Setting up Digital Certificates and Single Signon

This chapter discusses how to:

• Work with digital certificates.

• Set up single signon.

Working With Digital Certificates

The PeopleSoft system takes advantage of HTTPS, Secure Sockets Layer (SSL), and digital certificates to secure the transmission of data from the web server to an end user's web browser and also to secure the transmission of data between PeopleSoft servers and third-party servers (for business-to-business processing) over the internet.

PeopleSoft customers can implement PeopleSoft software using HTTP or HTTPS. The native SSL support in commercially available web browsers and web servers is used to provide HTTPS communication between the web browser and web server.

This section provides overviews of SSL and certificate authorities and discusses how to configure digital certificates.

Understanding SSL

With business-to-business applications, where systems communicate with each other over the internet, data must flow securely. As such, system-to-system authentication is critical. PeopleSoft uses HTTPS and digital certificates for secure transmission of data between systems and system-to-system authentication. The SSL implementation for secure HTTP is provided through the use of the Entrust/Toolkit™ for Java™ that is embedded within PeopleTools. This requires no additional Entrust Technologies licensing by PeopleSoft customers and is designed for use with digital certificates provided by popular certificate authorities including Entrust and VeriSign.

The PeopleSoft system uses Extensible Markup Language (XML) messaging over HTTPS for our Integration Broker and Business Interlink technologies to deliver system-to-system integration over the internet. HTTPS is used to guarantee secure transmission of the XML message. The digital signature of the XML message is used for authentication between systems. With digital certificates, XML messages are digitally signed to prove that the message came from the server that created and signed the message and to prove the message has not been altered.

The following table shows the PeopleSoft technologies that use HTTPS / SSL and how it is implemented in for each technology.

Understanding Certificate Authorities

Anytime you implement SSL with mutual authentication (both client and server authenticate each other) you need the following three items:

• Server Certificate (issued by some trusted third party or certificate authority).

• Client Certificate (issued by the same trusted third party or certificate authority).

• Client and server both need a copy of a root certificate for the trusted third party. The root certificate has the crypto keys (public and private key) of the authority. Using these keys and the client and server certificates, each party is able to authenticate the other.

When you logon to an SSL server using your browser, you don’t have to worry about a Root Certificate because they come bundled with the browser. You don’t have to worry about having a client certificate because the web server doesn’t require “Client Side Authentication”.

Important! When you are importing a digital certificate, you may receive an error message if you attempt to import the digital certificate immediately after downloading it from a certificate authority. This is due to issues related to "valid from" dates and times, and the inconsistencies in time settings between different computers. You should save the certificate to a Microsoft Windows 2000/NT workstation, right click on it using Microsoft Windows Explorer, and select Open. This opens the Certificate dialog box. Examine the information regarding the “valid from” and “to” dates. Make sure those dates are valid on the application server the certificate will be installed on. The Details tab on the Certificate dialog presents the most thorough information.

Configuring Digital Certificates

Select PeopleTools, Security, Security Objects, Digital Certificates.

The Digital Certificates page displays your inventory of server-side digital certificates. This page also enables you to import new certificates from a certificate authority.

Note. For user certificates, no redundant setup of user certificates is required. With a few lines of Signon PeopleCode, you can reuse the existing PKI server you have in place.

To view details regarding a particular certificate, click Details.

Type	Select the type of certificate. Local Node. Select this option when you are setting up a local node for the PeopleSoft messaging system (PeopleSoft Integration Broker). Root CA. Select this when you are adding a new Root CA to your key store. Remote. Select this option when you are setting up a remote node for the PeopleSoft messaging system (PeopleSoft Integration Broker).
Alias	Enables you to add a custom alias for identification purposes.
Issuer Alias	Contains the alias of the authority that issued the certificate.
Valid To	Shows how long the certificate is valid for use.
Detail	Launches a sub-page with more certificate information. The Certificate Detail page reveals subject and certificate information so you can determine such characteristics as the serial number, the fingerprint, the encryption algorithm, and so on. Note. Depending on the type of certificate you're adding, this link might be displayed as Add Root, Import, or Request.

Note. When adding a Local Node certificate and you click the Import link, the Request New Certificate page appears in which you need to add Subject information (Organization, Locality, and so on) and Key Pair information (encryption algorithm, and key size).

