PeopleSoft Single Sign-On & Shibboleth
Gary Windham
Senior Enterprise Systems Architect
University Information Technology Services
Why Single Sign-On?
Use institutional credentials (username/password users already know)
Avoid headache of maintaining password security policies, expirations, etc.
Login once, gain access to multiple services
Portal integration
Signon PeopleCode
PeopleSoft provides the ability to integrate with external authentication providers via Signon PeopleCode
Signon PeopleCode is record PeopleCode
FUNCLIB_LDAP is the delivered record for signon PeopleCode; functions are tied to the LDAPAUTH field
Signon PeopleCode runs whenever a user signs onto PeopleSoft via PIA or 3-tier client/server
Primary job is to authenticate the user and copy user profile data from an external source to the local database
Signon PeopleCode (cont)
Various external authentication solutions can be accessed via signon PeopleCode:
LDAP
X509 client certificates
PS SSO (PS_TOKEN)
Oracle SSO
Windows NTLM authentication
Web Server Security (used for Shibboleth)
Overloaded use of “SSO”—can be confusing!
Configuring SignOn PeopleCode
Signon PeopleCode is configured and administered through a dedicated screen (SIGNONPPC_PAGE), located at PeopleTools -> Security -> Security Objects -> Signon PeopleCode
Different signon PeopleCode functions can be stacked in sequence and enabled/disabled
“Exec Auth Fail” allows a function to run only if authentication did not succeed
For Web Server Authentication, all initial sign-on to PeopleSoft is done through a “default public user”
set up in PeopleTools -> Web Profile -> Web Profile Configuration -> Security
no permissions
establishes initial user context such that signon PeopleCode can execute (chicken-and-egg problem)
Signon PeopleCode Configuration
What is Shibboleth?
An open software system for web single sign-on
Developed by Internet2
Enables web applications deployed in most typical web server environments to authenticate and authorize users via a single protocol
Facilitates federated identity
Enables fine-grained assertion of identity data to federated and external partners
privacy and security are key elements
What is Shibboleth? (cont)
The "currency" of the Shibboleth software is attributes.
named set of values about an authenticated user
values are typically strings, but can be more complex XML-based data.
When a user attempts to authenticate to your service, Shibboleth obtains a set of attributes for that user and maps them to environment variables and/or HTTP headers for your application to consume
Attributes not stored within Shibboleth itself
pulled from other sources (e.g. LDAP directory or database)
EDS in our case
[Diagram: Shibboleth protocol flow between the Client (Web Browser), the Resource Provider Web Site (Web Resource, Resource Manager (RM), Assertion Consumer Service (ACS)) and the Identity Provider Web Site (SSO Service, Attribute Authority (AA)), with WebAuth handling credentials and EDS supplying attributes. Source: Kathryn Huxtable, Internet2]
1. User requests resource
2. You are not authenticated, redirect to IdP SSO
3. I don’t know you. Authenticate using WebAuth
4. I know you now. Send client (via form POST) to resource’s ACS
5. I don’t know your attributes. Ask the attribute authority
6. Return the attributes allowed by release policy
7. Based on attribute values, allow access to resource
Wiring-up Shibboleth to PS
Shibboleth infrastructure resides on the web tier
e.g. uaz-sa-w02.mosaic.arizona.edu
Shibboleth software runs under Apache or IIS web containers
consists of two components:
web-server plugin (mod_shib for Apache, or an ISAPI filter for IIS)
standalone UNIX daemon (shibd) or Windows service
Our PeopleSoft app server infrastructure is Linux-based, so we use the Apache version
PeopleSoft web tier runs on WebLogic
Wiring-up Shibboleth to PS (cont)
How to bridge Apache and WebLogic?
mod_weblogic – Apache module delivered with WLS, similar in concept to mod_jk / mod_proxy_ajp (Tomcat)
All requests routed through Apache
mod_shib directives enforce authentication and manage session authentication context
Shibboleth attributes inserted into HTTP request headers
mod_weblogic proxies request to WebLogic (PIA) via backend connection
[Diagram: request path for https://sa-dev.mosaic.arizona.edu: Browser -> Apache (mod_shib, mod_weblogic) -> WLS -> PS App Server, with the Shib IdP and ACE shown alongside]
Accessing Shibboleth Attributes
In Signon PeopleCode
Once the Shibboleth authentication sequence is complete, attributes about the user are available
Attributes can be retrieved from the %Request object (HTTP Request headers)
All attributes contained in EDS are available
named according to EDS schema, except prefaced by “Shib” (to disambiguate namespace)
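An added illustration of the header-reading pattern described above; it is not the delivered FUNCLIB_LDAP code and not the example shown in the talk. It assumes a header named ShibEmplId populated by mod_shib and a default public user named PSPUBLIC; both names are placeholders.

```peoplecode
/* Added example, not delivered PeopleSoft code.
   Assumptions: mod_shib sets the request header "ShibEmplId" to the user's
   EmplID, and "PSPUBLIC" is the default public user from the Web Profile. */
Function Shib_Authentication()
   Local string &shibUser;

   /* Run only in the bootstrap context: no earlier signon function has
      authenticated the session, and the session still belongs to the
      default public user (the "chicken and egg" user). */
   If %PSAuthResult = False And
         %SignonUserId = "PSPUBLIC" Then

      /* Shibboleth attributes arrive as HTTP request headers. */
      &shibUser = %Request.GetHeader("ShibEmplId");

      /* The header is trustworthy only because mod_shib sets it on every
         request and Apache is the sole route to WebLogic; a WebLogic port
         reachable without passing through Apache would let a caller supply
         this header itself, so the backend connection must stay private. */
      If &shibUser <> "" Then
         /* Accept the user; no result document, no audit record written. */
         SetAuthenticationResult( True, Upper(&shibUser), "", False);
      End-If;
   End-If;
End-Function;
```

The function would be registered on the Signon PeopleCode page (SIGNONPPC_PAGE) like the delivered FUNCLIB_LDAP entries, with "Exec Auth Fail" left unset so it runs before any fallback method.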
Signon PeopleCode Examples
Signon PeopleCode Examples (cont)
Demo…