LDAP Integration


Comments

By: nilaximec86 (14 month(s) ago)

Hi... I NEED PPT ON LDAP FOR MY SEMINAR, KINDLY MAIL ON NILAXIMEC86@GMAIL.COM

Presentation Transcript

LDAP Integration with PeopleSoft SA, WHEPSUG 2003:

Mark Rank, UW-Platteville

Introduction:

- Who am I? DBA and Manager of Development for UW-Platteville
- Where does this information come from? Summary information from the IPS project and internal development documentation

Outline:

- Overview of Identity Provisioning at UW-P’ville
- Description of the current system
- Summary of re-engineering efforts
- PeopleSoft and LDAP
- Some comments on supporting self-service
- UW-Platteville’s LDAP authentication solution

Before we start:

- UW-Platteville is new to self-service
- We did not do anything with HTML Access; we were waiting for the LDAP authentication
- Current status of this system at UW-Platteville: the initial release moved to production 9/30/2003

Characteristics of an Identity Provision System:

- Need to accomplish three things:
  - Identity: 'Who are you?'
  - Authentication: 'Are you who you say you are?'
  - Authorization: 'What can you see?'
- The Identity Provisioning System (IPS) needs to either directly manage these tasks or provide information to other systems so that they can be managed internally

The bigger picture:

- Interconnection to the UW-System IAA project
- Our local IPS needs to operate with the IAA system in a federated manner

Current IPS:

- A custom solution created using OS scripts and various application utilities
- Over 8 years old, with a history dating back to our mini-computer and legacy student system

Current IPS:

- Currently gets all of its information from the PeopleSoft SA system
- The system maintains the UW-P username
- Uses this information to populate our Novell NDS directory, which then provides an LDAP service

Some limitations of the current system:

- A batch system
- A custom solution that requires vendor-specific solutions
- A 'brittle' system that is due for refactoring

The future IPS:

- We have started a re-engineering process to move to a vendor-supplied solution
- We are looking to use Novell’s DirXML technologies in connection with PeopleSoft to do this

An intermediate step:

- Our first goal is to decouple the account provisioning for Novell NDS from our legacy IPS system, which is running on VMS (mini-computer)

PeopleSoft and LDAP:

- Currently, in the PeopleTools 8.1x environment, PeopleSoft delivers Business Interlinks for an LDAP bind and an LDAP search
- These can be called from signon PeopleCode to authenticate users to the PeopleSoft system

Signon PeopleCode:

Signon PeopleCode:

- PS delivers the signon code for LDAP as well as SSO in FUNCLIB_LDAP.LDAPAUTH
- After reviewing it, we cloned it and refactored it to make it more streamlined for our application

What about CDI?:

- We were looking to do something very specific and wanted a very 'clean' solution
- Did not really have time to implement CDI
- Because of where we are taking identity provisioning, we do not plan to use CDI

Some comments on supporting self-service:

- UW-Platteville views LDAP integration as an enabling technology for self-service
- As such, how self-service is deployed and configured impacts the nature of the LDAP integration
- We wanted to address the assignment of self-service roles as part of the integration

Role assignment for Self-Service:

- Currently, UW-Platteville still handles authorization to PeopleSoft using static roles in the system
- There are processes that occur at login and during a batch process that assign roles
- We want to explore dynamic assignment as we re-engineer our IPS

How self-service roles are determined:

- Student Role: select emplid from ps_stdnt_enrl where emplid = :1 and stdnt_enrl_status = 'E'
- Instructor Role: select emplid from ps_class_instr where emplid = :1
- Advisor Role: select advisor_id from ps_stdnt_advr_hist where advisor_id = :1

UW-Platteville’s LDAP authentication solution:

- Keep in mind, we are leveraging our IPS
- As such, everything is driven off of people having active UW-P user accounts
- As I said before, we cloned the delivered code in PeopleTools and customized it

Custom configuration pages:

A note about LDAP and SSL:

- It appears that the business interlinks that support LDAP used an older version of the Netscape SSL SDK
- If people want to use LDAP over SSL, a certificate database (cert7.db) needs to be generated in the same format
- The easiest way to do it is to export the certificate out of a 4.x version of the Netscape browser

LDAP Authentication PeopleCode:

- General flow for the authentication code
- Through the restricted session function, we have the ability to easily restrict access for maintenance

LDAP Authentication PeopleCode:

- Because UW-Platteville keeps our profile name the same as our username, we can build the distinguished name instead of looking it up
- Currently, we have users in two contexts, so we need to look in two places; thus the multiple DN support

LDAP Authentication PeopleCode:

- The function to set the authentication result is the final step
- The globals are set to keep track of which profile id was finally used to log on
- The globals are used by the profile sync later
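The multiple-DN signon flow from the three slides above, as an added Python example that is not the UW-Platteville PeopleCode: the two user contexts, the maintenance-user list and the directory contents are constructed assumptions, and a dict stands in for the LDAP bind Business Interlink.

```python
import re

# Constructed stand-in for the directory (assumption: two user contexts,
# Students and Staff, under o=UWP). A real signon would call the LDAP
# bind Business Interlink; here a dict of DN -> password plays that role.
FAKE_DIRECTORY = {
    "cn=jdoe,ou=Students,o=UWP": "s3cret",
    "cn=mrank,ou=Staff,o=UWP": "dba-pass",
}
CONTEXTS = ["ou=Students,o=UWP", "ou=Staff,o=UWP"]  # assumed container DNs
MAINTENANCE_USERS = {"MRANK"}  # assumed: who may sign on in a restricted session
# Globals mirroring the PeopleCode globals the slides describe (read by profile sync)
AUTH_DN = ""
AUTH_PROFILE = ""

def escape_rdn_value(value):
    """Escape RFC 4514 special characters so a username cannot rewrite
    the DN being built (e.g. by smuggling in a ',ou=Staff')."""
    escaped = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if escaped.startswith("#"):
        escaped = "\\" + escaped
    return escaped

def ldap_bind(dn, password):
    """Stand-in for the LDAP bind interlink: True when the bind succeeds."""
    return FAKE_DIRECTORY.get(dn) == password

def authenticate(username, password, restricted_session=False):
    """Multiple-DN signon: build the DN from the username in each context
    and bind until one succeeds. Returns (dn, profile) or None."""
    global AUTH_DN, AUTH_PROFILE
    AUTH_DN, AUTH_PROFILE = "", ""
    # Never send an empty password to the bind: LDAP treats a DN plus an
    # empty password as an unauthenticated bind, which 'succeeds' for anyone.
    if not username or not password:
        return None
    profile = username.upper()  # profiles are kept upper cased
    if restricted_session and profile not in MAINTENANCE_USERS:
        return None  # maintenance window: only the allowed users get in
    rdn = "cn=" + escape_rdn_value(username)
    for context in CONTEXTS:
        dn = rdn + "," + context
        if ldap_bind(dn, password):
            AUTH_DN, AUTH_PROFILE = dn, profile  # the authentication result
            return dn, profile
    return None
```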

LDAP Profile Synchronization PeopleCode:

- The code checks for a global distinguished name; this indicates the authentication was successful
- To make life easier, all profiles are upper cased

LDAP Profile Synchronization PeopleCode:

- Need to instantiate an instance of the USER_PROFILE component interface
- Look to see if we need to create or modify the user

LDAP Profile Synchronization PeopleCode:

- Build or modify the profile based on information in the PS database and the defaults on the configuration page
- Run the process to maintain the self-service roles
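The profile sync steps above together with the role rules from the "How self-service roles are determined" slide, as an added Python example that is not the presentation's PeopleCode: the table rows are constructed, an in-memory sqlite database stands in for the PeopleSoft SA tables, and a dict stands in for the USER_PROFILE component interface.

```python
import sqlite3

# Constructed sample of the three PeopleSoft tables the role rules query.
# Table and column names come from the slides; the rows are made up.
SCHEMA = """
CREATE TABLE ps_stdnt_enrl (emplid TEXT, stdnt_enrl_status TEXT);
CREATE TABLE ps_class_instr (emplid TEXT);
CREATE TABLE ps_stdnt_advr_hist (advisor_id TEXT);
INSERT INTO ps_stdnt_enrl VALUES ('1001', 'E'), ('1002', 'D');
INSERT INTO ps_class_instr VALUES ('2001');
INSERT INTO ps_stdnt_advr_hist VALUES ('2001'), ('2002');
"""
# The slides' role rules; the ':1' bind variable is written as sqlite's '?'.
ROLE_RULES = {
    "Student": "select emplid from ps_stdnt_enrl where emplid = ? and stdnt_enrl_status = 'E'",
    "Instructor": "select emplid from ps_class_instr where emplid = ?",
    "Advisor": "select advisor_id from ps_stdnt_advr_hist where advisor_id = ?",
}
SELF_SERVICE_ROLES = set(ROLE_RULES)

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def self_service_roles(conn, emplid):
    """Roles the emplid qualifies for right now. Binding the emplid as a
    parameter keeps it from being interpreted as SQL."""
    return {role for role, sql in ROLE_RULES.items()
            if conn.execute(sql, (emplid,)).fetchone() is not None}

def sync_profile(conn, profiles, auth_dn, profile_id, emplid, defaults):
    """Create or modify the user profile, then maintain its self-service
    roles. 'profiles' (a dict) stands in for the USER_PROFILE component
    interface; 'defaults' are the configuration-page defaults."""
    if not auth_dn:  # no global DN means signon did not succeed
        return "skipped", set()
    profile_id = profile_id.upper()  # all profiles are upper cased
    if profile_id in profiles:
        action = "modified"
    else:  # new user: build the profile from the defaults
        profiles[profile_id] = {"emplid": emplid, "roles": set(defaults)}
        action = "created"
    prof = profiles[profile_id]
    # Replace only the three self-service roles; static roles are left alone.
    prof["roles"] = (prof["roles"] - SELF_SERVICE_ROLES) | self_service_roles(conn, emplid)
    return action, prof["roles"]
```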

Steps to implement LDAP authentication - IPS:

- Remember, we have an existing IPS
- Building an IPS is not trivial:
  - Need to set the scope
  - Need to find a technology platform
  - Need to define authoritative sources
  - Need to build it, test it and then deploy it

Steps to implement LDAP authentication – PS to LDAP:

- For UW-Platteville’s custom solution, build the online objects in PeopleSoft
- If you are using LDAPS, place the certificate database file in the domain directory of the app servers
- Configure it
- Enable signon PeopleCode
- Restart the app servers

Summary:

- Overview of Identity Provisioning at UW-P’ville
- Description of the current system
- Summary of re-engineering efforts
- PeopleSoft and LDAP
- Some comments on supporting self-service
- UW-Platteville’s LDAP authentication solution

Questions and Discussion: