Enable Azure AD SSO and MFA to Oracle PeopleSoft via Datawiza
Overview
This tutorial shows how to enable Azure Active Directory (Azure AD) Single Sign-On (SSO) and Azure AD Multi-Factor Authentication (MFA) for an Oracle PeopleSoft application using Datawiza Access Proxy.
Benefits of integrating applications with Azure AD using DAP include:
- Proactive security with Zero Trust through Azure AD SSO, Azure AD Multi-Factor Authentication and Conditional Access.
- Easy authentication and authorization in Azure AD with no-code Datawiza. Use of web applications such as: Oracle JDE, Oracle E-Business Suite, Oracle Sibel, Oracle Peoplesoft, and home-grown apps.
- Use the Datawiza Cloud Management Console to manage access to applications in public clouds and on-premises.
Background
This document focuses on Oracle PeopleSoft application integration using HTTP authorization headers to manage access to protected content.
For legacy applications, due to the absence of modern protocol support, a direct integration with Azure AD SSO is difficult. Datawiza Access Proxy bridges the gap between the legacy application and the modern ID control plane, through protocol transitioning. DAP lowers integration overhead, saves engineering time, and improves application security.
Architecture
The solution has the following components:
- Azure AD : The Microsoft cloud-based identity and access management service, which helps users sign in and access external and internal resources.
- Datawiza Access Proxy (DAP): A lightweight container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It transparently passes identity to applications through HTTP headers.
- Datawiza Cloud Management Console (DCMC): A centralized console to manage DAP. DCMC has UI and RESTful APIs for administrators to configure Datawiza Access Proxy and access control policies.
- Oracle Peoplesoft application : Legacy application going to be protected by Azure AD and DAP.
Understand the SP initiated flow by following the steps mentioned in Datawiza and Azure AD authentication architecture.
Prerequisites
Ensure the following prerequisites are met.
- An Azure subscription. If you don't have one, you can get an Azure free account
- An Azure AD tenant linked to the Azure subscription.
- Install Docker and Docker Compose
- User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to an on-premises directory.
- An account with Azure AD and the Application administrator role
- An Oracle PeopleSoft environment. Supported versions include: v8.50 or later.
- (Optional) An SSL web certificate to publish services over HTTPS. You can also use default Datawiza self-signed certs for testing.
Getting started with DAP
To integrate Oracle Peoplesoft with Azure AD:
Sign in to Datawiza Cloud Management Console.
The Welcome page appears.
Select the orange Getting started button.
In the Name and Description fields, enter the relevant information.
Select Next.
On the Add Application dialog, use the following values:
Property Value Platform Web App Name Enter a unique application name. Public Domain For example: https://ps-external.example.com
. For testing, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the Public Domain with the port.Listen Port The port that DAP listens on. Upstream Servers The Oracle PeopleSoft implementation URL and port to be protected. Select Next.
On the Configure IdP dialog, enter the relevant information.
Info
DCMC has one-click integration to help complete Azure AD configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf in your Azure AD tenant.
Select Create.
The DAP deployment page appears.
Make a note of the deployment Docker Compose file. The file includes the DAP image, also the Provisioning Key and Provision Secret, which pulls the latest configuration and policies from DCMC.
SSO and HTTP headers
The DAP gets user attributes from IdP and passes them to the upstream application via header or cookie.
For the Oracle PeopleSoft application to recognize the user correctly, there's another configuration step. Using a certain name, it instructs DAP to pass the values from the IdP to the application through the HTTP header.
Such configuration will be done in the Applications tab on the left panel and go to Attribute Pass sub-tab. For Oracle PeopleSoft, please refer to the screenshot below to configure the attribute pass:
Property | Value |
---|---|
Field | |
Expected | PS_SSO_UID |
Type | Header |
Info
This configuration uses the user principal name as the sign in username used by Oracle Peoplesoft. To use another user identity, go to the Mappings tab.
SSL Configuration
Select the Advanced tab.
Select Enable SSL.
From the Cert Type dropdown, select a type.
For testing purposes, we'll be providing a self-signed certificate.
Info
You have the option to upload a certificate from a file.
Select Save.
Enable Azure AD Multi-Factor Authentication
To provide an extra level of security for sign-ins, enforce multifactor authentication (MFA) for user sign-in. One way to achieve this is to enable MFA on the Azure portal.