Setting Up Single Signon

This section provides an overview of single signon and discusses:

• Working with the Single Signon page.

• Defining nodes for single signon.

• Sample single signon transaction.

• Single signon configuration considerations.

• Single signon configuration examples.

• Making the PeopleSoft single signon token secure.

• Using the single signon API.

• Configuring single signoff.

Understanding Single Signon

PeopleSoft software supports single signon within PeopleSoft applications. Within the context of your PeopleSoft system, single signon means that after a user has been authenticated by one PeopleSoft application server, that user can access a second PeopleSoft application server without entering an ID or a password. Although the user is actually accessing different applications and databases, the user navigates seamlessly through the system. Recall that each suite of PeopleSoft applications, such as HR or CRM, resides in its own database.

Note. The PeopleSoft single signon solution applies only to PeopleSoft applications.

After the first application server/node authenticates a user, the system delivers a web browser cookie containing an authentication token. Pure Internet Architecture uses web browser cookies to store a unique access token for each user after they are authenticated initially. When the user connects to another PeopleSoft application server/node, the second application server uses the token in the browser cookie to re-authenticate the user behind the scenes so they don’t have to complete the signon process again.

Single signon is critical for PeopleSoft portal implementations because the portal integrates content from various data sources and application servers and presents them in a unified interface. When the users sign on through the portal, they always take advantage of single signon. Users need to signon once and be able to navigate freely without encountering numerous signon screens. Because single signon is so integral to the portal, you always need to configure it before deploying a live portal solution.

Note. The browser cookie is an in-memory cookie and is never written to disk. The cookie is also encrypted to prevent snooping and digitally signed using a check sum to prevent tampering.

The following table presents the fields that appear in the PeopleSoft authentication token:

signature =  SHA1_Hash ( UserID + Lang + Date 
Time issued + Issuing System + Local Node Pswd )

Note. Single signon does not depend on Lightweight Directory Access Protocol (LDAP) directory authentication. You can implement single signon and not LDAP, you can implement LDAP and not single signon, or you can implement both LDAP and single signon.

The key security features of the cookie authentication token are:

• The cookie exists in memory; it is not written to disk.

• There is no password stored in the cookie.

• You can set the expiration of the cookie to be a matter of minutes or hours, which is hardly enough time for a hacker to decrypt the information.

Working with the Single Signon Page

Select PeopleTools, Security, Security Objects, Single Signon to access the Single Signon page.

Expiration time in minutes	You need to set an expiration time for tokens this system accepts for authentication. Otherwise, once the user is authenticated, the user could be authenticated and signed on to the system with the token for as long as it stays up and running. You can set the authentication interval to be minutes, hours, or days depending on your signon strategy. The value is in minutes. For example, 480 minutes is 8 hours. This is global setting for all users of your PeopleSoft system that get issued the cookie. A short expiration period is more secure, but less convenient because users need to enter their passwords more frequently. The system accepting the token controls the expiration time, not the issuing system. For example, Node HCM_WEST, which has an expiration time of 100 minutes, issues a token to a user. The user attempts to use that token to sign on to Node FIN_EAST, which has an expiration time set to 60 minutes. If a period greater than 60 minutes has transpired, Node FIN_EAST rejects the token. When a node rejects a single signon token, the system prompts the user to enter a user ID and password on the standard signon screen. Note. This expiration time is separate from the timeouts you specify in the Permission Lists and the web server configuration files.
Message Node name	Shows the name of the Message Node. In order to share authentication tokens between nodes, the nodes need to trust each other. By adding a node to this grid, you indicate that a particular node is known to the system and trusted. When a node is trusted, the local node accepts tokens issued by it. By default, no nodes appear in the trusted nodes list. If you want to implement single signon, you need to explicitly configure your system to support it by adding trusted nodes. First, you need to add the local node to the grid as a node must be able to trust its own tokens. When you sign on to the portal, the system authenticates users with a single signon token issued by the local system. The portal won't be able to sign on unless the local node is trusted. Then you add the names of other nodes in the system that should be trusted. Note. You define nodes in Portal, Node Definitions.
Local Node	Indicates whether the node is local or not.

Note. After you update the list of trusted nodes, the system automatically recognizes the new list. Rebooting the application server is not required.

Defining Nodes for Single Signon

Select PeopleTools, Portal, Node Definitions to access the Node Definitions page.

