Useful tips for implementing authentication to PeopleSoft using LDAP over SSL based on my recent experience in implementing this solution for HCM 9.2 application on PeopleTools 8.54 and Microsoft Active Directory.
Oracle’s red paper LDAP Authentication with PeopleTools is a must-read before designing your solution. This document created in 2007 has evolved with each tools version and is a comprehensive guide. (Oracle Support login required)
Implementing this solution involves performing following tasks in PeopleSoft. While Peoplebooks and red paper provide detailed instruction on these tasks, noting few additional learning in this post.
Setting up SSL for LDAP connection
- Starting PeopleTools 8.53 ‘cert7.db’ is not required and certificates are stored in PS database, loaded thru online configuration pages
- Make sure any intermediate certificates are loaded in addition to Root CA. Use certificate type of ‘Root CA’ for intermediate certificate as well.
Configure LDAP Directory settings
- Even if you intend to use SSL for authentication, configure non-SSL port in this step as it helps in testing and performing next step
- Proceed to next step ONLY after both SSL and non-SSL handshake between PS application server and LDAP server is established. Use ‘Test Connectivity’ page.
Caching Directory Schema
- As this step is performed by Application Engine process running on a process scheduler server, make sure it can communicate with LDAP server.
Note 1: Connectivity test performed at end of step 2 is between PS application server and LDAP server, it is no guarantee that your process scheduler server can communicate with LDAP as well. (Oracle Doc ID – 641054.1)
Note 2: As this step is typically a one-time setup task, you can opt to execute the application engine process via application designer connected to application server instead of running it online via process scheduler server. As of PeopleTools 8.54 this schema caching process ONLY works on non-SSL connection to LDAP. (Oracle Doc ID – 620168.1).So during this setup phase make sure non-SSL port in LDAP is open for communication. Schema data retrieved from LDAP in this step is not user-sensitive and there is no security risk in performing this one-time setup activity over non-SSL port.
Setup Authentication Map
- Map the unique user id attribute that PS will pass to LDAP for authentication
Setup User Profile Map
- Map the attribute corresponding to PS Operator ID that LDAP will return on successful authentication
Note: If LDAP doesn’t store the PS Operator ID, it can return any value that can be uniquely mapped to a PS Operator ID. Sign-on Peoplecode in PS can be then updated to perform the mapping between returned value and PS operator Id.
Setup security definitions to invoke LDAP Authentication Peoplecode
- Though not mandatory, its recommended to create a specific Permission list, Role and User Profile definition to use as ‘Invoke As’ user Id for sign-on Peoplecode execution configured in next step
Setup Sign-on Peoplecode
- Configure ‘Invoke As’ option and use the user profile created in previous step, enable LDAP authentication Peoplecode and make sure ‘Exec Auth Fail’ property is enabled.
PS: As Oracle constantly review and update the documentation in its support site, I have made references to these live documents instead attaching the documents in this post.