SAML Authentication in PeopleSoft

By Chris Malek | Thu, Jan 26, 2017

If you want the TL;DR version, just go with Appsian SSO. I have worked with it and it is great.


This article summarizes the different vendor solutions to get PeopleSoft to act as a SAML SP. We assume you have a working knowledge of SAML and PeopleSoft architecture.

SP stands for “Service Provider”. An SP delegates all or some authentication to a trusted SAML IDP (Identity Provider), which issues signed assertions about the user it has authenticated. The SP trusts those assertions because they are cryptographically signed and the SP holds a copy of the IDP’s signing certificate (public key) with which it verifies the signature. Signature verification alone is not enough: the SP also has to check that the assertion was issued for it (the audience) and that it is still inside its validity window. How the IDP authenticates the user (password, MFA, Kerberos, smart card) is the IDP’s concern; the SP does not need to know.

PeopleSoft does not support SAML for authenticating users and establishing a user session. Oracle has no planned support for it (see Document ID 623055.1). Therefore, you have to use some other solution. Most of the solutions revolve around a reverse proxy that interprets and validates the SAML tokens. If a token is valid, information about the IDP-authenticated user is taken from the token and passed along to PeopleSoft in the form of HTTP headers. Sign-on PeopleCode picks up those HTTP headers, resolves them to a valid PSOPRDEFN user, and grants that user a session using SetAuthenticationResult. In some cases the PSOPRDEFN row may not exist and is created on the fly by the sign-on PeopleCode from the information in the headers. In all of these reverse proxy solutions it is critical that a user cannot bypass the reverse proxy and reach the PeopleSoft web server directly: the headers are ordinary HTTP headers, so anyone who can send a request straight to the PIA can set them and log in as pretty much anyone. The usual mitigations are a network rule that lets the PIA accept traffic only from the proxy, and having the proxy strip any client-supplied copy of the identity header before setting its own.
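As an added illustration of the sign-on PeopleCode described above (this is example code, not code from this article, from Oracle, or from any of the vendors listed below), here is a minimal sign-on function that reads the proxy-set header, refuses requests that did not come through the proxy, and grants the session with SetAuthenticationResult. The function and record names, the header names, the proxy address and the shared secret are all assumptions for the example; the two guards before the PSOPRDEFN lookup are what stop a client that reaches the PIA directly from minting a session with a forged header.

```peoplecode
/* Added example, not from the article or any vendor.                           */
/* Assumed location: FUNCLIB_SAMLSSO.SAML_AUTH.FieldFormula, registered under   */
/* PeopleTools > Security > Security Objects > Signon PeopleCode.               */
/* Header names, the proxy address and the secret value are assumptions.       */

Function SAML_HEADER_SIGNON()
   Local string &hdrUser, &hdrSecret, &oprid;
   Local string &PROXY_ADDR = "10.0.0.5";                          /* assumed proxy IP */
   Local string &PROXY_SECRET = "replace-with-long-random-value";  /* assumed; keep out of code in a real deployment */

   /* If the normal PeopleSoft password check already succeeded, leave it alone. */
   If %PSAuthResult = True Then
      Return;
   End-If;

   /* Headers the reverse proxy is expected to set from the validated SAML assertion. */
   &hdrUser = %Request.GetHeader("X-PS-Remote-User");
   &hdrSecret = %Request.GetHeader("X-PS-Proxy-Secret");

   If None(&hdrUser) Or None(&hdrSecret) Then
      Return;
   End-If;

   /* Guard 1: the request must carry the secret that only the proxy knows.
      A client that reaches the PIA directly and forges X-PS-Remote-User
      does not get past this check. */
   If &hdrSecret <> &PROXY_SECRET Then
      Return;
   End-If;

   /* Guard 2: the request must come from the proxy itself. This backs up the
      network rule that should already stop direct access to the PIA. */
   If %Request.RemoteAddr <> &PROXY_ADDR Then
      Return;
   End-If;

   /* Resolve the asserted identity to an existing operator. Do not create one
      here unless on-the-fly provisioning is a deliberate design decision. */
   &hdrUser = Upper(&hdrUser);
   SQLExec("SELECT OPRID FROM PSOPRDEFN WHERE OPRID = :1", &hdrUser, &oprid);
   If None(&oprid) Then
      Return;
   End-If;

   /* Grant the session without a password check. */
   SetAuthenticationResult( True, &oprid, "", False);
End-Function;
```

The usual way to wire this in is a web profile that allows public access with a low-privilege public user, and the sign-on program enabled with “Exec Auth Fail” so that it runs for that user and switches the session to the asserted operator. On the proxy side, unset any incoming X-PS-Remote-User and X-PS-Proxy-Secret headers before setting your own (in Apache, a RequestHeader unset followed by RequestHeader set), otherwise the shared-secret check is only as strong as the proxy’s header handling.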

I was doing some research on solutions for PeopleSoft and these are the options I found.

  • Appsian SAML
  • Shibboleth SP
  • F5 BIG-IP APM
  • SOHA.io (purchased by Akamai)
  • Custom PeopleCode SAML Token Validation
  • Weblogic SP

Let’s go over each one.

Appsian SAML

In March 2017, Appsian announced a PeopleSoft SAML SSO product that accepts SAML tokens and authenticates users into PeopleSoft.

Shibboleth

Shibboleth is the first one, and we will discuss it only briefly because this solution has been documented in many other places. It is probably the most popular SAML SP implementation for PeopleSoft that I have found. Generally, it involves standing up Apache httpd with the Shibboleth SP module (mod_shib). Other supported web servers are listed on the Shibboleth Wiki.

This requires that Apache acts as a reverse proxy in front of PeopleSoft. A user must not be able to address the PeopleSoft web server directly, because the identity travels as HTTP headers that anyone talking to the PIA directly could forge. The overall flow is:

Web Browser –> Apache Reverse Proxy (with Shibboleth Module) –> PeopleSoft Web Server –> Sign-on PeopleCode

F5 BIG-IP APM

If you are already using an F5 BIG-IP appliance for load balancing, you may be able to use it as the SAML SP.

From the F5 site:

BIG-IP APM version 11.3 can act as either a SAML service provider or a SAML identity provider, enabling both federation and SSO within an enterprise.

This requires that you are licensed for the APM module. If you are already fronting your PeopleSoft traffic with F5, this would make a lot of sense. The F5 sits in the same reverse-proxy position as Apache does in the Shibboleth setup, so the same rule applies: the PeopleSoft web server must not be reachable except through the F5.

The overall flow is:

Web Browsers –> F5 –> PeopleSoft Web Server –> Sign-on PeopleCode

Custom PeopleCode SAML Token Validation

Vlad Kaminsky from GNC Consulting presented at a 2016 PeopleSoft Reconnect conference and demonstrated a solution of using PeopleCode that called out to open source Java SAML libraries.

I would recommend looking at [his presentation](http://apps.questdirect.org/eweb/temp/CFP_Files/2016PSFT102170(9287caed78ac418198e751bc394c5084).pdf). There are a ton of code samples. Because there is no proxy in this flow, there is nothing to bypass, but the PeopleCode (through the Java libraries it calls) must itself perform the full assertion validation: signature, audience, and validity window.

The overall flow is:

Web Browsers –> PeopleSoft Web Server –> Sign-on PeopleCode

Weblogic SP

WebLogic has the ability to support SAML and can act as a SAML SP. However, a colleague told me that the WebLogic license that comes with PeopleSoft is limited and you cannot use the SAML pieces, so your organization would need a different WebLogic license.

The overall flow is:

Web Browsers –> PeopleSoft Web Server –> Sign-on PeopleCode

Others?

If you know of any other solutions let me know.
