PeopleTools Security - External Security and Provisioning

PeopleTools exposes a number of mechanisms that external systems can invoke to provide enterprise-wide single signon (SSO) and resource protection, Federated Identity single signon, and policy-driven resource provisioning, including user profile creation. This includes the collaborative development between the PeopleSoft PeopleTools and Oracle Identity Management teams.

User Authentication and Single Signon

  • Privacy
    Privacy is normally implemented with some type of encryption. Encryption is the scrambling of information such that no one can read it unless they have a piece of data known as a key. PeopleSoft delivers PeopleSoft (Pluggable) Encryption Technology (PET).
  • Integrity
    Integrity can be accomplished with simple checksums or, better, with more complex cryptographic checksums known as one-way hashes, and often with digital signatures as well. PeopleSoft protects data in flight by supporting SSL for all data transport: Web, Integration and LDAP.
  • Authentication
    Authentication can be accomplished using passwords, or with digital signatures, which are by far the most popular and most reliable method of authentication. As well as internal Password Controls, PeopleSoft supports certificate based single signon and the range of Oracle's Access Management products and those supplied by security vendor partners.
  • Access
    Access can be controlled using Roles and Permission Lists. Permission Lists also define available periods, i.e. signon and signoff times.
  • Authorization
    Authorization is supported in PeopleTools by Query and Row Level Security. Applications provide additional authorization with extended Row Level and Field Security and through the use of Business Unit and SETID. Permission Lists also control the user's rights to View, Add, Update and Correct information.

Defining Row-Level Security and Query Security Records

  • WWW_Authentication
    This provides for unchallenged signon to PeopleSoft where the browser user's workstation has a "User Certificate" installed which is associated with the "Server Certificate" installed on the web server.
  • LDAP_Authentication
    LDAP authentication is NOT single signon. It is classified as external or centralized authentication. The user is challenged, but the challenge response is forwarded to the LDAP server for authentication. The LDAP server typically feeds the PeopleSoft user ID back to PeopleSoft so that the user can be provided access. The LDAP DN is mapped to a unique PeopleSoft user ID.
  • SSO_Authentication
    This is a customizable function in delivered Signon PeopleCode, although PeopleTools delivers pre-configured code to support Oracle Access Manager. Third-party SSO vendors deliver custom code to support their solution. With SSO authentication, the SSO server can provide the PeopleSoft user ID in an additional token, or Signon PeopleCode can invoke a function to pass the SSO token back to the SSO server to retrieve the PeopleSoft user ID.

WWW_Authentication, LDAP_Authentication and SSO_Authentication can invoke LDAP_ProfileSynch, which uses attribute values in the retrieved LDAP user object to create the user profile for a user who exists in the external user repository but for whom no profile exists in the PeopleSoft application.

PeopleTools Security Administration PeopleBooks includes the steps to implement Oracle Access Manager solutions with PeopleSoft applications.

Provisioning

Where PeopleSoft is one of the managed resources in an enterprise provisioning system, PeopleTools provides a number of mechanisms to support PeopleSoft as a source of record. PeopleTools provides event-driven and effective-dated messaging. For instance, adding an employee in PeopleSoft HCM doesn't automatically create a user profile for that employee, but a message can be created on the save event on the Workforce Management page which will gather a payload of necessary attributes and deliver them to the provisioning system. On the return, PeopleTools exposes the USERPROFILE_CI component interface as an API into the user management component. In this case the provisioning system would be set up as a user with rights to Add, Update and Delete user profiles. PeopleSoft Application Messaging is effective dated, which means that the message will be sent to the provisioning system when the change is due to take place. As a result, a change to a person's position or reporting structure in HCM, which may change their rights in the application, takes effect on the day the change is supposed to take place, rather than the day the change is created in Workforce Management.

Oracle Identity Manager (OIM) is implemented with PeopleSoft using this approach.
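The effective-dated behaviour described above can be modelled to check a provisioned target for access that is not yet, or no longer, due. This is an added example, not PeopleTools or OIM code; the ChangeMessage fields, role names, employee ID and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ChangeMessage:
    """Hypothetical stand-in for the attribute payload gathered on the save event."""
    emplid: str
    action: str            # "ADD", "UPDATE" or "DELETE" of the user profile
    roles: frozenset
    entered_on: date       # day the change was created in Workforce Management
    effective_on: date     # day the change is due to take place


def due_messages(outbox, today):
    """Messages whose effective date has arrived, in effective-date order."""
    due = [m for m in outbox if m.effective_on <= today]
    return sorted(due, key=lambda m: (m.effective_on, m.entered_on))


def expected_profiles(outbox, today):
    """Replay due messages to get emplid -> roles as they should stand today."""
    profiles = {}
    for m in due_messages(outbox, today):
        if m.action == "DELETE":
            profiles.pop(m.emplid, None)
        else:
            profiles[m.emplid] = m.roles
    return profiles


def excess_access(outbox, actual, today):
    """Roles present in the target system that are not yet, or no longer, due."""
    expected = expected_profiles(outbox, today)
    drift = {}
    for emplid, roles in actual.items():
        extra = set(roles) - set(expected.get(emplid, frozenset()))
        if extra:
            drift[emplid] = extra
    return drift


# Constructed sample: a hire, a future-dated promotion, a future-dated termination.
OUTBOX = [
    ChangeMessage("E100", "ADD", frozenset({"EMPLOYEE"}), date(2024, 1, 2), date(2024, 1, 15)),
    ChangeMessage("E100", "UPDATE", frozenset({"EMPLOYEE", "MANAGER"}), date(2024, 1, 20), date(2024, 3, 1)),
    ChangeMessage("E100", "DELETE", frozenset(), date(2024, 2, 10), date(2024, 6, 30)),
]
```

Passing the roles actually held in the target system as `actual` makes `excess_access` report rights granted before their effective date and rights left in place after an effective-dated removal.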

Documentation Archive http://www.oracle.com/technetwork/documentation/psftarch-096292.html