Published in: Economy & Finance, Technology

  • Good morning. Thank you for being here. The purpose of our presentation is to show you the method we have developed for authenticating PeopleSoft users with a centralized password management system using CGI scripts.
  • Transcript

    • 1. PeopleSoft 8 Security
      • External Authentication Through CGI
      Shankar Mattay - smattay@uwaterloo.ca Steve Sangster - smsangst@uwaterloo.ca
    • 2. Agenda
      • University of Waterloo Environment
      • Security Strategy
      • Understanding the Signon Process
      • Implementation Steps
      • The Result
      • Questions & Answers
    • 3. University of Waterloo
      • Founded July 1957
      • 25000 Students
        • 20000 undergraduate students
        • 2000 graduate students
        • 3000 distance education students
      • 3500 Ongoing Employees
      • Best known for the largest co-op program in the world (approximately 10000 students)
    • 4. UW PeopleSoft Environment
      • HRMS and Payroll version 7.5
        • Currently upgrading to version 8.00
      • Student Administration version 7.6
      • Custom Application (ACCESS) developed using PeopleTools 8.15.01
    • 5. ACCESS
      • Co-operative Education & Career Services
      • 5000+ students per term use ACCESS on a rotating basis
      • Students use ACCESS to search for jobs and view application and interview information
      • Most UW applications use a centralized authentication system
    • 6. UWDIR
      • Centralized authentication system is called UWDIR
      • Contains:
        • Basic information for 50000+ users
        • Windows NT Domain (uwaterloo.ca) for central password storage and authentication
      • Challenge was to integrate ACCESS with UWDIR
    • 7. PeopleSoft Security Strategies
      • Internal Authentication
        • Users and Passwords are maintained within PeopleSoft
        • We cannot export passwords from UWDIR
      • Lightweight Directory Access Protocol
        • PeopleSoft supports out of the box
        • UW Active Directory is planned for future
      • Web Server Exit
        • Web Server performs authentication and passes user information to PeopleSoft, bypassing the PeopleSoft Signon screen
        • Requires maintaining multiple lists of users
    • 8. UW Security Strategy
      • External Authentication through CGI
        • Uses PeopleSoft Signon screen
        • Authenticate with UWDIR
        • Enables us to integrate authentication with one password system
    • 9. Loading User Information
      • Nightly process adds and removes users
      • Internal passwords are irrelevant for external authentication strategies
      • Load PeopleSoft security tables: PSOPRDEFN, PSOPRALIAS, PSOPRCLS, PSROLEUSER, PS_ROLEXLATOPR, PS_PERSONAL_DATA
      • Diagram labels: UWDIR, Application Engine
    • 10. Implementation
      • Technical Walkthrough of the Implementation Steps
    • 11. Understanding the Signon Process
      • Diagram labels: Signon Page, Perl Script, Main Menu, UWDIR, Internal Authentication, Signon PeopleCode
    • 12. Implementation Steps
      • Modify the PeopleSoft Signon page
      • Write a Perl script to perform authentication with UWDIR and securely communicate result to PeopleSoft
      • Write a Signon PeopleCode function to enforce the result of the authentication
    • 13. Signon Page
      • PeopleSoft web servlet retrieves signin.html from the Web Server and delivers it to the client
    • 14. Signon Page
      • Servlet replaces embedded variables with PeopleSoft parameters before delivery
      • Dynamic paths, error messages, etc.
    • 15. Signon Page
      • Modify form to post data to our own Perl script instead of to PeopleSoft servlet
      • Pass the location of the PeopleSoft servlet to the script as part of the path
    • 16. Signon Page
      • Results of our HTML modifications
      • Make use of PeopleSoft Style Sheets and error messages
    • 17. Perl Script
      • Accepts data entered in Signon page
      • Performs authentication with the NT Domain using SMB library
      • If authentication is successful
        • Generates random cookie file name
        • Writes a cookie file on the Web Server with the generated file name
        • File contains UserId, IP address, and time stamp
      • If authentication fails
        • Cookie name is blank and file is not written
    • 18. Perl Script
      • Reads PATH_INFO to determine the URL of the PeopleSoft servlet
      • Appends additional parameters on PeopleSoft servlet URL
        • AUTH contains the cookie name
        • userid provides a fake user name to PeopleSoft
        • pwd provides a fake password to PeopleSoft
      • Redirects the user to this new URL avoiding PeopleSoft Signon
    • 19. Avoiding PeopleSoft Signon
      • PeopleSoft servlet sees the userid and pwd parameters and thinks the user filled in the Signon page
      • When the user is redirected to:
      • Internal Authentication is performed
      • Signon PeopleCode is executed to enforce the result of External Authentication
    • 20. Signon PeopleCode
      • Signon PeopleCode is a function created in Record Field PeopleCode
    • 21. Signon PeopleCode Function
      • Reads the AUTH parameter in the URL using the %Request object to determine the cookie file name
      • Ignores the userid parameter in the URL
      • Opens the cookie file and reads the UserId
      • Calls SetAuthenticationResult() and sets AuthResult to:
        • True to allow the user access with the specified UserId, trusting the Perl Script
        • False to deny access if AUTH parameter not present, file not found, or other problem occurs
    • 22. Enabling Signon PeopleCode
      • Add and Enable PeopleCode Function
      • Check ExecAuthFail because Internal Authentication will fail
      • Restart Application Server
    • 23. The Result
      • Brief Demonstration of Various Signon Scenarios
    • 24. The Result
      • User enters Signon information
    • 25. The Result
      • External Authentication fails
      • Signon PeopleCode rejects the Signon attempt
    • 26. The Result
      • External Authentication successful but user does not exist in PSOPRDEFN
      • Signon PeopleCode accepts login attempt but PeopleSoft rejects it because UserId is not found
    • 27. The Result
      • User attempts to access the URL to avoid Signon using a forged cookie
      • Signon PeopleCode rejects the Signon attempt because cookie file does not exist
    • 28. The Result
      • External Authentication successful and UserId exists in PSOPRDEFN
      • User successfully signs on
    • 29. Questions & Answers
      • Shankar Mattay - smattay@uwaterloo.ca
      • Steve Sangster - smsangst@uwaterloo.ca
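
An added sketch, not part of the original slides and not the presenters' Perl or PeopleCode, that models both halves of the cookie-file handoff from slides 17 to 21 in Python. The slides only say the file holds UserId, IP address, and time stamp and that the Signon function reads the UserId; the JSON layout, the directory, the 30-second window, and the IP, age, and single-use checks are assumptions added here.

```python
import json, os, re, secrets, tempfile, time

# Assumed for this sketch: a directory only the web server account can read,
# and a short validity window. Neither value is given on the slides.
TICKET_DIR = tempfile.mkdtemp(prefix="signon-tickets-")
MAX_AGE = 30  # seconds
NAME_RE = re.compile(r"[0-9a-f]{32}")  # the only shape issue_ticket() emits


def issue_ticket(user_id, client_ip, now=None):
    """CGI side: call only after the external password check succeeded."""
    name = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    path = os.path.join(TICKET_DIR, name)
    # O_EXCL never reuses an existing file; 0o600 keeps other local users out.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        stamp = time.time() if now is None else now
        json.dump({"user": user_id, "ip": client_ip, "ts": stamp}, f)
    return name  # sent to the signon side as the AUTH parameter


def redeem_ticket(auth, client_ip, now=None):
    """Signon side: return the UserId to trust, or None to deny."""
    now = time.time() if now is None else now
    # AUTH comes from the URL, so accept only a bare ticket name. This blocks
    # path traversal before any filesystem call is made.
    if not isinstance(auth, str) or not NAME_RE.fullmatch(auth):
        return None
    claimed = os.path.join(TICKET_DIR, auth + ".used")
    try:
        # Atomic claim: of two concurrent requests with one AUTH, one wins.
        os.rename(os.path.join(TICKET_DIR, auth), claimed)
    except OSError:
        return None  # forged, already redeemed, or never issued
    try:
        with open(claimed) as f:
            ticket = json.load(f)
    except (OSError, ValueError):
        return None
    finally:
        os.remove(claimed)  # single use, even when a later check fails
    if not isinstance(ticket, dict) or ticket.get("ip") != client_ip:
        return None
    if not 0 <= now - ticket.get("ts", 0) <= MAX_AGE:
        return None
    return ticket.get("user") or None
```

A ticket is consumed on the first redemption attempt whether or not the IP and age checks pass, so a URL captured from browser history or a proxy log cannot be replayed.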