The two options related to single signon are:

See Also

Renaming or Deleting Node Definitions

Implementing Authentication and Nonrepudiation

Sample Single Signon Transaction

Now that you have a general understanding of why a single signon implementation is useful, and some of the details involved with PeopleSoft single signon, this section presents an example of how the PeopleSoft single signon scheme works.

Suppose there are two databases, or nodes: an HCM database and Financials database. Recall that the terms database and node are synonymous. Each database has one application server and one web server. The following steps describe the "under-the-covers" events that occur when a user signs on to the HCM database, completes a transaction, and then click a link that targets a page in the Financials database.

Step 1: User Signs on to HCM Application

The following occurs:

• User PTDMO goes to link http://HCM.peoplesoft.com/peoplesoft8/signon.html

• User enters ID and Password at the signon page, clicks login.

Step 2: Application Server Authenticates User

The following occurs:

• Web server relays login request to HCM application server.

• Application server authenticates the user.

Step 3: Application Server Generates Single Signon Token

The following occurs:

• If the signon attempt to the HCM application server is successful, the application server generates a single signon token. This token contains the following fields: User ID, Language Code, Date and Time Issued, Issuing System, and Signature.

• Application server encrypts and encodes the token (base 64).

• Application server sends the token to the web server, along with a return code indicating that the system authenticated the user.

Step 4: Web Server Creates Cookie in User's Browser

When the web server receives the single signon token from the application server, it creates a cookie and inserts the cookie in the user's browser.

If the browser is configured to show the Security Alert dialog, then the user sees a message similar to the following example. In most cases, you don't configure browsers to show this dialog; this dialog box is just an example of the data that’s the browser receives.

The cookie that the web server distributes for PeopleSoft single signon is named PS_TOKEN. In this case the domain rt-sun23.peoplesoft.com set the cookie.

Notice that the cookie expires at the end of session. This indicates that the system never writes the cookie to disk, the cookie exists in the memory of the browser for the duration of the session.

The web server inserts the single signon token within the Data field of the cookie. So that the system can send the binary data across the HTTP protocol, the token data is encrypted and base 64 encoded.

Step 5: User Needs to Access Financial Application

After the user completes a few transactions in the HCM system, suppose they arrive at a page containing a link to the Financial system. The user clicks the link, and because they've already signed on (entered their ID and Password) to the HCM system they don't need to sign on again.

The user's browser sends the PS_TOKEN cookie to the Financials web server.

Step 6: Financials Web Server Receives PS_TOKEN Cookie

The Financials web server detects that the user hasn't been authenticated by the Financials system yet, however, because the web server received the signon cookie it does not display the signon page.

To retrieve the page the user requested (by way of the link in the HCM application), the Financials web server attempts to connect to the Financials application server. It passes only the Data field from the PS_TOKEN cookie; the application server needs only the information in the Data portion.

Step 7: Financials Application Server Authenticates PS_TOKEN

The Financials application server performs the following checks against the PS_TOKEN Data field before allowing the user to connect:

• Trusted Node?

  The application server checks to see that the message node name listed as the Issuing System is a trusted node. The list of trusted nodes for the Financials system resides in the PSTRUSTNODES table. You configure the list using PeopleTools, Security Objects, Single Signon. The Single Signon page enables the administrator of the Financials system to "trust" authentication tokens generated from HCM as well as any other nodes deemed trusted.

• Has the token expired?

  The application server checks that the authentication token hasn't expired. Using the Issued Date and Time field within the token, the Financials application server makes sure that the token was issued within the interval between the timeout minutes value and the current time. You configure a token's expiration time on the Single Signon page.

  Note. It is important to note that the expiration parameter specified in the Financials system is the relevant value, not the expiration value specified in HCM. This enables the Financials administrator to control the maximum age of an acceptable token. It's also important to consider that all times are in Greenwich Mean Time (GMT), so it doesn't matter what time zones the systems are in.

• Has the signature been tampered with?

  The application server checks that the signature is valid. The Financials application server takes all the fields in the token and the Node password for the issuing node and generates a hash. The token is valid only if the signature within the token exactly matches the one generated by the Financials application server. Because an exact match is the only acceptable situation, Financials can be sure that HCM generated the token, and that it hasn't been tampered with since it was generated. If a hacker intercepted the token in transit and changed the User ID, Language, and so on, the signatures wouldn't match and as a result the Financials application server would reject the token.

