PeopleSoft Kerberos Authentication (Desktop Single Signon) – Signon PeopleCode and Security

Overview

In my last couple of posts I covered the creation of the Domain Account, SPN and Keyfile, as well as the required configuration on the web and application servers. This final post covers the required PeopleCode and security changes.

Signon PeopleCode

Log in to the target environment with Application Designer.

Open the FUNCLIB_LDAP record, right-click the LDAPAUTH field, and select View PeopleCode.



Locate the function getWWWAuthConfig.

Set &defaultUserId to the guest User ID that is created later in this post (PS_GUEST). This is the user the web profile signs anonymous visitors on as, and the Kerberos function below only acts while the session still belongs to that user:

Function getWWWAuthConfig()
   &defaultUserId = "PS_GUEST";
End-Function;

Add the following function at the end of the program. Note that this is the application server authentication variant: the token sent by the browser is validated by the KerberosSSOValidator Java class on the application server, not on the web server.

/*/////////////////////////////////////////////////////////////////////////////////////////////
KRB_AUTHENTICATION used for Kerberos Single Sign On
App server authentication: the Kerberos token is validated on the application server
////////////////////////////////////////////////////////////////////////////////////////////*/
Function KRB_AUTHENTICATION()
   Local JavaObject &validator;
   
   /* Only run after a successful signon that no other SSO method has already handled */
   If %PSAuthResult = True And
         &authMethod <> "WWW" And
         &authMethod <> "OAMSSO" And
         &authMethod <> "OSSO" And
         &authMethod <> "SSO" And
         &authMethod <> "LDAP" Then
      getWWWAuthConfig();
      /* The session still belongs to the public (guest) user, so look for a Kerberos token */
      If %SignonUserId = &defaultUserId Then
         Local string &krbToken = %Request.GetHeader("Authorization");
         /* Anything shorter cannot hold "Negotiate " plus a token */
         If Len(&krbToken) > 12 Then
            /* Drop the 10-character "Negotiate " scheme; what remains is the base64 SPNEGO token */
            &krbToken = Substring(&krbToken, 11, Len(&krbToken) + 1);
            &validator = GetJavaClass("com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator").getInstance();
            /* validate() returns the Kerberos principal; the string "NULL" is treated as failure */
            Local string &userName = &validator.validate(&krbToken);
            If &userName <> "NULL" Then
               /* Strip "@REALM" and use the upper-cased short name as the PeopleSoft User ID */
               Local number &foundDelim = Find("@", &userName);
               If (&foundDelim > 0) Then
                  &userName = Substring(&userName, 1, &foundDelim - 1);
               End-If;
               SetAuthenticationResult( True, Upper(&userName), "", False);
               &authMethod = "KRB";
            End-If;
         End-If;
      End-If;
   End-If;
End-Function;

Save the record.
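The token handling around the validator call, as an added example that is not PeopleSoft or Oracle code and not PeopleCode: a Python script that strips the Negotiate scheme the way the Substring call does, applies the same principal-to-User-ID mapping, and adds a check the signon function does not perform, namely telling a Kerberos token from an NTLM fallback, which is the usual reason validate() returns "NULL" and the user is left in the PS_GUEST session. The Kerberos validation itself (keytab, AP-REQ check) is not reimplemented. The SPNEGO tokens built by build_spnego_init and the principal jsmith@CORP.EXAMPLE.COM are constructed for the demo; the OIDs are the standard GSS-API, Kerberos, SPNEGO and NTLMSSP ones.

```python
"""Triage the "Authorization: Negotiate" header that KRB_AUTHENTICATION hands
to KerberosSSOValidator.  Added illustration, not PeopleSoft/Oracle code: the
Kerberos check itself (keytab, AP-REQ) is not reimplemented.  It models what the
PeopleCode does around that call (strip the scheme, map principal -> User ID)
and adds what it lacks: telling a Kerberos token from an NTLM fallback."""
import base64
import re

# DER OID value bytes (tag and length stripped)
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
_NEGOTIATE = re.compile(r"^\s*Negotiate\s+([A-Za-z0-9+/]+=*)\s*$")

def extract_negotiate_token(header):
    """Decoded GSS token, or None.  Unlike the fixed Substring(&krbToken, 11, ...)
    this checks the scheme, so "Basic ..." or a bare "Negotiate" gives None."""
    match = _NEGOTIATE.match(header or "")
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True)
    except ValueError:                    # binascii.Error subclasses ValueError
        return None

def _read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate_token(token):
    """'kerberos', 'ntlm' or 'unknown': raw NTLMSSP, bare Kerberos
    InitialContextToken, or SPNEGO NegTokenInit (first mechType = one used)."""
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    try:
        tag, body, _ = _read_tlv(token, 0)              # [APPLICATION 0]
        tag_oid, oid, pos = _read_tlv(body, 0)          # thisMech OID
        if tag != 0x60 or tag_oid != 0x06:
            return "unknown"
        if oid in (KRB5_OID, MS_KRB5_OID):
            return "kerberos"
        if oid != SPNEGO_OID:
            return "unknown"
        tag, neg_init, _ = _read_tlv(body, pos)         # [0] NegTokenInit
        _, seq, _ = _read_tlv(neg_init, 0)              # SEQUENCE
        tag2, mech_types, _ = _read_tlv(seq, 0)         # [0] mechTypes
        _, mech_list, _ = _read_tlv(mech_types, 0)      # SEQUENCE OF OID
        _, first_mech, _ = _read_tlv(mech_list, 0)
    except IndexError:                                  # truncated or garbled
        return "unknown"
    if tag != 0xA0 or tag2 != 0xA0:
        return "unknown"
    if first_mech in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    return "ntlm" if first_mech == NTLMSSP_OID else "unknown"

def principal_to_userid(principal):
    """Mirror of the PeopleCode after validate(): "NULL" means no signon, else
    drop "@REALM" and upper-case.  The realm is never compared, so the keytab's
    KDC and any realm it trusts decide which principals become JSMITH."""
    if not principal or principal == "NULL":
        return None
    return principal.split("@", 1)[0].upper() or None

def diagnose(header):
    """One-word verdict for an Authorization header seen on a PIA request."""
    token = extract_negotiate_token(header)
    return "no-negotiate-token" if token is None else classify_negotiate_token(token)

def der(tag, content):
    """Minimal DER TLV encoder, used only to build constructed sample tokens."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_spnego_init(mech_oids, mech_token):
    """SPNEGO NegTokenInit listing mech_oids in preference order (not a real AP-REQ)."""
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    body = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, body))

def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()

if __name__ == "__main__":
    ok = negotiate_header(build_spnego_init([KRB5_OID, NTLMSSP_OID], b"\x00" * 200))
    bad = negotiate_header(build_spnego_init([NTLMSSP_OID], b"NTLMSSP\x00\x01"))
    for name, hdr in [("ticket", ok), ("ntlm-fallback", bad), ("basic", "Basic dXNlcjpwYXNz")]:
        print(f"{name:14s} -> {diagnose(hdr)}")
    print(principal_to_userid("jsmith@CORP.EXAMPLE.COM"))   # constructed principal
```

To use it against a real session, capture the Authorization header of a request that stays on the guest session (browser developer tools or a proxy will show it) and feed it to diagnose(). A verdict of "ntlm" means the browser never obtained a ticket for the HTTP/<hostname> SPN, so the fix lies in the SPN, keytab or browser zone settings rather than in this PeopleCode. principal_to_userid also makes the security consequence of the Find("@") step explicit: the realm is discarded before the User ID lookup, so the keytab's realm and any realms it trusts decide who can become a given User ID.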

PeopleSoft Users and Roles

Two users are required in PeopleSoft for the authentication to work:

PS_GUEST: the public user the web profile signs anonymous visitors on as; the Kerberos function only runs while the session still belongs to this user.
PS_SIGNON: the user the Signon PeopleCode is invoked as; it needs access to the USER_PROFILE component interface and nothing else.

Create PS_GUEST User ID

Log in to the target PIA environment and navigate to PeopleTools > Security > User Profiles > User Profiles.

Add a new user PS_GUEST with a strong password; the same password is entered in the web profile later. Apart from the ID type and roles settings below, nothing else needs to be configured.


On the ID tab, set ID Type to None.


Do not assign any roles. Every anonymous visitor is signed on as this user, so any role granted here is effectively granted to everyone who can reach the PIA.


Save the User ID.

Create PS_SIGNON Permission List

Navigate PeopleTools > Security > Permissions & Roles > Permission List

Create a new Permission List: PS_SIGNON


Click the Component Interfaces tab and add USER_PROFILE. Keep this as the only entry in the list; it is all the signon user needs.


Save the permission list.

Create PS_SIGNON Role

Navigate PeopleTools > Security > Permissions & Roles > Roles

Create a new Role: PS_SIGNON


Grant the PS_SIGNON Permission List


Save the Role.

Create PS_SIGNON User

Navigate PeopleTools > Security > User Profiles > User Profiles

Create a new User: PS_SIGNON


Set the ID Type to None and add a description.


Assign the PS_SIGNON Role


Save the User ID.

Update Web Profile

Navigate PeopleTools > Web Profile > Web Profile Configuration

Open the relevant web profile and click the Security tab. Under Public Users, tick Allow Public Access and enter PS_GUEST as the User ID together with the password set above. This is the account every unauthenticated browser is signed on as before the Kerberos function gets a chance to run:


Save the web profile.

Signon PeopleCode Configuration

Navigate PeopleTools > Security > Security Objects > Signon PeopleCode

Set the Invoke As user to PS_SIGNON with its password, then add a row for record FUNCLIB_LDAP, field LDAPAUTH, event FieldDefault, function KRB_AUTHENTICATION. Mark it Enabled, leave Exec Auth Fail unchecked (the function itself requires %PSAuthResult = True), and give it a sequence number after the existing entries as shown:


Save the configuration.

Clear Cache and Restart

Clear the application server cache and restart the application server and PIA.

Internet Explorer Configuration

For Internet Explorer to send the user's Kerberos ticket to the site automatically, configure the browser as follows.

Click Tools > Internet Options.


Click the Security tab and make sure the site is in the Trusted sites zone (if not, add it using Sites). Click Custom level, scroll to the bottom and, under User Authentication > Logon, select "Automatic logon with current user name and password". Use the site's hostname rather than its IP address: the browser requests a ticket for HTTP/<hostname>, which has to match the SPN registered earlier in this series.

Firefox Configuration

Navigate to the URL about:config.
Click past the warning of harmful consequences.
Type negotiate-auth into the filter at the top of the page, in order to remove most of the irrelevant settings from the list.
Double-click on network.negotiate-auth.trusted-uris. A dialogue box for editing the value should appear.
Enter the required hostname(s) and/or URL prefix(es), for example <env>.smartpeoplesoftadmin.com, then click OK. Several values are separated by commas.

