What is PeopleSoft Single Signon – SSO?
PeopleSoft SSO is most desired for PeopleSoft Portal implementations, because PeopleSoft Portal is the central, unified interface for accessing other PeopleSoft Applications such as HCM or CRM. PeopleSoft SSO authenticates the user at the first login to PeopleSoft Portal, then lets the user access other PeopleSoft Applications without logging in to each application over and over. SSO is therefore a must-have for PeopleSoft Applications. Unlike other applications, Oracle PeopleSoft offers Single Signon – SSO out of the box to give its customers a better user experience. This out-of-the-box PeopleSoft SSO uses the PS_TOKEN cookie to store the user or session information that is passed from one PeopleSoft Application to another.
Security Concerns with PS_TOKEN – TokenChpoken Attack
The PS_TOKEN cookie stores confidential information: UserID (the name of the authenticated user), Node Name (the node that authenticated the user), Date and Time (when the PS_TOKEN was issued), and the SHA signature, base64-encoded.
According to the ERPScan report on Oracle PeopleSoft vulnerabilities, PeopleSoft Applications are susceptible to the TokenChpoken attack. The attack affects systems that use Single Sign-On (SSO) and is possible because the PS_TOKEN authentication cookie used by PeopleSoft Applications can be forged. When the PS_TOKEN is identified by a “brute force” TokenChpoken attack, it is possible to log in under a system account and gain access to all data from the compromised system.
Solution for PS_TOKEN TokenChpoken Attack Vulnerability
- Disable out of the box SSO from PeopleSoft to eliminate PS_TOKEN completely.
- Enable External SSO for PeopleSoft with solutions such as Microsoft Azure, CA Siteminder, Okta, Oracle Access Manager, and SSOGEN.
- Enable Multi Factor Authentication – MFA for PeopleSoft Applications
- Enable External SSO for all PeopleSoft Applications for seamless access
How to enable PeopleSoft Single Signon?
Configure an Apache or Oracle HTTP Server reverse proxy to front-end all the PeopleSoft servers, proxying the /psp/, /ps, /psc, and /cs URIs.
Disable Direct Access
Ensure that all traffic is routed through the above web server, and disable direct access to the PeopleSoft server URLs.
Enable External SSO
Enable SSO at Web Server – Reverse Proxy and Configure SSO in PeopleSoft. Header Injection and Cookie forgery are completely eliminated.
PeopleSoft SSO Integration with LDAP Servers
PeopleSoft SSO integration with SSOGEN opens up multiple options. Through SSOgen, PeopleSoft is SSO-enabled with Windows Native Authentication – WNA (a.k.a. Kerberos, Desktop Authentication, or Zero Touch SSO) and many directory servers (LDAP 2 and LDAP 3). Here is a list of PeopleSoft SSO integration possibilities with SSOgen:
PeopleSoft Active Directory Integration
PeopleSoft RadiantLogic Integration
PeopleSoft UnboundID LDAP Integration
PeopleSoft OpenDS Integration
PeopleSoft OpenDJ Integration
PeopleSoft CA Directory Integration
PeopleSoft IBM Directory Integration
PeopleSoft NetIQ Integration
PeopleSoft OpenLDAP Integration
PeopleSoft SLAPD Integration
PeopleSoft 389 Directory Server Integration
PeopleSoft Apache Directory Integration
PeopleSoft Oracle Unified Directory - OUD Integration
PeopleSoft Oracle Directory Server - ODS Integration
PeopleSoft SSO SAML Integrations
SSOGEN supports SAML IDP v1, SAML IDP v2, and OpenID Providers for PeopleSoft Applications. With SSOgen integration, PeopleSoft can be easily integrated with other SSO solutions such as Okta, Oracle Identity Cloud Services – IDCS, OneLogin, Azure SSO, Azure ADFS, Microsoft ADFS, PingFederate, Shibboleth, OpenID Providers, and other popular SSO solutions such as CA Siteminder, IBM Tivoli Access Manager, Oracle Access Manager, and many more.
PeopleSoft Okta Integration
PeopleSoft OneLogin Integration
PeopleSoft Shibboleth SAML Integration
PeopleSoft PingFederate SAML SSO Integration
PeopleSoft Integration with Oracle Identity Cloud Services – IDCS
PeopleSoft Azure ADFS - Azure SSO Integration
PeopleSoft Microsoft ADFS Integration
PeopleSoft Siteminder Integration
PeopleSoft Integration with IBM Tivoli Access Manager - TAM
PeopleSoft NetIQ Integration
PeopleSoft SSO Configuration
Log on to the PeopleSoft console at http://ps.example.com:8000/psp/ps/?cmd=start using admin credentials (example: PS/PS).
Navigate to PeopleTools >> Security >> User Profiles >> User Profiles and add a new PeopleSoft user profile, for example OAMPSFT.
Navigate to PeopleTools >> Security >> Security Objects >> Signon PeopleCode, uncheck all options, and check ‘OAMSSO_AUTHENTICATION’.
In Application Designer, click Open, select ‘Record’, and open ‘FUNCLIB_LDAP’.
Update the LDAPAUTH PeopleCode: in the getWWWAuthConfig() function, set defaultUserID to OAMPSFT, the user profile just created.
In the OAMSSO_AUTHENTICATION function, change the user header to PS_SSO_UID. SSOGEN_USER is another header variable that works for this function; it is available out of the box for SSOgen integrations.
Restart PeopleSoft services and test the SSO login use cases.
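Function OAMSSO_AUTHENTICATION()
   /* Run only if the default sign-on succeeded and no other method has already authenticated the user */
   If %PSAuthResult = True And
         &authMethod <> "LDAP" And
         &authMethod <> "WWW" And
         &authMethod <> "OSSO" And
         &authMethod <> "SSO" Then
      getWWWAuthConfig();
      /* Only a sign-on as the default SSO user (OAMPSFT) is switched to the header identity */
      If %SignonUserId = &defaultUserId Then
         /* User ID passed by the reverse proxy in the PS_SSO_UID request header */
         &userID = %Request.GetHeader("PS_SSO_UID");
         If &userID <> "" Then
            If &bConfigRead = False Then
               getLDAPConfig();
            End-If;
            SetAuthenticationResult( True, &userID, "", False);
            &authMethod = "OAMSSO";
         End-If;
      End-If;
   End-If;
End-Function;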
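The reverse proxy steps and the Signon PeopleCode above both rest on one property: the PS_SSO_UID header must reach PeopleSoft only when the proxy itself has set it. The Apache httpd 2.4 configuration below is an added example, not from the original page or from SSOgen, showing a proxy that forwards the header unfiltered next to one that strips and re-sets it. The public host name, the certificate paths, and an SSO module that populates REMOTE_USER are assumptions.

```apache
# Added example. Assumed: portal.example.com, certificate paths, and an SSO
# module that sets REMOTE_USER (its own directives are product-specific and
# not shown). From the page: the four URIs, PS_SSO_UID, SSOGEN_USER and the
# back end ps.example.com:8000.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers, Apache 2.4.10+.

# --- Weak: proxying alone forwards whatever identity header the browser sent.
#   ProxyPass /psp/ http://ps.example.com:8000/psp/
#   (a client-supplied PS_SSO_UID would reach the Signon PeopleCode unchanged)

# --- Corrected ---
<VirtualHost *:443>
    ServerName portal.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/portal.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/portal.example.com.key

    # Reverse proxy only, never a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Drop identity headers sent by the client before any other processing.
    # "early" is valid only at server/virtual-host level, not in <Location>.
    RequestHeader unset PS_SSO_UID early
    RequestHeader unset SSOGEN_USER early

    # The four PeopleSoft URIs named on the page (trailing slashes assumed).
    ProxyPass        /psp/ http://ps.example.com:8000/psp/
    ProxyPassReverse /psp/ http://ps.example.com:8000/psp/
    ProxyPass        /psc/ http://ps.example.com:8000/psc/
    ProxyPassReverse /psc/ http://ps.example.com:8000/psc/
    ProxyPass        /ps/  http://ps.example.com:8000/ps/
    ProxyPassReverse /ps/  http://ps.example.com:8000/ps/
    ProxyPass        /cs/  http://ps.example.com:8000/cs/
    ProxyPassReverse /cs/  http://ps.example.com:8000/cs/

    <LocationMatch "^/(psp|psc|ps|cs)/">
        # SSO module directives (AuthType and its settings) go here.
        Require valid-user
        # Set the header from the authenticated identity only.
        RequestHeader set PS_SSO_UID "expr=%{REMOTE_USER}"
    </LocationMatch>
</VirtualHost>

# Outside Apache: allow connections to ps.example.com:8000 only from this
# proxy's address, so the header cannot be supplied by connecting directly.
```

The "Disable Direct Access" step carries as much weight as the header handling: if port 8000 is reachable from anywhere other than the proxy, the PeopleCode will accept any PS_SSO_UID value sent with the default user's sign-on.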