Enable Microsoft Entra ID (Azure AD) SSO and MFA to Oracle PeopleSoft via Datawiza

Overview

This tutorial shows how to enable Microsoft Entra ID (Azure Active Directory (AD)) Single Sign-On (SSO) and Microsoft Entra ID Multi-Factor Authentication (MFA) for an Oracle PeopleSoft application using Datawiza Access Proxy.

Benefits of integrating applications with Microsoft Entra ID using DAP include:

• Proactive security with Zero Trust through Microsoft Entra ID SSO, Microsoft Entra ID Multi-Factor Authentication and Conditional Access.
• Easy authentication and authorization in Microsoft Entra ID with no-code Datawiza. Use of web applications such as: Oracle JDE, Oracle E-Business Suite, Oracle Sibel, Oracle Peoplesoft, and home-grown apps.
• Use the Datawiza Cloud Management Console to manage access to applications in public clouds and on-premises.

Background

This document focuses on Oracle PeopleSoft application integration using HTTP authorization headers to manage access to protected content.

For legacy applications, due to the absence of modern protocol support, a direct integration with Microsoft Entra ID SSO is difficult. Datawiza Access Proxy bridges the gap between the legacy application and the modern ID control plane, through protocol transitioning. DAP lowers integration overhead, saves engineering time, and improves application security.

Architecture

The solution has the following components:

• Microsoft Entra ID : The Microsoft cloud-based identity and access management service, which helps users sign in and access external and internal resources.
• Datawiza Access Proxy (DAP): A lightweight container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It transparently passes identity to applications through HTTP headers.
• Datawiza Cloud Management Console (DCMC): A centralized console to manage DAP. DCMC has UI and RESTful APIs for administrators to configure Datawiza Access Proxy and access control policies.
• Oracle Peoplesoft application : Legacy application going to be protected by Microsoft Entra ID and DAP.

Understand the SP initiated flow by following the steps mentioned in Datawiza and Microsoft Entra ID authentication architecture.

Prerequisites

Ensure the following prerequisites are met.

• An Azure subscription. If you don't have one, you can get an Azure free account
• A Microsoft Entra ID tenant linked to the Azure subscription.
  • See, Quickstart: Create a new tenant in Microsoft Entra ID.
• Install Docker and Docker Compose
• User identities synchronized from an on-premises directory to Microsoft Entra ID, or created in Microsoft Entra ID and flowed back to an on-premises directory.
  • See, Microsoft Entra ID Connect sync: Understand and customize synchronization.
• An account with Azure AD and the Application administrator role
  • See, Microsoft Entra ID built-in roles, all roles.
• An Oracle PeopleSoft environment. Supported versions include: PeopleSoft v9.1 or PeopleTools v8.50 (released 2009) or later.
• (Optional) An SSL web certificate to publish services over HTTPS. You can also use default Datawiza self-signed certs for testing.

Getting started with DAP

To integrate Oracle Peoplesoft with Microsoft Entra ID:

1. Sign in to Datawiza Cloud Management Console.

2. The Welcome page appears.

3. Select the orange Getting started button.

4. In the Name and Description fields, enter the relevant information.

5. Select Next.

6. On the Add Application dialog, use the following values:

   Property	Value
   App Type	Web
   Name	Enter a unique application name.
   Application URL	For example: https://ps-prod.your-company.com. For testing, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the Public Domain with the port.
   Listen Port	The port that DAP listens on.
   Upstream Servers	The Oracle PeopleSoft implementation URL and port to be protected.

7. Select Next.

8. On the Configure IdP dialog, enter the relevant information.

   Info

   DCMC has one-click integration to help complete Microsoft Entra ID configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf in your Microsoft Entra ID tenant.

9. Select Create.

Install and run Datawiza Access Proxy

Once clicking on the Create button, the basic configuration on the management console is finished. You will see the final step of the guide, which presents you with a page showing the simple steps to deploy Datawiza Access Proxy (DAP) with your application. Note down the commands for your deployment. The first command will download Docker and Datawiza Access Proxy image, and the second command will create a Docker Compose file and run Datawiza Access Proxy. You can refer to Install and Run Datawiza Access Proxy by command for more information.

