Thursday, December 23rd, 2010

Single Sign On with PeopleSoft CRM & SAP HR

Integration between systems is hot these days, especially with emerging packages like Fusion. Yet organizations are still inclined not to use them and to develop their own ways of integrating. Sometimes this means totally new products; in other situations you will see different packages being tied together. Is one better than the other? Not necessarily; there are several reasons for going in direction A or B.

In this post I would like to talk about a way of integrating PeopleSoft CRM with SAP HR. The requirements for this integration were the following:

  • Single Sign On between the two systems
  • PeopleSoft CRM used as HR Helpdesk on the support end of the organization
  • SAP HR for normal HR related business done by the HR department
  • Two work lists to work as one
  • SAP HR pages shown within PeopleSoft CRM as if it were one application

Several options were investigated and the final decision made was to use an Open Source application called Central Authentication Server (CAS) as the point of single entry and single sign on solution. This package supports several ways of interacting with applications about user credentials.


The way CAS works is like many other authentication systems. The user logs in using their credentials, and CAS checks them against the authorization package configured within it (note: CAS is an authentication service; it does not regulate your authorization). When the user credentials are good, a ticket is issued and the user is sent to the default application tied to CAS. The application the user is redirected to then checks with CAS whether the ticket is valid. When this checks out, the application lets the user in and CAS removes the ticket so that it can't be used a second time.


For this flow to work with PeopleSoft CRM a custom PeopleCode function and Java class had to be created. The PeopleCode would be configured in PeopleSoft CRM under PeopleTools > Utilities > Signon PeopleCode.

A custom record was made to facilitate the function concerning Single Sign On. In this function the following logic was built:

  • Retrieve ticket from URI
  • Check ticket with CAS using Java class
      • Invalid: Show CAS error screen
      • Valid: Check if user credentials have expired
          • Expired: Redirect to change password page in PeopleSoft
          • Not expired: Show normal PeopleSoft home screen

This schema mentions a Java class. It was built to interface with CAS and make it easier to validate the inbound ticket against the CAS validate service.

The Java class was built as follows:

  • Accept URI, ticket and validate URL as values
  • Strip “?ticket=<value>” from URI value
  • Pass the values for ticket and stripped URI to the validate URL
  • Check returned webpage
      • Has value yes: Return value
      • Has no value: Return empty value
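The URL handling and response check from the steps above, as an added example (not the class built for the original integration). It assumes the CAS 1.0 plain-text validate response (`yes` followed by the user name, or `no`); the class name, host names and user-name pattern are hypothetical, and fetching the URL is left to the caller so the logic runs offline.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example: class name, hosts and the user-name pattern are assumptions.
public class CasTicketCheck {

    // Drop the ticket parameter so the service URL matches the one the ticket was issued for.
    static String stripTicket(String uri) {
        String s = uri.replaceAll("([?&])ticket=[^&]*&?", "$1");
        return s.replaceAll("[?&]$", "");
    }

    // URL-encode both values so neither can smuggle extra parameters into the request (Java 10+).
    static String buildValidateUrl(String validateUrl, String uri, String ticket) {
        return validateUrl
            + "?service=" + URLEncoder.encode(stripTicket(uri), StandardCharsets.UTF_8)
            + "&ticket=" + URLEncoder.encode(ticket, StandardCharsets.UTF_8);
    }

    // CAS 1.0 replies "yes\n<user>\n" or "no\n\n"; anything else returns the empty value.
    static String parseResponse(String body) {
        if (body == null) return "";
        String[] lines = body.split("\r?\n", -1);
        if (lines.length < 2 || !lines[0].equals("yes")) return "";
        String user = lines[1].trim();
        // Assumed pattern: refuse empty or unexpected user names rather than pass them on.
        return user.matches("[A-Za-z0-9._@-]{1,64}") ? user : "";
    }

    public static void main(String[] args) {
        // Constructed sample values, not from the original system.
        String uri = "https://crm.example.com/psp/ps/EMPLOYEE/CRM/h/?tab=DEFAULT&ticket=ST-1-abc";
        System.out.println(buildValidateUrl("https://cas.example.com/cas/validate", uri, "ST-1-abc"));
        System.out.println("[" + parseResponse("yes\njdoe\n") + "]");        // valid ticket
        System.out.println("[" + parseResponse("no\n\n") + "]");             // rejected ticket
        System.out.println("[" + parseResponse("<html>yes</html>") + "]");   // page that merely contains "yes"
    }
}
```

The caller should fetch the validate URL over HTTPS with certificate verification and a timeout, and treat any exception or non-200 status the same as an empty return value so the sign-on fails closed.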

Fortunately CAS supports various ways of authenticating against its ticketing system. For SAP this was a necessity, since its portal does not support any other ways of using Single Sign On besides its own. One of those is the use of Security Assertion Markup Language (SAML). For this to work I had to change the default way CAS sends its user information, because SAP has only one format that it recognizes. This was merely the way CAS reads and sends out its SAML messages. I added this as a new function within CAS and configured the application so that it would use it when SAP knocks on its door for the validation of a ticket.

Finally, each page within SAP is accessed through CAS to make sure sessions are valid. For the end user this all looks like one application once the style sheets are synchronized between the different applications.



Category: CRM / Technical

2 Responses (last comment shown first)

February 15, 2011
Mike Attridge

I have a simple, pseudo-SAML java and Sign-On PeopleCode-based very low-cost SSO solution to PeopleSoft, Tools 8.50 or higher. Not just for between PeopleSoft sites … for getting into PS!!
and it’s extremely secure.

Please email for more information. mattridge@mfs.com
