Thursday, December 23rd, 2010

Single Sign On with PeopleSoft CRM & SAP HR

Integration between systems is hot these days, especially with the emerging packages like Fusion. Yet organizations are still inclined not to use them and develop their own ways of integrating. Sometimes this means totally new products, other situations you will see different packages being tied together. Is one better than the other? Not necessarily, there are several reasons for going into direction A or B.

In this post I would like to talk about a way of integrating PeopleSoft CRM with SAP HR. The requirements for this integration were the following:

  • Single Sign On between the two systems
  • PeopleSoft CRM used as HR Helpdesk on the support end of the organization
  • SAP HR for normal HR related business done by the HR department
  • Two work lists to work as one
  • SAP HR pages shown within PeopleSoft CRM as it was one application

Several options were investigated and the final decision made was to use an Open Source application called Central Authentication Server (CAS) as the point of single entry and single sign on solution. This package supports several ways of interacting with applications about user credentials.

For the more graphically minded people:

The way CAS works is like many other authentication systems. The user logs in using their credentials, CAS then checks that against the authorization package configured within itself (note – CAS is an Authentication service, it does not regulate your authorization). When the user credentials are good, a ticket is initialized and the user is sent to the default application tied to CAS. The application the user is being redirected to then checks if a valid ticket is present with CAS. When this checks out, the application lets the user in and CAS removes the token so that it can’t be used for a second time.

The login flow described above can also be put into a more graphical form:

For this flow to work with PeopleSoft CRM a custom PeopleCode function and Java class had to be created. The PeopleCode would be configured in PeopleSoft CRM under PeopleTools > Utilities > Signon PeopleCode.

A custom record was made to facilitate the function concerning Single Sign On. In this function the following logic was built:

Retrieve ticket from URI

Check ticket with CAS using Java class



Check if user credentials have expired

Show CAS error screen


Not expired

Redirect to change password page in PeopleSoft

Show normal PeopleSoft home screen

 In this schema there is mention of a Java Class. This was built to interface with CAS to make it easier to validate the inbound ticket with the validate service.

The Java class was built as follows:

Accept URI, ticket and validate URL as values

Strip “?ticket=<value>” from URI value

Pass the values for ticket and stripped URI to the validate URL

Check returned webpage

Has value yes

Has no value

Return value

Return empty value

 Fortunately CAS support various ways of authenticating against its ticketing system. For SAP this was a necessity since it’s portal does not support any other ways of using Single Sign On besides their own. One of those is with the use of Security Assertion Markup Language (SAML). For this to work I had to change the default way CAS sends it’s user information, because SAP has only one format that it recognizes. This was merely the way CAS reads and sends out its SAML messages. I added this as a new function within CAS and configured the application so that it would use it when SAP knocks on its door for the validation of a ticket.

Finally each page within SAP is accessed through CAS to make sure sessions are valid. For the end user this all looks as one application after style sheets are synchronized between the different applications.


 Viewed 1313 times by 510 visitors

Category: CRM / Technical
You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses (last comment shown first)

February 15, 2011
Mike Attridge
Mike Attridge

I have a simple, pseudo-SAML java and Sign-On PeopleCode-based very low-cost SSO solution to PeopleSoft, Tools 8.50 or higher. Not just for between PeopleSoft sites … for getting into PS!!
and it’s extremely secure.

Please email for more information.

[Reply to this comment]