Sunday, March 22, 2009

Generating an AuthToken for SwitchUser

As the name implies, the PeopleCode SwitchUser function allows developers to switch the logged-in Operator ID from one user to another. For security reasons, you can only switch identities if you have either the other user's operator ID and password or a valid authentication token (AuthToken) for that user. While I'm sure there are numerous uses for this function, here are my top two:

  • Presenting a sign-on pagelet to a GUEST user
  • Switching the runtime context of Integration Broker PeopleCode

In both of these scenarios, PeopleCode is already running as one user, but you need to switch the runtime context to a different user. For example, if we build a web service that exposes Approval Workflow Engine (AWE) approvals, we must authenticate the caller so that access to a specific approval is evaluated against the caller's own permissions rather than those of the user the Integration Broker handler happens to be running as.

The PeopleCode SwitchUser function takes four parameters: UserID, Password, AuthToken and ExternalAuthInfo. The first two go together and the third stands alone: if you pass a user ID and password you leave the AuthToken empty, and if you pass an AuthToken you leave the user ID and password empty. They are mutually exclusive. The fourth parameter is irrelevant for this discussion. SwitchUser returns True when the switch succeeds and False otherwise, so whatever calls it must check the result before doing anything on behalf of the new user. Since the first two parameters are self explanatory, the remainder of this discussion will focus on the third parameter, the AuthToken.

Let's further consider the AWE example. Here is the scenario:

Managers want to approve AWE transactions from their mobile devices (BlackBerry, iPhone, etc). PeopleSoft, however, does not support mobile browsers. One method to enable mobile access is to create a stand-alone web application that communicates with PeopleSoft using web services. The initial page for this web application will prompt the user for a PeopleSoft user name and password. The second page of this web application will display information about an approval and provide the manager with action buttons to approve, deny, or push back the transaction. When the manager selects one of the action buttons, the web application will use web services to update the PeopleSoft AWE transaction.

The process flow in this scenario requires the web application to call at least two PeopleSoft web services. Since web services are stateless, we need to authenticate the user on each call. Because these web service calls span multiple request/response cycles, the web application will need to hold that authentication information between mobile client requests, making session variables the logical place to store it. At this point, the question we need to ask is, "What authentication information do we want to store in a session variable?" User name and password would work, but anyone who can read the session store (a heap dump, a replicated session, a backup) then holds a credential that stays valid until the user changes it. As an alternative, we could store an AuthToken in a session variable and use that as the parameter to SwitchUser. Unlike user names and passwords, authentication tokens can be invalidated and are subject to configurable expiration rules, which bounds the damage if the session store leaks.

How do you generate an AuthToken? Here is the method I use: I open an HTTP connection to my PeopleSoft server's sign-on URL, post the credentials, and then parse the cookies in the response. Here is an example that uses Java and Jakarta Commons HttpClient (the 3.x API, whose classes live in org.apache.commons.httpclient):

import org.apache.commons.httpclient.Cookie;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.PostMethod;

HttpClient client = new HttpClient();

// Posting the credentials to the PS login URL. In production this must be an
// https:// URL: the password travels in the POST body in the clear.
PostMethod post = new PostMethod("http://my.ps-server.com/psp/hrms/?cmd=login");
post.addParameter("userid", username);
post.addParameter("pwd", password);

Cookie[] cookies;
try {
    // A successful sign on answers with a redirect; anything else (for example
    // a 200 that re-renders the sign-on page) means the sign on did not succeed.
    if (client.executeMethod(post) != HttpStatus.SC_MOVED_TEMPORARILY) {
        throw new Exception("Expected a redirect response code.");
    }
    cookies = client.getState().getCookies();
} finally {
    post.releaseConnection();
}

Cookie pstokenCookie = null;
String pstoken = null;

// PS_TOKEN is the AuthToken. Its domain is the Auth Token Domain configured in
// the web profile (.ps-server.com here); a PS_TOKEN scoped to any other domain
// belongs to a different system and must be ignored.
for (int cookieIdx = 0; cookieIdx < cookies.length; cookieIdx++) {
    Cookie cookie = cookies[cookieIdx];
    if (cookie.getName().equals("PS_TOKEN") &&
            cookie.getDomain().equals(".ps-server.com")) {
        pstoken = cookie.getValue();
        pstokenCookie = cookie;
    }
}

if (pstoken == null) {
    throw new Exception("Ack! Didn't find PS_TOKEN cookie");
}

With the AuthToken (PS_TOKEN) identified, I can store it in a session variable, pass it along to Integration Broker, and then invalidate it when the mobile user logs out (or when the web application's own session ends, so that a token never outlives the session that holds it). Here is some sample code that invalidates an AuthToken by presenting it to the same servlet's ?cmd=logout URL (GetMethod comes from org.apache.commons.httpclient.methods):

HttpClient client = new HttpClient();

// Present the PS_TOKEN cookie captured at sign on so PeopleSoft ends that session.
client.getState().addCookie(pstokenCookie);

GetMethod get = new GetMethod("http://my.ps-server.com/psp/hrms/?cmd=logout");

try {
    int httpResponseCode = client.executeMethod(get);
    // Treat any 4xx/5xx as a failed logout so the caller can retry or alert.
    if (httpResponseCode >= 400) {
        throw new Exception("Logout failed with HTTP status " + httpResponseCode);
    }
} finally {
    get.releaseConnection();
}
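What the Integration Broker side of this looks like, as an added example that is not part of the original post: a synchronous OnRequest handler that reads the token the mobile application forwards in its request, calls SwitchUser with it, and only then reports which user the remainder of the handler would run as. The service operation name (MOBILE_APPROVAL), the authToken element in the request XML, and the MobileApprovalHandler class name are assumptions for illustration; the SwitchUser call form and the IRequestHandler interface are the delivered ones.

```peoplecode
import PS_PT:Integration:IRequestHandler;

/* Hypothetical handler for a hypothetical MOBILE_APPROVAL service operation.
   The request is expected to carry <authToken>...</authToken> taken from the
   PS_TOKEN cookie the mobile web application captured at sign on. */
class MobileApprovalHandler implements PS_PT:Integration:IRequestHandler
   method OnRequest(&request As Message) Returns Message;
   method OnError(&request As Message) Returns string;
end-class;

method OnRequest
   Local XmlDoc &reqDoc = &request.GetXmlDoc();
   Local array of XmlNode &tokenNodes = &reqDoc.GetElementsByTagName("authToken");
   Local XmlDoc &respDoc = CreateXmlDoc("");
   Local XmlNode &root = &respDoc.CreateDocumentElement("approvalResponse");
   Local Message &response = CreateMessage(Operation.MOBILE_APPROVAL, %IntBroker_Response);

   /* No token at all: refuse before doing any work as the IB runtime user. */
   If &tokenNodes.Len = 0 Or
         &tokenNodes [1].NodeValue = "" Then
      &root.AddElement("status").NodeValue = "error";
      &root.AddElement("message").NodeValue = "Missing authToken";
      &response.SetXmlDoc(&respDoc);
      Return &response;
   End-If;

   /* Parameters 1, 2 and 4 stay empty when authenticating with a token.
      SwitchUser returns False for an expired, invalidated or tampered token,
      and PeopleCode keeps running as the original user in that case, so the
      return value must be checked and the request stopped. */
   If Not SwitchUser("", "", &tokenNodes [1].NodeValue, "") Then
      &root.AddElement("status").NodeValue = "error";
      &root.AddElement("message").NodeValue = "Invalid or expired authToken";
      &response.SetXmlDoc(&respDoc);
      Return &response;
   End-If;

   /* From here on %OperatorId is the mobile user, not the IB runtime user, so
      any AWE calls that take %OperatorId evaluate that user's approval rights. */
   &root.AddElement("status").NodeValue = "ok";
   &root.AddElement("operatorId").NodeValue = %OperatorId;
   &response.SetXmlDoc(&respDoc);
   Return &response;
end-method;

method OnError
   Return "";
end-method;
```

The two early returns are the point: a handler that skips the SwitchUser result check silently keeps running as whatever user Integration Broker was already using, which is exactly the confused-deputy situation the token is meant to prevent. The token also expires on the web profile's inactivity timeout, so the mobile application should expect a "Invalid or expired authToken" response and send the user back to its sign-on page rather than retrying.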

66 comments:

Cathy said...

Have you worked with any implementations with external SSO from a company's main web site to PS? Any suggestions on how to do the authentication?

Jim Marion said...

I have not. If you need help with something in this area, you should post a question on the PeopleSoft General Discussion OTN forum.

I believe PeopleSoft delivers integration with Oracle Access Manager, which is an SSO solution.

I've worked with other security integrations and they are all pretty much the same. Generally speaking, an SSO server generates some type of token (usually stored as a cookie). In your signon PeopleCode, you need to access that token (read the cookie from the list of cookies submitted with the request) and then validate that token against the SSO provider. I believe an SSO provider will provide a service for validating tokens. Once you validate the token, you need the OPRID. This will either come as another cookie, a header, or from the SSO provider. The final step is to call the PeopleCode SetAuthenticationResult function.

Does this make sense? I am certainly no security expert.

Cathy said...

Thanks Jim,

I may post something on the PS General Discussion forum later. Your ideas do make sense thank you for your quick response.

Cathy

Jim Marion said...

@Cathy, I am more than happy to contribute what I know to the PeopleSoft community. I would love to hear the results of your SSO effort. It would be wonderful if you could write up a wiki on PeopleSoft SSO with product "X" on Oracle Wiki. We have a PeopleTools category. Just add a sub category for Security and create a wiki document telling how you did what you did. I think it would be a great addition to the PeopleSoft community!

Jim Marion said...

@Cathy, by the way, if you write up a wiki on this and say the wrong thing, don't worry about it. Wikis are living documents. If you say something wrong, then someone else who finds the problem can correct it. That is the beauty of wikis!

Peoplesoft_curious said...

Jim,
I am sorry this question is not related to this topic, I was not sure where to post it.
Is there a way to do single sign-on between the e-portal employee node and the customer node of the ebill?

Jim Marion said...

@PeopleSoft_curious, your comment sounds strangely familiar to the IT Toolbox thread I read earlier today. The answer? There is no extra setup for employee to customer Portals.

Let's get some terminology straight first. EMPLOYEE and CUSTOMER are portals, not nodes. This portion of the URL tells PeopleSoft which Portal Registry to use. Each PeopleSoft node serves multiple portals (usually EMPLOYEE, CUSTOMER, SUPPLIER, etc). Nodes are the portion of the URL that defines the content provider. This is something like HRMS, ERP, CRM, etc.

PeopleSoft single signon is used between nodes that are served by different databases. For example, ENTP and EMPL are nodes served by Enterprise Portal. No single signon configuration required. Now, if you want to serve or link off to the HRMS node, then you will need to configure single signon trusted nodes between those nodes.

Delivered single signon nodes have names like PSFT_PA, PSFT_HR, etc. PeopleSoft recommends that customers rename these nodes to the same name as the database.

I am not familiar enough with "e-portal" and "ebill" to know if they are served by the same content provider node. If they are served by the same content provider node/database, then no single signon configuration is required. If they are served by different databases, then add the integration broker node name from each to the other's trusted nodes in single signon. Next, reboot your app servers.

I hope this helps.

KCWeaver said...

We are looking at integrating BlackBerrys with PeopleSoft and have analyzed the BlackBerry response email process as a solution. But on another website you commented that doing this is a waste of time and that we should use a mobile application. In one response you mentioned that you redirect the user based on a reverse proxy or some sort of filter that would know if the application was a mobile phone or someone's computer. This is all pretty new to me and I do have many questions about authentication to the web service. Can you just expose the requisition approval page as a web service using register CI as web service? Do you have to build a pagelet to perform the logon for the mobile devices?

Jim Marion said...

@KCWeaver, the idea is to create an external web application built in some technology other than PeopleTools (Java, Ruby, PHP, .Net, it really doesn't matter). Using this other technology, you build a user interface that your mobile device can consume. It doesn't have to be a web application. It can be a native BlackBerry app (or whatever your device is). Your external application will communicate to PeopleSoft using web services. This means you have to expose some portion of your PeopleSoft application as a web service. Creating the web service can be as easy as creating a CI for your approval component and then publishing the CI as a CI based web service. This will give you a WSDL you can consume in your other development tool.

You don't have to use CI based web services. When I did this, I created an OnRequest Sync Service Operation Handler that worked directly with the AWE PTAF_CORE app classes using plain XML.

The problem is that PeopleTools does not support mobile devices - Period. In one tools release, you may use iScripts or any manner of PeopleTools technologies to browse PeopleSoft from a mobile device. In the next tools release, it may stop working. I know, I've experienced this myself. The safest thing to do is to create the mobile user interface outside PeopleSoft.

For authentication, in your external development tool, create a login page and send that login information with the SOAP request to PeopleSoft. If you are using web services, then you will use web service security and something like usernametoken.

For browser detection, I used the tuckey.org URLRewriteFilter to determine the browser type and then redirect the user to my custom web application if the user-agent value contained BlackBerry. That way I avoided sending BlackBerry users to PeopleSoft.

The way you accomplish your task is pretty much wide open. I hope this answers some questions for you.

KCWeaver said...

Thanks Jim, I understand that it is not PeopleSoft. I just need to wrap my head around the concept of building a non-PeopleSoft application for mobile devices that will consume a PeopleSoft web service. I have plenty of PeopleSoft development experience, but would like to learn how to create mobile applications that can consume the web service, and your examples will help me understand the concept. I struggle with the authentication and the architecture of building these applications. I just ordered your book from Amazon and it says I will have to wait until July 28. Thanks for your time.

Jim Marion said...

@KCWeaver, I think July 28th is the latest date. Hopefully you will get it a month earlier than that, but I don't know all the details. The book comes with source code and the source code will include a JDeveloper project with a signon page and the code necessary to set the web service authentication token.

KCWeaver said...

Do you know if JDeveloper is licensed with all PeopleSoft installs? Or do you need a separate license? Also, do you know of any good books that would teach an old PeopleSoft pro how to use JDeveloper? And just one more question. Couldn't I just attach an HTML document to the workflow email that allowed the user to see requisition details and then press an "Approve" or "Deny" button that could use AJAX to an iScript or post the results to a web service that could utilize AWE Application Packages from their BlackBerry? I would still need to authenticate the user. Maybe I am trying too hard not to include JDeveloper. LOL!

I look forward to getting your book, tell the publisher to hurry up, I needed it yesterday!

Thanks.

Jim Marion said...

@KCWeaver, JDeveloper community edition is free for anyone. The web service data control, however, requires an extra license. You will have to talk to your sales rep to get prices for that. At one time there was a Fusion Middleware for PeopleSoft license that gave you quite a bit of functionality.

About the e-mail HTML attachment... It might be possible. The HTML e-mail attachment is actually the approach taken by PeopleTools for e-mail based approvals. The problem for BlackBerrys is that they don't support HTML e-mail.

You don't need to use JDeveloper or Fusion Middleware. The idea applies whether you use PHP, ColdFusion, Ruby, or any other language/technology. JDeveloper and Fusion Middleware have a very nice web service drag and drop data binding architecture. That is why I recommend it. Without it, you have to write a fair amount of code.

If you have experience with some other language (perl, .net, php, anything?) you can use that language. The idea is to create a lightweight web based user interface that uses web services, or just plain XML to communicate with integration broker on the back end.

There are books on JDeveloper. I don't have any recommendations on books for JDeveloper. You can take a look at the JDeveloper homepage and review the tutorials. You should find web service and web application tutorials on that page.

Now that Oracle owns Java, I strongly recommend learning Java. I have always recommended this, but I think Java is even more important now that Oracle owns it.

kevin weaver said...

I have been working on my Java and have even installed JDeveloper as my IDE. Still anxiously awaiting your book, hoping that it will fill in some gaps that I have, since I am not a Java developer. Just sent out a blast to all my LinkedIn contacts about your blog and book. Hope to get my copy soon. Thanks Jim.

kevin weaver said...

I have installed JDeveloper and a local PIA on my client to further my education of Java and the cool ways I could use it in the PeopleSoft world. So I created a project and I included my class path for my PIA environment. I am having trouble accessing PeopleCode objects in my Java class. JDeveloper allows me to use the import PeopleSoft.PeopleCode.*; But when I try to use Rowset rs = Func.CreateRowset(new Name("RECORD", "PSMENUITEM"), new Object[]{}); it says it cannot find object RowSet. Do you have any tips on setting up JDeveloper for us PeopleSoft developers who need to learn Java? Thanks,

Kevin

Jim Marion said...

Hi Kevin, that is great that you are learning Java and using JDeveloper.

In my book I tell you how to setup JDeveloper. The most important thing is to open the JDeveloper Manage Libraries dialog and add the PeopleCode.jar file as a managed library. Then in your project, you add that library. The peoplecode.jar file is all you need from the app server class path. Once you do that, you can type Rowset without qualifying it or importing it and JDeveloper will prompt you for the import (alt-enter, I think).

It may be a typo, but the code uses Rowset and the error is RowSet. I'm sure you know Java is case sensitive. Make sure you used the correct case.

Another point of clarity... do you see the error message when running your code or in the editor itself. I ask because Java that uses PeopleCode functions will only run from the app server.

I'm sure you already saw my old post on using SQLExec and SQL objects in Java.

I'll have to work up an example with Rowset. I don't recall using that object before (just Record, SQLExec, and SQL).

Jim Marion said...

@Kevin, Here is a new post that hopefully provides you with a starting point: Accessing PeopleCode Rowsets from Java

mmaller said...

Hello Jim

Is it possible to have UAT as psfin.uat.company.com (a subset of the PROD domain) and PROD as psfin.company.com and simultaneously work in both environments?

Regards
M

Jim Marion said...

@mmaller, I think your concern is with Auth Token Domain and the PS_TOKEN cookie. Is this correct? If you set your Auth Token Domain to psfin.company.com and redeploy PIA to update your weblogic.xml Cookie Domain, then that might work. I'm not sure though. I've only worked with 2 part domains, with a third part for a sub domain.

You should try it and use a tool like Fiddler to inspect the Cookie header. The Cookie header will have the cookie's domain so you can see if the cookies will overwrite each other. That is the main problem with two sessions from untrusted apps (and you DO NOT want PROD trusting UAT).

mmaller said...

Thanks Jim.

PeopleBooks states this for a web profile parameter in Custom Properties, i.e. checkForDuplicateCookies:

Duplicate cookies occur when all of the following are true:

  • You have two PeopleSoft applications installed for which you have not implemented single signon functionality.
  • The authentication domain that you specify for one application's web server is a subset of the authentication domain that you specify for the other, such as .mycompany.com and .user.mycompany.com.
  • A user attempts to sign in to both applications simultaneously from the same browser.

When these conditions are met, the browser presents multiple cookies to each application, which produces unpredictable browser behavior, such as displaying the sign-in page or a page expiration message.

For this property, specify a validation type of boolean and enter one of these property values:

True: The portal checks for sets of duplicate cookies. When a duplicate is found, the user is taken back to the sign-in page with this message: “Your browser sent multiple sets of cookies.” You can change the text of this message by editing number 107 in the errors.properties file of the portal site.

False: The portal doesn't check for sets of duplicate cookies. This is the default setting, which applies when this property isn't specified.

To avoid this issue altogether with applications that don't use single signon functionality, make sure that you specify authentication domains that aren't subsets of each other, such as .user.mycompany.com and .corp.mycompany.com.

In my case I am trying to have URLs of

psfin.uat.xxx.com
and
psfin.xxx.com, which clearly means uat is a subdomain of the other one. So is it correct from the above reference that we cannot have a domain and subdomain URL coexist in a PeopleSoft environment if we want to work on both simultaneously?

Jim Marion said...

@mmaller, that is how I understand it to work. The reason I said to try using psfin.xxx.com as your AuthTokenDomain is because psfin.uat.xxx.com is not a subdomain of psfin.xxx.com; uat.psfin.xxx.com would be a subdomain of psfin.xxx.com (notice that the uat is in a different place). In my prior comment I should have also noted that your UAT domain would be uat.xxx.com. I believe the application uses the Auth Token Domain value when reading and setting cookies. If you qualify the Auth Token Domain in a manner that makes the two domains different, then it might work.

I know for a fact that xxx.com will create duplicate cookies. The question is just whether PS will see psfin.xxx.com and uat.xxx.com as separate domains.

Reconfigure your systems, log into both, and look at the cookie headers they are generating. That is the best way to find out.

Helping People Succeed said...

Chapter 3 - Page 139,
(method OnRequest)
On web service Enabling Approvals,

Is it possible to use %OperatorId as one of the parameters of ApprovalManager(&processid, &headerrec, %OperatorId)?

Additional - how can we work around if we have used %OperatorId as one of the parameters of ApprovalManager in the component and if we plan to expose that component as web services?

Jim Marion said...

@Helping, yes, using %OperatorId is the most common value for parameter 3. Yes, you can use %OperatorId in web services, especially if you are considering component (CI) based web services. CI based web services include ws-security, etc, to ensure that the CI runs as a logged in, named user.

If you are not using a CI, then you need to call SwitchUser prior to using %OperatorId. This, of course, would require you to send credentials along with the web service request (ws-security, auth token, plain username/password over SSL, etc).

Hari said...

Hi Jim, we are trying to generate the AuthToken after LDAP authentication. We are trying to pass the user credentials in the LDAPBind function in the Funclib_LDAP-LDAP_Authentication delivered PeopleCode. We are invoking this method through an app package. We are passing a plain-text password to LDAPBind, but it always fails to authenticate the user.
We took the trace to get the encrypted password and then we passed that encrypted password to LDAPBind; even then it fails to authenticate. Not sure about the LDAP password encryption algorithm, whether it's Base64 or PeopleSoft native encryption. Could you please help us with how we need to get the user authenticated through LDAP?
We are using Tools version 8.49; LDAP: Novell NDS eDirectory.

Thanks,
Hari

Jim Marion said...

@Hari, I've looked into the LDAP signon PeopleCode before, and it seems a bit complicated. Since these are delivered functions, I recommend opening a case and having a support analyst work directly with you and your system.

Hari said...

Many thanks Jim. I have raised the case with Oracle. I will be happy to share if they provide any solutions.

Regards,
Hari.A

Jim Marion said...

@Hari, Thank you. Whatever you share, just be sure it is in line with your support contract.

BIll said...

Jim, loved the book... I had been doing PeopleSoft development for years, then switched over to Java work. Do you happen to have an example of using HttpClient from within PeopleCode?

Thanks

BIll said...

Jim...I got the HTTPCLIENT working now. Your book is very helpful!
Bill

Jim Marion said...

Thank you Bill. After your prior comment, I went looking for a PeopleCode example, but didn't have one ready. I'm glad you figured it out.

mymithraa said...

Jim,

We consumed one web service from a third party tool and we are able to do some operations successfully (like Log in). Once Login is invoked we get a sessionid as a result from the 3rd party. For doing other operations (like Insert/Update/...) we need to keep the sessionid live. I don't know how to keep the session id live in PS. The 3rd party experts advised something similar to SESSION_MAINTAIN_PROPERTY. Do we have anything similar? Or they advised passing the session in the Set-cookie (JSESSIONID) value in the HTTP header. Can you please advise how to do that?

Thanks,

Hari said...

Hi Jim, this time I am trying to do LDAP authentication through the LDAPBind UNIX command rather than trying with the PeopleSoft sign on PeopleCode LDAPBind. But no luck when we trigger this command from PeopleCode. When we execute this LDAPBind command directly on the UNIX server it's working fine. But when we invoke it from PeopleCode it's not returning any result (success/failure); it seems like that command alone is getting skipped during execution. We are able to see all the other log files generated from that script.

PS: this is in continuation to my previous question about PeopleSoft LDAPbind sign on peoplecode.

Any thoughts on this?

Thanks,
Hari.A

Jim Marion said...

@Hari, are you using Exec to run a shell script? I'm wondering if it has something to do with the user or environment table used to launch your PeopleSoft installation. Here is an alternative to Exec: Exec Processes while Controlling stdin and stdout. Perhaps this alternate method will give you more information (stdout, etc).

Hari said...

Hi Jim, thanks for your inputs. I will try to do the same. Let's say I am submitting a process to run using the Java runtime; will it be a synchronous process? Because the user has to get authenticated instantaneously.
We are using the Exec function to invoke the shell script.

Hari said...

Adding to that, we are inserting the LDAPBind result into a table through the shell script itself, so we didn't expect Exec to return the results. Our problem is with the LDAPBind command execution. It's not working when we invoke the shell script from PeopleCode using Exec, but if we trigger the script directly on the UNIX server it works beautifully. I am wondering how this could happen?

Thanks,
Hari.A

Jim Marion said...

@Hari, I would expect using Java's Runtime.getRuntime().exec to fail just like the PeopleCode exec. What I would do to debug this, however, is write stdin and stdout to a log file so you can see it just like you would see it if you ran it from the command line. That way you can capture any output (error messages, etc) that PeopleCode is throwing away. My first guess would be that the app server operating environment (user, env variables, etc) is different from the command line. I'm sure it is the same server, but when running from the app server console, you will want to log in as the app server user, run psconfig, etc.

If you aren't reading stdout from the process output and you want it to be synchronous, then call waitFor() on the &process object returned by runtime.exec(). If you usually run exec asynchronously, then I would try running it synchronously just to test it. If it works synchronously, then figure out why and switch back to asynchronous.

Raju said...

Hi Jim,

In PeopleCode, is there a way to tell where the request came from, i.e. whether it is from a mobile device or a system? It would be an iScript call, and based on the request the response will be different.

Thanks
Raju.

Jim Marion said...

@Raju, you can check the user agent header.

Allen Kuruvilla said...

Hey Jim, I am trying to use the SwitchUser functionality by using PS_TOKEN. For example, I have logged in as User A and for some purpose I need to switch to User B.
For the above step, I am planning to use SwitchUser. Since I don't know the password for User B, I am planning to use the PS_TOKEN which I got by %Request.GetCookieValue("PS_TOKEN");
The token which I got is encoded, I believe. How do I use it so that I can switch to the other user?

I read that you can change the UserId in the PS_TOKEN and then use it as a param in the SwitchUser function.

Jim Marion said...

@Allen, To authenticate with a Token, you call SwitchUser like this: SwitchUser("", "", &token, "").

Tokens have a lifetime based on your web profile's timeout setting. If I followed your authentication path, you are logged in as A and want to become B. If you read your PS_TOKEN cookie prior to becoming B, your cookie will have a token for A, not B. If you happen to have a valid token for B, you can call SwitchUser. The question is, "How are you going to acquire a valid token without a username and password?" As described here, you can get a token from Integration Broker and pass that around, but only until the token times out.

Raj_Indiran said...

Jim

I am working on LDAP authentication, to check userid/pwd through my web services.

Please let me know if any delivered application package is available for this, or any suggestions/ideas to achieve this.

Thanks in advance
Rajendran

Jim Marion said...

@Raj_Indiran, you may want to ask your question on the OTN General Discussion forum

M Asim said...

hi jim
I am developing CI-based web services in PeopleSoft.
I want to change the language of the service (meaning I need to change the language code),
meaning I need data in different languages.
Can you help me?

Jim Marion said...

@M Asim, I suggest you ask this question on the PeopleSoft General Discussion OTN Forum.

Gautam said...

Newbie question... you mentioned the authentication token has configurable expiration rules. Can you point me to some details/documentation describing this? Thanks!

Jim Marion said...

@Gautam, you configure the session time out (PS_TOKEN timeout) in the web profile: PeopleTools > Web Profile > Web Profile Configuration

Simon Chiu said...

Hi Jim,

we recently went through the 'Configuring a Contemporary User Experience' red paper to override the default Login / Expiration page. We want a public user to view news without having to login. The steps outlined in the guide (update security tab in web profile, replace signin.html/expire.html pages) worked perfectly; however, Email Workflow was broken. When a user isn't logged in and they click a workflow link in the email, they get a very crude "Unable to signon to Server, please contact your system Admin" error message.

To get around this, we changed signin.html/expire.html back to their defaults, and have a simple html page that automatically logs you in as the guest account using java script.

This solution works, but am wondering if there is a better way to do this. Is it possible to have 2 web profiles on one system? (one public for the guest and one private for everything else?). Does a second web server need to be setup?

Jim Marion said...

@Simon, the functionality you require is supposed to be part of a later PeopleTools release. I can't remember which 8.5+ version. For earlier versions you need two web servers with different web profiles for workflow links.

Naveen said...

Jim,
I need some expert advice on "How to Setup SSO between 2 PeopleSoft environments with different User IDs". Is it possible to accomplish this requirement? Can you please share your thoughts.
Thx

Jim Marion said...

@Naveen, no. The cookie is OPRID specific. You must have common OPRIDs between the two systems. I'm sure someone could figure out a way around this, but I don't know of one.

Unknown said...

Hi There,
I have PeopleSoft HCM with 8.53 PeopleTools and I have OAM 11.1.2.1 and I am trying to do the integration. I followed the PeopleTools 8.53 document to configure the OAM SSO:
1. Create OAMPSFT as a new user profile and associate a low security role such as PeopleSoft User.
2. In the user profile, access the ID page and select NONE as the ID type.
3. Access the web profile and enter OAMPSFT as the public access user ID.
4. In PeopleSoft Application Designer, open the FUNCLIB_LDAP record.
5. Right-click the LDAPAUTH field and select View PeopleCode.
6. Find the getWWWAuthConfig() function and replace the value that is assigned to the &defaultUserId with OAMPSFT.
7. Access the Signon PeopleCode page (PeopleTools, Security, Security Objects, Signon PeopleCode) and enable the OAMSSO_AUTHENTICATION function, the Signon PeopleCode for Oracle Access Manager single signon.
8. Since WebLogic user, I disabled basic authentication.
9. I did all the setup properly from the OAM side and when I try to access http://ludichka.kotapuri.com:7778/psp/ps/?cmd=start
I get the Access Manager login page, and when I authenticate I am getting the PeopleSoft login page.
Can you please tell me if I have to do anything more on the PeopleSoft side?

Jim Marion said...

@eban, I recommend filing a My Oracle support case so you have someone working with you on this.

Chandra said...

Hello Jim,

Does PeopleSoft natively provide 2-tier security authentication, i.e. either by asking a security question or sending a text message to a cell phone during the login process?

Is there a way to achieve this functionality within Peoplesoft ?

please suggest if there are any alternatives ?

Chandra

Jim Marion said...

@Chandra, Grey Heller's ERP Firewall offers multi-factor authentication.

Kevin Weaver said...

Hey Jim,

I have a slightly different approach to switching users and it works great, except in our Development Interaction Hub. The approach we use in Development and QA is to set the user ID the same as the password, so I have created a bookmarklet that will create a form and submit that form to the web server for authentication. In our Development Interaction Hub I get the following error.

PSAPPSRV.8918 (505) [2014-11-04T12:41:57.162 KDA003@10.160.164.126 (FIREFOX 33.0; WIN7) HomepageTemplate](4) Failed to load URL:/psc/pa91dev/EMPLOYEE/EMPL/?tab=DEFAULT in the Portal registry. In fn CPortalRegistry::FindLogicalURL in file /vob/peopletools/src/psoftapi/portalregistry.cpp
PSAPPSRV.8918 (505) [2014-11-04T12:41:57.162 KDA003@10.160.164.126 (FIREFOX 33.0; WIN7) HomepageTemplate](4) URL is not found in the database, ContentRef Init failed. In fn CContentRef::DoInitialize file /vob/peopletools/src/psoftapi/portalregistry.cpp.
PSAPPSRV.8918 (505) [2014-11-04T12:41:57.162 KDA003@10.160.164.126 (FIREFOX 33.0; WIN7) HomepageTemplate](1) Error in service HomepageT, CREF with URL can not be found: /psc/pa91dev/EMPLOYEE/EMPL/?tab=DEFAULT
PSAPPSRV.8918 (505) [2014-11-04T12:41:57.162 KDA003@10.160.164.126 (FIREFOX 33.0; WIN7) HomepageTemplate](1) (NET.346): Failed to execute HomepageTemplate request
PSAPPSRV.8918 (505) [2014-11-04T12:41:57.162 KDA003@10.160.164.126](2) Service HomepageT failed

Here is a URL to my blog post on my bookmarklet. Any idea on what is creating this error?

Thanks!

Jim Marion said...

@Kevin, I have seen this before. It appears that your URL is missing the "h/" at the end.

Kevin Weaver said...

I have traced both the normal signon and the switch user bookmarklet. The normal signon goes through the signon PeopleCode and then calls IScript_HPDefaultHdr in WEBLIB_PORTAL.PORTAL_HOMEPAGE.FieldFormula. The switch user bookmarklet calls the signon PeopleCode and then nothing else? Turns out this issue is not with Portal, but with Interaction Hub, as we have upgraded our Portal from Portal to Interaction Hub. This leaves me wondering why it would not call IScript_HPDefaultHdr in WEBLIB_PORTAL.PORTAL_HOMEPAGE.FieldFormula when I use the bookmarklet to submit the form?

Praveen Shabadi said...

Hi Jim,

We are trying to expose a PeopleSoft web service (a REST API) outside the firewall from Portal. We are on the 9.1 application and 8.53 tools.

We are not able to consume the API from outside the VPN, but within the VPN it works fine.

Is there any way that it can be made available on the internet?

Thanks in Advance

Jim Marion said...

@Praveen, If you can access it through the VPN, then everything is correctly configured in PeopleSoft. You will need to work with your network security team to make your PeopleSoft instance internet facing.

Chandra Rawat said...

Dear Jim,
I have a query: we are facing an audit issue in production because of signon PeopleCode.

In the PeopleSoft signon PeopleCode setup configuration there are two options to invoke signon PeopleCode: either using %signonuser, or you can set a particular user account. We have set a custom user to invoke the signon PeopleCode.

But we are seeing the LASTUPDOPRID in PSOPRDEFN set to the "Invoke as user", which should not happen.
I am having trouble replicating this issue in lower environments.

Could you please suggest any possible reason?

Thanks in advance :)

Simon Chiu said...

Hi Jim,

Wondering if we can restrict how a user could sign into PeopleSoft. We are trying to avoid a scenario where anyone can set up their own login page (using a simple HTML form) and then pass the credentials to our server and be authenticated. Is there some sort of token we can enable on the delivered sign-in page that would prevent this?

Thanks!!

-Simon

Awais said...

Hi,

I have changed the OAMAuth function in PeopleCode to read the HTTP header coming from OAM SSO.

I can see the live header HTTP_PS_SSO_UID has passed the user UID, but in return PeopleSoft is not issuing a PS_TOKEN; instead it takes you to the PeopleSoft login page.

Can someone help me to read the HTTP header and PS_TOKEN?

//AAA

Unknown said...

Hi,

I am using the SwitchUser command to switch between a guest user and a registered user in 9.0.
We are upgrading to PeopleSoft 9.2 / PeopleTools 8.55. In Fluid, I see that when I use SwitchUser, the right-hand side NavBar is not refreshing based on the registered user's role.
It still has the guest access navigation, which on clicking gives an authentication error.

Is this something you have seen before?

Thank you,
GS

Siddharth said...

Hi Jim,

We are trying to implement PeopleSoft Single Sign-on between:
>> PeopleSoft Portal 9.0 on PeopleTools 8.49
>> PeopleSoft Campus 9.2 on PeopleTools 8.56

Is there a way to achieve this? If yes, can you share some idea on this?

If not, then what is the suggested approach to achieve this integration without the PeopleTools upgrade?

Regards,
Sidd

Jim Marion said...

That may be really challenging. Oracle's recommendation is that Portal be at the highest tools release. 8.56 has a special token that must be configured for SSO, so that might be a challenge too.

Antonio Hdz said...

Hello Jim,

As always, your blog is really interesting. Right now I'm facing some issues related to Integration Broker performance and I can't find specific information; maybe you could help out with this:

For one integration, we are using either delivered SAD_ADMISSIONS service to process the incoming data, or new CI-based web services to maintain data for Search/Match.

We had expected some limited performance issues due to the use of CI-based web services, but it was worse than expected. We are using Boomi as the integration platform. We had assigned a PeopleSoft user to the Boomi instance to enable authentication, but single-streaming these transactions was not feasible given daily processing timelines. Allowing Boomi to submit up to 20 transactions simultaneously led to PSVERSION locking (expected), and so we have settled on submitting 5 authenticated web service calls at a time.

I have these doubts; I hope someone can help me clarify them:

Can we force the authenticated web services to execute from a dedicated PeopleSoft node, and transfer the Boomi authentication submission/action to that node to avoid locking?

Could PS_TOKEN be used with SOAP CI-based web services to improve performance?

Your opinion will be highly appreciated.
Thanks