SSO and HTTP headers

The DAP gets user attributes from IdP and passes them to the upstream application via header or cookie.

For the Oracle PeopleSoft application to recognize the user correctly, there's another configuration step. Using a certain name, it instructs DAP to pass the values from the IdP to the application through the HTTP header.

Such configuration will be done in the Applications tab on the left panel and go to Attribute Pass sub-tab. For Oracle PeopleSoft, please refer to the screenshot below to configure the attribute pass:

Property	Value
Field	Email
Expected	PSSSOUID
Type	Header

Info

This configuration uses the User Principal Name as the sign in username used by Oracle Peoplesoft. To use another user identity, go to the Mappings tab.

(Optional) SSL Configuration

1. By default, when you set up this application, it will use the Datawiza self-sign certificate, but you still have the chance to replace it with your own certificate. Select the Advanced tab. Click the edit button, then upload your own certificate.
2. Select Save.

Enable Microsoft Entra ID Multi-Factor Authentication

To provide an extra level of security for sign-ins, enforce multifactor authentication (MFA) for user sign-in. One way to achieve this is to Oracle PeopleSoft Microsoft Entra ID (Azure AD) SSO and MFA | Enable MFA on the Azure portal.

1. Sign in to the Azure portal as a Global Administrator.
2. Select Microsoft Entra ID > Manage > Properties.
3. Under Properties, select Manage security defaults.
4. Under Enable Security defaults, select Yes and then Save.

Enable SSO in the Oracle Peoplesoft Console

To enable SSO in the Oracle Peoplesoft environment:

1. Log into to Peoplesoft Console http://{your-peoplesoft-fqdn}:8000/psp/ps/?cmd=start using Admin credentials (Example: PS/PS).

Add a default public access user to Peoplesoft

1. From the main menu, navigate to PeopleTools > Security > User Profiles > User Profiles > Add a New Value.
2. Select Add a new value.
3. Create user: PSPUBUSER and enter the password.
4. Select the ID tab and choose the type as None.
5. Associate a low security role such as PeopleSoft User.

Configure the web profile

1. Navigate to PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Security to configure the user profile.
2. Check the Allow Public Access box and then enter the user id PSPUBUSER and password.
3. Click Save.

Enable SSO

1. Navigate to PeopleTools > Security > Security Objects > Signon PeopleCode
2. Select the Signon PeopleCode page.
3. Enable the OAMSSO_AUTHENTICATION and then click Save.
4. Make sure to select Invoke as user signing in.

Configure PeopleCode using the PeopleTools application designer

1. Navigate to File > Open > Definition: Record > Name: FUNCLIB_LDAP.
2. Open FUNCLIB_LDAP.
3. Double click on this record.
4. Right-click LDAPAUTH > View PeopleCode.
5. Search for the getWWWAuthConfig() function. Change &defaultUserId = ""; or &defaultUserId = "IDCSPSFT" to &defaultUserId = "PSPUBUSER".
6. Double check the user header is PSSSOUID for OAMSSO_AUTHENTICATION function. Save the record definition.

Set the default proxy address

1. From the Main Menu navigate to PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Virtual Addressing.

2. Choose the Default Addressing, set the following fields and click Save

   Field	Value
   Protocol	https
   Name	The Fully Qualified Domain Name (FQDN) for the public domain of the PeopleSoft application, could be something like ps-prod.your-company.com.
   Port	443

Set the Authentication Domain

1. Leverage the psadmin tool to both configure your authentication domain, and ensure that it has been set up appropriately. Choose Web (PIA) Server > Administer a domain > Configure this domain.
2. Verify the value of Auth Token Domain is .yourcompany.com, then Save.

Handling 'login' from PS

Default PS Sign-in page can also be replaced to redirect users to SSO login page, just to cover scenarios where user inadvertently land in PS sign-in page. There are several ways to achieve this goal. One way is to create a new dapsignin.html in PORTAL.war with the SSO Login Redirect.

1. Create a new signin page which will redirect users to the SSO login url.

   Info

   Remember to replace /psp/{SITE-NAME}/?cmd=start with your real PeopleSoft Site Name.

