SlideShare a Scribd company logo

Tags

J
jcvengal

The University of Waterloo wanted to integrate their custom PeopleSoft application (ACCESS) with their centralized user directory (UWDIR) for single sign-on. They implemented external authentication through a CGI script that authenticates users against UWDIR and passes authentication results to PeopleSoft using cookies. The PeopleSoft signon page was modified to call the CGI script, which sets a cookie if authentication succeeds. Signon PeopleCode enforces the cookie result, allowing access if authenticated and denying it otherwise. This allows ACCESS to use UWDIR credentials without changing the PeopleSoft security model.

Economy & FinanceTechnology
1 of 29
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
PeopleSoft 8 Security External Authentication Through CGI Shankar Mattay - smattay@uwaterloo.ca Steve Sangster - smsangst@uwaterloo.ca
Agenda University of Waterloo Environment Security Strategy Understanding the Signon Process Implementation Steps The Result Questions & Answers
University of Waterloo Founded July 1957 25000 Students 20000 undergraduate students 2000 graduate students 3000 distance education students 3500 Ongoing Employees Best known for the largest co-op program in the world (approximately 10000 students)
UW PeopleSoft Environment HRMS and Payroll version 7.5 Currently upgrading to version 8.00 Student Administration version 7.6 Custom Application (ACCESS) developed using PeopleTools 8.15.01
ACCESS Co-operative Education & Career Services 5000+ students per term use ACCESS on a rotating basis Students use ACCESS to search for jobs and view application and interview information Most UW applications use a centralized authentication system
UWDIR Centralized authentication system is called UWDIR Contains: Basic information for 50000+ users Windows NT Domain (uwaterloo.ca) for central password storage and authentication Challenge was to integrate ACCESS with UWDIR
PeopleSoft Security Strategies Internal Authentication Users and Passwords are maintained within PeopleSoft We cannot export passwords from UWDIR Lightweight Directory Access Protocol PeopleSoft supports out of the box UW Active Directory is planned for future Web Server Exit Web Server performs authentication and passes user information to PeopleSoft, bypassing the PeopleSoft Signon screen Requires maintaining multiple lists of users
UW Security Strategy External Authentication through CGI Uses PeopleSoft Signon screen Authenticate with UWDIR Enables us to integrate authentication with one password system
Loading User Information Nightly process adds and removes users Internal passwords are irrelevant for external authentication strategies PSOPRDEFN PSOPRALIAS PSOPRCLS PSROLEUSER PS_ROLEXLATOPR PS_PERSONAL_DATA Load PeopleSoft security tables UWDIR Application Engine
Implementation Technical Walkthrough of the Implementation Steps
Understanding the Signon Process Signon Page Perl Script Main Menu UWDIR Internal Authentication Signon PeopleCode
Implementation Steps Modify the PeopleSoft Signon page Write a Perl script to perform authentication with UWDIR and securely communicate result to PeopleSoft Write a Signon PeopleCode function to enforce the result of the authentication
Signon Page PeopleSoft web servlet retrieves signin.html from the Web Server and delivers it to the client
Signon Page Servlet replaces embedded variables with PeopleSoft parameters before delivery Dynamic paths, error messages, etc.
Signon Page Modify form to post data to our own Perl script instead of to PeopleSoft servlet Pass the location of the PeopleSoft servlet to the script as part of the path
Signon Page Results of our HTML modifications Make use of PeopleSoft Style Sheets and error messages
Perl Script Accepts data entered in Signon page Performs authentication with the NT Domain using SMB library If authentication is successful Generates random cookie file name Writes a cookie file on the Web Server with the generated file name File contains UserId, IP address, and time stamp If authentication fails Cookie name is blank and file is not written
Perl Script Reads PATH_INFO to determine the URL of the PeopleSoft servlet Appends additional parameters on PeopleSoft servlet URL AUTH contains the cookie name userid provides a fake user name to PeopleSoft pwd provides a fake password to PeopleSoft Redirects the user to this new URL avoiding PeopleSoft Signon
Avoiding PeopleSoft Signon PeopleSoft servlet sees the userid and pwd parameters and thinks the user filled in the Signon page When the user is redirected to: Internal Authentication is performed Signon PeopleCode is executed to enforce the result of External Authentication
Signon PeopleCode Signon PeopleCode is a function created in Record Field PeopleCode
Signon PeopleCode Function Reads the AUTH parameter in the URL using the %Request object to determine the cookie file name Ignores the userid parameter in the URL Opens the cookie file and reads the UserId Calls SetAuthenticationResult() and sets AuthResult to: True to allow the user access with the specified UserId, trusting the Perl Script False to deny access if AUTH parameter not present, file not found, or other problem occurs
Enabling Signon PeopleCode Add and Enable PeopleCode Function Check ExecAuthFail because Internal Authentication will fail Restart Application Server
The Result Brief Demonstration of Various Signon Scenarios
The Result User enters Signon information
The Result External Authentication fails Signon PeopleCode rejects the Signon attempt
The Result External Authentication successful but user does not exist in PSOPRDEFN Signon PeopleCode accepts login attempt but PeopleSoft rejects it because UserId is not found
The Result User attempts to access the URL to avoid Signon using a forged cookie Signon PeopleCode rejects the Signon attempt because cookie file does not exist
The Result External Authentication successful and UserId exists in PSOPRDEFN User successfully signs on
Questions & Answers Shankar Mattay - smattay@uwaterloo.ca Steve Sangster - smsangst@uwaterloo.ca

