I have integrated Shibboleth with PeopleTools 8.53. I followed a step-by-step approach to integrate Shibboleth with PeopleSoft. The steps are:
1. Service Provider Installation
2. Registering the Service Provider with the Identity Provider
3. Verifying the Service Provider Configuration
4. Installing and Configuring the Apache WebLogic Plugin
5. Verifying the Installation and Configuration of the Apache WebLogic Plugin
6. Protecting the PeopleSoft Application in the Service Provider
7. Developing the Sign-On PeopleCode Function Libraries
8. Configuring WWW_AUTHENTICATION in the PeopleTools UI
9. Creating the PeopleSoft User without Roles and Permissions
10. Modifying the PeopleSoft Web Profile
11. Testing the PeopleSoft Integration with Shibboleth
Installation and Configuration Details
Please follow my earlier blog post (steps 1 to 3) to install, configure and verify the service provider; the links are provided below.
1. Service Provider Installation and Configuration
1.1 Service Provider Installation
1.2 Registering the Service Provider with the Identity Provider
Identity Provider Configuration
The following files need to be configured on the identity provider to enable external authentication for PeopleSoft. They are:
relying-party.xml
Download the service provider metadata XML file and add its location to relying-party.xml in a <metadata:MetadataProvider> element. A sample configuration for the service provider metadata file path is given below.
  <metadata:MetadataProvider id="pspt.liyaqat.com" xsi:type="metadata:FilesystemMetadataProvider"
                             metadataFile="/opt/shibboleth-idp/metadata/pspt.liyaqat.com.xml"/>
In the above example pspt.liyaqat.com is the service provider metadata id; this id must be unique for each service provider. The metadataFile attribute specifies the location of the service provider metadata file, here /opt/shibboleth-idp/metadata/pspt.liyaqat.com.xml.
attribute-resolver.xml
Define, in attribute-resolver.xml, the attributes the identity provider resolves for release to the service provider (PeopleSoft). By default the attribute definitions in this file are commented out. Uncomment the definitions for the attributes the service provider requests; which of them are actually released to which service provider is then configured in attribute-filter.xml. In my example the service provider pspt.liyaqat.com is going to request uid, givenName and sn after successful authentication, so I have uncommented the uid, givenName and sn attributes. The sample configuration is given below.
  <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="liyaqat.com" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
  </resolver:AttributeDefinition>
  <!-- The filter policy releases the attribute with id "uid" and the SP attribute-map expects
       urn:oid:0.9.2342.19200300.100.1.1, so the stock uid definition must be uncommented as well. -->
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
  </resolver:AttributeDefinition>
Define the LDAP Connector Info
In the above example the dependency reference is myLDAP. Define the LDAP data connector it refers to; a sample configuration is given below.
  <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
                          ldapURL="ldap://idp.liyaqat.com"
                          baseDN="ou=people,dc=liyaqat,dc=com"
                          principal="cn=Manager,dc=liyaqat,dc=com"
                          principalCredential="<Password>">
    <dc:FilterTemplate>
      <![CDATA[
        (uid=$requestContext.principalName)
      ]]>
    </dc:FilterTemplate>
  </resolver:DataConnector>
attribute-filter.xml
Define the attributes released to the service provider in the identity provider's attribute-filter.xml file. The policy configuration is given below.
  <!-- id is required on AttributeFilterPolicy; "releaseToPeopleSoft" is just a unique label -->
  <afp:AttributeFilterPolicy id="releaseToPeopleSoft">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://pspt.liyaqat.com/shibboleth" />
    <afp:AttributeRule attributeID="givenName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="uid">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
In the above policy, https://pspt.liyaqat.com/shibboleth is my service provider entity ID, so these attributes are released only to that service provider.
handler.xml
Define the authentication scheme (login handler) used for the protected resources. The sample configuration is given below.
  <ph:LoginHandler xsi:type="ph:UsernamePassword"
                   jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
  </ph:LoginHandler>
login.config
Define the JAAS login module the identity provider uses to verify the user name and password against LDAP. The sample configuration is given below.
  ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://idp.liyaqat.com"
      baseDn="ou=people,dc=liyaqat,dc=com"
      serviceUser="CN=Manager,dc=liyaqat,dc=com"
      serviceCredential="Passw0rd"
      ssl="false"
      tls="false"
      subtreeSearch="true"
      userFilter="uid={0}";
  };
Service Provider Configuration
The following files need to be configured on the service provider to enable external authentication for PeopleSoft. They are:
attribute-map.xml
Define how the SAML attributes the service provider receives are mapped to local names in attribute-map.xml. In my example the service provider requests three attributes: uid, givenName and sn.
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
  <Attribute name="urn:oid:2.5.4.4" id="sn"/>
  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
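The three files above have to agree with each other: an attribute the filter policy releases must have a resolver definition, and its SAML2 encoder name must match an attribute-map entry, otherwise the SP header (and REMOTE_USER) arrives empty. The following is an added example of my own, not code from the post or from the Shibboleth project: it parses constructed fragments of attribute-resolver.xml, attribute-filter.xml and attribute-map.xml (Shibboleth IdP 2.x / SP 2.x namespaces) and reports, per released attribute, whether the chain is complete. The constructed resolver sample defines eduPersonPrincipalName from uid but has no definition with id "uid", which is the state you are in if the stock uid definition is left commented out.

```python
# Added example (not from the original post): cross-check the IdP attribute-resolver.xml and
# attribute-filter.xml against the SP attribute-map.xml; the XML strings are constructed samples.
import xml.etree.ElementTree as ET
NS = {
    "resolver": "urn:mace:shibboleth:2.0:resolver",
    "afp": "urn:mace:shibboleth:2.0:afp",
    "am": "urn:mace:shibboleth:2.0:attribute-map",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]          # Clark notation for the xsi:type attribute
SP_ENTITY_ID = "https://pspt.liyaqat.com/shibboleth"
# Constructed: ePPN (sourced from uid), surname and givenName, but no definition with id "uid".
RESOLVER_XML = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" sourceAttributeID="uid">
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""
# Constructed: the filter policy from the post (releases givenName, uid and surname to this SP).
FILTER_XML = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToPeopleSoft">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://pspt.liyaqat.com/shibboleth"/>
    <afp:AttributeRule attributeID="givenName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="uid"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="surname"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""
# Constructed: the SP attribute-map.xml entries from the post.
MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
  <Attribute name="urn:oid:2.5.4.4" id="sn"/>
  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
</Attributes>"""


def resolver_saml2_names(resolver_xml):
    """Map resolver attribute id -> SAML2 encoder name (the OID URN the SP will see)."""
    names = {}
    for defn in ET.fromstring(resolver_xml).findall("resolver:AttributeDefinition", NS):
        for enc in defn.findall("resolver:AttributeEncoder", NS):
            if enc.get(XSI_TYPE, "").startswith("enc:SAML2"):
                names[defn.get("id")] = enc.get("name")
    return names


def released_ids(filter_xml, sp_entity_id):
    """Attribute ids released by every policy whose requester rule names this SP."""
    ids = set()
    for policy in ET.fromstring(filter_xml).findall("afp:AttributeFilterPolicy", NS):
        rule = policy.find("afp:PolicyRequirementRule", NS)
        if rule is not None and rule.get("value") == sp_entity_id:
            ids.update(r.get("attributeID") for r in policy.findall("afp:AttributeRule", NS))
    return ids


def sp_attribute_map(map_xml):
    """SAML attribute name -> local id on the SP (the header / REMOTE_USER name)."""
    return {a.get("name"): a.get("id") for a in ET.fromstring(map_xml).findall("am:Attribute", NS)}


def check_release(resolver_xml, filter_xml, map_xml, sp_entity_id):
    """Verdict per attribute id that the filter releases to this SP."""
    names, spmap = resolver_saml2_names(resolver_xml), sp_attribute_map(map_xml)
    report = {}
    for aid in sorted(released_ids(filter_xml, sp_entity_id)):
        if aid not in names:
            report[aid] = "no resolver definition: nothing is released"
        elif names[aid] not in spmap:
            report[aid] = "released as %s but not in SP attribute-map" % names[aid]
        else:
            report[aid] = "ok -> SP id '%s'" % spmap[names[aid]]
    return report
```

Running check_release on the samples flags uid as having no resolver definition while surname and givenName map to the SP ids sn and givenName; uncommenting the stock uid definition in attribute-resolver.xml makes all three pass.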
shibboleth2.xml
Define the application default entity id and remote user for the service provider. The sample configuration is given below.
  <ApplicationDefaults entityID="https://pspt.liyaqat.com/shibboleth"
                       REMOTE_USER="uid">
In the above example uid is requested from the IdP, and this uid is what the PeopleSoft sign-on code reads to complete external Shibboleth authentication.
Configuring SSO
Configure the IdP entity ID for SSO and the discovery service URL. The sample configuration is given below.
  <SSO entityID="https://idp.liyaqat.com/idp/shibboleth"
       discoveryProtocol="SAMLDS" discoveryURL="https://idp.liyaqat.com/DS/WAYF">
    SAML2 SAML1
  </SSO>
Configure the IdP Metadata
Download the IdP metadata and configure the metadata URL and backing file path. The sample configuration is given below.
  <MetadataProvider type="XML" uri="https://idp.liyaqat.com/idp/profile/Metadata/SAML"
                    backingFilePath="idp-metadata.xml" reloadInterval="7200">
  </MetadataProvider>
In the above configuration, https://idp.liyaqat.com/idp/profile/Metadata/SAML is the IdP metadata URL.
Configuring the Certificate
Configure the service provider key and certificate (the ones published in its metadata) used to encrypt and decrypt the SAML requests and responses. The sample configuration is given below.
  <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
The detailed configuration is available at the link above; what is shown here is only what PeopleSoft external authentication needs.
1.3 Verifying Service Provider Configuration
2. Apache Web Logic Plugin Configuration
Follow my previous blog post (steps 4 to 5) to install and configure the WebLogic Apache plugin; the link is given below.
Apache Web Server Weblogic Plugin
3. Apache Shibboleth Configuration
Go to the /etc/httpd/conf.d directory, edit the shib.conf file and perform the following tasks to enable canonical names and protect the resource.
3.1 Turn on the Canonical Name and Canonical Port
  UseCanonicalName On
  UseCanonicalPhysicalPort On
3.2 Server Name
  ServerName <Server Name>
In my example the server name is pspt.liyaqat.com.
3.3 Protecting a People Soft Resource
Add the following content to the shib.conf file to protect the PeopleSoft resource.
  <Location /psp/>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shibboleth
    ShibUseHeaders On
  </Location>
4. Develop the People Soft Sign On Code
4.1 Clone FUNCLIB_LDAP to FUNCLIB_SHIB
Open Application Designer and open the record definition FUNCLIB_LDAP. Clone the FUNCLIB_LDAP record definition to FUNCLIB_SHIB. After cloning, the record definition looks as shown in the screenshot.
4.2 Open the FieldDefault event and modify the following functions to enable external authentication, which in our example is Shibboleth.
getWWWAuthConfig()
Function getWWWAuthConfig()
   &defaultUserId = "PUBUSER";
End-Function;
In the above function &defaultUserId is hard-coded to the sample user PUBUSER, a user with no roles and no permissions. PUBUSER is the public user the web profile uses to establish the connection to PeopleSoft; I am going to create PUBUSER later.
/* To enable external (SSO) authentication in PeopleSoft, I read the user name (uid) from the
   request header set by the Shibboleth SP and call
   SetAuthenticationResult( True, Upper(&user), "", False) to sign that user in. */
WWW_AUTHENTICATION()
Function WWW_AUTHENTICATION()
   Local string &user;
   If %PSAuthResult = True And
         &authMethod <> "LDAP" And
         &authMethod <> "SSO" Then
      getWWWAuthConfig();
      /* Only act when the session is still the public user configured in the web profile */
      If %SignonUserId = &defaultUserId Then
         &user = Upper(%Request.GetHeader("uid"));
         /* Header present: switch the session to the authenticated PeopleSoft user */
         If &user <> "" Then
            SetAuthenticationResult( True, Upper(&user), "", False);
            Return;
         End-If;
      End-If;
   End-If;
End-Function;
4.3 Finding the Default Web Profile for the ps Site
Run the following command to find the configuration.properties file.
  locate configuration.properties
In my installation the properties file is at the following location.
  /home/psadm2/psft/pt/8.53/webserv/peoplesoft/applications/peoplesoft/PORTAL.war/WEB-INF/psftdocs/ps/configuration.properties
Edit configuration.properties and search for the string WebProfile=; its value is the default web profile for the ps site. In my example:
  WebProfile=PROD
5. Configuring the Shibboleth People Code
5.1 Create the People Soft User
Navigate to Main Menu --> PeopleTools --> Security --> User Profiles --> User Profile.
Click the Add New Value button, enter the User ID PUBUSER and click Add. Then enter the following details in the General and ID tabs.
General Tab
Choose the Symbolic ID in the combo box; in my example the symbolic ID is sysadm1.
Enter Password, Confirm Password and User ID Alias.
ID Tab
Choose ID Type None.
Click Save; this creates the user without roles or permissions.
5.2 Modify the Web Profile
Navigate to Main Menu --> PeopleTools --> Web Profile --> Web Profile Configuration.
Enter the profile name PROD, the value found in the configuration.properties file.
Click Search; it takes you to the PROD web profile configuration page. Click the Security tab in the Web Profile Configuration page and modify the following properties to enable SSO.
Enter zero for Days to Autofill User ID.
Public Users:
Select the Allow Public Access check box.
Enter the User ID (PUBUSER) and its password.
Click Save to store the modified configuration.
5.3 Modify the Sign On Code
Navigate to Main Menu --> PeopleTools --> Security --> Security Objects --> Signon PeopleCode. Perform the following tasks to enable SSO.
Uncheck all Exec Auth Fail check boxes.
Change the record name for the WWW_AUTHENTICATION function to the cloned record (FUNCLIB_SHIB) and leave the rest as it is.
After modifying it, the Signon PeopleCode page looks as shown in the screenshot.
5.4 Restart the Weblogic Server
6. Testing the Single Signon from Shibboleth To People Soft
Open the browser and enter the following URL:
  https://<Service Provider Host Name>/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT
After entering the protected URL, the browser is redirected to the IdP login page shown below.
Enter the user name and password and click Login; you are redirected to the PeopleSoft default administration page, shown in the screenshot below.
Comments

We are working on integrating Shibboleth 2.4 with PeopleTools 8.55. Could you please let me know if you installed Shibboleth on the same server as PeopleSoft or on a different server?

Thank you for sharing your blog, seems to be useful information, can't wait to dig deep!

Hi There Sir,
Do you have YouTube vids on SSO for PeopleSoft using Shibboleth?
Thanks