   $ vi /home/psadm2/psft/pt/8.57/webserv/peoplesoft/applications/peoplesoft/PORTAL.war/dapsignin.html
   
   <HTML>
   <HEAD>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <meta HTTP-EQUIV='Refresh' CONTENT='0; URL=/psp/{SITE-NAME}/?cmd=start'>
   </HEAD>
   </HTML>
   
   

2. Navigate to PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Look and Feel to configure the signin page.

3. Change the value of Signon Page to dapsignin.html.

Handling 'logout' from PS

Default 'logout' action takes user to PS sign-on page, this link should either be disabled or updated to redirect user to SSO logout page. To achieve this:

1. Create a new logout page which will redirect users to the DAP logout url.

   Info

   Your path may slightly differ from the example provided here. Please adjust as necessary to fit your specific environment.

   $ vi /home/psadm2/psft/pt/8.57/webserv/peoplesoft/applications/peoplesoft/PORTAL.war/WEB-INF/psftdocs/ps/daplogout.html
   
   <HTML>
   <HEAD>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <meta HTTP-EQUIV='Refresh' CONTENT='0; URL=/datawiza/ab-logout'>
   </HEAD>
   </HTML>
   
   

2. Navigate to PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Look and Feel to configure the signout page.

3. Change the value of Logout Page to daplogout.html.

Handling of 'Session Timeout' from PS

Default PS session expiration page can also be replaced to redirect users to SSO login page, just to cover scenarios where user land in PS expire page if the session is timeout. Create a new dapexpire.html in PORTAL.war with the SSO Logout Redirect.

1. Create a new expire page which will redirect users to the DAP logout url.

   Info

   Your path may slightly differ from the example provided here. Please adjust as necessary to fit your specific environment.

   $ vi /home/psadm2/psft/pt/8.57/webserv/peoplesoft/applications/peoplesoft/PORTAL.war/WEB-INF/psftdocs/ps/dapexpire.html
   
   <HTML>
   <HEAD>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <meta HTTP-EQUIV='Refresh' CONTENT='0; URL=/datawiza/ab-logout'>
   </HEAD>
   </HTML>
   

2. Navigate to PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Look and Feel to configure the expire page.

3. Change the value of Expire Page to dapexpire.html.

Handling of 'Signon Error' from PS

The default PeopleSoft (PS) Signon error page, which currently displays a standard login page with username and password fields, can be altered to automatically redirect users to the Single Sign-On logout page. This change would be beneficial in cases where users encounter a signon error and are subsequently directed to the PS Signon error page. Create a new daplogout.html in PORTAL.war with the SSO Logout Redirect.

1. Create a new logout page which will redirect users to the DAP logout url.

   Info

   Your path may slightly differ from the example provided here. Please adjust as necessary to fit your specific environment.

   $ vi /home/psadm2/psft/pt/8.57/webserv/peoplesoft/applications/peoplesoft/PORTAL.war/WEB-INF/psftdocs/ps/daplogout.html
   
   <HTML>
   <HEAD>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <meta HTTP-EQUIV='Refresh' CONTENT='0; URL=/datawiza/ab-logout'>
   </HEAD>
   </HTML>
   

2. Navigate to PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Look and Feel to configure the signon error page.

3. Change the value of Signon Error Page to daplogout.html.

Info

After completing configuration steps in PeopleSoft, application and web servers need to be bounced and cache to be cleared for changes to take effect.

Test an Oracle PeopleSoft application

To confirm Oracle PeopleSoft application access occurs correctly, a prompt appears to use an Identity Provider account for sign-in. Credentials are checked and the Oracle PeopleSoft appears.

Note

To improve security, organizations using this model may also consider blocking all direct access to the application, thus forcing the use of a strict path through the Datawiza Access Proxy.

What's more

• Watch the video - Enable SSO/MFA for Oracle PeopleSoft with Microsoft Entra ID via Datawiza.
• Configure Datawiza and Microsoft Entra ID for secure hybrid access
• Configure Datawiza with Azure AD B2C