26 January 2017

SAML Authentication in PeopleSoft

This article summarizes the vendor and do-it-yourself options for making PeopleSoft act as a SAML SP. It assumes a working knowledge of SAML and of the PeopleSoft architecture.

SP stands for "Service Provider". An SP delegates all or some of its user authentication to a trusted SAML IDP (Identity Provider), which issues signed assertions (tokens) describing the authenticated user. The SP trusts those assertions because they are cryptographically signed and the SP holds a copy of the IDP's signing certificate (public key) with which it verifies the signature. Signature checking alone is not enough: the SP also confirms that the assertion is addressed to it (audience and recipient) and is within its validity window, so that a valid assertion issued for some other SP, or a stale one, is rejected. How the IDP actually authenticates the user (password, MFA, Kerberos, and so on) is of no concern to the SP.

PeopleSoft does not natively support SAML for authenticating users and establishing a user session, and Oracle has no plans to add it (see Document ID 623055.1). You therefore have to use some other solution. Most of them revolve around a reverse proxy that sits in front of PeopleSoft and interprets and validates the SAML assertions. When an assertion is valid, the proxy extracts the identity of the IDP-authenticated user from it and passes that identity on to PeopleSoft in the form of HTTP headers. Sign-on PeopleCode picks up those headers, resolves the values to a valid PSOPRDEFN user, and grants a session with SetAuthenticationResult. In some designs the PSOPRDEFN row may not exist yet and is created on the fly by the sign-on PeopleCode from the information in the headers. With all of these reverse-proxy solutions it is critical that a user cannot bypass the proxy and reach the PeopleSoft web server directly: anyone who can, can set those HTTP headers themselves and sign on as pretty much anyone. Restrict the web server at the network level so that it accepts connections only from the proxy (firewall rules, not merely DNS or a hidden hostname), and treat any further check inside PeopleSoft as defense in depth rather than the primary control.
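The trust boundary described above, as an added example that is not part of the original article or any of the products it lists. It simulates both sides in Python: the proxy, which has already had the assertion validated by its SP module and now forwards only the asserted subject, and a stand-in for the sign-on PeopleCode (the real code would read the header with %Request.GetHeader and then call SetAuthenticationResult). The proxy strips any identity headers the browser supplied before setting its own, and tags the identity header with a timestamped HMAC so the PeopleSoft side can tell a proxy-set header from a spoofed one. The header names, the shared secret and the PSOPRDEFN lookup table are all constructed for the example.

```python
"""Reverse-proxy header trust boundary for a SAML SP in front of PeopleSoft.

Added example, not code from the original article. The SAML assertion has
already been validated by the proxy's SP module; only the asserted subject
reaches proxy_forward(). Header names, secret and user table are constructed.
"""
import hashlib
import hmac

IDENTITY_HEADER = "X-Remote-User"    # assumed header carrying the IDP subject
PROXY_MAC_HEADER = "X-Proxy-Auth"    # assumed header carrying "<unix-ts>:<hmac-hex>"
PROXY_SECRET = b"rotate-me-out-of-band"  # assumed secret shared by proxy and web server
MAX_SKEW_SECONDS = 300

# Constructed stand-in for the PSOPRDEFN lookup: IDP subject -> PeopleSoft OPRID.
PSOPRDEFN_BY_EMAIL = {
    "jsmith@example.edu": "JSMITH",
    "ablake@example.edu": "ABLAKE",
}


def _mac(subject: str, ts: int) -> str:
    """HMAC-SHA256 over subject and timestamp; binds the identity header to this proxy."""
    return hmac.new(PROXY_SECRET, f"{subject}|{ts}".encode(), hashlib.sha256).hexdigest()


def proxy_forward(client_headers: dict, saml_subject: str, now: int) -> dict:
    """Headers the reverse proxy sends upstream after the SP module validated the assertion.

    1. Drop every identity/MAC header the browser sent, so a client cannot
       pre-seed them and hope the proxy passes them through untouched.
    2. Set the identity header from the validated assertion only.
    3. Add a timestamped MAC so the upstream can distinguish proxy-set from spoofed.
    """
    protected = {IDENTITY_HEADER.lower(), PROXY_MAC_HEADER.lower()}
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in protected}
    upstream[IDENTITY_HEADER] = saml_subject
    upstream[PROXY_MAC_HEADER] = f"{now}:{_mac(saml_subject, now)}"
    return upstream


def signon_from_headers(headers: dict, now: int):
    """Simulated sign-on PeopleCode: returns the OPRID to hand to
    SetAuthenticationResult, or None to reject the sign-on."""
    subject = headers.get(IDENTITY_HEADER)
    tag = headers.get(PROXY_MAC_HEADER)
    if not subject or not tag:
        return None                       # bare header, no proof it came from the proxy
    ts_str, _, mac = tag.partition(":")
    if not ts_str.isdigit():
        return None
    ts = int(ts_str)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None                       # stale or replayed proxy tag
    if not hmac.compare_digest(mac, _mac(subject, ts)):
        return None                       # header was not set by our proxy
    return PSOPRDEFN_BY_EMAIL.get(subject)  # None when no PSOPRDEFN row matches


def scenario_via_proxy(now: int = 1_700_000_000):
    """Browser pre-seeds the header; the proxy strips it and sets the real subject."""
    client = {"Host": "hr.example.edu", IDENTITY_HEADER: "ablake@example.edu"}
    upstream = proxy_forward(client, "jsmith@example.edu", now)
    return signon_from_headers(upstream, now)


def scenario_bypass_proxy(now: int = 1_700_000_000):
    """Browser reaches the PeopleSoft web server directly with a spoofed header."""
    direct = {"Host": "hr.example.edu", IDENTITY_HEADER: "ablake@example.edu"}
    return signon_from_headers(direct, now)


def scenario_replayed_tag(now: int = 1_700_000_000):
    """A captured proxy header pair replayed an hour later is rejected."""
    upstream = proxy_forward({}, "jsmith@example.edu", now)
    return signon_from_headers(upstream, now + 3600)


if __name__ == "__main__":
    print("via proxy:      ", scenario_via_proxy())     # JSMITH
    print("bypassing proxy:", scenario_bypass_proxy())  # None
    print("replayed tag:   ", scenario_replayed_tag())  # None
```

The MAC check is deliberately secondary: within the skew window a captured header pair can still be replayed by anyone who can reach the web server, so it is a backstop for the case where the network restriction fails, not a replacement for it.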

I did some research on solutions for PeopleSoft, and these are the options I found.

  • Shibboleth SP
  • Grey Heller SAML
  • F5 BIG-IP APM
  • SOHA.io
  • Custom PeopleCode SAML Token Validation
  • Weblogic SP

Let's go over each one.

Shibboleth

Shibboleth is first, and we discuss it only briefly because this solution has been documented in many other places. It is probably the most popular SAML SP implementation for PeopleSoft that I have found. Generally it involves standing up Apache with the Shibboleth SP module; the Shibboleth wiki lists some other supported web-server integrations.

This requires Apache to act as a reverse proxy in front of PeopleSoft. A user must not be able to address the PeopleSoft web server directly, since the Shibboleth module sets the identity headers that the sign-on PeopleCode trusts. The overall flow is:

Web Browser --> Apache Reverse Proxy (with Shibboleth Module) --> PeopleSoft Web Server --> Sign-on PeopleCode

Grey Heller SAML

In March 2017, Grey Heller announced a PeopleSoft SAML SSO product that accepts SAML assertions and authenticates users into PeopleSoft.

F5 BIG-IP APM

If you already front PeopleSoft with an F5 BIG-IP appliance for load balancing, you may be able to use that same appliance as the SAML SP.

From the F5 site:

BIG-IP APM version 11.3 can act as either a SAML service provider or a SAML identity provider, enabling both federation and SSO within an enterprise.

This requires that you are licensed for the APM module. If you already front your PeopleSoft traffic with F5, this makes a lot of sense, and the same rule applies as with Shibboleth: the PeopleSoft web server must accept traffic only from the F5, since the F5 sets the headers that the sign-on PeopleCode trusts.

The overall flow is:

Web Browsers --> F5 --> PeopleSoft Web Server --> Sign-on PeopleCode

SOHA.IO

SOHA is a fairly new company that was purchased by Akamai in October 2016. Their solution is interesting and offers a lot of functionality; for lack of better words, it turns the firewall "upside down". At a very high level it serves as your load balancer and reverse proxy. It integrates with your IDP to perform the SAML SP function, then passes the HTTP headers to PeopleSoft and the sign-on PeopleCode.

SOHA's architecture exposes applications that sit behind the firewall to the Internet without opening inbound firewall ports or requiring a VPN: an on-premises agent makes an outbound connection to the SOHA cloud, which is what users actually reach. Get a demo, as there is a lot of interesting functionality on offer.

The overall flow is:

Web Browser --> SOHA Cloud --> SOHA Cloudlet Agent (on premises) --> PeopleSoft Web Server --> Sign-on PeopleCode

Custom PeopleCode SAML Token Validation

Vlad Kaminsky of GNC Consulting presented at the 2016 PeopleSoft Reconnect conference and demonstrated a solution in which sign-on PeopleCode calls out to open-source Java SAML libraries to validate the assertion itself. Because there is no proxy in this flow, the header-spoofing concern above does not apply, but the correctness of the signature, audience and validity-window checks is entirely your code's responsibility.

I would recommend looking at his presentation; there are a ton of code samples.

The overall flow is:

Web Browsers --> PeopleSoft Web Server --> Sign-on PeopleCode

Weblogic SP

WebLogic has the ability to act as a SAML SP. However, a colleague told me that the WebLogic license that comes with PeopleSoft is limited and you cannot use the SAML pieces, so your organization would need a different WebLogic license.

The overall flow is:

Web Browsers --> PeopleSoft Web Server --> Sign-on PeopleCode

Others?

If you know of any other solutions let me know.

Additional Reading