160 likes | 326 Views
PeopleSoft Single Sign-On & Shibboleth. Gary Windham Senior Enterprise Systems Architect University Information Technology Services. Why Single Sign-On?. Use institutional credentials (username/password users already know)
E N D
PeopleSoft Single Sign-On & Shibboleth Gary Windham Senior Enterprise Systems Architect University Information Technology Services
Why Single Sign-On? • Use institutional credentials (username/password users already know) • Avoid headache of maintaining password security policies, expirations, etc • Login once, gain access to multiple services • Portal integration
Signon PeopleCode • PeopleSoft provides the ability to integrate with external authentication providers via Signon PeopleCode • Signon PeopleCode is record PeopleCode • FUNCLIB_LDAP is the delivered record for signon peoplecode; functions are tied to the LDAPAUTH field • Signon PeopleCode runs whenever a user signs onto PeopleSoft via PIA or 3-tier client/server • Primary job is to authenticate the user and copy user profile data from an external source to the local database
Signon PeopleCode (cont) • Various external authentication solutions can be accessed via signon PeopleCode: • LDAP • X509 client certificates • PS SSO (PS_TOKEN) • Oracle SSO • Windows NTLM authentication • Web Server Security (used for Shibboleth) • Overloaded use of “SSO”—can be confusing!
Configuring SignOn PeopleCode • Signon Peoplecode is configured and administered through a dedicated screen (SIGNONPPC_PAGE), located at PeopleTools->Security->Security Objects->Signon PeopleCode • Different signon peoplecode functions can be stacked in sequence and enabled/disabled • “Exec Auth Fail” allows a function to run only if authentication did not succeed • For Web Server Authentication, all initial sign-on to PeopleSoft is done through a “default public user” • set-up in PeopleTools->Web Profile->Web Profile Configuration->Security • no permissions • establishes initial user context such that signon PeopleCode can execute (chicken and egg problem)
What is Shibboleth? • An open software system for web single sign-on • Developed by Internet2 • Enables web applications deployed in most typical web server environments to authenticate and authorize users via a single protocol • Facilitates federated identity • Enables fine-grained assertion of identity data to federated and external partners • privacy and security are key elements
What is Shibboleth? (cont) • The "currency" of the Shibboleth software is attributes. • named set of values about an authenticated user • values are typically strings, but can be more complex XML-based data. • When a user attempts to authenticate to your service, Shibboleth obtains a set of attributes for that user and maps them to environment variables and/or HTTP headers for your application to consume • Attributes not stored within Shibboleth itself • pulled from other sources (e.g. LDAP directory or database) • EDS in our case
1. User requests resource WebAuth The Shibboleth Protocol 2. You are not authenticated, redirect to IdP SSO 3b 3. I don’t know you. Authenticate using WebAuth 3c Client Web Browser 4. I know you now. Send client (via form POST) to resource’s ACS 7b 3a 4a 1a Credentials 2 Resource Provider Web Site Identity Provider Web Site 2 Web Resource Assertion Consumer Service (ACS) SSO Service 7a 1b 4c EDS Handle 4b Resource Manager (RM) Handle Handle Attribute Authority (AA) Attributes 5 Attribute Requester • 6b Attributes 6a 5. I don’t know your attributes. Ask the attribute authority 7. Based on attribute values, allow access to resource 6. Return the attributes allowed by release policy Source: Kathryn Huxtable, Internet2
Wiring-up Shibboleth to PS • Shibboleth infrastructure resides on the web tier • e.g. uaz-sa-w02.mosaic.arizona.edu • Shibboleth software runs under Apache or IIS web containers • consists of two components: • web-server plugin (mod_shib for Apache, or an ISAPI filter for IIS) • standalone UNIX daemon (shibd) or Windows service • Our PeopleSoft app server infrastructure is Linux-based, so we use the Apache version • PeopleSoft web tier runs on WebLogic
Wiring-up Shibboleth to PS (cont) • How to bridge Apache and WebLogic? • mod_weblogic – Apache module delivered with WLS, similar in concept to mod_jk / mod_proxy_ajp (Tomcat) • All requests routed through Apache • mod_shib directives enforce authentication and manage session authentication context • Shibboleth attributes inserted into HTTP request headers • mod_weblogic proxies request to WebLogic (PIA) via back-end connection
ACE Browser https://sa-dev.mosaic.arizona.edu http://uaz-sa-w02.mosaic.arizona.edu:8080 Shib IdP PS App Server Apache WLS mod_weblogic mod_shib
Accessing Shibboleth AttributesIn Signon PeopleCode • Once the Shibboleth authentication sequence is complete, attributes about the user are available • Attributes can be retrieved from %Request object (HTTP Request headers) • All attributes contained in EDS are available • named according to EDS schema, except prefaced by “Shib-” (to disambiguate namespace)