More Related Content

PPTX
Creating a Sign On with Open id connect
Derek Binkley
 
PPT
Open Id, O Auth And Webservices
Myles Eftos
 
PPTX
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
iXora Solution Ltd.
 
PPTX
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
Nur Fatihah Mat Ali
 
PDF
CIS14: OAuth and OpenID Connect in Action
CloudIDSummit
 
PPT
CAS Enhancement
Guo Albert
 
PDF
Design and Implementation of an IP based authentication mechanism for Open So...
WilliamJohn41
 
PDF
Feide Connect – Standard Norge February 2015
Andreas Åkre Solberg
 
Creating a Sign On with Open id connect
Derek Binkley
 
Open Id, O Auth And Webservices
Myles Eftos
 
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
iXora Solution Ltd.
 
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
Nur Fatihah Mat Ali
 
CIS14: OAuth and OpenID Connect in Action
CloudIDSummit
 
CAS Enhancement
Guo Albert
 
Design and Implementation of an IP based authentication mechanism for Open So...
WilliamJohn41
 
Feide Connect – Standard Norge February 2015
Andreas Åkre Solberg
 

What's hot (20)

PPT
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
PDF
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
DOCX
Pots pan workpackage 3 pilot 1
Tony Toole
 
PPT
Digg Third Party Authentication
Bill Shupp
 
PPTX
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
PDF
SAP Cloud for Customer - User Creation & Password issue Handling
Rishikesh Sah
 
PPT
Street conf overview
ericsachs
 
PDF
Full stack security
DPC Consulting Ltd
 
PPTX
AD FS Workshop | Part 2 | Deep Dive
Granikos GmbH & Co. KG
 
PPT
Jasig Central Authentication Service in Ten Minutes
Andrew Petro
 
PDF
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
PPTX
OpenID Connect 1.0 Explained
Eugene Siow
 
PDF
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
Artur Barseghyan
 
PDF
Iam f42 a
SelectedPresentations
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
PDF
OW2con'14 - LemonLDAP::NG 1.4 New features, Linagora
OW2
 
PDF
eSign Brochure1.5
DigiLocker
 
PPT
Mailing Website
Mohammed Sajid
 
PPTX
Secure Code Warrior - Secure by default
Secure Code Warrior
 
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
Pots pan workpackage 3 pilot 1
Tony Toole
 
Digg Third Party Authentication
Bill Shupp
 
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
SAP Cloud for Customer - User Creation & Password issue Handling
Rishikesh Sah
 
Street conf overview
ericsachs
 
Full stack security
DPC Consulting Ltd
 
AD FS Workshop | Part 2 | Deep Dive
Granikos GmbH & Co. KG
 
Jasig Central Authentication Service in Ten Minutes
Andrew Petro
 
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
OpenID Connect 1.0 Explained
Eugene Siow
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
Artur Barseghyan
 
Iam f42 a
SelectedPresentations
 
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
OW2con'14 - LemonLDAP::NG 1.4 New features, Linagora
OW2
 
eSign Brochure1.5
DigiLocker
 
Mailing Website
Mohammed Sajid
 
Secure Code Warrior - Secure by default
Secure Code Warrior
 
Ad

Viewers also liked (9)

PDF
Boardwalk - Landscapers
Natasha Lueder, CLCS
 
PPTX
Photo shoot contact sheet
felicityputman
 
PPTX
Tugas tik jaringan komputer aldi , puji
089626885974
 
DOCX
Leadership Ethics at the Movies
Dan Twomey, Jr.
 
