Integrating PeopleSoft and Oracle Collaboration Suite into uPortal
June 13, 2005
Summer JA-SIG
Baltimore, Maryland
San Luis Obispo, CA
Information Technology Services
Darren Kraker
Ken Sperow
CAS implementation
PeopleSoft HR
PeopleSoft Financials
Oracle Collaboration Suite
calendar
email
Integration as uPortal channels (IFrame)
PeopleSoft Self Service links
Oracle Portlets
Overview
HistoryHistory
PeopleSoft Impl / IntegrationPeopleSoft Impl / Integration
OCS Impl /IntegrationOCS Impl /Integration
Issues Issues
Questions Questions
AgendaAgenda
Cal Poly – Who are we?
San Luis Obispo
100 Years Old
20,000 Students
Polytechnic University
Engineering, Agriculture, Architecture, Science
“Learn by Doing”: technical and professional curricula with arts and humanities.
Live with uPortal 1.6 Fall 2001
UNICON assisted LDAP implementation
Motivated to implement SSO
Campus introduction PeopleSoft HR
Politically / strategically required for Enterprise Portal
History
System Overview
CAS servers
Central Authentication Server 2.0
Servers: Sun Netra T1 500 MHz, 1 GB RAM
Solaris 9
Three servers high availability
Cisco switches provide failover
Technical Specifications
LDAP servers
Oracle Internet Directory: 9.2.0.6
Servers: Sun Netra T1 500 MHz, 1 GB RAM
Solaris 9
Three servers for high availability
Cisco hardware provides load balancing and failover
Technical Specifications
uPortal server
uPortal 2.1.4
One server: Sun E450 4 - 400 MHz, 4 GB RAM
Solaris 9
Planned upgrade to 2.5.X Fall
Technical Specifications
CAS Authentication Flow
Participants: User, Web Application, Web Login Service
1 User requests access
2 Browser redirected to Login Service
3 Web Login Service recognizes user session
4 Login Service provides ticket
5 Ticket provided to application
6 Application validates ticket
7 Username provided to application
8 Application decides if user is authorized
9 User gets access
Legend: User interaction / No user interaction
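An added illustration of steps 4 to 7 of the flow above (not code from the presentation or from Yale CAS): a toy in-memory login service showing that a CAS service ticket is single use and bound to the service it was issued for. The class name, service URLs and user are constructed for the example.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Toy in-memory login service (hypothetical class, not Yale CAS code).
public class CasTicketDemo {
    private final Map<String, String[]> tickets = new HashMap<>(); // ticket -> {service, user}
    private final SecureRandom rng = new SecureRandom();

    // Step 4: the Login Service issues a ticket for the requested service.
    String grant(String user, String service) {
        String ticket = "ST-" + Long.toHexString(rng.nextLong());
        tickets.put(ticket, new String[] {service, user});
        return ticket;
    }

    // Step 6: the ticket is removed on the first attempt, so a replay fails,
    // and the service must match the one the ticket was issued for.
    String validate(String service, String ticket) {
        String[] entry = tickets.remove(ticket);
        if (entry == null || !entry[0].equals(service)) {
            return "no\n";
        }
        return "yes\n" + entry[1] + "\n";
    }

    // Step 7, application side: fail closed on anything but "yes" plus a name.
    static String usernameFrom(String response) {
        String[] lines = response.split("\n");
        if (lines.length < 2 || !"yes".equals(lines[0]) || lines[1].isEmpty()) {
            return null;
        }
        return lines[1];
    }

    public static void main(String[] args) {
        CasTicketDemo cas = new CasTicketDemo();
        String hr = "https://hr.example.edu/psp/"; // constructed service URLs
        String fs = "https://fs.example.edu/psp/";

        String t1 = cas.grant("jdoe", hr);
        System.out.println("first use:     " + usernameFrom(cas.validate(hr, t1)));
        System.out.println("replay:        " + usernameFrom(cas.validate(hr, t1)));

        String t2 = cas.grant("jdoe", hr);
        System.out.println("wrong service: " + usernameFrom(cas.validate(fs, t2)));
    }
}
```

Only the first validation yields a username; the replayed ticket and the ticket presented for a different service both come back as null.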
Making PeopleSoft use a central authentication service
Evaluate known solutions
Integration with CAS
PeopleSoft
Accept a ticket and then validate it
Make PeopleSoft accept a CAS ticket parameter as part of login
Implement PeopleCode calls Java client
CAS Java client performs the CAS validation
PeopleSoft - Implementation
Function VALIDATE_TICKET()
   /* [email protected] 20030122 Trusted Authentication Impl */
   If %PSAuthResult = False Then
      &validator = GetJavaClass("PSCASClient");
      /* retrieve fullUrl and ticket value from HTTP request */
      &fullUrl = %Request.FullURI | "?" | %Request.QueryString;
      &ticket = %Request.GetParameter("ticket");
      If &ticket <> "" Then
         /* have a ticket, load CAS client class and attempt to validate */
         &cas_result = &validator.validate(&fullUrl, &ticket);
         If &cas_result <> "" Then
            /* ResultDocument (3rd parm) seems to be ignored by front end */
            SetAuthenticationResult( True, &cas_result, "", False);
            &authMethod = "SLO";
            Return;
         End-If; /* got username back from CAS */
      End-If; /* got ticket */
   End-If; /* user not yet authenticated */
End-Function;
PeopleSoft - Implementation
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLEncoder;

public class PSCASClient {
    // placeholder: the slide does not show the CAS validation URL
    private static final String validateURL = "https://cas.example.edu/cas/validate";

    // called from PeopleCode as validate(&fullUrl, &ticket)
    public static String validate(String service, String ticket) throws IOException {
        // encode both values so a service URL with its own query string survives
        URL u = new URL(validateURL + "?ticket=" + URLEncoder.encode(ticket, "UTF-8")
                + "&service=" + URLEncoder.encode(service, "UTF-8"));
        try (BufferedReader in = new BufferedReader(new InputStreamReader(u.openStream()))) {
            String line1 = in.readLine();
            String line2 = in.readLine();
            // accept only an explicit "yes" followed by a username
            if (!"yes".equals(line1) || line2 == null) {
                return null;
            }
            // make fully qualified username ("[email protected]")
            // into PSFT username ("jdoe")
            int at = line2.indexOf('@');
            return (at < 0 ? line2 : line2.substring(0, at)).toUpperCase();
        }
    }
}
PSCASClient.java
Configure SLO_AUTH hook in PeopleSoft Sign-on Page (Exec Auth Fail)
PeopleSoft - Implementation
Set Exec Auth Fail PeopleCode
Customize HTML files now that original sign-on page is obsolete
• index.html
• Logout_page.html (new)
• Signin_alternate (new)
• Signon.html
• signonError.html (new)
• Cookiesrequired.html
Modify configuration.properties to point to new HTML files
Install CAS client jar, class files
PeopleSoft - Implementation
It’s never that easy . . .
Service URL we use for CAS had to contain userid/pwd parameter
PeopleSoft cookies
After PTools upgrade (2003) HTTP GET no longer worked, POST required
Issues
The next step . . . deep linking
More direct and intuitive method for accessing services
Add embedded PeopleSoft content within an IFrame using nested URL
uPortal Integration
Oracle Collaboration Suite (OCS)
What is OCS?
“Oracle Collaboration Suite is an integrated database-based email, voicemail, calendaring, web-based meeting, files and search capability that is accessible via all of the interfaces that you currently know and use.”
uPortal entry point for Email and Calendar
Making OCS use a central authentication service
Integration with CAS
Oracle Collaboration Suite (OCS) Objectives
Logical Architecture
Hardware - Illustration
Tier 1 : Infrastructure
2 Node (Red Hat Cluster Server)
Dell Power Edge 2650, 2 * 2.8 GHz, 4 GB RAM, 2 * 36GB HD, 3 * GIG-E NIC, HBA's (to EMC)
Tier 2 : Application MT 4 Nodes + BI 1 Node
Tier 3 : Database 4 Node Oracle RAC 9.2.0.4
Dell Power Edge 6650, 4 * 2.8 GHz, 16 GB RAM, 2 * 36GB HD, 4 * GIG-E NIC, 9iRAC, HBA's (to EMC)
Dell Power Edge 2650, 2 * 2.8 GHz, 2 GB RAM, 2 * 36GB HD, 2 * 73 GB HD, 2 * GIG-E NIC, HBA's (to EMC)
Tier 2 : Calendar 2 Node
Dell Power 6650, 4 * 2.8 GHz, 16 GB RAM, 2 * 36GB HD, 2 * GIG-E NIC
Storage: EMC DMX1000
OCS, Central Authentication & uPortal
OCS DB 9.2.0.5
OCS Middle Tier
BI DB
Oracle BI Middle Tier
OCS Infrastructure (Shared between OCS and BI)
Central Authentication Services
Corporate Portal (uPortal)
Oracle Portal
Web
Web Calendar
Outlook
Other Campus Applications (SCT, PeopleSoft Etc..)
Oracle Collaboration Suite (OCS) Integration
Objectives
uPortal entry point for Email and Calendar
SSO
uPortal channels - simplified view of Email and Calendar
Ability to render Oracle Portlets within uPortal
OCS Integration - Solutions
uPortal entry point
---> CAS-enable OCS
uPortal channels
---> Custom channels
- Oracle’s APIs?
- Query DB
---> Pre-existing Oracle Portlets
Oracle Portlets
“External JSP”
Direct URL
CAS Enabling OCS
Oracle SSO
Web based applications
Integrates with external login source
Solution required the use of cookies
All code written in PL/SQL
Requires Oracle Internet Directory (OID)
Users must be populated in OID
FERPA
Participants: User, Oracle Web Application, Oracle SSO, Web Login Service
1 User requests access
2 Browser redirected to Oracle SSO
3 Oracle SSO authentication required
4 Browser redirected to Web Login Service
5 Web Login Service authentication required
6 Login Service provides ticket for OSSO
7 Ticket provided to OSSO
8 OSSO validates ticket
9 Username provided to OSSO
10 Oracle SSO ticket provided for application
11 OSSO Ticket provided to application
12 Application validates ticket
13 Username provided to application
14 Application decides if user is authorized
15 User gets access
OCS - Rendering Oracle Portlets
External JSP
Makes a portlet available through a JSP
Not well documented
Is not supported in a “Partial SSL configuration”
uPortal Inline Frame points to external JSP
OCS - Rendering Oracle Portlets
Direct Access URL
Access to Oracle Portal page through user-friendly URL
Create Oracle Portal Page
No header/border/template
Put portlet on page
Attach stylesheet to page
Point uPortal Inline frame to URL
OCS - Rendering Oracle Portlets (cont.)
Authorization
Control access to uPortal channels through Groups??
Needed way to restrict access to Oracle page
Solution: Pull groups tables into OID nightly
OCS Integration Issues
ISSUE:
When users subscribe to more than one channel containing Oracle Portlet content, the channel may respond with browser error messages resulting in no content displayed.
ROOT CAUSE:
This problem is a result of multiple uPortal channels attempting to establish an Oracle Portal session at the same time.
OCS Integration Issues (cont.)
Possible Solutions
Introduce a Delay with Consecutive Page Requests.
Introduce an Intermediate Page at CAS Login.
Send all requests through a single threaded servlet.
CAS Enabling OCS Resources
Oracle9iAS Single Sign-On Administrator's Guide Release 2 (9.0.2), Part Number A96115-01
Chapter 5 - Third-Party Single Sign-On
Chapter 8 - Customizing the Single Sign-On Interface
Metalink Documents:
Note:191299.1
Note:244557.1
Note:191345.1
PeopleSoft Applications:
HR total accounts: 2,500 (admin accounts: 700)
Concurrent users average: 22 (high 75)
Finance total admin accounts: 700
Concurrent users average: 23 (high 95)
Single Sign-on Unique Users per month
Approx: 12,000 - 28,000
Average: 20,000 (including summer quarters)
Single Sign-on Unique users per DAY
Maximum: 14,000
Average: 5,700
Single Sign-on Concurrent users of the Portal
High: 2,800
Statistics on Usage
Single clicks to HR PRD and FS PRD per month
2,200 – 6,100
Average: 4,200 (including summer quarters)
Single Sign-on Outages
Unplanned: Less than 1/2 hour per month
Planned: 4 hours/month
Updates, new application rollouts
Users CAN authenticate to PS and other applications
Statistics on Usage
CAS http://www.yale.edu/tp/cas/
This Presentation, Cal Poly’s documents and code on CAS Enabling OCS, and PeopleSoft Single Sign-on Guides
http://myportal.calpoly.edu/downloads
PeopleBooks
References
Questions?
Darren Kraker, Software [email protected]
Ryan Matteson, Web Architect and Info Security [email protected]
Melinda Rojo, Oracle Portal [email protected]
Ken Sperow, Software [email protected]
Dan Malone, Oracle SSO [email protected]