  Note. You should use digital certificate authentication when implementing single signon.

Single Signon Configuration Considerations

The following topics describe some items you might want to consider as you implement your single signon configuration.

Single Authentication Domain Limitation

Web servers must be assigned to the same authentication domain — the server name in the URLs used to access them must contain the same domain name. A browser sends a cookie back only to the same domain from which it received the cookie.

On PeopleSoft systems, an authentication domain is not the same thing as an internet protocol (IP) address. It's a logical URL address that you specify during Pure Internet Architecture setup, and its purpose is to associate different web servers (even at different physical locations) so that they appear to be at the same location to the PeopleSoft applications that use those web servers.

Important! Specifying authentication domains incorrectly for multiple Pure Internet Architecture installations can produce single signon errors.

If you want to keep two PeopleSoft applications from erroneously attempting to employ single signon, make sure that the authentication domain you specify for one application's web server is not a subset of the authentication domain you specify for the other. For example, if your CRM web server has an authentication domain of .user.mycompany.com, your Financials web server authentication domain must not be .mycompany.com (the parent of the CRM server domain) or .fin.user.mycompany.com (a child of the CRM server domain). It can, however, be .fin.mycompany.com (or any child of that domain).

If you do want two PeopleSoft applications to employ single signon, you must ensure that each application contains a definition of the other as a trusted node, and you must specify the same authentication domain for both applications' web servers during Pure Internet Architecture setup.

Furthermore, the web server that generates the cookie must have the domain that shares the PS_TOKEN cookie specified in the web profile of the local Pure Internet Architecture web site. For example, in the context of our HCM to Financials example, the web profile for the HCM web server must contain the value of .peoplesoft8.com in the Authentication Domain property.

Note. You must specify the leading dot (.).

The single domain issues occur in the following situations:

• You're using straight Pure Internet Architecture, as in you are deploying applications but not by way of the portal.

• You're using the portal with frame-based templates. All PeopleSoft portal solutions products (Enterprise, Employee, Customer, Supplier portals) are built using frame-based templates.

Frame-based templates aren't proxied automatically. Proxying refers to when the system rewrites the URL to point to a location on the portal servlet, rather than the original location of the URL.

Single Signon Between Machines without DNS Entries

If you're setting up single signon between machines that don't have DNS entries, you need to modify the hosts file on the machine that's running the web browser. For example, let’s say that you are using machine a.peoplesoft.com to signon to the web server a.peoplesoft.com, and then access b.peoplesoft.com using single signon. In this situation, you would need to update the hosts file on a.peoplesoft.com as follows.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
216.131.221.88  a.peoplesoft.com
66.122.220.101  b.peoplesoft.com

See Enterprise PeopleTools 8.46 PeopleBook: Internet Technology.

Domain Names

You need to use a fully qualified domain name when addressing the web server in your browser. For example, you would need to enter the following:

http://hcm.peoplesoft.com/myapplication/signon.html

as opposed to the following:

http://hcm/myapplication/signon.html

When using the portal, the domain name that you specified in the Portal URI Text edit box on the Content Provider administration pages needs to match the fully qualified domain name you entered for the authentication domain. For example, you would need to specify serverX.peoplesoft.com/servlets, not serverX/servlets.

Cross Domain Single Signon

The current PeopleSoft single signon solution deals mainly with systems where there is only one DNS domain. Many sites need to deploy the PeopleSoft Portal in multi-domain environments. For example, you might want to have the portal in one domain—www.PSFT_ecenter.com, for example—and the HCM database in another domain, such as www.yourcompany.com.

You can configure your environment to support cross-domain single signon by completing the following configuration tasks.

• Setup a third-party web security product that supports multi-domain single signon and supports LDAP user profiles.

  There are several industry-standard products on the market.

• Configure the portal and content provider web servers to trust the web server for authentication.

  For PeopleSoft software, this involves enabling the public access feature.

• Set up the PeopleSoft systems to download the user profiles from the same LDAP server that the web security product uses.

  This means that the DN that comes from the subject field of the certificate has to be a valid DN for the directory that the LDAP_profilesynch function references. Because of this you need to build a user profile cache map that points to the same directory that generated the subject's DN.

