Integration between systems is hot these days, especially with the emerging packages like Fusion. Yet organizations are still inclined not to use them and develop their own ways of integrating. Sometimes this means totally new products, other situations you will see different packages being tied together. Is one better than the other? Not necessarily, there are several reasons for going into direction A or B.
In this post I would like to talk about a way of integrating PeopleSoft CRM with SAP HR. The requirements for this integration were the following:
Several options were investigated and the final decision made was to use an Open Source application called Central Authentication Server (CAS) as the point of single entry and single sign on solution. This package supports several ways of interacting with applications about user credentials.
For the more graphically minded people:
The way CAS works is like many other authentication systems. The user logs in using their credentials, CAS then checks that against the authorization package configured within itself (note – CAS is an Authentication service, it does not regulate your authorization). When the user credentials are good, a ticket is initialized and the user is sent to the default application tied to CAS. The application the user is being redirected to then checks if a valid ticket is present with CAS. When this checks out, the application lets the user in and CAS removes the token so that it can’t be used for a second time.
The login flow described above can also be put into a more graphical form:
For this flow to work with PeopleSoft CRM a custom PeopleCode function and Java class had to be created. The PeopleCode would be configured in PeopleSoft CRM under PeopleTools > Utilities > Signon PeopleCode.
A custom record was made to facilitate the function concerning Single Sign On. In this function the following logic was built:
Retrieve ticket from URI
Check ticket with CAS using Java class
Check if user credentials have expired
Show CAS error screen
Redirect to change password page in PeopleSoft
Show normal PeopleSoft home screen
In this schema there is mention of a Java Class. This was built to interface with CAS to make it easier to validate the inbound ticket with the validate service.
The Java class was built as follows:
Accept URI, ticket and validate URL as values
Strip “?ticket=<value>” from URI value
Pass the values for ticket and stripped URI to the validate URL
Check returned webpage
Has value yes
Has no value
Return empty value
Fortunately CAS support various ways of authenticating against its ticketing system. For SAP this was a necessity since it’s portal does not support any other ways of using Single Sign On besides their own. One of those is with the use of Security Assertion Markup Language (SAML). For this to work I had to change the default way CAS sends it’s user information, because SAP has only one format that it recognizes. This was merely the way CAS reads and sends out its SAML messages. I added this as a new function within CAS and configured the application so that it would use it when SAP knocks on its door for the validation of a ticket.
Finally each page within SAP is accessed through CAS to make sure sessions are valid. For the end user this all looks as one application after style sheets are synchronized between the different applications.
Viewed 1313 times by 510 visitors
I have a simple, pseudo-SAML java and Sign-On PeopleCode-based very low-cost SSO solution to PeopleSoft, Tools 8.50 or higher. Not just for between PeopleSoft sites … for getting into PS!!
and it’s extremely secure.
Please email for more information. firstname.lastname@example.org
[Reply to this comment]
Notify me of follow-up comments via e-mail