SAML Authentication in PeopleSoft

If you want the TLDR version, then just go with Appsian SSO. I have worked with it and it is great. I have heard of a few people using the OKTA solution as well.

This article summarizes the different vendor solutions to get PeopleSoft to act as a SAML SP. We assume you have a working knowledge of SAML and PeopleSoft architecture.

SP stands for “Service Provider”. An SP delegates all or some authentication to a trusted SAML IDP (Identity Provider) that grants authorization tokens. Basically, the SP trusts the IDP. The SP trusts the tokens given by the IDP because they are cryptographically signed and the SP has a copy of the IDP’s public key to verify the signature of the tokens. The IDP may authenticate the user in any number of ways that the SP does not concern itself with.

PeopleSoft does not support SAML for authenticating users and getting a user session. Oracle has no planned support for it (see Document ID 623055.1). Therefore, you have to use some other solution. Most of the solutions revolve around using a reverse proxy service that will interpret and validate the SAML tokens. If they are valid, then information about that IDP authenticated user is passed from the SAML token along to PeopleSoft. That user information is passed to PeopleSoft in the form of HTTP headers. Sign-on PeopleCode will pickup those HTTP headers and resolve information from the HTTP headers to a valid PSOPRDEFN user and grant them a session using SetAuthenticationResult. In some cases the PSOPRDEFN may not exist and it is created on the fly by the sign-on PeopleCode with the information passed in the HTTP headers. In most of these reverse proxy solutions, it becomes very important that a user cannot bypass the reverse proxy and go directly to the PeopleSoft web server as they could easily spoof the HTTP headers and login as pretty much anyone.

I was doing some research on solutions for PeopleSoft and these are the options I found.

• Pathlock Appsian SAML
• OKTA Access Gateway
• Datawiza SAML
• Shibboleth SP
• F5 BIG-IP APM
• Custom PeopleCode SAML Token Validation
• Weblogic SP

Let’s go over each one.

Appsian SAML

On March 2017, Appsian announced a PeopleSoft SAML SSO Product that will accept SAML tokens and authenticate user into PeopleSoft.

OKTA Access Gateway

If you are an OKTA customer you can use the “Access Gateway” product to proxy the SAML and pass HTTP headers to the back in Signon PeopleCode. I have alot of experience working with OKTA integrations and as always they have pretty great documentations.

See the OKTA Identity Gateway Documentation

Datawiza SAML

Datawiza has a SAML solution for PeopleSoft. I have not used it but it looks interesting.

• The product page is here: PeopleSoft SSO and MFA
• Step-by-step tutorial for Microsoft Entra ID (formerly Azure AD)
• Step-by-step tutorial for Okta

Shibboleth

Shibboleth is the first one which we will discuss briefly because this solution has been documented in many other places. This solution is probably the most popular SAML SP implementation for PeopleSoft that I have found. Generally, this involves standing up Apache with the Shibboleth module. There are some other supported implementations on the Shibboleth Wiki.

This requires that apache is acting as a reverse proxy in front of PeopleSoft. A user should not be able to address the PeopleSoft web server directly. The overall flow is:

Web Browser –> Apache Reverse Proxy (with Shibboleth Module) –> PeopleSoft Web Server –> Sign-on PeopleCode

F5 BIG-IP APM

If you are already using an F5 Firewall appliance to do load balancing, you may be able to use that to serve as the SAML SP.

From the F5 site:

BIG-IP APM version 11.3 can act as either a SAML service provider or a SAML identity provider, enabling both federation and SSO within an enterprise.

This requires that you are license for the APM module. If you are already fronting your PeopleSoft Traffic with F5 this would make a lot sense.

The overall flow is:

Web Browsers –> F5 –> PeopleSoft Web Server –> Sign-on PeopleCode

Custom PeopleCode SAML Token Validation

Vlad Kaminsky from GNC Consulting presented at a 2016 PeopleSoft Reconnect conference and demonstrated a solution of using PeopleCode that called out to open source Java SAML libraries.

I would recommend looking at [his presentation](http://apps.questdirect.org/eweb/temp/CFP_Files/2016PSFT102170(9287caed78ac418198e751bc394c5084).pdf). There are a ton of code samples.

The overall flow is:

Web Browsers –> PeopleSoft Web Server –> Sign-on PeopleCode

Weblogic SP

Weblogic the ability to to support SAML. However, a colleague told me that the Weblogic license that comes with PeopleSoft is limited and you cannot use the SAML pieces. So your organization would need some different Weblogic license.

The overall flow is:

Web Browsers –> PeopleSoft Web Server –> Sign-on PeopleCode

Others?

If you know of any other solutions let me know.

Additional Reading

• Single Sign-On (SSO) to PeopleSoft using Reverse Proxy Setup by Logesh Balasubramaniam