SAML Authentication in PeopleSoft
By Chris Malek | Thu, Jan 26, 2017
If you want the TLDR version, then just go with Appsian SSO. I have worked with it and it is great. I have heard of a few people using the OKTA solution as well.
This article summarizes the different vendor solutions to get PeopleSoft to act as a SAML SP. We assume you have a working knowledge of SAML and PeopleSoft architecture.
SP stands for “Service Provider”. An SP delegates all or some authentication to a trusted SAML IDP (Identity Provider) that grants authorization tokens. Basically, the SP trusts the IDP. The SP trusts the tokens given by the IDP because they are cryptographically signed and the SP has a copy of the IDP’s public key to verify the signature of the tokens. The IDP may authenticate the user in any number of ways that the SP does not concern itself with.
PeopleSoft does not support SAML for authenticating users and getting a user session. Oracle has no planned support for it (see Document ID 623055.1). Therefore, you have to use some other solution. Most of the solutions revolve around using a reverse proxy service that will interpret and validate the SAML tokens. If they are valid, then information about that IDP-authenticated user is taken from the SAML token and passed along to PeopleSoft. That user information is passed to PeopleSoft in the form of HTTP headers. Sign-on PeopleCode will pick up those HTTP headers, resolve the information in them to a valid PSOPRDEFN user and grant that user a session using SetAuthenticationResult. In some cases the PSOPRDEFN row may not exist and it is created on the fly by the sign-on PeopleCode from the information passed in the HTTP headers. In all of these reverse proxy solutions, it becomes very important that a user cannot bypass the reverse proxy and go directly to the PeopleSoft web server, because they could then easily spoof the HTTP headers and log in as pretty much anyone.
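The sign-on PeopleCode side of that flow, as an added example that is not code from this article or from any of the vendors listed below. It consumes identity headers set by a SAML-validating reverse proxy, checks a proxy shared secret as defense in depth against direct-to-web-server header spoofing, resolves the asserted e-mail address to an unlocked PSOPRDEFN row and grants the session. The header names X-SAML-EMAIL and X-PROXY-SECRET, the table PS_Z_SSO_CONFIG that holds the expected secret, and the choice to match on EMAILID are all assumptions; adapt them to what your proxy actually sends and how you map the SAML NameID.

```peoplecode
/* Added example sign-on PeopleCode for a header-based SAML reverse proxy flow.
   Not vendor code. Header names, PS_Z_SSO_CONFIG and the EMAILID mapping are
   assumptions for illustration only. */

Function Z_SAML_HEADER_SIGNON()
   Local string &sEmail, &sProxySecret, &sExpectedSecret, &sOprId;
   Local number &nLocked;

   /* If the user already authenticated with a PeopleSoft password, do nothing. */
   If %PSAuthResult Then
      Return;
   End-If;

   /* Defense in depth: the reverse proxy adds a secret header that a client
      reaching the web server directly would not know. This does NOT replace
      network controls; the web server must still only be reachable via the proxy. */
   &sProxySecret = %Request.GetHeader("X-PROXY-SECRET");
   SQLExec("SELECT Z_SECRET FROM PS_Z_SSO_CONFIG WHERE Z_KEY = 'PROXY'", &sExpectedSecret);
   If None(&sProxySecret) Or
         None(&sExpectedSecret) Or
         &sProxySecret <> &sExpectedSecret Then
      /* Fall through to the normal sign-on page; do not say why. */
      Return;
   End-If;

   /* Identity asserted by the IDP and forwarded by the proxy after it validated
      the assertion signature. The proxy must strip any client-supplied copy of
      this header before forwarding, otherwise it can be spoofed. */
   &sEmail = %Request.GetHeader("X-SAML-EMAIL");
   If None(&sEmail) Then
      Return;
   End-If;

   /* Resolve the asserted identity to an existing, unlocked PSOPRDEFN row.
      No row is created on the fly here; unknown users get the normal login page. */
   SQLExec("SELECT OPRID, ACCTLOCK FROM PSOPRDEFN WHERE UPPER(EMAILID) = UPPER(:1)", &sEmail, &sOprId, &nLocked);
   If None(&sOprId) Or
         &nLocked = 1 Then
      Return;
   End-If;

   /* Grant the session without a PeopleSoft password. PassThru = False makes
      this the final authentication result for the request. */
   SetAuthenticationResult( True, &sOprId, "", False);
End-Function;
```

The program must be registered as a sign-on PeopleCode entry (PeopleTools > Security > Security Objects > Signon PeopleCode) and run under a user with access to the config table. The shared-secret check only helps if the proxy is the only party that knows the value; if the PeopleSoft web server is reachable from the user network, the secret becomes the sole barrier, so the primary control remains restricting that network path.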
I was doing some research on solutions for PeopleSoft and these are the options I found.
- Pathlock Appsian SAML
- OKTA Access Gateway
- Datawiza SAML
- Shibboleth SP
- F5 BIG-IP APM
- Custom PeopleCode SAML Token Validation
- Weblogic SP
Let’s go over each one.
Appsian SAML
In March 2017, Appsian announced a PeopleSoft SAML SSO product that will accept SAML tokens and authenticate the user into PeopleSoft.
OKTA Access Gateway
If you are an OKTA customer you can use the “Access Gateway” product to proxy the SAML exchange and pass HTTP headers to the back end, where Sign-on PeopleCode reads them. I have a lot of experience working with OKTA integrations and, as always, they have pretty great documentation.
See the OKTA Identity Gateway Documentation
Datawiza SAML
Datawiza has a SAML solution for PeopleSoft. I have not used it but it looks interesting.
- The product page is here: PeopleSoft SSO and MFA
- Step-by-step tutorial for Microsoft Entra ID (formerly Azure AD)
- Step-by-step tutorial for Okta
Shibboleth
Shibboleth is the one we will only discuss briefly, because this solution has been documented in many other places. It is probably the most popular SAML SP implementation for PeopleSoft that I have found. Generally, this involves standing up Apache with the Shibboleth module. There are some other supported implementations on the Shibboleth Wiki.
This requires that Apache is acting as a reverse proxy in front of PeopleSoft. A user should not be able to address the PeopleSoft web server directly. The overall flow is:
Web Browser –> Apache Reverse Proxy (with Shibboleth Module) –> PeopleSoft Web Server –> Sign-on PeopleCode
F5 BIG-IP APM
If you are already using an F5 Firewall appliance to do load balancing, you may be able to use that to serve as the SAML SP.
From the F5 site:
BIG-IP APM version 11.3 can act as either a SAML service provider or a SAML identity provider, enabling both federation and SSO within an enterprise.
This requires that you are licensed for the APM module. If you are already fronting your PeopleSoft traffic with F5, this would make a lot of sense.
The overall flow is:
Web Browsers –> F5 –> PeopleSoft Web Server –> Sign-on PeopleCode
Custom PeopleCode SAML Token Validation
Vlad Kaminsky from GNC Consulting presented at a 2016 PeopleSoft Reconnect conference and demonstrated a solution of using PeopleCode that called out to open source Java SAML libraries.
I would recommend looking at [his presentation](http://apps.questdirect.org/eweb/temp/CFP_Files/2016PSFT102170(9287caed78ac418198e751bc394c5084).pdf). There are a ton of code samples.
The overall flow is:
Web Browsers –> PeopleSoft Web Server –> Sign-on PeopleCode
Weblogic SP
WebLogic has the ability to support SAML. However, a colleague told me that the WebLogic license that comes with PeopleSoft is limited and you cannot use the SAML pieces. So your organization would need a different WebLogic license.
The overall flow is:
Web Browsers –> PeopleSoft Web Server –> Sign-on PeopleCode
Others?
If you know of any other solutions let me know.
Additional Reading
- Single Sign-On (SSO) to PeopleSoft using Reverse Proxy Setup by Logesh Balasubramaniam
Chris Malek
Chris Malek is a PeopleTools® Technical Consultant with two decades of experience working on PeopleSoft enterprise software projects. He is available for consulting engagements.