
Setting Up Oracle Access Manager Single Sign-On for PeopleSoft

In document Oracle Access Manager (Page 85-91)

It then generates the PS_TOKEN, which contains the same information.

9. PeopleSoft generates the application pages, subject to further authorization verification within PeopleSoft.

Supported Version and Platforms

This chapter describes the integration of Oracle Access Manager 10g (10.1.4.0.1) with PeopleTools 8.47 and PeopleSoft Applications (HCM 8.9). However, any references to specific versions and platforms in this chapter are for demonstration purposes. To see the supported versions and platforms for this integration, refer to Metalink, as follows.

To view information on Metalink

1. Go to the following URL:

http://metalink.oracle.com

2. Click the Certify tab.

3. Click View Certifications by Product.

4. Select the Application Server option and click Submit.

5. Choose Oracle Application Server and click Submit.

Preparing Your Environment

Before you can integrate Oracle Access Manager with PeopleSoft, complete the following steps to prepare your environment.

Task overview: Preparing for the PeopleSoft integration

1. Install a supported directory server, according to vendor instructions.

2. Install and configure Oracle Access Manager using the directory server from the previous step as the LDAP repository.

3. Ensure that the PeopleSoft application pages are delivered using an HTTP Server.

4. Configure the Web browser to allow cookies, according to vendor instructions.

5. Follow the instructions in "Setting Up Oracle Access Manager Single Sign-On for PeopleSoft" on page 7-5.

6. Follow the instructions in "Setting up PeopleSoft for Single Sign-On with Oracle Access Manager" on page 7-8.

Setting Up Oracle Access Manager Single Sign-On for PeopleSoft

The following procedure describes setting up Oracle Access Manager single sign-on for PeopleSoft.

See also: For more information on creating policy domains, policies, and associated authentication and authorization schemes, see the Oracle Access Manager Access System Administration Guide.


To set up Oracle Access Manager for the PeopleSoft integration

1. Install and configure Oracle Access Manager on a supported platform, using a supported LDAP server.

See the Oracle Access Manager Installation Guide for details.

2. Install a WebGate on the PeopleSoft HTTP Server.

Do not install the WebGate on an application server that supports HTTP services, for example, WebLogic. If your PIA application server is WebSphere or WebLogic, install an HTTP server, for example, Apache, iPlanet, or Oracle HTTP Server. You also need to configure the PIA so that PeopleSoft application pages can be accessed and are rendered through the HTTP server.

3. Create a host identifier for the PeopleSoft HTTP Server.

From the Access System landing page, select the Access System Console, click Access System Configuration, click Host Identifiers, and add information about the server.

4. Create a policy domain and policies to restrict access to PeopleSoft URLs.

From the Access System landing page, select the Policy Manager, then click Create Policy Domain, and define a policy domain and policies.

The policy domain should protect all PeopleSoft URLs that users access. For example, if you use PeopleSoft Portal to consolidate access to various PeopleSoft applications, the policy must protect the portal and application URLs.

URL prefix formats are specific to your PeopleSoft implementation. For example, the version 8.47 URLs have the format /PORTAL/ps, HRMS/ps, and so on. The following screen shot illustrates a PeopleSoft policy domain.

5. After saving the new policy domain, define an authorization rule that controls who has access to the PeopleSoft resources.

If you are already viewing the new policy domain, click Authorization rules. Otherwise, click My Policy Domains, click the link for the policy domain, and click Authorization rules.


6. Define an authentication rule, for example, Oracle Access and Identity Basic Over LDAP, form authentication, and so on.

If you are already viewing the new policy domain, click Default Rules, then click Authentication Rule. Otherwise, click My Policy Domains, click the link for the policy domain, and click Default Rules, then click Authentication Rule.

The following is a screen shot of an Authentication Rule configuration page.

7. Define an authorization action that sets a custom HTTP header variable upon successful authorization.

If you are already viewing the new policy domain, click Authorization Rules, then click Actions. Otherwise, click My Policy Domains, click the link for the policy domain, click Authorization Rules, then click Actions.

The header variable should contain a value that maps to the PeopleSoft user ID. The following is a screen shot of a saved authorization action.


8. Define an access policy and add the PeopleSoft resources to it.

If you are already viewing the new policy domain, click Policies, then click Add. Otherwise, click My Policy Domains, click the link for the policy domain, click Policies, then click Add.

The following is a screen shot of a saved policy.

Setting up PeopleSoft for Single Sign-On with Oracle Access Manager

The following procedure describes setting up PeopleSoft for integration with Oracle Access Manager.

To set up PeopleSoft for integration with Oracle Access Manager

1. Configure PeopleSoft to allow public access.

To do this, you modify the Web profile for the PeopleSoft environment that you are securing. In PeopleTools 8.47, the Web profile definition contains all the information that PIA needs to render the PeopleSoft pages.


To allow public (unprotected) access to PeopleSoft, PIA requires a PeopleSoft application user. PIA logs in using this application user and renders the PeopleSoft pages. In the Web profile, provide the user ID and password of a PeopleSoft user. Ensure that this user has minimal application privileges.

2. From the PeopleTools Application Designer, open the FUNCLIB_LDAP record.


3. In the getWWWAuthConfig() function, replace the value that is assigned to &defaultUserId with the user ID that you defined in the Web profile.

Function getWWWAuthConfig()
   /* Begin - New code to support Oracle Access Manager */
   /* authentication */
   /* NOTE: replace v01475 with the default userid */
   &defaultUserId = "v01475";
   /* &defaultUserId = ""; */
   /* End - New code to support Oblix authentication */
End-Function;

4. Add a new function that will read the HTTP header variable that is set by Oracle Access Manager, as indicated in the following code sample.

Function Oracle_Access_Manager_Authentication()
   /* Note: The following file will be written to the default path, */
   /* usually appserv/<instance name>/files */
   &logfile = GetFile("oamaccess.log", "A");
   If &logfile.IsOpen Then
      &logfile.WriteLine("INFO: Netpoint_Authentication_Profile started");
      &logfile.WriteLine(String(%Datetime));
      /* "|" is the PeopleCode string concatenation operator */
      &logfile.WriteLine("authMethod: " | &authMethod);
   End-If;
   /* Only act when PeopleSoft authentication succeeded and no other */
   /* signon PeopleCode (LDAP, COREID, SSO) has already handled the request */
   If %PSAuthResult = True And
         &authMethod <> "LDAP" And
         &authMethod <> "COREID" And
         &authMethod <> "SSO" Then
      If &logfile.IsOpen Then
         &logfile.WriteLine("INFO: AuthResult and AuthMethod ok.");
      End-If;
      getWWWAuthConfig();
      If &logfile.IsOpen Then
         &logfile.WriteLine("INFO: After get wwwauthconfig.");
         &logfile.WriteLine(&defaultUserId);
      End-If;
      /* Only the public (default) user session is switched to the SSO identity */
      If %SignonUserId = &defaultUserId Then
         If &logfile.IsOpen Then
            &logfile.WriteLine("INFO: %SignonUserId = &defaultUserId ");
         End-If;
         /* Read the user ID set in the HTTP header by the WebGate authorization action */
         &userID = %Request.GetHeader("PS_SSO_UID");
         If &logfile.IsOpen Then
            &logfile.WriteLine("INFO: After getting HTTPheader");
            &logfile.WriteLine(&userID);
         End-If;
         If &userID <> "" Then
            If &bConfigRead = False Then
               getLDAPConfig();
               If &logfile.IsOpen Then
                  &logfile.WriteLine("INFO: After getLDAPConfig()");
                  &logfile.WriteLine(&userID);
               End-If;
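The following Python model of the signon decision flow above is an added example, not the page's PeopleCode or Oracle's code. It mirrors the checks in Oracle_Access_Manager_Authentication() (authentication result, authentication method, default user match, PS_SSO_UID header) so the conditions under which the public session is switched to the WebGate-asserted identity can be exercised with sample inputs; the Request class, DEFAULT_USER_ID value and the log list are constructed for illustration.

```python
"""Model of the PeopleSoft signon PeopleCode flow that consumes the
PS_SSO_UID header set by the Oracle Access Manager WebGate.
Added example; not the page's PeopleCode."""
from dataclasses import dataclass, field

# Constructed values: the Web profile's public user, as set in getWWWAuthConfig()
DEFAULT_USER_ID = "v01475"
# Auth methods for which other signon PeopleCode has already handled the request
SKIP_AUTH_METHODS = {"LDAP", "COREID", "SSO"}
# Header name that the authorization action in the policy domain populates
SSO_HEADER = "PS_SSO_UID"


@dataclass
class Request:
    """Minimal stand-in for %Request (constructed for this example)."""
    headers: dict = field(default_factory=dict)

    def get_header(self, name: str) -> str:
        # %Request.GetHeader returns an empty string when the header is absent
        return self.headers.get(name, "")


def resolve_signon_user(ps_auth_result: bool, auth_method: str,
                        signon_user_id: str, request: Request,
                        log: list) -> str:
    """Return the user ID the session should run as, following the same
    gating order as the PeopleCode: auth result, auth method, default user,
    then the header. Any failed check leaves the current signon user in place."""
    log.append("INFO: Netpoint_Authentication_Profile started")
    log.append(f"authMethod: {auth_method}")
    # 1. PeopleSoft's own authentication must have succeeded, and no other
    #    signon PeopleCode may have handled the request already.
    if not ps_auth_result or auth_method in SKIP_AUTH_METHODS:
        return signon_user_id
    log.append("INFO: AuthResult and AuthMethod ok.")
    # 2. Only the public (default) user session is ever switched; a session
    #    already running as a real user is never re-mapped from the header.
    if signon_user_id != DEFAULT_USER_ID:
        return signon_user_id
    log.append("INFO: %SignonUserId = &defaultUserId")
    # 3. Read the identity the WebGate asserted; empty means no SSO header.
    user_id = request.get_header(SSO_HEADER)
    log.append(f"INFO: After getting HTTPheader: {user_id!r}")
    if user_id == "":
        return signon_user_id
    # The PeopleCode continues with getLDAPConfig() for this user.
    return user_id
```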
