Integrate PingFederate and PeopleSoft for standards-based single sign-on

PEGRight deployed a proven integration pattern to SAML-enable the PeopleSoft suite of applications. The solution utilizes the PingFederate Service Provider (SP) endpoint to receive a SAMLv2 assertion from any SAMLv2 compliant SSO Identity Provider (IdP), for example PingOne, OneLogin, Okta, CA SiteMinder. Using PingFederate’s OpenToken for last mile integration, the contents of the SAMLv2 assertion are delivered to PeopleSoft. The solution allows for the traditional PeopleSoft login screen to be bypassed for SSO-enforced users, as well as continuing support for Administrative Console direct access.

1. Update the PeopleSoft WebLogic web server with a Java Filter that processes incoming HTTP Servlet requests

The Java Filter implements logic to detect when a redirect to PingFederate is needed requesting SSO. In brief, the Java Filter will check for either an existing PeopleSoft browser session, or the presence of an OpenToken in the request. If neither exists, the user is redirected to the PingFederate SSO SP server that will handle requesting authentication via any SSO IdP Server using the SAMLv2 protocol.

2. Update the PeopleSoft WebLogic application server to leverage the delivered OpenToken for handling authentication

This requires the development of a Signon PeopleCode function for handling the OpenToken. This function will fetch the user’s identity from the OpenToken, and can still integrate with a back-end AD/LDAP to validate the user and retrieve additional attributes/roles/user goodness. For security the OpenToken will be sent in a secure cookie that must be on the same domain as the PingFederate SSO SP server.

3. Configure the PingFederate SSO SP server with a PeopleSoft connection to request authentication via an SSO IdP Server