Published in: Economy & Finance, Technology

  • Good morning. Thank you for being here. The purpose of our presentation is to show you the method we have developed for authenticating PeopleSoft users with a centralized password management system using CGI scripts.
  • Transcript

    • 1. PeopleSoft 8 Security
      • External Authentication Through CGI
      Shankar Mattay - Steve Sangster -
    • 2. Agenda
      • University of Waterloo Environment
      • Security Strategy
      • Understanding the Signon Process
      • Implementation Steps
      • The Result
      • Questions & Answers
    • 3. University of Waterloo
      • Founded July 1957
      • 25000 Students
        • 20000 undergraduate students
        • 2000 graduate students
        • 3000 distance education students
      • 3500 Ongoing Employees
      • Best known for the largest co-op program in the world (approximately 10000 students)
    • 4. UW PeopleSoft Environment
      • HRMS and Payroll version 7.5
        • Currently upgrading to version 8.00
      • Student Administration version 7.6
      • Custom Application (ACCESS) developed using PeopleTools 8.15.01
    • 5. ACCESS
      • Co-operative Education & Career Services
      • 5000+ students per term use ACCESS on a rotating basis
      • Students use ACCESS to search for jobs and view application and interview information
      • Most UW applications use a centralized authentication system
    • 6. UWDIR
      • Centralized authentication system is called UWDIR
      • Contains:
        • Basic information for 50000+ users
        • Windows NT Domain for central password storage and authentication
      • Challenge was to integrate ACCESS with UWDIR
    • 7. PeopleSoft Security Strategies
      • Internal Authentication
        • Users and Passwords are maintained within PeopleSoft
        • We cannot export passwords from UWDIR
      • Lightweight Directory Access Protocol
        • PeopleSoft supports out of the box
        • UW Active Directory is planned for future
      • Web Server Exit
        • Web Server performs authentication and passes user information to PeopleSoft, bypassing the PeopleSoft Signon screen
        • Requires maintaining multiple lists of users
    • 8. UW Security Strategy
      • External Authentication through CGI
        • Uses PeopleSoft Signon screen
        • Authenticate with UWDIR
        • Enables us to integrate authentication with one password system
    • 9. Loading User Information
      • Nightly process adds and removes users
      • Internal passwords are irrelevant for external authentication strategies
      • Load PeopleSoft security tables
      • Diagram labels: UWDIR, Application Engine
    • 10. Implementation
      • Technical Walkthrough of the Implementation Steps
    • 11. Understanding the Signon Process
      • Diagram labels: Signon Page, Perl Script, Main Menu, UWDIR, Internal Authentication, Signon PeopleCode
    • 12. Implementation Steps
      • Modify the PeopleSoft Signon page
      • Write a Perl script to perform authentication with UWDIR and securely communicate result to PeopleSoft
      • Write a Signon PeopleCode function to enforce the result of the authentication
    • 13. Signon Page
      • PeopleSoft web servlet retrieves signin.html from the Web Server and delivers it to the client
    • 14. Signon Page
      • Servlet replaces embedded variables with PeopleSoft parameters before delivery
      • Dynamic paths, error messages, etc.
    • 15. Signon Page
      • Modify form to post data to our own Perl script instead of to PeopleSoft servlet
      • Pass the location of the PeopleSoft servlet to the script as part of the path
    • 16. Signon Page
      • Results of our HTML modifications
      • Make use of PeopleSoft Style Sheets and error messages
    • 17. Perl Script
      • Accepts data entered in Signon page
      • Performs authentication with the NT Domain using SMB library
      • If authentication is successful
        • Generates random cookie file name
        • Writes a cookie file on the Web Server with the generated file name
        • File contains UserId, IP address, and time stamp
      • If authentication fails
        • Cookie name is blank and file is not written
    • 18. Perl Script
      • Reads PATH_INFO to determine the URL of the PeopleSoft servlet
      • Appends additional parameters on PeopleSoft servlet URL
        • AUTH contains the cookie name
        • userid provides a fake user name to PeopleSoft
        • pwd provides a fake password to PeopleSoft
      • Redirects the user to this new URL avoiding PeopleSoft Signon
    • 19. Avoiding PeopleSoft Signon
      • PeopleSoft servlet sees the userid and pwd parameters and thinks the user filled in the Signon page
      • When the user is redirected to:
      • Internal Authentication is performed
      • Signon PeopleCode is executed to enforce the result of External Authentication
    • 20. Signon PeopleCode
      • Signon PeopleCode is a function created in Record Field PeopleCode
    • 21. Signon PeopleCode Function
      • Reads the AUTH parameter in the URL using the %Request object to determine the cookie file name
      • Ignores the userid parameter in the URL
      • Opens the cookie file and reads the UserId
      • Calls SetAuthenticationResult() and sets AuthResult to:
        • True to allow the user access with the specified UserId, trusting the Perl Script
        • False to deny access if AUTH parameter not present, file not found, or other problem occurs
    • 22. Enabling Signon PeopleCode
      • Add and Enable PeopleCode Function
      • Check ExecAuthFail because Internal Authentication will fail
      • Restart Application Server
    • 23. The Result
      • Brief Demonstration of Various Signon Scenarios
    • 24. The Result
      • User enters Signon information
    • 25. The Result
      • External Authentication fails
      • Signon PeopleCode rejects the Signon attempt
    • 26. The Result
      • External Authentication successful but user does not exist in PSOPRDEFN
      • Signon PeopleCode accepts login attempt but PeopleSoft rejects it because UserId is not found
    • 27. The Result
      • User attempts to access the URL to avoid Signon using a forged cookie
      • Signon PeopleCode rejects the Signon attempt because cookie file does not exist
    • 28. The Result
      • External Authentication successful and UserId exists in PSOPRDEFN
      • User successfully signs on
    • 29. Questions & Answers
      • Shankar Mattay -
      • Steve Sangster -