optional feature that forces a redirection to an appliance realm if a user attempts to log into the PeopleSoft system directly. If the feature is left enabled, it is necessary to update the URL of the appliance realm stored in the local string variable &SecureAuthLoginUrl. If the feature is to be disabled so users can sign in using either the PeopleSoft sign-on page or an appliance realm, the value can be left as-is and the corresponding code section commented out. If left enabled, not even the designated admin can log in using the PeopleSoft login page. To accommodate that, create an Active Directory user account with the same name as the PeopleSoft admin and log in using the appliance realm.

8. Save changes to cause a recompile of the PeopleCode.

This completes the import of PeopleCode to the PeopleSoft system.

Creating the SALOGIN User Profile

1. Log in to PeopleSoft using a web browser

2. Navigate to User Profiles. This can be found by using the Navigation bar (compass icon located at the top-right)

3. Select the Add New Value tab

4. Enter SALOGIN in the User ID field and click Add.

Note: SALOGIN is used throughout the remainder of this document for demonstration purposes. It can be any valid user name. If the default is changed, it is necessary to return to the PeopleCode function Validate_User() and update the local string &WebProfileUser. Be sure to save changes to cause a recompile of the PeopleCode.

5. Enter the password for the new User ID

6. Select the ID tab and choose None for the ID Type

7. Click Save

8. Accept this Warning by clicking OK

Update Web Profile

1. Navigate to PeopleTools | Web Profile | Web Profile Configuration

2. Leave Profile begins with blank and click Search to query for a list of web profiles

3. Select the active web profile.

4. If you do not know which web profile is active (the location of configuration.properties, which determines which web profile is used, varies from system to system), you can determine the active web profile by searching Web Profile History. Click Search and note the profile name.

5. In the Public Users section, check Allow Public Access, set User ID to SALOGIN, and provide the password for the account created in the previous step.

6. Click Save.

PeopleSoft PSCIPHER Encryption Key and Version Retrieval

1. Navigate to Enterprise Components -> Component Configurations -> Application Class Tester


2. Enter SA_CIPHER:cipher in *Classpath and getKey in Class Method then click Submit


3. Copy the Key and Version values and save them. You will need them while configuring the SecureAuth realm later in this document.

4. After you have copied the key and version values, delete the SA_CIPHER package from PeopleSoft for security purposes, so that the encryption key cannot be retrieved again through the Application Class Tester. For this task, return to Application Designer.


5. Select File | Open | Definition of type Project

6. Enter PROJECT_SA2FA and select Open

7. Expand Application Packages

8. Right-Click SA_CIPHER and select Remove From Project

Updating PeopleSoft to Default Requiring SecureAuth Authentication (SP-Initiated)

Use the following steps to implement the optional feature documented earlier, which redirects a user to SecureAuth when they attempt to navigate to and log in directly to the PeopleSoft server using their web browser.


1. Navigate to Web Profile Configuration | Look & Feel (located at the bottom of the page as a hyperlink)

2. Change Signon Result Doc Page from signonresultdoctext.html to signonresultdocredirect.html. Notice the change is from doctext to docredirect.

3. The web server(s) must be restarted for this to take effect.

Setting Up Signon PeopleCode

The record associated with the PeopleCode has to be configured on the Signon PeopleCode page. The code is triggered using the public guest credentials (that is, SALOGIN). The code has to be enabled along with the function, that is Validate_User(), as shown below.

1. Navigate to PeopleTools | Security | Security Objects | Signon PeopleCode

2. Add a new row by clicking the + button on the last row to the far right

3. Enter the next incremental value available in Sequence. In this example the number 7

4. In the Record field, type SA_SIGNON. It should auto-populate as you type

5. In Field Name enter SA_AUTH

6. In Event Name enter FieldDefault

7. In Function Name enter Validate_User

8. Check Exec Auth Fail

9. Click Save

PeopleSoft Server Pages Restriction

Under copyright restriction, SecureAuth Corporation cannot provide documentation that outlines modifications to the PeopleSoft pages expire.html, signon.html, signin.html, and start.html that redirect a user to a SecureAuth appliance, bypassing the standard PeopleSoft user sign-on experience. Please consult with Oracle Corporation for assistance with modifying these pages.


Deploying & Configuring the SecureAuth Appliance

Deployment & Configuration for SecureAuth Appliance

Setting Up the SecureAuth Realm

1. Follow default rules for defining the Data and Workflow information for the realm.

2. Copy the files PeopleSoft.aspx and PeopleSoft.aspx.vb, located under \SecureAuth in the decompressed zip file, to the SecureAuth IdP realm to be used for SSO into PeopleSoft. For example, copy the files to D:\SecureAuth\SecureAuth1\Customized

3. On the Post Authentication page of the PeopleSoft realm, change Authenticated User Redirect to Use Custom Redirect and assign the page PeopleSoft.aspx

4. Update the realm settings (web.config) to include the following settings. Do not replace the existing <appSettings> element; add these keys inside it.

<appSettings>
  <!-- obtained from PeopleSoft server. see deployment guide -->
  <add key="PSVersion" value="{V1.1}" />
  <!-- obtained from PeopleSoft server. see deployment guide -->
  <add key="PSKey" value="T0qn4IaSDYoxTFflL0wcoaKXV6FDQ8Fr" />
  <!-- example: http://<<FQDN>>:<<port>>/psc/ps/EMPLOYEE/HRMS/c/NUI_FRAMEWORK.PT_LANDINGPAGE.GBL? -->
  <add key="PSRedirectURL" value="https://<<FQDN>>" />
</appSettings>


Validating Workflows

1. Launch a browser session and direct it to the SecureAuth realm used for PeopleSoft. Example: https://localhost/secureauth1/secureauth.aspx

2. Log in with the user account you want to verify the workflow with. This account must be a valid account that is in the user store configured for the realm and accessible by the PeopleSoft system database.

3. The browser will redirect to PeopleSoft and log the user in, taking them to the page specified in the PSRedirectURL configuration of the realm.

4. This example displays the home page for the user GMILES, who was verified by the SecureAuth realm, after redirection from SecureAuth and successful login to PeopleSoft.


If an error is encountered during the process, this screen is displayed. Further information on the cause will be available in the log file described in the Troubleshooting section below.

'Deep Linking'

The SecureAuth appliance realm can redirect a user to a page other than the default landing page specified in the web.config entry described earlier. This is often used for portal links or personalized links users may receive in an email, for example to review a specific report. This functionality is built into the post-authentication page installed earlier in this document.

Default Behavior

By default, all users will be redirected to the landing page specified in PSRedirectURL.

Linking Behavior

To support redirecting a user to a specific page other than the default, when formatting a published link to PeopleSoft, format the URL to point to the appliance realm and append the parameter 'RedirectUrl'.

Example link: http://secureauthserver/realmnumber/secureauth.aspx?RedirectUrl=https://peoplesoftserver/specificpage?optionalparameter1="value"&optionalparameter2="value"
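The following Python script is an added example, not code from the VAM or from this guide. It shows how a deep link should be built so that the target's own '?' and '&' survive inside RedirectUrl (an unencoded target loses everything after its first '&', the truncation fixed in release 2.2), and how the realm side can resolve RedirectUrl while falling back to the PSRedirectURL landing page. The realm URL, the PeopleSoft host and the https/same-host allow-list rule are assumptions of the example.

```python
# Added example (not the SecureAuth VAM's code): building and resolving a
# PeopleSoft deep link that travels through the realm's RedirectUrl parameter.
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values standing in for the realm URL and the web.config
# PSRedirectURL landing page; replace them with your own.
REALM_URL = "https://secureauthserver/secureauth1/secureauth.aspx"
PS_REDIRECT_URL = "https://peoplesoftserver/psc/ps/EMPLOYEE/HRMS/c/NUI_FRAMEWORK.PT_LANDINGPAGE.GBL"


def build_deep_link(realm_url: str, target_url: str) -> str:
    """Publishable link: the realm URL plus RedirectUrl carrying the target.

    urlencode percent-encodes the target once, so its own '?', '=' and '&'
    are carried as part of a single query value.
    """
    return realm_url + "?" + urlencode({"RedirectUrl": target_url})


def naive_deep_link(realm_url: str, target_url: str) -> str:
    """The unencoded form of the guide's example link, kept for comparison."""
    return realm_url + "?RedirectUrl=" + target_url


def extract_redirect_url(link: str) -> Optional[str]:
    """What a standard query-string parser on the realm sees as RedirectUrl.

    For a naive link the first '&' inside the target ends the value, which is
    the parameter truncation described in the 2.2 release notes.
    """
    values = parse_qs(urlsplit(link).query, keep_blank_values=True).get("RedirectUrl")
    return values[0] if values else None


def resolve_landing_page(requested: Optional[str], default_url: str) -> str:
    """Decide where the post-authentication page sends the user.

    Default behaviour: no RedirectUrl means the configured landing page.
    Linking behaviour: the requested page is honoured only when it is an
    https URL on the same host as the configured landing page. That
    allow-list rule is an assumption of this example, added so the realm
    cannot be turned into an open redirector; anything else falls back to
    the default page.
    """
    if not requested:
        return default_url
    req, allowed = urlsplit(requested), urlsplit(default_url)
    if req.scheme != "https" or req.netloc.lower() != allowed.netloc.lower():
        return default_url
    return requested


if __name__ == "__main__":
    target = "https://peoplesoftserver/specificpage?param1=value1&param2=value2"
    good = build_deep_link(REALM_URL, target)
    bad = naive_deep_link(REALM_URL, target)
    print("encoded link  :", good)
    print("parsed target :", extract_redirect_url(good))  # whole target
    print("naive target  :", extract_redirect_url(bad))   # cut at param1
    print("landing page  :", resolve_landing_page(extract_redirect_url(good), PS_REDIRECT_URL))
    print("foreign host  :", resolve_landing_page("https://other-host.example/x", PS_REDIRECT_URL))
```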

Troubleshooting the PeopleSoft VAM

Troubleshooting

1. If you experience any difficulty, close all browser sessions and attempt the workflow again. If this does not solve the issue, restart the PeopleSoft system.


2. Credential validation is handled by standard SecureAuth realm functionality. Contact SecureAuth Technical Support if you encounter an issue with logging a user in at the SecureAuth realm level.

3. If you encounter the issue noted above where the user is logged in as SALOGIN, contact SecureAuth Technical Support and arrange for an online support session with your local PeopleSoft administrator who has access to PeopleSoft administrative functions as well as access to the operating system file system to retrieve log files. The log file for Signon PeopleCode can be found at the location specified in the Validate_User function described earlier in this document. A copy of the audit can be retrieved. By default the file name will be SECUREAUTH_SA_SIGNON_SA_AUTH.FieldDefault.txt.

References & Release Notes

References

Oracle: Employing Signon PeopleCode
https://docs.oracle.com/cd/E26239_01/pt851h3/eng/psbooks/tsec/chapter.htm?File=tsec/htm/tsec09.htm

Release Notes

Version 2.2 – 11/23/2018

• Fix: PeopleCode was calling Error before logging, resulting in some error conditions not being included in the audit file

• Fix: Deep link feature was truncating parameters

• Fix: Log file was not being closed at the end of Validate_User

• Maintenance: Explicitly defined all variables in PeopleCode

• Enhancement: Migrated creation of the function Validate_User and SA_CIPHER to a single project file that can be imported to simplify deployment

• Enhancement: Switched to form POST to send user credentials to PeopleSoft

• Enhancement: Post-authentication page now supports User ID mapping based on realm configuration

Version 2.1 – 10/22/2018

• Fix: expiry tolerance now supports +/- between servers instead of just +

• Enhancement: Added support for redirection after login to support 'deep links'

Version 2.0 – 09/25/2018

• Enhancement: Replaced secure cookie with querystring parameter to support both on-premises and SaaS implementations

• Enhancement: Added support for SP-Initiated workflow so when a user enters their credentials at a PeopleSoft login they will be redirected to SecureAuth

• Enhancement: Added expiration to encrypted token

• Maintenance: Redesigned the PeopleCode distribution to use a new Record instead of adding to FUNCLIB_LDAP2 for PeopleCode Signon

Version 1.0 – 6/15/2018

• Initial release supporting IdP-Initiated from SecureAuth to PeopleSoft using a secure cookie for authentication


Upgrade Information

Prior to upgrading your IdP appliances, please open a Support ticket so that SecureAuth may evaluate and ensure the Value-Added Module's availability for that upgrade.

Indemnity

This product has been designed using guidelines published by the manufacturer for modification to the sign-on process for PeopleSoft. In the event the manufacturer revokes the ability to continue to integrate with other vendors, all documentation and installation instructions are declared null and void. Any attempts to alter or modify the code base of this Value-Added Module will create an unsupportable version due to alterations outside of SecureAuth's control.

This document is for informational purposes only. SecureAuth makes no warranties, express or implied, in this document. SecureAuth is a registered trademark of the SecureAuth Corp. in the United States and/or other countries. The names of other companies and products mentioned herein may be the trademarks of their respective owners.

The information contained in this document, or any addendum or revision thereof, is proprietary to SecureAuth and is subject to all relevant copyright, patent and other laws and treaties protecting intellectual property, as well as any specific agreement protecting SecureAuth Inc. rights in the aforesaid information. Any use of this document or the information contained herein for any purposes other than those for which it was disclosed is strictly forbidden.

SecureAuth Inc. reserves the right, without prior notice or liability, to make changes in equipment design or specifications. All specifications are subject to change without prior notice. SecureAuth Inc. assumes no responsibility for the use thereof nor for the rights of third parties, which may be affected in any way by the use thereof.

This document may contain flaws, omissions or typesetting errors; no warranty is granted nor liability assumed in relation thereto unless specifically undertaken in SecureAuth Inc.'s sales contract or order confirmation. Information contained herein is periodically updated and changes will be incorporated into subsequent editions. If you have encountered an error, please notify SecureAuth Inc.