Published on

Published in: Economy & Finance, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Good morning. Thank you for being here. The purpose of our presentation is to show you the method we have developed for authenticating PeopleSoft users with a centralized password management system using CGI scripts.
  • Tags

    1. 1. PeopleSoft 8 Security <ul><li>External Authentication Through CGI </li></ul>Shankar Mattay - smattay@uwaterloo.ca Steve Sangster - smsangst@uwaterloo.ca
    2. 2. Agenda <ul><li>University of Waterloo Environment </li></ul><ul><li>Security Strategy </li></ul><ul><li>Understanding the Signon Process </li></ul><ul><li>Implementation Steps </li></ul><ul><li>The Result </li></ul><ul><li>Questions & Answers </li></ul>
    3. 3. University of Waterloo <ul><li>Founded July 1957 </li></ul><ul><li>25000 Students </li></ul><ul><ul><li>20000 undergraduate students </li></ul></ul><ul><ul><li>2000 graduate students </li></ul></ul><ul><ul><li>3000 distance education students </li></ul></ul><ul><li>3500 Ongoing Employees </li></ul><ul><li>Best known for the largest co-op program in the world (approximately 10000 students) </li></ul>
    4. 4. UW PeopleSoft Environment <ul><li>HRMS and Payroll version 7.5 </li></ul><ul><ul><li>Currently upgrading to version 8.00 </li></ul></ul><ul><li>Student Administration version 7.6 </li></ul><ul><li>Custom Application (ACCESS) developed using PeopleTools 8.15.01 </li></ul>
    5. 5. ACCESS <ul><li>Co-operative Education & Career Services </li></ul><ul><li>5000+ students per term use ACCESS on a rotating basis </li></ul><ul><li>Students use ACCESS to search for jobs and view application and interview information </li></ul><ul><li>Most UW applications use a centralized authentication system </li></ul>
    6. 6. UWDIR <ul><li>Centralized authentication system is called UWDIR </li></ul><ul><li>Contains: </li></ul><ul><ul><li>Basic information for 50000+ users </li></ul></ul><ul><ul><li>Windows NT Domain (uwaterloo.ca) for central password storage and authentication </li></ul></ul><ul><li>Challenge was to integrate ACCESS with UWDIR </li></ul>
    7. 7. PeopleSoft Security Strategies <ul><li>Internal Authentication </li></ul><ul><ul><li>Users and Passwords are maintained within PeopleSoft </li></ul></ul><ul><ul><li>We cannot export passwords from UWDIR </li></ul></ul><ul><li>Lightweight Directory Access Protocol </li></ul><ul><ul><li>PeopleSoft supports out of the box </li></ul></ul><ul><ul><li>UW Active Directory is planned for future </li></ul></ul><ul><li>Web Server Exit </li></ul><ul><ul><li>Web Server performs authentication and passes user information to PeopleSoft, bypassing the PeopleSoft Signon screen </li></ul></ul><ul><ul><li>Requires maintaining multiple lists of users </li></ul></ul>
    8. 8. UW Security Strategy <ul><li>External Authentication through CGI </li></ul><ul><ul><li>Uses PeopleSoft Signon screen </li></ul></ul><ul><ul><li>Authenticate with UWDIR </li></ul></ul><ul><ul><li>Enables us to integrate authentication with one password system </li></ul></ul>
    9. 9. Loading User Information <ul><li>Nightly process adds and removes users </li></ul><ul><li>Internal passwords are irrelevant for external authentication strategies </li></ul>PSOPRDEFN PSOPRALIAS PSOPRCLS PSROLEUSER PS_ROLEXLATOPR PS_PERSONAL_DATA <ul><li>Load PeopleSoft security tables </li></ul>UWDIR Application Engine
    10. 10. Implementation <ul><li>Technical Walkthrough of the Implementation Steps </li></ul>
    11. 11. Understanding the Signon Process Signon Page Perl Script Main Menu UWDIR Internal Authentication Signon PeopleCode
    12. 12. Implementation Steps <ul><li>Modify the PeopleSoft Signon page </li></ul><ul><li>Write a Perl script to perform authentication with UWDIR and securely communicate result to PeopleSoft </li></ul><ul><li>Write a Signon PeopleCode function to enforce the result of the authentication </li></ul>