Note. This cross-domain limitation does not apply to the portal if the content from the provider in a different domain is wrapped in an HTML template. However, this limitation does apply for any content in the portal that is wrapped in a frame template. Because the Enterprise, Customer, Supplier, and Employee portals shipped with PeopleTools all include frame templates as defaults, you'll need to perform the extra configuration steps to support cross-domain single signon in multi-domain environments. This limitation also applies to Pure Internet Architecture-to-Pure Internet Architecture (iClient-to-iClient) single signon.

Single Signon Configuration Examples

The following topics describe examples of single signon configurations and the steps required to implement them.

One Database and Two Web Servers

In this scenario there is one database and two or more web servers. While single signon is configured at the database level (that is, you specify timeout minutes and trusted nodes for the entire database), it’s actually used any time two different PeopleSoft servlets connect to the same database.

To set up single signon with one database and multiple web servers:

1. Select PeopleTools, Portal, Node Definitions and make sure that at least one node is defined as the Default Local Node.

   In the results on the search page, you can determine this by looking for a Y in the Default Local Node column.

2. Select PeopleTools, Security, Security Objects, Single Signon and set the following:

   • Make sure the Default Local Node appears in the list under Trust Authentication Tokens issued by these Nodes.

   • Set the timeout minutes to an appropriate value (the default is 720).

3. Access the web profile for each web server and modify the Authentication Domain property.

   Because single signon is implemented using browser cookies, it must be configured so that the user's browser sends the single signon cookie to each web server machine involved. By default, the browser only sends cookies back to the machine that set the cookie. So if web server a.peoplesoft.com sets a cookie after the user is authenticated, the browser (by default) only sends the cookie to a.peoplesoft.com. By default, the browser would not send the cookie to b.peoplesoft.com. To make the browser send the single signon cookie to all servers at in a domain (peoplesoft.com), access the Web Profile Configuration - General page and set a value of .peoplesoft.com for the Authentication Domain property.

   Note. You need the leading period (.) before the domain. It should appear as “.peoplesoft.com,” not “peoplesoft.com.”
   
   If you use only one web server, you don’t need to modify the Authentication Domain property. A web server is designed to accept the cookies it distributes.

Two Databases and Two Web Servers

To set up single signon with multiple databases and multiple web servers:

1. Select PeopleTools, Portal, Node Definitions for each node that you want to involve in the single signon configuration and check the following:

   • Make sure that at least one node definition is defined as the Default Local Node for each database.

     In the results on the search page, you can determine this by looking for a Y in the Default Local Node column.

   • Make sure that each database contains a node definition for the other nodes in the single signon configuration.

   • Make sure that the Authentication Option is set correctly.

     For example, if you are using password authentication make sure that the node password for node ‘X’ is the same in each node definition for node ‘X’ in each database.

     You should use digital certificate authentication. Make sure the certificates are properly installed in the PeopleSoft Keystore before setting the node’s Authentication Option to Certificate.

2. Select PeopleTools, Security, Security Objects, Single Signon and set the following:

   • Make sure the Default Local Node appears in the list under Trust Authentication Tokens issued by these Nodes.

   • Set the timeout minutes to an appropriate value (the default is 720).

3. Access the web profile on your web server and modify the Authentication Domain property.

   Because single signon is implemented using browser cookies, it must be configured so that the user's browser sends the single signon cookie to each web server machine involved. By default, the browser only sends cookies back to the machine that set the cookie. So if web server a.peoplesoft.com sets a cookie after the user is authenticated, the browser (by default) only sends the cookie to a.peoplesoft.com. By default, the browser would not send the cookie to b.peoplesoft.com. To make the browser send the single signon cookie to all servers at in a domain (peoplesoft.com), modify the authentication domain as follows.

See Working With Digital Certificates, Employing LDAP Directory Services.

Single Signon with Third Party Authentication

This section presents a simple example of how to implement single signon when you have implemented a third-party authentication system at the web server level. This applies to both portal and intranet web servers.

Note. This example does not cover authentication. This example assumes that you have set up your third-party authentication correctly. Third-party authentication is out of the scope for PeopleSoft support and documentation.

Note. Also, this discussion assumes that you have enabled public user access in the web profile for the appropriate site.