- Sign in to the Azure portal as a Global Administrator.
- Select Azure Active Directory > Manage > Properties.
- Under Properties, select Manage security defaults.
- Under Enable Security defaults, select Yes and then Save.
Enable SSO in the Oracle Peoplesoft Console
To enable SSO in the Oracle Peoplesoft environment:
- Log into to Peoplesoft Console
http://{your-peoplesoft-fqdn}:8000/psp/ps/?cmd=start
using Admin credentials (Example: PS/PS).
Add a default public access user to Peoplesoft
- From the main menu, navigate to PeopleTools > Security > User Profiles > User Profiles > Add a New Value.
- Select Add a new value.
- Create user: PSPUBUSER and enter the password
- Select the ID tab and choose the type as none
Configure the web profile
- Navigate to PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Security to configure the user profile.
- Check the Allow Public Access box and then enter the user id PSPUBUSER and password.
- Click Save.
Enable SSO
- Navigate to PeopleTools > Security > Security Objects > Signon PeopleCode
- Select the Signon PeopleCode page.
- Enable the OAMSSO_AUTHENTICATION and then click Save.
Configure PeopleCode using the PeopleTools application designer
- Navigate to File > Open > Definition: Record > Name: FUNCLIB_LDAP.
- Open FUNCLIB_LDAP.
- Double click on this record.
- Right-click LDAPAUTH > View PeopleCode.
- Search for the
getWWWAuthConfig()
function. Change&defaultUserId = "";
or&defaultUserId = "IDCSPSFT"
to&defaultUserId = "PSPUBUSER"
. - Double check the user header is PS_SSO_UID for OAMSSO_AUTHENTICATION function. Save the record definition.
Set the default proxy address
From the Main Menu navigate to PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Virtual Addressing.
Choose the Default Addressing, set the following fields and click Save
Field Value Protocol https Name The Fully Qualified Domain Name (FQDN) for the public domain of the PeopleSoft application, could be something like ps-external.example.com. Port 443
Handling 'logout' from PS
Default 'logout' action takes user to PS sign-on page, this link should either be disabled or updated to redirect user to SSO logout page. To achieve this:
Obtain the correct logout URL for PeopleSoft portal.
Open the portal through a web browser with debug tools enabled. Find the element with the PT_LOGOUT_MENU id and save the URL path with the query parameters. In this example, we have:
/psp/ps/EMPLOYEE/SA/?cmd=logout
Go to the advanced sub-tab on DCMC, and input the value into the field Logout DAP URI.
Handling 'login' from PS
Default PS Sign-in page can also be replaced to redirect users to SSO login page, just to cover scenarios where user inadvertently land in PS sign-in page. There are several ways to achieve this goal. One way is to update index.html in PORTAL.war with the SSO Login Redirect.
$ cat /home/psadm2/psft/pt/8.57/webserv/peoplesoft/applications/peoplesoft/PORTAL.war/index.html
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta HTTP-EQUIV='Refresh' CONTENT='0; URL=/psp/ps/?cmd=start'>
</HEAD>
</HTML>
Handling of 'Session Timeout' from PS
Default PS session expiration page can also be replaced to redirect users to SSO login page, just to cover scenarios where user land in PS expire page if the session is timeout. Update expire.html in PORTAL.war with the SSO Login Redirect.
$ cat /home/psadm2/psft/pt/8.57/webserv/peoplesoft/applications/peoplesoft/PORTAL.war/WEB-INF/psftdocs/ps/expire.html
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta HTTP-EQUIV='Refresh' CONTENT='0; URL=/psp/ps/?cmd=start'>
</HEAD>
</HTML>
Go to the advanced sub-tab on DCMC, and input the value /psp/ps/?cmd=start
into the field Login Redirect URI.
Info
After completing configuration steps in PeopleSoft, application and web servers need to be bounced for changes to take effect.
Test an Oracle PeopleSoft application
To confirm Oracle PeopleSoft application access occurs correctly, a prompt appears to use an Identity Provider account for sign-in. Credentials are checked and the Oracle PeopleSoft appears.
Note
To improve security, organizations using this model may also consider blocking all direct access to the application, thus forcing the use of a strict path through the Datawiza Access Proxy.