PDF
Jornal Paraná Notícias
Ed Claudio Cruz
 
PDF
Solving Quadratics by Factoring.pdf
bwlomas
 
ODP
Tecnologias da minha escola
6945
 
PDF
Music Video Treatment
Sarah Dade
 
PPT
Ana profile in cvd
Asha damodar
 
Boardwalk - Landscapers
Natasha Lueder, CLCS
 
Photo shoot contact sheet
felicityputman
 
Tugas tik jaringan komputer aldi , puji
089626885974
 
Leadership Ethics at the Movies
Dan Twomey, Jr.
 
Jornal Paraná Notícias
Ed Claudio Cruz
 
Solving Quadratics by Factoring.pdf
bwlomas
 
Tecnologias da minha escola
6945
 
Music Video Treatment
Sarah Dade
 
Ana profile in cvd
Asha damodar
 
Ad

Similar to Tags (20)

PPTX
Crypto passport authentication
Fraboni Ec
 
PPTX
Crypto passport authentication
James Wong
 
PPTX
Crypto passport authentication
Luis Goldster
 
PPTX
Crypto passport authentication
Harry Potter
 
PPTX
Crypto passport authentication
David Hoen
 
PPTX
Crypto passport authentication
Tony Nguyen
 
PPTX
Crypto passport authentication
Young Alista
 
PPT
Intro to Web Application Security
Rob Ragan
 
PDF
Cybersecurity State of the Union
Mark Niebergall
 
PPTX
PeopleSoft: HACK THE Planet^W university
Dmitry Iudin
 
PDF
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
Hackito Ergo Sum
 
PPT
Application Security
nirola
 
PPTX
Secure coding - Balgan - Tiago Henriques
Tiago Henriques
 
PDF
13. Neville Varnham - PeopleSoft Cyber Security
Cedar Consulting
 
PPT
Phpnw security-20111009
Paul Lemon
 
PDF
Web Development Security
Rafael Monteiro
 
PPTX
Software Security information security
mubeen arshad
 
PPT
Oracle UCM Security: Challenges and Best Practices
Brian Huff
 
PDF
The top 10 security issues in web applications
Devnology
 
PDF
Lesser Known Security Problems in PHP Applications
ZendCon
 
Crypto passport authentication
Fraboni Ec
 
Crypto passport authentication
James Wong
 
Crypto passport authentication
Luis Goldster
 
Crypto passport authentication
Harry Potter
 
Crypto passport authentication
David Hoen
 
Crypto passport authentication
Tony Nguyen
 
Crypto passport authentication
Young Alista
 
Intro to Web Application Security
Rob Ragan
 
Cybersecurity State of the Union
Mark Niebergall
 
PeopleSoft: HACK THE Planet^W university
Dmitry Iudin
 
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
Hackito Ergo Sum
 
Application Security
nirola
 
Secure coding - Balgan - Tiago Henriques
Tiago Henriques
 
13. Neville Varnham - PeopleSoft Cyber Security
Cedar Consulting
 
Phpnw security-20111009
Paul Lemon
 
Web Development Security
Rafael Monteiro
 
Software Security information security
mubeen arshad
 
Oracle UCM Security: Challenges and Best Practices
Brian Huff
 
The top 10 security issues in web applications
Devnology
 
Lesser Known Security Problems in PHP Applications
ZendCon
 

Recently uploaded (20)

PDF
Principal of magaement is good fundamentals in economics
rajgolder3
 
PPTX
Very useful ppt for your banking assignments Banking.pptx
smitraiyni07
 
PDF
Pitch Deck.pdf .pdf all about finance in
k3aamanda
 
PPTX
lesson in englishhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
JERALLIROSEVALENCIAH
 
PDF
2018_Simulating Hedge Fund Strategies Generalising Fund Performance Presentat...
mkgyver
 
