PeopleSoft SSO – Single Sign On Solution

PeopleSoft SSO Integration Options

Why is PeopleSoft SSO important?

PeopleSoft SSO is most desired for PeopleSoft Portal implementations, as PeopleSoft Portal is the central and unified interface to access other PeopleSoft Applications, such as HCM or CRM.

PeopleSoft SSO authenticates the user at the first login to PeopleSoft Portal, then lets the user access other PeopleSoft Applications without logging in to each application over and over. Therefore, SSO is a must-have for PeopleSoft Applications.

Security Concerns with PS_TOKEN – TokenChpoken Attack

Oracle PeopleSoft offers Single Sign On (SSO) out of the box to give its customers a better user experience. This out-of-the-box PeopleSoft SSO uses the PS_TOKEN cookie to store the user or session information that is passed from one PeopleSoft Application to another.

The PS_TOKEN cookie stores confidential information such as UserID (the name of the authenticated user), Node Name (the name of the node that authenticated the user), Date and Time (when the PS_TOKEN was issued), and a SHA Signature, base64 encoded.

According to the ERPScan report on Oracle PeopleSoft vulnerabilities, PeopleSoft Applications are susceptible to the TokenChpoken attack, which affects systems that use Single Sign On (SSO). The attack is possible because the PS_TOKEN authentication cookie used by PeopleSoft Applications can be forged. When the PS_TOKEN is identified by a “brute force” TokenChpoken attack, it is possible to log in under a system account and gain access to all data from the compromised system. Read more at:

ERPScan Security Report about PeopleSoft Security Vulnerabilities
PeopleSoft Wikipedia
Understanding PeopleSoft Single Sign On

Solution for PS_TOKEN TokenChpoken Attack Vulnerability

  1. Disable out of the box SSO from PeopleSoft to eliminate PS_TOKEN completely.
  2. Enable External SSO for PeopleSoft with solutions such as Microsoft Azure, CA Siteminder, Okta, Oracle Access Manager, and SSOGEN.
  3. Enable Multi Factor Authentication – MFA for PeopleSoft Applications
  4. Enable External SSO for all PeopleSoft Applications for seamless access

How to enable PeopleSoft Single Sign On?

Configure Web Server

Configure Web Server or Apache or HTTPD Server to front-end the PeopleSoft Servers and enable SSO protection for all PeopleSoft URLs.

 

 

Disable Direct Access

Ensure that all the traffic is routed through the web server and SSO protected. Disable any direct access to PeopleSoft URLs. 

 

 

Enable External SSO

Enable SSO at Web Server and Configure SSO in PeopleSoft. Header Injection and Cookie forgery are completely eliminated. 

 

 

PeopleSoft SSO Integration with LDAP Servers

PeopleSoft SSO Integration with SSOGEN opens up multiple options. Through SSOgen, PeopleSoft is SSO enabled with Windows Native Authentication – WNA or Kerberos or Desktop Authentication or Zero Touch SSO, and most of the Directory Servers – LDAP Version 2 and LDAP Version 3 servers. A quick list of PeopleSoft LDAP SSO Integration possibilities with SSOgen:

PeopleSoft Active Directory Authentication
PeopleSoft RadiantLogic Authentication
PeopleSoft UnboundID LDAP Authentication
PeopleSoft OpenDS Authentication
PeopleSoft OpenDJ Authentication
PeopleSoft CA Directory Authentication
PeopleSoft IBM Directory Authentication
PeopleSoft NetIQ Authentication
PeopleSoft OpenLDAP Authentication
PeopleSoft SLAPD Authentication
PeopleSoft 389 Directory Server Authentication
PeopleSoft Apache Directory Authentication
PeopleSoft OUD Authentication
PeopleSoft ODS Authentication

PeopleSoft SSO SAML Integrations

SSOGEN supports SAML IDP v1, SAML IDP v2, OpenID Providers for PeopleSoft Applications. With SSOgen Integration, PeopleSoft would be easily integrated with other SSO Solutions such as Okta, Oracle Identity Cloud Services – IDCS, OneLogin, Azure SSO, Azure ADFS, Microsoft ADFS, PingFederate, Shibboleth, OpenID Providers, and other popular SSO Solutions such as CA Siteminder, IBM Tivoli Access Manager, and Oracle Access Manager, and many more.

PeopleSoft Okta Integration
PeopleSoft OneLogin Integration
PeopleSoft Shibboleth SAML Integration
PeopleSoft PingFederate Integration
PeopleSoft Integration with IDCS
PeopleSoft Azure ADFS Integration
PeopleSoft Microsoft ADFS Integration
PeopleSoft Siteminder Integration
PeopleSoft Integration with IBM Tivoli AM
PeopleSoft NetIQ Integration


PeopleSoft SSO Configuration

Step-by-step instructions to enable SSO for PeopleSoft are described below. This SSO integration follows Oracle Standard Guidelines to enable SSO for PeopleSoft.

Log on to the PeopleSoft Console at http://ps.example.com:8000/psp/ps/?cmd=start using Admin credentials (Example: PS/PS).


Navigate to PeopleTools >> Security >> User Profiles >> User Profiles to create a new user profile

User ID: SSO
Symbolic ID: Blank
ID Type: None
Role: PeopleSoft User


Edit the current Web Profile to configure SSO user for the Public Access

Navigation: PeopleTools >> Web Profile >> Web Profile Configuration >> Search >> PROD >> Security

Input the User ID and password created earlier, then Save.

Edit Signon PeopleCode to enable SSOGEN Authentication

Navigation: PeopleTools >> Security >> Security Objects >> Signon PeopleCode

>> Create a line with SSOGEN_AUTHENTICATION

>> Enable the Check Box

Save and Restart PeopleSoft Services

Test PeopleSoft SSO logins at /psp/ps/?cmd=start

Example: http://pslabvm102.example.com/psp/ps/?cmd=start

Optionally, update index.html in PORTAL.war with the SSO Login Redirect.

$ cat /home/psadm2/psft/pt/8.57/webserv/peoplesoft/applications/peoplesoft/PORTAL.war/index.html
 <HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta HTTP-EQUIV='Refresh' CONTENT='0; URL=/psp/ps/?cmd=start'>
</HEAD>
</HTML>
$

Test PeopleSoft SSO logins without cmd=start explicit parameters.

Example: http://pslabvm102.example.com/
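
One way to verify the "Disable Direct Access" step together with the login tests above, as an added example (not SSOgen or Oracle code): send one unauthenticated request to each URL and confirm the front-end URL hands off to the SSO provider while the direct application URL does not answer. The hostname idp.example.com, the verdict names, and the treatment of ps.example.com:8000 as the direct listener are assumptions; the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

IDP_HOSTS = {"idp.example.com"}  # assumption: hostname of your external SSO provider

def probe(url, timeout=5):
    """Send one unauthenticated GET and record the reply; redirects are not followed."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        cookies = "; ".join(resp.headers.get_all("Set-Cookie") or [])
        return {"url": url, "status": resp.status,
                "location": resp.getheader("Location", ""), "set_cookie": cookies}
    except (OSError, http.client.HTTPException):
        return {"url": url, "status": None, "location": "", "set_cookie": ""}
    finally:
        conn.close()

def classify(r, idp_hosts=IDP_HOSTS):
    """Map one probe result to a verdict."""
    if r["status"] is None:
        return "blocked"       # nothing answered: expected for a direct application URL
    if "PS_TOKEN=" in r["set_cookie"]:
        return "exposed"       # PeopleSoft issued its own token with no SSO login
    if r["status"] in (401, 403):
        return "denied"
    if 300 <= r["status"] < 400 and urlsplit(r["location"]).hostname in idp_hosts:
        return "sso-redirect"  # handed off to the external SSO provider
    return "review"            # answered some other way; inspect by hand

def audit(results, expected):
    """Return (url, verdict) for every result whose verdict is not acceptable."""
    return [(r["url"], classify(r)) for r in results
            if classify(r) not in expected[r["url"]]]

FRONT = "http://pslabvm102.example.com/psp/ps/?cmd=start"   # web server URL from the page
DIRECT = "http://ps.example.com:8000/psp/ps/?cmd=start"     # assumed direct listener
EXPECTED = {FRONT: {"sso-redirect", "denied"}, DIRECT: {"blocked", "denied"}}
SAMPLE = [  # constructed responses, not captured from a real system
    {"url": FRONT, "status": 302,
     "location": "https://idp.example.com/sso/login", "set_cookie": ""},
    {"url": DIRECT, "status": 200, "location": "",
     "set_cookie": "PS_TOKEN=constructed; path=/"},
]

if __name__ == "__main__":
    # Live use: audit([probe(u) for u in EXPECTED], EXPECTED)
    print(audit(SAMPLE, EXPECTED))
```

An empty list means every URL behaved as expected; in the constructed sample the direct URL is reported because it still answers and sets PS_TOKEN.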

Questions? Leave a Comment Below!

34 Comments

  1. Is PeopleSoft SAML Integration possible with ssogen? What types of PeopleSoft SAML Integrations are supported here?

    Reply
  2. Thanks for contacting us, Andrew.

    Yes, PeopleSoft SSO SAML Integration is supported for SAML IDP v1, SAML IDP v2, OpenID Providers. SSOGEN enables Okta, OneLogin, Azure SSO a.k.a Azure ADFS, Microsoft ADFS, PingFederate SAML IDP SSO for PeopleSoft Applications safely and securely. SSOGEN solves the security vulnerabilities with PeopleSoft out of the box SSO.

    Reply
  3. Let me understand this better.. do you guys offer a free multi-factor authentication?

    Reply
  4. Yes, SSOgen offers a free multi-factor authentication app for iOS and Android to all of its customers. The soft token from the mobile app acts as a second factor for MFA SSO here.

    Reply
  5. So, this solution addresses PS_TOKEN security vulnerability issue?

    Reply
  6. Yes, as mentioned above, this solution eliminates the need for PS_TOKEN completely.

    Reply
  7. Does this integration need OID License from Oracle?

    Reply
    • Thomas,

      No, this solution does not use OID or OAM.

      Reply
  8. This solution works with Azure AD authentication, which is in Microsoft Azure Cloud?

    Reply
  9. PeopleSoft can be SSO enabled with CA Siteminder SSO with this gateway? Our IT Security team does not support SAML Authentication for PeopleSoft..

    Reply
    • Yes, Siteminder SSO is enabled through SSOgen SSO Gateway, and it does not require CA Federation – SAML Services. Please reach out to info@ssogen.com for a quick proof of concept.

      Reply
  10. How does SSOgen multi factor authentication work?

    Reply
  11. How long would it take to implement SSOgen for PeopleSoft?

    Reply
    • Typical SSO implementation takes about 30 minutes for PeopleSoft.

      Reply
  12. Do we need LDAP Directory for SSO Integration?

    Reply
    • LDAP Directory is not required, as SSO is configured to authenticate users with Azure AD, Oracle IDCS, Okta, or PING SSO.

      However, if a customer wishes to host some users in SSOgen, we offer a free directory.

      Reply
  13. You say that dependency on PS_TOKEN is completely eliminated.

    But what happens in a cluster setup (like in our organization, we have HCM, FSCM, ELM) and functionalities like
    1. Unified Navigation
    2. Remote Tiles
    3. Cluster Elastic Search (Setting up a global search, where results are rendered across multiple instances)
    4. Cluster Approvals
    5. Push Notifications

    that require the PS_TOKEN/Single Signon configurations to be in place?

    Reply
    • Though PS_TOKEN is used internally, all the PeopleSoft URLs are going to be protected by an SSO Client [Web Server Plug-in] in the web server.

      Reply
  14. Does it work with Okta Verify?

    Reply
    • Yes, Okta Verify is fully compatible with PeopleSoft SSO Logins, via SSOgen SSO Gateway.

      Reply
  15. Is this based on HTTP Header injection?

    Reply
    • No, this is not based on HTTP Header Injection coming from a network device.

      SSOgen SSO Client (Web Server Plug-in) acts as an SSO Policy Enforcement Agent, and any HTTP headers injected by the user/browser/network devices are discarded by the SSO client sitting on the web server.

      Reply
  16. PeopleSoft HCM 9.2 will be called in the embedded browser in a mobile app.
    How can we do SSO between the mobile app (ASDK, OAM) and PeopleSoft HCM 9.2? Can you please help?

    Reply
  17. PeopleSoft HCM 9.2 Fluid will be opened in an embedded browser in a Mobile App.

    How can we establish SSO between the Mobile App (ASDK, OAM) and PeopleSoft HCM 9.2? Can you please help?

    Reply
  18. Is SSO supported for older PeopleTools version (8.49) and HRMS 8.8 application release? I am exploring MFA for this system for all users including self-service members. Can we implement MFA for all users who have a user ID in PeopleSoft?

    Reply
  19. My authentication identity is Oracle PeopleSoft Campus, I need those users to interface with Microsoft Active Directory users, since the product we use is VMware Horizon v8 and to work it requires Active Directory users (For Authentication and Resource Allocation).

    Reply
    • Microsoft Active Directory and ADFS authentication with PeopleSoft is a popular integration. Please send out an email to info@ssogen.com for any additional help.

      Reply
  20. Is this a cloud solution? Can it be implemented on-prem?

    Reply
    • SSOGEN is a complete on-premises solution that runs on PeopleSoft Web Server, and it requires no customizations in PeopleSoft. SSOGEN follows Oracle Standard Integration method to enable SSO in PeopleSoft. You may want to try it yourself in your environment.

      Reply
  21. Will it work with Excel to CI upload files with SSO?

    Reply
  22. Can SSOGEN SSO solution for PeopleSoft work with DUO MFA?

    Reply
  23. How will it work with Excel to CI upload files with SSO?

    Reply