For PeopleSoft application single signon, the PeopleSoft system needs to know the user ID to be used for the web session. If implementing this configuration, you are required to address the following:

1. Authenticate the web user.

2. Determine which PeopleSoft User ID to use for this web user.

3. Send the User ID to the PeopleSoft application server.

4. Write signon PeopleCode to retrieve the User ID from wherever step 3 sent it.

5. Reauthenticate the User ID during signon PeopleCode.

6. Indicate to the PeopleSoft application server to use the User ID for all subsequent service requests.

The following examples address items 3, 4, and 6.

The following HTML applies to step 3 above. You can change the JavaScript function to set the cookie name and value that you want. Also, change the location to point to the PeopleSoft page to which you want to redirect users, for example:

<html>
<head>
<title>PeopleSoft 8 Single Sign-On Example</title>
</head>

<!--
PeopleSoft 8 Single Sign-On Example

In this example, security is non-existent.  In a production
system, the UserId could come from your site's single signon
tool.  Other information could also be included.  For this
example, only the UserId is saved into cookie.  This cookie then
gets sent to the PIA Web Servlet which passes it on to the
PeopleSoft Application Server.  A piece of signon PeopleCode is
needed to extract the UserId from the cookie and call
SetAuthorizationResult in order to "sign on" the user.

o  Change the domain value of the cookie to your domain.
o  Change the location ref to the target URL within your PeopleSoft site.
//-->

<body>
<script language=JavaScript>
var cookie = "ThirdPartyUserId=PS; Domain=.peoplesoft.com; path=/; MaxAge=1";
document.cookie = cookie;
location="https://hcm.peoplesoft.com/servlets/iclientservlet/hrdb/?ICType=Panel&Menu=ROLE_EMPLOYEE&Market=GBL&PanelGroupName=IT_TIME_OFF&RL=&target=main1"
</script>
</body>

</html>

The following Signon PeopleCode example applies to steps 4 and 6 above. The Signon PeopleCode needs to retrieve &UserID from where the third-party portal put it in the HTTP Request. For example,

Function SSO_EXAMPLE()
   
/*This is step 4*/
   &TPUserId = %Request.GetCookieValue("ThirdPartyUserId");
   /*This is step 6*/
   If &TPUserId <> "" Then
      SetAuthenticationResult( True, &TPUserId, "", False);
   End-If
End-Function;

After you write the program, you need to enable the program using the Signon PeopleCode page. (PeopleTools, Security, Security Objects, Signon PeopleCode.

Making the PeopleSoft Single Signon Token Secure

PeopleSoft single signon functionality also applies at the web server level. For example, let's say that you have two web servers: server X and server Y. Assume that web server X is a SSL site, and assume that web server Y is not. In these situations, many sites want server Y to trust the authentication token, PS_TOKEN, issued by server X. This requires that the PS_TOKEN be set to be secure.

If the PS_TOKEN is not marked as secure, then when a user signs on through server Y, the browser sends PS_TOKEN to server Y over the unencrypted, non-SSL link. This is typical behavior for browsers when dealing with non-secure cookies. Potentially, in this situation a hacker could identify this token from the clear network and use it to signon to the SSL-secure server X.

Another important use of this feature relates specifically to the PeopleSoft Portal. When the portal proxies content with an HTML template, it should forward PS_TOKEN cookies that are marked secure only over SSL connections.

To resolve this potential security issue, select the Secure Cookie with SSL check box on the Web Profile Configuration - Security page. You use this property to control the secure attribute of the single signon cookie. If you enable the property, and the scheme of the current request is HTTPS (an SSL server), the system sets the secure attribute of the single signon cookie (PS_TOKEN) to true. This prevents the single signon token from travelling over an insecure network.

Note. If you enable this property, you are effectively disabling single signon to any non-SSL servers.

If, at your site, you want users to signon to an HTTPS server, and then want to do single signon with HTTP servers, set this property to false, which allows single signon between HTTPS and HTTP servers.

Note. If you can tolerate the security risk, and want single signon between secure and non-secure links, you can set this flag to false. However, before doing this you need to make sure you are aware of all the security implications, such as the security of the HTTPS server may be compromised.

Using the Single Signon API

PeopleSoft provides a component interface named PRTL_SS_CI that enables external applications to seamlessly integrate a single signon solution with the PeopleSoft portal applications. This ensures that users who have already signed in to the portal don't have to sign in again for every system you reference in your portal.