PPTX
Group Presentation Development Econ and Envi..pptx
sesconnicole
 
PPT
CompanionAsset_9780128146378_Chapter04.ppt
PENGFEIGAO7
 
PPTX
28 - relative valuation lecture economicsnotes
ShashankShetty45
 
PPTX
ML Credit Scoring of Thin-File Borrowers
Deepa Shukla
 
PPTX
Module5_Session1 (mlzrkfbbbbbbbbbbbz1).pptx
emiledxpe
 
PDF
Statistics for Management and Economics Keller 10th Edition by Gerald Keller ...
solutionsmanual3
 
PPTX
PROFITS AND GAINS OF BUSINESS OR PROFESSION 2024.pptx
Vxx001
 
PDF
DTC TRADIND CLUB MAKE YOUR TRADING BETTER
dtctechnicalteam
 
PDF
Unkipdf.pdf of work in the economy we are
k3aamanda
 
PPTX
OAT_ORI_Fed Independence_August 2025.pptx
hiddenlevers
 
PPTX
General-Characteristics-of-Microorganisms.pptx
neilfrancisfernandez
 
PDF
2012_The dark side of valuation a jedi guide to valuing difficult to value co...
mkgyver
 
PDF
Truxton Capital: Middle Market Quarterly Review - August 2025
truxtontrust
 
DOCX
Final. 150 minutes exercise agrumentative Essay
lamluanvan.net Viết thuê luận văn
 
PPTX
2. RBI.pptx202029291023i38039013i92292992
heebahilal497
 
Principal of magaement is good fundamentals in economics
rajgolder3
 
Very useful ppt for your banking assignments Banking.pptx
smitraiyni07
 
Pitch Deck.pdf .pdf all about finance in
k3aamanda
 
lesson in englishhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
JERALLIROSEVALENCIAH
 
2018_Simulating Hedge Fund Strategies Generalising Fund Performance Presentat...
mkgyver
 
Group Presentation Development Econ and Envi..pptx
sesconnicole
 
CompanionAsset_9780128146378_Chapter04.ppt
PENGFEIGAO7
 
28 - relative valuation lecture economicsnotes
ShashankShetty45
 
ML Credit Scoring of Thin-File Borrowers
Deepa Shukla
 
Module5_Session1 (mlzrkfbbbbbbbbbbbz1).pptx
emiledxpe
 
Statistics for Management and Economics Keller 10th Edition by Gerald Keller ...
solutionsmanual3
 
PROFITS AND GAINS OF BUSINESS OR PROFESSION 2024.pptx
Vxx001
 
DTC TRADIND CLUB MAKE YOUR TRADING BETTER
dtctechnicalteam
 
Unkipdf.pdf of work in the economy we are
k3aamanda
 
OAT_ORI_Fed Independence_August 2025.pptx
hiddenlevers
 
General-Characteristics-of-Microorganisms.pptx
neilfrancisfernandez
 
2012_The dark side of valuation a jedi guide to valuing difficult to value co...
mkgyver
 
Truxton Capital: Middle Market Quarterly Review - August 2025
truxtontrust
 
Final. 150 minutes exercise agrumentative Essay
lamluanvan.net Viết thuê luận văn
 
