Sunday, March 22, 2009

PeopleSoft as a Password Authentication "Ticket" Server

My post Generating an AuthToken for SwitchUser demonstrates how to acquire and expire PeopleSoft authentication tokens. Using this approach, you could hook any custom application into the PeopleSoft security model, allowing PeopleSoft to manage security for many of your custom enterprise applications. Continuous token (ticket) validation could be implemented through a very simple web service that calls SwitchUser and returns the result. If SwitchUser returns true, then the token is valid.

Really, if you are interested in a centeralized, integrated security solution, then you should speak with your Oracle rep about Oracle's Identity Management Suite.

8 comments:

Kevin Weaver said...

Hi Jim,

I have a question regarding Portal and HCM authentication. I looking at an issue that we keep seeing in our logs with an error homepageT. The odd thing is that when I see this error I notice that the appserver is returning a TOKEN with a datetime in the past?

Here is an example that I pulled out of the logs using splunk. It is from last night at 6:42 PM, but the PS_TOKEN is from around 1 PM.

11/30/16
6:42:30.000 PM
PSAPPSRV.25861 (2237) [2016-11-30T18:42:30.855 GetCertificate](3) Returning context. ID=KCW002, Lang=ENG, UStreamId=184230855_25861.2237, Token=PSFT_PA/2016-11-30-12.42.30.154553/KCW002/ENG/jF5gZnpx36fbqtZ1/Ui6/l2EH+Q=

11/30/16
6:42:31.000 PM
PSAPPSRV.17534 (7567) [2016-11-30T18:42:31.230 KCW002@mydata.intranet.umb.com (IE 11.0; WIN7) HomepageTemplate](0) Duplicate cookie PS_TOKEN received. Value1=PSFT_HR/2016-11-30-12.34.08.336246/KCW002/ENG/mqOGbeHMB8V7U0eYA/cA6fAGW4g=, Value2=PSFT_PA/2016-11-30-12.42.30.154553/KCW002/ENG/jF5gZnpx36fbqtZ1/Ui6/l2EH+Q=.

What do you think is going on here and how do you think we can fix it?


Oh, and Congrats on your new job!

Jim Marion said...

@Kevin, it is a great question. I have no idea.

Raj Pasham said...

Hello Jim,

I 'm looking to create PS_TOKEN for a particular userID not %operatorID. Do you already post anything of this sort ?

Jim Marion said...

@Raj, a different user than the one that is already logged in? If you have the User ID and password, then the code in this listing will work.

Raj Pasham said...

Hi jim,

I'm tryng to access the full url at sign on peoplecode. I'm thinking to achieve the same using javascript window.location.href command and assign it to peoplesoft variable. can you please let me know on how to achieve this ?

Jim Marion said...

@Raj, The %Request object is available to Signon PeopleCode it has properties that provide the full URL to signon PeopleCode. Since JavaScript runs in a completely separate container, that is going to be challenging. I suppose one approach would be to move any variables into cookies, since those become HTTP headers that would also be part of the Request object. They could also be moved into query string parameters, since the URL is available to Signon PeopleCode. But since the URL is already available, that would just be a solution for any other variables.

Raj Pasham said...

Thanks Jim !! I have one more question. We are redirecting user to Java system but the URL was dynamic and it changes each time. We want to delete the cookies before we redirect the user.

Jim Marion said...

I don't have a good solution for cookie deletion. Cookies are just HTTP headers, so you may be able to work with the collection directly. If not, you may need a ServletFilter to filter the response.