PeopleSoft Single Sign-On with SAML 2.0

Presentation on theme: "PeopleSoft Single Sign-On with SAML 2.0"— Presentation transcript:

1 PeopleSoft Single Sign-On with SAML 2.0
102170 Vlad Kaminsky Senior Consultant GNC Consulting, Inc. @gncinc

2 Agenda
Single Sign-On Overview
SAML-based SSO Infrastructure
PeopleSoft Customization
Tips and Lessons Learned
Q & A

3 Speaker Profile Vlad Kaminsky Senior Consultant GNC Consulting, Inc.
10 years of PeopleSoft Implementation, Upgrade and Customization experience

4 Single Sign-On Overview

5 Why Single Sign-On?
An average corporate user has 15 passwords
60% cannot memorize all their passwords
61% reuse their passwords among multiple applications
30% of all help desk calls are related to password resets
Helpdesk password resets cost on average $30 per reset
* Source: Ping Identity

6 Non-SSO Scenario
User names and passwords are stored in multiple databases
Users are required to enter their login credentials in each application
In theory this would be the most secure configuration if a strong, unique password is used in each system
In practice users are likely to use weaker passwords that are easier to remember
Multiple databases with user credentials increase the exposure to phishing or hacking
Multiple user names and passwords negatively affect user productivity and cause “password fatigue”
This is why this configuration is less common than…

7 LDAP Authentication
LDAP Authentication (Single Password) – using the same user name and password to access multiple applications
Supported in PeopleSoft out of the box with minimal configuration
User credentials are stored in the Directory Server
Users are still required to enter their login credentials in each application
This is not a true SSO but rather a single password authentication
Strong passwords are easier to enforce with just one password to remember

8 PeopleSoft-only SSO
Users are required to enter their login credentials only once when they access a PeopleSoft application
Users are still required to enter their login credentials in other applications

9 True SSO Scenario
True SSO – inputting the user name and password once and using multiple systems or applications without having to log in again
In this scenario users are only required to enter their credentials when being authenticated by the Identity Provider (IdP)
The IdP creates a security token for the user and this token is used to access protected resources within the Service Provider (SP)

10 Federated SSO Scenario
Federated SSO – signing on once and securely sharing user identity among multiple organizations and applications

11 Single Sign-On Benefits
Increased user productivity
Just one password to remember
No need to re-enter user credentials
Increased IT productivity
Fewer help desk calls about password resets = reduced IT costs
One place to control and audit user access
Improved Security
Passwords are not stored or managed externally
Easier to enforce strong passwords

12 SSO Security Consideration
The identity provider is a single point of failure, and also a single point of compromise: whoever controls an IdP session or the IdP signing key can reach every service provider that trusts it
Ideally SSO should be combined with strong authentication methods like smart cards and one-time password tokens
Password-protected screensavers should be used to mitigate the risk of leaving an unattended and unlocked workstation

13 Single Sign-On Summary
LDAP Authentication (Single Password) – using the same user name and password to access multiple applications
True SSO – inputting the user name and password once and using multiple systems or applications without having to log in again
Federated SSO – signing on once and securely sharing user identity among multiple organizations and applications

14 SAML-based SSO Infrastructure

15 What is SAML? Security Assertion Markup Language
XML-based framework for exchanging user security information
Developed by the OASIS Security Services Technical Committee
SAML 2.0 is the current version (ratified in 2005)
Typically used to enable Web SSO for enterprise users
Works with in-house and cloud service providers

16 SAML Concepts
Assertion – a package of authentication, attribute and authorization statements about a subject
Protocol – defines the requests and responses used to obtain assertions. E.g. the Authentication Request protocol
Binding – a way to transport SAML requests and responses over a lower-level protocol. E.g. HTTP POST
Profile – a combination of assertions, protocols and bindings that supports a defined use case. E.g. Web Browser SSO

17 SAML Response Token
<samlp:Response...>
  <Assertion...>
    <Issuer>...</Issuer>
    <ds:Signature...> ... </ds:Signature>
    <Subject>
      <NameID>TSAWYER</NameID>
    </Subject>
    <Conditions NotBefore="..." NotOnOrAfter="..."> </Conditions>
  </Assertion>
</samlp:Response>

18 SP-initiated SSO Profile
1. The user requests access to a protected SP resource. The request is redirected to the federation server to handle authentication.
2. The federation server sends an HTML form back to the browser with a SAML request for authentication from the IdP. The HTML form is automatically posted to the IdP's SSO service.
3. If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (e.g., ID and password) and the user logs on.
4. The IdP's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.
5. If the signature and the assertion are valid, and the response's InResponseTo matches the ID of the request the SP issued in step 2, the SP establishes a session for the user and redirects the browser to the target resource.

19 IdP-initiated SSO Profile
1. A user has logged on to the IdP.
2. The user clicks a link or otherwise requests access to a protected SP resource.
3. The IdP's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.
4. If the signature and the assertion are valid, the SP establishes a session for the user and redirects the browser to the target resource.
Because no SP request precedes the response in this profile, there is no InResponseTo to tie it to; the SP can only rely on the signature, the validity window, the audience and recipient checks, and its own replay cache of assertion IDs.

20 Is SAML supported in PeopleSoft?
Document ID (Updated on February 20, 2013)
In PeopleTools 8.4x SAML is not supported
In PeopleTools 8.5x SAML 1.1 is supported only for web services
SAML is not supported for external SSO
There are no plans to support SAML 2.0

21 PeopleSoft Customization

22 Client Environment
PeopleSoft HCM 9.1 hosted in the cloud
PeopleTools 8.51
LDAP Authentication
Domain Users
External Users
Active Directory and AD FS

23 Project Goals
Enable SSO in PeopleSoft with SAML 2.0
Minimize the solution footprint
SAML library in signon PeopleCode
No third-party federation products
IdP-initiated SSO profile
Support for domain users and external users

24 IdP-initiated SSO Profile
We implemented an identity provider initiated SSO. In an IdP-initiated scenario, the user visits an IdP where they are already authenticated, using a specialized link. The IdP builds an assertion representing the user's authentication state at the IdP and sends the user's browser over to the SP's assertion consumer service (ACS) using the HTTP POST binding. The ACS processes the assertion and creates a local security context for the user at the SP.
The processing is as follows:
1. The AD FS server challenges the user for credentials.
2. The user provides their credentials to the AD FS server.
3. The user navigates to the SSO service at the identity provider using the specialized HCM SSO link.
4. The SSO service validates the request and responds with a document containing an HTML form. The value of the SAMLResponse parameter is the Base64 encoding of the Response element.
5. The user agent issues a POST request to the assertion consumer service at the service provider.
6. The assertion consumer service processes the response, creates a security context at the service provider and redirects the user agent to the target resource.

25 Implementation Details
AD FS configuration
PeopleSoft configuration
SAML Authentication PeopleCode

26 AD FS Configuration
The IdM team configured AD FS for IdP-initiated SSO. We provided the Target URL and they configured the SSO URL.
Target URL – the HCM home page
https://hcm.acme.com/psp/hcm9prod/EMPLOYEE/HRMS/h/?tab=DEFAULT
SSO URL – used to initiate SSO access
https://idm.acme.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=HCM9PROD
AD FS Metadata – contains the public key and other IdP information
https://idm.acme.com/FederationMetadata/ /FederationMetadata.xml

27 PeopleSoft Configuration
Signon PeopleCode
Public User
Web Profile
PIA Site
Digital Certificate
Content Files
Java Files

28 Signon PeopleCode

29 Public User Profile

30 Web Profile: Security

31 Web Profile: Look and Feel
Page          HTML                  Action
Expire        expire.html           Redirect to the SSO URL
Exception     exception.html        Display the exception details
Signon        signon.html
Signon Error  z_signonerror.html    Display the error details
Logout        signin.html

32 Digital Certificate
Add the AD FS X.509 Certificate (Public Key)
Should be communicated by the IdM team
Can be extracted from the AD FS Metadata

33 OpenSAML Java Library OpenSAML - open source C++ & Java libraries meant to support developers working with SAML Documentation and Downloads https://wiki.shibboleth.net/confluence/display/OpenSAML/Home/

34 SAML_AUTHENTICATION Function
Based on the delivered WWW_AUTHENTICATION function
Trusts that AD FS authenticated the user
Expects that AD FS passed the SAML assertion
Retrieves the SAML response from the %Request object
Validates the response and the assertion
Validates the User ID from the assertion
SetAuthenticationResult sets the session to the User ID

35 SAML_AUTHENTICATION Function
Function SAML_AUTHENTICATION()
   /* Skip if another signon function already authenticated the user */
   If %PSAuthResult = True And
         &authMethod <> "LDAP" Then
      Local string &defaultUserId = "PUBLIC_USER";
      /* Only the public user of the SSO site arrives here with a SAMLResponse */
      If %SignonUserId = &defaultUserId Then
         Local ResponseProxy &responseProxy = create ResponseProxy();
         Local AssertionProxy &assertionProxy = create AssertionProxy(&responseProxy);
         Local ResponseValidator &responseValidator = create ResponseValidator();
         Local NameIDValidator &nameIDValidator = create NameIDValidator();
         try
            /* Validate the response and user ID */
            &responseValidator.Validate(&responseProxy);
            &nameIDValidator.Validate(&assertionProxy.NameID);
            /* Authentication successful */
            SetAuthenticationResult( True, &assertionProxy.NameID, "", False);
            &authMethod = "SAML";
         catch Exception &e
            /* Authentication unsuccessful: stay the public user and show the error */
            SetAuthenticationResult( False, &defaultUserId, &e.ToString( False), False);
         end-try;
      End-If;
   End-If;
End-Function;
The SAML_AUTHENTICATION function trusts that the AD FS server authenticated the user and passed the SAML assertion on to the app server. This function retrieves the SAML response from %Request. The app server validates the assertion and reads the PS user ID from the assertion. Once the user ID is validated, SetAuthenticationResult sets the user context. Otherwise, the error is displayed to the user.

36 Custom Application Package
Proxy Classes are PeopleCode interfaces to OpenSAML Java classes
ResponseValidator verifies whether the SAML response can be trusted
NameIDValidator verifies whether the user has an unlocked user profile and is an active employee or has a special role

37 ResponseProxy Class
An interface to the OpenSAML Response Java class
class ResponseProxy
   method ResponseProxy();
   property JavaObject StatusCode get;
   property JavaObject Assertion get;
private
   instance JavaObject &response;
end-class;
The corresponding Response XML element
<samlp:Response...>
  <Issuer...>...</Issuer>
  <samlp:Status>
    <samlp:StatusCode... />
  </samlp:Status>
  <Assertion...>
  </Assertion>
</samlp:Response>

38 ResponseProxy Constructor
Extracts the SAMLResponse parameter from the %Request object Decodes the Base64-encoded response Unmarshalls the XML (parses and converts it to a Java object)

39 Unmarshalling SAML Response
/* Get the request parameter */
&requestParameter = %Request.GetParameter("SAMLResponse");
/* Initialize the library */
GetJavaClass("org.opensaml.DefaultBootstrap").bootstrap();
/* Get the SAML schema used to validate the parsed document */
&schema = GetJavaClass("org.opensaml.common.xml.SAMLSchemaBuilder").getSAML11Schema();
/* Get parser pool manager */
&parserPoolManager = CreateJavaObject("org.opensaml.xml.parse.BasicParserPool");
&parserPoolManager.setNamespaceAware( True);
&parserPoolManager.setIgnoreElementContentWhitespace( True);
&parserPoolManager.setSchema(&schema);

40 Unmarshalling SAML Response
/* Base64-decode the SAMLResponse parameter and parse it with schema validation */
&decodedResponse = GetJavaClass("org.opensaml.xml.util.Base64").decode(&requestParameter);
&inputStreamResponse = CreateJavaObject("java.io.ByteArrayInputStream", &decodedResponse);
&document = &parserPoolManager.parse(&inputStreamResponse);
&element = &document.getDocumentElement();
/* Get the appropriate unmarshaller */
&unmarshallerFactory = GetJavaClass("org.opensaml.xml.Configuration").getUnmarshallerFactory();
&unmarshaller = &unmarshallerFactory.getUnmarshaller(&element);
/* Unmarshall using the document root element */
%This.response = GetJavaClass("com.acme.hcm.TypeCastHelper").castToResponse(&unmarshaller.unmarshall(&element));

41 AssertionProxy Class
An interface to the OpenSAML Assertion Java class
class AssertionProxy
   method AssertionProxy(&responseProxy As Z_SECURITY:SAML20:ResponseProxy);
   property JavaObject Issuer get;
   property JavaObject Signature get;
   property string NameID get;
   property JavaObject Recipient get;
   property JavaObject NotBefore get;
   property JavaObject NotOnOrAfter get;
   property JavaObject Audience get;
private
   instance Z_SECURITY:SAML20:ResponseProxy &parent;
end-class;

42 Assertion XML Element
The corresponding Assertion XML element
<Assertion...>
  <Issuer>http://idm.acme.com/adfs/services/trust</Issuer>
  <ds:Signature...> ... </ds:Signature>
  <Subject>
    <NameID>TSAWYER</NameID>
    <SubjectConfirmation...>
      <SubjectConfirmationData NotOnOrAfter="..." Recipient="..." />
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="..." NotOnOrAfter="...">
    <AudienceRestriction>
      <Audience>HCM9PROD</Audience>
    </AudienceRestriction>
  </Conditions>
</Assertion>

43 SignatureValidatorProxy Class
An interface to the OpenSAML SignatureValidator Java class
class SignatureValidatorProxy
   method SignatureValidatorProxy();
   method ValidateSignature(&signature As JavaObject);
   method RefreshCertificateData();
   property string CertificateData get;
private
   instance JavaObject &signatureValidator;
end-class;

44 SignatureValidatorProxy Method
Creates an X.509 digital certificate object
Derives the public key used to validate the signature
Creates an X.509 credential
Creates the SignatureValidator object

45 Creating X.509 Digital Certificate
/* Create X.509 digital certificate from the PEM data read from the keystore */
&certificateData = CreateJavaObject("java.lang.String", %This.CertificateData).getBytes();
&inputStreamCertificate = CreateJavaObject("java.io.ByteArrayInputStream", &certificateData);
&certificateFactory = GetJavaClass("java.security.cert.CertificateFactory").getInstance("X.509");
&certificate = GetJavaClass("com.acme.hcm.TypeCastHelper").castToX509Certificate(&certificateFactory.generateCertificate(&inputStreamCertificate));

46 Getting Certificate from Storage
Local string &certificateData;
Local ApiObject &certificate;
Local ApiObject &session = GetSession();
Local string &certType = "ROOT";
Local string &certAlias = "ADFS Signing - idm.acme.com";
/* Connect to the application server */
&session.Connect(1, "EXISTING", "", "", 0);
/* Get the certificate from the storage */
&certificate = &session.keyStore.GetCertificate(&certType, &certAlias);
/* Get the PEM certificate data */
&certificateData = &certificate.toPKCS7();
/* Set unserializable object to null */
&certificate = Null;

47 Creating SignatureValidator
/* Generate public key to validate signature */
&publicKeySpec = CreateJavaObject("java.security.spec.X509EncodedKeySpec", &certificate.getPublicKey().getEncoded());
&keyFactory = GetJavaClass("java.security.KeyFactory").getInstance("RSA");
&publicKey = &keyFactory.generatePublic(&publicKeySpec);
/* Create a credential */
&publicCredential = CreateJavaObject("org.opensaml.xml.security.x509.BasicX509Credential");
&publicCredential.setPublicKey(&publicKey);
/* Create SignatureValidator */
&signatureValidator = CreateJavaObject("org.opensaml.xml.signature.SignatureValidator", &publicCredential);

48 SAML Response Validation
The token is correctly formatted
The token has been received within its validity period
The token has not been tampered with
The token is coming from the intended authority
The token is meant for the current application
Not on this list is replay detection: with IdP-initiated SSO there is no InResponseTo to tie a response to a request, so a captured SAMLResponse can be posted again until NotOnOrAfter passes unless the SP remembers the assertion IDs it has already consumed

49 ResponseValidator Class
This class verifies whether the SAML response can be trusted
class ResponseValidator
   method ResponseValidator();
   method Validate(&responseProxy As Z_SECURITY:SAML20:ResponseProxy);
private
   method ValidateResponseStatus(&responseProxy As Z_SECURITY:SAML20:ResponseProxy);
   method ValidateNotBefore(&assertionProxy As Z_SECURITY:SAML20:AssertionProxy);
   method ValidateNotOnOrAfter(&assertionProxy As Z_SECURITY:SAML20:AssertionProxy);
   method ValidateSignature(&assertionProxy As Z_SECURITY:SAML20:AssertionProxy);
   method ValidateIssuer(&assertionProxy As Z_SECURITY:SAML20:AssertionProxy);
   method ValidateRecipient(&assertionProxy As Z_SECURITY:SAML20:AssertionProxy);
   method ValidateAudience(&assertionProxy As Z_SECURITY:SAML20:AssertionProxy);
   method ValidateCertificate(&assertionProxy As Z_SECURITY:SAML20:AssertionProxy);
end-class;

50 ValidateSignature Method
method ValidateSignature
   /+ &assertionProxy as Z_SECURITY:SAML20:AssertionProxy +/
   Local Z_SECURITY:SAML20:SignatureValidatorProxy &signatureValidatorProxy = create Z_SECURITY:SAML20:SignatureValidatorProxy();
   &signatureValidatorProxy.ValidateSignature(&assertionProxy.Signature);
end-method;

51 NameID Validation
The user has an unlocked user profile in PeopleSoft
The user is an active employee or has a special role

52 NameIDValidator Class
This class verifies whether the user is authorized to access PeopleSoft.
class NameIDValidator
   method NameIDValidator();
   method Validate(&NameID As string);
private
   method ValidateProfileAttribute(&SQL As string, &NameID As string) Returns boolean;
   method PersonProfileExists(&NameID As string) Returns boolean;
   method PersonProfileActive(&NameID As string) Returns boolean;
   method UserProfileExists(&NameID As string) Returns boolean;
   method UserProfileActive(&NameID As string) Returns boolean;
   method UserProfileSpecial(&NameID As string) Returns boolean;
end-class;

53 Validate Method
method Validate
   /+ &NameID as String +/
   /* No person record and no special role: the assertion names nobody we know */
   If Not %This.PersonProfileExists(&NameID) And
         Not %This.UserProfileSpecial(&NameID) Then
      throw create Z_SECURITY:Exception:PersonProfileMissingException(&NameID);
   End-If;
   /* Active employee who was never given a user profile */
   If %This.PersonProfileActive(&NameID) And
         Not %This.UserProfileExists(&NameID) Then
      throw create Z_SECURITY:Exception:UserProfileMissingException(&NameID);
   End-If;
   /* Locked user profile, or an inactive employee without a special role.
      The slide text breaks off after the final "And"; the remainder of the
      condition is reconstructed from the rule on the NameID Validation slide. */
   If Not %This.UserProfileActive(&NameID) Or
         (Not %This.PersonProfileActive(&NameID) And
            Not %This.UserProfileSpecial(&NameID)) Then
      throw create Z_SECURITY:Exception:AccessNotAuthorizedException(&NameID);
   End-If;
end-method;
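
The three rules of the Validate method above, as an added Python example run against an in-memory SQLite database. This is not the presentation's PeopleCode and does not use PeopleSoft's real record names: the person, user_profile and role_user tables, the role name Z_SSO_CONTRACTOR, and the assumption that the NameID is both the user ID and the employee ID are all hypothetical, and the rows are constructed to hit every branch. Separating this authorization step from the SAML validation matters because a valid assertion from AD FS only proves who the user is; whether that person may sign on to HCM is decided here.

```python
import sqlite3

# Simplified, hypothetical tables standing in for the PeopleSoft person and user profile
# data the slides query. They are NOT the real PeopleSoft record names.
SCHEMA = """
CREATE TABLE person (emplid TEXT PRIMARY KEY, hr_status TEXT);         -- 'A' active, 'I' inactive
CREATE TABLE user_profile (oprid TEXT PRIMARY KEY, acctlock INTEGER);  -- 1 = locked
CREATE TABLE role_user (oprid TEXT, rolename TEXT);
"""
SPECIAL_ROLES = ("Z_SSO_CONTRACTOR",)  # assumed name for the "special role" on the slides


class PersonProfileMissingException(Exception): pass
class UserProfileMissingException(Exception): pass
class AccessNotAuthorizedException(Exception): pass


class NameIDValidator:
    """Decides whether the NameID from an already-validated assertion may sign on."""

    def __init__(self, conn):
        self.conn = conn

    def _exists(self, sql, params):
        return self.conn.execute(sql, params).fetchone() is not None

    def person_profile_exists(self, n):
        return self._exists("SELECT 1 FROM person WHERE emplid = ?", (n,))

    def person_profile_active(self, n):
        return self._exists("SELECT 1 FROM person WHERE emplid = ? AND hr_status = 'A'", (n,))

    def user_profile_exists(self, n):
        return self._exists("SELECT 1 FROM user_profile WHERE oprid = ?", (n,))

    def user_profile_active(self, n):
        return self._exists("SELECT 1 FROM user_profile WHERE oprid = ? AND acctlock = 0", (n,))

    def user_profile_special(self, n):
        marks = ",".join("?" * len(SPECIAL_ROLES))
        return self._exists("SELECT 1 FROM role_user WHERE oprid = ? AND rolename IN (%s)" % marks,
                            (n,) + SPECIAL_ROLES)

    def validate(self, name_id):
        # Nobody by that ID: neither an employee record nor a specially authorized user
        if not self.person_profile_exists(name_id) and not self.user_profile_special(name_id):
            raise PersonProfileMissingException(name_id)
        # Active employee who was never given a PeopleSoft user profile
        if self.person_profile_active(name_id) and not self.user_profile_exists(name_id):
            raise UserProfileMissingException(name_id)
        # Locked user profile, or an inactive employee without a special role
        if not self.user_profile_active(name_id) or (
                not self.person_profile_active(name_id) and not self.user_profile_special(name_id)):
            raise AccessNotAuthorizedException(name_id)
        return name_id


def decision(validator, name_id):
    """Return "OK" or the exception class name, i.e. what the signon error page would report."""
    try:
        validator.validate(name_id)
        return "OK"
    except (PersonProfileMissingException, UserProfileMissingException,
            AccessNotAuthorizedException) as exc:
        return type(exc).__name__


def demo_db():
    """Constructed sample data covering each branch of validate()."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO person VALUES (?, ?)",
                     [("TSAWYER", "A"), ("HFINN", "I"), ("BTHATCHER", "A"), ("PWILKS", "A")])
    conn.executemany("INSERT INTO user_profile VALUES (?, ?)",
                     [("TSAWYER", 0), ("HFINN", 0), ("PWILKS", 1), ("JHARPER", 0), ("MTWAIN", 0)])
    conn.executemany("INSERT INTO role_user VALUES (?, ?)", [("JHARPER", "Z_SSO_CONTRACTOR")])
    return conn
```

JHARPER is the external-user case from the project goals: no employee record, admitted only through the special role. MTWAIN has a user profile but neither an employee record nor the role, so the first rule rejects the ID before the profile is ever consulted.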

54 Tips and Lessons Learned

55 Tips and Lessons Learned
We redirected users from the old PIA site to the new SSO site for a seamless transition
A non-SSO PIA site was created so administrative users could sign in with different user IDs for troubleshooting
We hid the Sign Out link as we did not implement the SAML Single Logout profile

56 Language Code
The sign on page where users normally select their preferred language is not available
The users select the preferred language on the My System Profile page
Admin users can change the language on the User Profile page
We set the language code on the public user profile to blank (via SQL) so it does not override the user's language code

57 Helper Java Classes
PeopleCode does not support the type casting that is available in Java
PeopleCode cannot call an overloaded Java method when the only difference between the overloaded versions is the parameter type
A workaround is to write simple helper classes in Java, or to use reflection

58 Helper Java Classes
// TypeCastHelper.java
package com.acme.hcm;

import java.security.cert.X509Certificate;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;

public final class TypeCastHelper {
    public static Assertion castToAssertion(Object o) { return (Assertion) o; }
    // ...
    public static Response castToResponse(Object o) { return (Response) o; }
    public static X509Certificate castToX509Certificate(Object o) { return (X509Certificate) o; }
}

// MethodOverloadHelper.java
package com.acme.hcm;

import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

public final class MethodOverloadHelper {
    /* Selects the Signature overload of validate(), which PeopleCode cannot do by itself */
    public static void validateSignature(SignatureValidator signatureValidator, Signature signature)
            throws ValidationException {
        signatureValidator.validate(signature);
    }
}

59 Using Helper Java Classes
get Assertion
   /+ Returns JavaObject +/
   Return GetJavaClass("com.acme.hcm.TypeCastHelper").castToAssertion(%This.response.getAssertions().get(0));
end-get;

method ValidateSignature
   /+ &signature as JavaObject +/
   GetJavaClass("com.acme.hcm.MethodOverloadHelper").validateSignature(%This.signatureValidator, &signature);
end-method;

60 Reviewing SAML Response
We used Notepad++ for Base64 decoding and XML formatting

61 Q & A

62 102170

