PEGRight deployed a proven integration pattern to SAML-enable the PeopleSoft suite of applications. The solution utilizes the PingFederate Service Provider (SP) endpoint to receive a SAMLv2 assertion from any SAMLv2-compliant SSO Identity Provider (IdP), for example PingOne, OneLogin, Okta, or CA SiteMinder. Using PingFederate’s OpenToken for last-mile integration, the contents of the SAMLv2 assertion are delivered to PeopleSoft. The solution allows the traditional PeopleSoft login screen to be bypassed for SSO-enforced users, while continuing to support direct access to the Administrative Console.
Here is the high-level flow:
And here are the implementation steps:
- Update the PeopleSoft WebLogic web server with a Java Filter that processes incoming HTTP Servlet requests. The Java Filter implements logic to detect when a redirect to PingFederate is needed requesting SSO. In brief, the Java Filter will check for either an existing PeopleSoft browser session, or the presence of an OpenToken in the request. If neither exists, the user is redirected to the PingFederate SSO SP server that will handle requesting authentication via any SSO IdP Server using the SAMLv2 protocol.
- Update the PeopleSoft WebLogic application server to leverage the delivered OpenToken for handling authentication. This requires the development of a Signon PeopleCode function for handling the OpenToken. This function will fetch the user’s identity from the OpenToken, and can still integrate with a back-end AD/LDAP directory to validate the user and retrieve additional attributes and roles. For security the OpenToken will be sent in a Secure (HTTPS-only) cookie, and that cookie must be scoped to a domain shared by the PingFederate SSO SP server and the PeopleSoft web server so that the browser presents it to PeopleSoft.
- Configure the PingFederate SSO SP server with a PeopleSoft connection to request authentication via an SSO IdP Server. The configuration will also receive the SAMLv2 assertion from the SSO IdP Server and mediate its contents into an OpenToken that is sent to the PeopleSoft server, where the Java Filter and the Signon PeopleCode will process the user identity and create a PS_TOKEN session within PeopleSoft.
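As an added illustration of the first step (this is example code, not PEGRight’s or Ping Identity’s own filter), here is a servlet `Filter` that makes the decision described above: pass the request through when a PeopleSoft session or an OpenToken cookie is present, otherwise redirect to PingFederate to start SP-initiated SSO. It assumes the standard `javax.servlet` API, PingFederate’s `/sp/startSSO.ping` endpoint with the `PartnerIdpId` and `TargetResource` parameters, a `PS_TOKEN` cookie as the marker of an existing PeopleSoft session, and hypothetical init-param names (`pingFederateBaseUrl`, `partnerIdpId`, `openTokenCookieName`, `bypassPathPrefix`) set in `web.xml`. The filter deliberately never verifies the OpenToken itself; that stays with the Signon PeopleCode that holds the OpenToken key.

```java
// Added example, not PEGRight's or Ping Identity's code. Assumed names:
// init-params pingFederateBaseUrl, partnerIdpId, openTokenCookieName, bypassPathPrefix;
// PingFederate SP-initiated SSO endpoint /sp/startSSO.ping (PartnerIdpId, TargetResource).
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SsoRedirectFilter implements Filter {
    private String pingFederateBaseUrl; // e.g. https://sso.example.com:9031 (constructed value)
    private String partnerIdpId;        // entity ID of the IdP connection configured in PingFederate
    private String openTokenCookieName; // cookie carrying the OpenToken; "opentoken" if unset
    private String bypassPathPrefix;    // path left alone for Administrative Console direct access

    @Override
    public void init(FilterConfig cfg) {
        pingFederateBaseUrl = required(cfg, "pingFederateBaseUrl");
        partnerIdpId = required(cfg, "partnerIdpId");
        openTokenCookieName = optional(cfg, "openTokenCookieName", "opentoken");
        bypassPathPrefix = optional(cfg, "bypassPathPrefix", null);
    }

    private static String required(FilterConfig cfg, String name) {
        String v = cfg.getInitParameter(name);
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException("missing init-param " + name);
        }
        return v;
    }

    private static String optional(FilterConfig cfg, String name, String dflt) {
        String v = cfg.getInitParameter(name);
        return (v == null || v.isEmpty()) ? dflt : v;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Administrative Console direct access: an explicitly configured path prefix is
        // never redirected, so administrators can still reach the native login screen.
        String path = request.getRequestURI();
        if (bypassPathPrefix != null && path.startsWith(bypassPathPrefix)) {
            chain.doFilter(req, res);
            return;
        }

        // Existing PeopleSoft session (PS_TOKEN) or an OpenToken to be consumed by
        // Signon PeopleCode: pass through. Presence is all the filter checks; PeopleSoft
        // validates PS_TOKEN and the PeopleCode verifies the OpenToken's signature.
        if (hasCookie(request, "PS_TOKEN") || hasCookie(request, openTokenCookieName)) {
            chain.doFilter(req, res);
            return;
        }

        // Neither present: start SP-initiated SSO at PingFederate. TargetResource is built
        // from the request itself, never from a caller-supplied parameter, so the filter
        // cannot be turned into an open redirector.
        String target = request.getRequestURL().toString();
        if (request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        String ssoUrl = pingFederateBaseUrl + "/sp/startSSO.ping"
                + "?PartnerIdpId=" + URLEncoder.encode(partnerIdpId, "UTF-8")
                + "&TargetResource=" + URLEncoder.encode(target, "UTF-8");
        response.sendRedirect(ssoUrl);
    }

    // True when a non-empty cookie with the given name accompanies the request.
    private static boolean hasCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
    }
}
```

Map the filter in `web.xml` ahead of the PeopleSoft servlets and restrict the `bypassPathPrefix` to the administrative path only; everything else then requires either a live PeopleSoft session or an OpenToken issued by PingFederate. Because the redirect target is derived from the incoming request URL, a user who bookmarks a deep link lands back on that page after the IdP authenticates them, without the filter ever honouring a redirect destination supplied by the client.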
That’s pretty much it – those are the steps to SAML-enable a PeopleSoft on-premise deployment using PingFederate. Contact us if you have questions or if you need help making the most of your Ping Identity investment.