To take advantage of the Single Signon API, you need to create a custom API, which includes building the dynamic link libraries, classes, and registry settings necessary to enable an external application to communicate with PeopleSoft software.

Note. Due to constraints imposed by the PeopleCode SwitchUser built-in function, PRTL_SS_CI does not work properly when called from PeopleCode. Only external applications, such as Java, Visual Basic, and C/C++ programs, can access PRTL_SS_CI.

The files of your custom API need to reside on the client machine; that is, the web server for ASP, and the machine running the Java program for Java. The registry file may also need to be executed to update the registry with the new libraries.

Understanding the Signon Process with the API

The PRTL_SS_CI Component Interface contains two user-defined methods:

• Authenticate

  Your external authentication program distributes an authentication token that can be retrieved from a cookie in the browser. The Authenticate function determines if an authentication token is valid.

• GetUserID

  If the token is valid, you use the GetUserID function to retrieve the User ID associated with the authentication token.

Before we describe the development requirements of your API, PeopleSoft recommends that you take a moment to examine the steps that occur internally when you use the API in conjunction with the delivered PRTL_SS_CI.

Developing your External Application to Support Single Signon

Developers of the external applications need to alter the signon process to conform to the following requirements.

1. Check for the PS_TOKEN cookie.

   If the cookie doesn’t exist, continue with your normal signon process. Otherwise, bypass the signon screen.

2. Retrieve the authentication token from the PS_TOKEN cookie.

3. Make a connection to the PeopleSoft system through the PRTL_SS_CI API.

4. Pass the authentication token to the Authenticate function of the API.

5. If Authenticate returns True, you then retrieve the User ID associated with the authentication token by using the Get_UserID function.

Note. The component interface is not mapped to data because the key field for the data would be the authentication token. This token is dynamically assigned when the user signs on to the portal, and it is not stored anywhere in the system as data. Therefore, there are no key fields and the token is passed directly to the user defined functions.

Configuring Single Signoff

In addition to single signon, the PeopleSoft system also signs the user off of content providers when the user signs off. However, there are some exceptions to the sign-off functionality.

The portal only signs off content providers that meet the following criteria:

• Content providers are accessed only through HTML templates.

• Content providers are all PeopleSoft 8.x applications.

This means that for content providers accessed through frame templates, single sign-out is not automatically enabled when you configure single signon. This section describes the steps you need to complete to configure single sign-off for content providers being accessed through frame templates, which includes all of the PeopleSoft Portal solutions (Employee, Customer, and so on).

The following procedure covers inserting an HTML image tag (img) containing a logout command into a set of files on the web server. When the user signs off, the browser attempts to download the images using an "HTTP get," which causes the system to send the logout command to each specified content provider.

This procedure is not appropriate for content that is never accessed using a frame, as in it is accessed from the content source using an iScript and a business interlink, such as Lotus Notes integration.

To configure single sign-off for frame content:

1. On your web server, locate and open signin.html.

2. Open signin.html, select Save As, and enter the name signout.html.

3. Open signout.html, expire.html, and exception.html.

4. Add the following image tags to these files.

   You need to add one image tag to each of these files for each content provider that requires single signoff.

   Add the tags just before the closing body tag, as shown:

   <! add tags here>
   </body>

   If you have three content providers that require single signoff, such as HCM, FIN, and HTML Access, you need to add three image tags to each file.

   For example:

   <IMG src="http://hcm.peoplesoft.com/servlets/psp/ps/hrdb/?cmd=logout" 
   height=0 width=0 border=0>
   <IMG src="http://fin.peoplesoft.com/servlets/psp/ps/hrdb/?cmd=logout" 
   height=0 width=0 border=0>
   <IMG src="http://htmlaccess.peoplesoft.com/html_access/system/init_asp/logout.asp?cmd=dummy" 
   height=0 width=0 border=0>

   The previous code is an example. To determine the exact URL you need to add for your implementation, right-click the logout link of each content provider. You can usually view the logout link when accessing the application outside of the portal. Examine the properties of this link, and add the specified URL to the image tag.

   Note. The string "cmd=dummy" is required in the image tag for HTML Access to make sure that the browser doesn't attempt to cache the image, which would prevent it from issuing the logout command.

5. In PIA, select PeopleTools, Web Profile, Web Profile Configuration, Look and Feel on your web server.

   In the Signon/Logout Pages group box, change the value of the Logout Page field to signout.html.