2. RBI.pptx202029291023i38039013i92292992
heebahilal497
 

Tags

  • 1. PeopleSoft 8 Security External Authentication Through CGI Shankar Mattay - smattay@uwaterloo.ca Steve Sangster - smsangst@uwaterloo.ca
  • 2. Agenda University of Waterloo Environment Security Strategy Understanding the Signon Process Implementation Steps The Result Questions & Answers
  • 3. University of Waterloo Founded July 1957 25000 Students 20000 undergraduate students 2000 graduate students 3000 distance education students 3500 Ongoing Employees Best known for the largest co-op program in the world (approximately 10000 students)
  • 4. UW PeopleSoft Environment HRMS and Payroll version 7.5 Currently upgrading to version 8.00 Student Administration version 7.6 Custom Application (ACCESS) developed using PeopleTools 8.15.01
  • 5. ACCESS Co-operative Education & Career Services 5000+ students per term use ACCESS on a rotating basis Students use ACCESS to search for jobs and view application and interview information Most UW applications use a centralized authentication system
  • 6. UWDIR Centralized authentication system is called UWDIR Contains: Basic information for 50000+ users Windows NT Domain (uwaterloo.ca) for central password storage and authentication Challenge was to integrate ACCESS with UWDIR
  • 7. PeopleSoft Security Strategies Internal Authentication Users and Passwords are maintained within PeopleSoft We cannot export passwords from UWDIR Lightweight Directory Access Protocol PeopleSoft supports out of the box UW Active Directory is planned for future Web Server Exit Web Server performs authentication and passes user information to PeopleSoft, bypassing the PeopleSoft Signon screen Requires maintaining multiple lists of users
  • 8. UW Security Strategy External Authentication through CGI Uses PeopleSoft Signon screen Authenticate with UWDIR Enables us to integrate authentication with one password system
  • 9. Loading User Information Nightly process adds and removes users Internal passwords are irrelevant for external authentication strategies PSOPRDEFN PSOPRALIAS PSOPRCLS PSROLEUSER PS_ROLEXLATOPR PS_PERSONAL_DATA Load PeopleSoft security tables UWDIR Application Engine
  • 10. Implementation Technical Walkthrough of the Implementation Steps
  • 11. Understanding the Signon Process Signon Page Perl Script Main Menu UWDIR Internal Authentication Signon PeopleCode
  • 12. Implementation Steps Modify the PeopleSoft Signon page Write a Perl script to perform authentication with UWDIR and securely communicate result to PeopleSoft Write a Signon PeopleCode function to enforce the result of the authentication
  • 13. Signon Page PeopleSoft web servlet retrieves signin.html from the Web Server and delivers it to the client
  • 14. Signon Page Servlet replaces embedded variables with PeopleSoft parameters before delivery Dynamic paths, error messages, etc.
  • 15. Signon Page Modify form to post data to our own Perl script instead of to PeopleSoft servlet Pass the location of the PeopleSoft servlet to the script as part of the path
  • 16. Signon Page Results of our HTML modifications Make use of PeopleSoft Style Sheets and error messages
  • 17. Perl Script Accepts data entered in Signon page Performs authentication with the NT Domain using SMB library If authentication is successful Generates random cookie file name Writes a cookie file on the Web Server with the generated file name File contains UserId, IP address, and time stamp If authentication fails Cookie name is blank and file is not written
  • 18. Perl Script Reads PATH_INFO to determine the URL of the PeopleSoft servlet Appends additional parameters on PeopleSoft servlet URL AUTH contains the cookie name userid provides a fake user name to PeopleSoft pwd provides a fake password to PeopleSoft Redirects the user to this new URL avoiding PeopleSoft Signon
  • 19. Avoiding PeopleSoft Signon PeopleSoft servlet sees the userid and pwd parameters and thinks the user filled in the Signon page When the user is redirected to: Internal Authentication is performed Signon PeopleCode is executed to enforce the result of External Authentication
  • 20. Signon PeopleCode Signon PeopleCode is a function created in Record Field PeopleCode
  • 21. Signon PeopleCode Function Reads the AUTH parameter in the URL using the %Request object to determine the cookie file name Ignores the userid parameter in the URL Opens the cookie file and reads the UserId Calls SetAuthenticationResult() and sets AuthResult to: True to allow the user access with the specified UserId, trusting the Perl Script False to deny access if AUTH parameter not present, file not found, or other problem occurs
  • 22. Enabling Signon PeopleCode Add and Enable PeopleCode Function Check ExecAuthFail because Internal Authentication will fail Restart Application Server
  • 23. The Result Brief Demonstration of Various Signon Scenarios
  • 24. The Result User enters Signon information
  • 25. The Result External Authentication fails Signon PeopleCode rejects the Signon attempt
  • 26. The Result External Authentication successful but user does not exist in PSOPRDEFN Signon PeopleCode accepts login attempt but PeopleSoft rejects it because UserId is not found
  • 27. The Result User attempts to access the URL to avoid Signon using a forged cookie Signon PeopleCode rejects the Signon attempt because cookie file does not exist
  • 28. The Result External Authentication successful and UserId exists in PSOPRDEFN User successfully signs on
  • 29. Questions & Answers Shankar Mattay - smattay@uwaterloo.ca Steve Sangster - smsangst@uwaterloo.ca

Editor's Notes

  • #2: Good morning. Thank you for being here. The purpose of our presentation is to show you the method we have developed for authenticating PeopleSoft users with a centralized password management system using CGI scripts.