Title: Computing And Communications
1 Implementing PeopleSoft SSO
- Computing And Communications
2 UCR SSO Overview
(Diagram: browser, CAS Server http://auth.ucr.edu, PeopleSoft Application Server, Oracle Stored Function, with the numbered steps below)
(1) https://auth.ucr.edu/cas/login?service=http://ora02.ucr.edu/psp/UCRTM3/?cmd=start
(2) CAS redirects the browser to the URL http://ora02.ucr.edu/psp/UCRTM3/?cmd=start&ticket=ST-9-rroTVKeuNy3v
(3) Signon PeopleCode requests validation of the ticket via a SQL stored function
(4) The SQL stored function requests validation of the ticket via a URL request, using the Oracle Wallet for a secure connection
(5) CAS returns the validation result (either "no" or "yes <user_id>") to the stored function
(6) The stored function returns the ticket validation result to the Signon PeopleCode
(7) Signon PeopleCode calls SetAuthenticationResult() with True and redirects the browser to our main PeopleSoft page.
3 Web Profile Configuration: Security
Turn on public access for the default user
4 Web Profile Configuration: Look and Feel
Place these files in webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/<portalname>/
Create a simple HTML file that does a META redirect, i.e.
   <META HTTP-EQUIV="Refresh" CONTENT="0; URL=https://auth.ucr.edu/cas/">
Create a simple HTML file that closes the webpage when the user logs out, i.e.
   <script language="JavaScript" type="text/javascript">
      function closeme() { window.opener = null; window.close(); }
   </script>
   <BODY onload="javascript:closeme()">
5 Enabling Signon PeopleCode
Create a special Function Library (FUNCLIB_) with your Signon PeopleCode and enable it here
6 Signon PeopleCode at a glance
Function UCR_Signon()
   /* Get the CAS ticket and service */
   &TICKET = RTrim(%Request.GetParameter("ticket"));
   &SERVICE = RTrim(%Request.FullURI) | "?cmd=start";

   /* Create a SQL statement that will send the ticket "out of band" for validation.
      Service and ticket are passed as bind variables rather than concatenated into the SQL text. */
   &sqlCASValidate = CreateSQL("select sso_validation_ticket(:1, :2) from dual", &SERVICE, &TICKET);

   /* Execute the SQL and fetch the result, which should be either "no" or "yes <user>" */
   &sqlCASValidate.Fetch(&RESULT);
   &YES_NO = Substring(&RESULT, 1, 3);
   If &YES_NO = "yes" Then
      &Result_userid = Clean(Substring(&RESULT, 5, Len(&RESULT) - 4));
      /* Additionally, need to validate the resulting userid with the PSOPRDEFN table */
      /* and check to see if the account is locked out */
      SetAuthenticationResult( True, Upper(&Result_userid), "", False);
   Else
      /* If NOT valid, then fail the user's login attempt and redirect back to the CAS page */
      SetAuthenticationResult( False, &Result_userid, "", False);
   End-If;
End-Function;
Just a brief overview of the custom Signon PeopleCode.
7 Oracle Stored Function
create or replace function SSO_Validation_Ticket(service in varchar2, ticket in varchar2)
return varchar2 is
/*
   Title:   Single Signon Validate Ticket (SSO)
   Purpose: Validate an SSO ticket received via a URL
*/
   newservice varchar2(2000);
   returndata varchar2(2000);
Begin
   -- URL-encode the characters CAS treats specially in the service parameter
   newservice := replace(service, ':', '%3a');
   newservice := replace(newservice, '?', '%3f');
   newservice := replace(newservice, '&', '%26');
   newservice := replace(newservice, '=', '%3d');
   -- Call the CAS validate URL over HTTPS; the Oracle Wallet supplies the trusted certificates
   SELECT utl_http.request('https://auth.ucr.edu/cas/validate?service=' || newservice || chr(38) || 'ticket=' || ticket,
                           null, 'file:/etc/ORACLE/WALLETS/DATABASES', '<wallet_password>')
     into returndata FROM dual;
   return(returndata);
exception
   when others then
      returndata := sqlerrm;
      return(returndata);
end SSO_Validation_Ticket;
The stored function that validates the ticket over a wallet-secured HTTPS request
8 Signon PeopleCode (Page 1/5)
Global string &TICKET, &USERID, &RESULT;
Global File &LOG_FILE;
Local SQL &sqlCASValidate;

Function UCR_Signon()
   /* Steps to set up single signon:
      1) Web Profile Configuration - PSDEV - Security tab - Allow Public Access = YES, User ID = XYZ
      2) Report Node - UCR_REPORT_NODE - URL = http://ora02.ucr.edu/psreports/ps, Login ID = XYZ, etc.
      3) Signon PeopleCode = FUNCLIB_UCR.SSOAUTH.FieldDefault.UCR_Signon
      4) Ensure that the two files logout_ucrsso.html and redirect_ucrsso.html are located in the
         following directory (or similar):
         /u06/PT8.44.10/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/UCRTM2/
         These two files are used in step 1).
      5) Compile the stored function sso_validation_ticket(). You will have to check it out via SourceSafe.
      6) Restart the App and Web Server. Take several minutes between shutting down and restarting.
         Delete some cache files too.
      7) Change the Disable Signon user from XYZ to another user with no privileges. */

   /* Get the CAS ticket and service */
   &FULLURI = RTrim(%Request.FullURI);
   &TICKET = RTrim(%Request.GetParameter("ticket"));
   &QUERYSTRING = RTrim(%Request.QueryString);
   &SERVICE = &FULLURI | "?cmd=start";
9 Signon PeopleCode (Page 2/5)
   /* URL-encode the characters CAS treats specially in the service parameter */
   &SERVICE = Substitute(&SERVICE, ":", "%3a");
   &SERVICE = Substitute(&SERVICE, "?", "%3f");
   &SERVICE = Substitute(&SERVICE, "&", "%26");
   &SERVICE = Substitute(&SERVICE, "=", "%3d");

   /* In order to view reports from inside the portal, this Signon PeopleCode will run a second
      time for the user. The first time, a user is signed on as XYZ with a null AuthenticationToken
      and then authenticated as themselves (look for &sqlCASValidate). The second time (by clicking
      on a report link), they are signed on as themselves (not XYZ) with the AuthenticationToken
      now not null. We then just sign them in as themselves. */

   /* Determine if the user entered via the web or the Application Designer using the app server. */
   &Entered_Via_Http = Find("http", &SERVICE);
   If %SignonUserId <> "XYZ" And
         (%AuthenticationToken <> "" Or
            &Entered_Via_Http = 0) Then
      SetAuthenticationResult( True, Upper(%SignonUserId), "", False);
      Return;
   End-If;

   /* Create a SQL statement that will send the ticket "out of band" for validation */
   &sqlCASValidate = CreateSQL();
10 Signon PeopleCode (Page 3/5)
   try
      /* Service and ticket are passed as bind variables rather than concatenated into the SQL text */
      &sqlCASValidate = CreateSQL("select sso_validation_ticket(:1, :2) from dual", &SERVICE, &TICKET);
   catch Exception &c1
      SetAuthenticationResult( False, Upper(&USERID), "", False);
   end-try;

   /* Execute the SQL and fetch the result, which should be either "no" or "yes <user>" */
   If &sqlCASValidate.Fetch(&RESULT) Then
      &RESULT = RTrim(&RESULT);
   End-If;
   &sqlCASValidate.Close();
   &YES_NO = Substring(&RESULT, 1, 3);
   If &YES_NO = "yes" Then
      /* If valid, then authenticate the user */
      /* Step 1: Validate the resulting userid with the PSOPRDEFN table. */
      /* Step 2: Check to see if the account is locked out. */
      &Result_len = Len(&RESULT);
      &Result_userid = Clean(Substring(&RESULT, 5, &Result_len - 4));
11 Signon PeopleCode (Page 4/5)
      /* Step 1: Validate userid with the PSOPRDEFN table. */
      /* Step 2: Check to see if the account is locked out. */
      &sqlCASValidate = CreateSQL();
      try
         /* Convert the resulting user id to upper case. The user IDs from the upgrade process are
            already upper case, but UCR Net IDs are always lower case and must be equated using the
            Upper() function. The user id is passed as a bind variable. */
         &sqlCASValidate = CreateSQL("select 'Y' from psoprdefn where oprid = :1 and acctlock = 0", Upper(&Result_userid));
      catch Exception &c2
         SetAuthenticationResult( False, &USERID, "", False);
      end-try;

      /* Execute the SQL and fetch the result: a row comes back only if the user exists and is not locked */
      If &sqlCASValidate.Fetch(&RESULT) Then
         SetAuthenticationResult( True, Upper(&Result_userid), "", False);
      Else
         /* No such user, or the account is locked out: fail the login attempt */
         SetAuthenticationResult( False, &USERID, "", False);
      End-If;
12 Signon PeopleCode (Page 5/5)
   Else
      /* If NOT valid, then fail the user's login attempt and redirect back to the CAS page */
      SetAuthenticationResult( False, &Result_userid, "", False);
   End-If;
End-Function;
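As an added example (not code from the deck), the ticket validation round trip from the overview and the PSOPRDEFN check from the Signon PeopleCode are written out in Python so they can be exercised offline: the CAS server is a constructed stand-in keyed by ticket, and an in-memory SQLite table with made-up rows stands in for PSOPRDEFN.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def encode_service(service: str) -> str:
    """Escape only ':', '?', '&' and '=' in that order, as the deck's Substitute/replace calls do."""
    for raw, enc in ((":", "%3a"), ("?", "%3f"), ("&", "%26"), ("=", "%3d")):
        service = service.replace(raw, enc)
    return service


def build_validate_url(cas_base: str, service: str, ticket: str) -> str:
    # Same shape as the URL handed to utl_http.request in SSO_Validation_Ticket
    return f"{cas_base}/cas/validate?service={encode_service(service)}&ticket={ticket}"


# Constructed stand-in for the CAS server: ticket -> (service it was issued for, net id)
FAKE_CAS_TICKETS = {
    "ST-9-rroTVKeuNy3v": ("http://ora02.ucr.edu/psp/UCRTM3/?cmd=start", "jdoe"),
    "ST-10-lockedUser": ("http://ora02.ucr.edu/psp/UCRTM3/?cmd=start", "llocked"),
}


def fake_cas_validate(url: str) -> str:
    """Reply like CAS 1.0 /validate: 'yes\\n<user>\\n' or 'no\\n\\n'. A ticket is only
    good for the service it was issued for, so presenting it for another service fails."""
    qs = parse_qs(urlsplit(url).query)  # parse_qs undoes the %xx escaping
    ticket, service = qs.get("ticket", [""])[0], qs.get("service", [""])[0]
    issued = FAKE_CAS_TICKETS.get(ticket)
    return f"yes\n{issued[1]}\n" if issued and issued[0] == service else "no\n\n"


def parse_cas_response(body: str) -> tuple[bool, str]:
    """Mirror the PeopleCode: chars 1-3 decide, the remainder (cleaned, upper-cased) is the user id."""
    body = body.rstrip()
    if body[:3] != "yes":
        return False, ""
    return True, body[4:].strip().upper()


def open_oprdefn() -> sqlite3.Connection:
    # Constructed stand-in for PSOPRDEFN with just the columns the signon check reads
    db = sqlite3.connect(":memory:")
    db.execute("create table psoprdefn (oprid text primary key, acctlock integer)")
    db.executemany("insert into psoprdefn values (?, ?)", [("JDOE", 0), ("LLOCKED", 1)])
    return db


def authenticate(db: sqlite3.Connection, cas_base: str, service: str, ticket: str) -> tuple[bool, str]:
    """Return (authenticated, userid): the ticket must validate AND the user must exist unlocked."""
    ok, userid = parse_cas_response(fake_cas_validate(build_validate_url(cas_base, service, ticket)))
    if not ok:
        return False, ""
    # The user id is bound as a parameter rather than concatenated into the SQL text
    row = db.execute("select 'Y' from psoprdefn where oprid = ? and acctlock = 0", (userid,)).fetchone()
    return row is not None, userid
```

A locked account and an unknown ticket both end in a failed login, and a ticket presented for a service other than the one it was issued for is refused by the (stand-in) CAS server before the PSOPRDEFN check is reached.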