    13. 13. Signon Page <ul><li>PeopleSoft web servlet retrieves signin.html from the Web Server and delivers it to the client </li></ul>
    14. 14. Signon Page <ul><li>Servlet replaces embedded variables with PeopleSoft parameters before delivery </li></ul><ul><li>Dynamic paths, error messages, etc. </li></ul>
    15. 15. Signon Page <ul><li>Modify form to post data to our own Perl script instead of to PeopleSoft servlet </li></ul><ul><li>Pass the location of the PeopleSoft servlet to the script as part of the path </li></ul>
    16. 16. Signon Page <ul><li>Results of our HTML modifications </li></ul><ul><li>Make use of PeopleSoft Style Sheets and error messages </li></ul>
    17. 17. Perl Script <ul><li>Accepts data entered in Signon page </li></ul><ul><li>Performs authentication with the NT Domain using SMB library </li></ul><ul><li>If authentication is successful </li></ul><ul><ul><li>Generates random cookie file name </li></ul></ul><ul><ul><li>Writes a cookie file on the Web Server with the generated file name </li></ul></ul><ul><ul><li>File contains UserId, IP address, and time stamp </li></ul></ul><ul><li>If authentication fails </li></ul><ul><ul><li>Cookie name is blank and file is not written </li></ul></ul>
    18. 18. Perl Script <ul><li>Reads PATH_INFO to determine the URL of the PeopleSoft servlet </li></ul><ul><li>Appends additional parameters on PeopleSoft servlet URL </li></ul><ul><ul><li>AUTH contains the cookie name </li></ul></ul><ul><ul><li>userid provides a fake user name to PeopleSoft </li></ul></ul><ul><ul><li>pwd provides a fake password to PeopleSoft </li></ul></ul><ul><li>Redirects the user to this new URL avoiding PeopleSoft Signon </li></ul>
    19. 19. Avoiding PeopleSoft Signon <ul><li>PeopleSoft servlet sees the userid and pwd parameters and thinks the user filled in the Signon page </li></ul><ul><li>When the user is redirected to: </li></ul><ul><li>Internal Authentication is performed </li></ul><ul><li>Signon PeopleCode is executed to enforce the result of External Authentication </li></ul>
    20. 20. Signon PeopleCode <ul><li>Signon PeopleCode is a function created in Record Field PeopleCode </li></ul>
    21. 21. Signon PeopleCode Function <ul><li>Reads the AUTH parameter in the URL using the %Request object to determine the cookie file name </li></ul><ul><li>Ignores the userid parameter in the URL </li></ul><ul><li>Opens the cookie file and reads the UserId </li></ul><ul><li>Calls SetAuthenticationResult() and sets AuthResult to: </li></ul><ul><ul><li>True to allow the user access with the specified UserId, trusting the Perl Script </li></ul></ul><ul><ul><li>False to deny access if AUTH parameter not present, file not found, or other problem occurs </li></ul></ul>
    22. 22. Enabling Signon PeopleCode <ul><li>Add and Enable PeopleCode Function </li></ul><ul><li>Check ExecAuthFail because Internal Authentication will fail </li></ul><ul><li>Restart Application Server </li></ul>
    23. 23. The Result <ul><li>Brief Demonstration of Various Signon Scenarios </li></ul>
    24. 24. The Result <ul><li>User enters Signon information </li></ul>
    25. 25. The Result <ul><li>External Authentication fails </li></ul><ul><li>Signon PeopleCode rejects the Signon attempt </li></ul>
    26. 26. The Result <ul><li>External Authentication successful but user does not exist in PSOPRDEFN </li></ul><ul><li>Signon PeopleCode accepts login attempt but PeopleSoft rejects it because UserId is not found </li></ul>
    27. 27. The Result <ul><li>User attempts to access the URL to avoid Signon using a forged cookie </li></ul><ul><li>Signon PeopleCode rejects the Signon attempt because cookie file does not exist </li></ul>
    28. 28. The Result <ul><li>External Authentication successful and UserId exists in PSOPRDEFN </li></ul><ul><li>User successfully signs on </li></ul>
    29. 29. Questions & Answers <ul><li>Shankar Mattay - smattay@uwaterloo.ca </li></ul><ul><li>Steve Sangster - smsangst@uwaterloo.ca </li></ul>