Security

PeopleSoft Single Sign-On (SAML/ADFS): Why You Should Not Customize

By Greg Sosna • October 22, 2020

Don’t Risk the Security of your Data by Customizing an SSO Integration for PeopleSoft

I was on a discovery call recently, and the Senior Software Engineer shared how they’re “ripping out” a custom-built (for PeopleSoft) single sign-on solution (SSO). After acquiring an enterprise SSO, they attempted to build a custom integration with PeopleSoft that presented far more challenges than benefits – especially when users attempted to access with a deep link. Now they’re looking to remove the solution along with the additional infrastructure that was required. 

And here’s the sad part: they’re not the first organization I’ve encountered this month who are experiencing the same challenge. Across all verticals including healthcare, higher education, government, retail and more – PeopleSoft customers are rethinking their decision to enable their enterprise SSO solutions with custom coding, external gateway agents, and reverse proxies. Alternatively, implementing solutions that feature native SAML authentication handlers

Your Custom Single Sign-On Integration Was Not Designed with ERP Data Security in Mind 

These projects often start with the IT department recognizing that it can solve a business requirement by building the solution themselves or by using a generic gateway with copy-and-paste code off an internet forum. The main motivation? They possibly save the company some money, bypass the need for approvals or budget, and check a project off their list. Easy-peasy, right? As highlighted in the example above, it’s not always that straight forward.  

Often, these projects lack a thoughtful mindset and instead leverage code that is many years old, unsupported and public to developers and hackers alike. Here lies one of the biggest problems with customizing PeopleSoft for SSO authentication. Getting the integration to work “well enough” is often the goal, and since developers are not information security professionals – they may not have considered the ramifications of using code that hackers can reverse engineer, potentially exploiting loopholes to gain unauthorized access. As a former PSAdmin who personally retrofitted a custom PeopleSoft SSO solution in my past life, I can tell you that security implications are not on the forefront. Between IT wanting to be a good partner to the business and drowning in long-haul projects, “good enough” was often the goal.

The “Typical” Custom Single Sign-On Approach

There are a few ways to approach building a custom SSO solution. You could try linking SAML open-source code libraries, using reverse proxies, or having an external agent handle it. These solutions seem relatively simple at the outset, but the introduced vulnerabilities are often not obvious or ignored. The end result is that the SSO “works” but is plagued by technical, functional, and security issues once in production. 

Linking SAML Open Source Code Libraries 

A custom coding project typically begins with a review of PeopleBooks and a Google search to find a relatively quick way to write the code. PeopleCode allows you to link external open source java libraries inside PeopleSoft. This is code that you’re literally pulling from an old blog and has not been reviewed since the author first published it. Imagine using code from 2007 to secure your custom single sign-on project. It would never pass a security review!

Secondly, developing a solution yourself is tricky. It isn’t easy to write software that deals with passwords, identity, and authentication. Reputable IdPs spend tens of thousands of man-hours designing, coding, and testing, then supporting their solutions. The lone developer who built your custom solution is now responsible for supporting, maintaining, and upgrading the code. That’s excellent job security for him but a security liability for you. 

Reverse Proxies, Gateways, and External Authentication Agents 

This one is probably a favorite with system administrators who want to support a multitude of non-SAML apps with a one-size-fits-all solution. I’ve also implemented SSO like this in the past, so I can speak from experience about how this works and its risks. 

The short version of how this works is that the authentication is offloaded to a reverse-proxy, an agent, or a gateway, that sits outside PeopleSoft. Once the authentication process is successfully completed, only then is a connection made to PeopleSoft, and the authenticated user-ID passed to the HTTP header. Then that request has to be trusted by a custom Sign-on PeopleCode.  

Aside from the risky firewall configuration, another issue here is that it needs to be scaled carefully for bandwidth because all of the requests will now go through a new server and several new applications to complete the process. Now you have additional hardware, software, and customizations to maintain and patch in addition to your regular PeopleSoft duties. 

Why a Native SAML Handler is Best Practice

SSO is critical to help you increase your security posture within your organization while keeping your customers happy, so I don’t want to sound negative, and I’m not trying to put you off on installing an SSO solution in your environment. Instead, I want to make sure you do it correctly and aligned to security best practices.  

My advice is to use a solution that natively supports a SAML authentication handler and seamlessly and securely passes the token to PeopleSoft built-in authentication without customizations. The term “native” is extremely important here! The lack of native support is a critical issue that plagues custom solutions, creating more hoops to jump through to complete the project. 

Fortunately, Appsian delivers the SAML integration layer required to connect PeopleSoft, an IdP, and your enterprise Single Sign-On. This solution is natively installed right into the PeopleSoft Internet Architecture (PIA) and does not require the use of proxy servers, agents, or gateways. Furthermore, there are zero customizations, simple configuration with extensive support for SAML attributes, user-mapping, and the support and maintenance is offloaded from your team. 

There is Beauty in Customization but Comfort in ERP Data Security 

Part of PeopleSoft’s beauty and power is that you can customize the system to improve your business processes. However, one thing you shouldn’t take into your own hands is authentication, and indirectly, security. Your IT team, system admins, and developers should spend their time supporting and customizing your system to provide outstanding service to the business units and keeping the system running smoothly. Why add more hardware, software, applications, and customization than necessary? 

Contact us today to learn how Appsian solves the SAML integration challenge by providing the only configurable SSO for PeopleSoft.

Stay Updated

Accessibility, Security

Why Colleges and Universities are Rushing to Implement Single Sign-On for PeopleSoft

By Scott Lavery • August 4, 2020

It’s not uncommon for higher education institutions to approach us (with great haste) about our Single Sign-On (SSO) solution for PeopleSoft Campus Solutions. Lately, I’ve noticed an uptick in the urgency. Nobody’s hair is literally on fire, but after speaking with a handful of universities, it sure feels that urgent. Here’s what’s happening. 

The COVID-19 Pivot Strikes Again 

When COVID-19 first caused colleges and universities to shut down their campuses and rapidly switch to online learning, that was their primary focus. Pretty much all non-essential IT (and PeopleSoft) projects were immediately put on hold. After an intense focus on student, staff, and faculty safety and performing herculean feats to enable remote learning and remote access for thousands, IT departments are back to focusing on data security and access.  

This summer, many institutions around the country were cautiously optimistic they could reopen in the fall and were making plans to welcome back faculty and students into something they hope will resemble normal campus life. IT and security teams were also busy, reviewing priorities, projects, and budgets. They know that thousands of students, faculty, and staff depend on the institution’s applications to keep operations running smoothly.  

Unfortunately, all this planning and optimism might be for naught. Almost daily, universities that had released detailed plans for in-person classes in the Fall have reversed themselves and said they will go almost entirely online. Because of these sudden changes, some IT departments are quickly pivoting to adapt their systems to better handle remote access and excessive self-service demands.  

And that’s the urgency we’re experiencing: To improve productivity, enhance security, and improve the overall user experience, universities are (urgently) turning to a SAML SSO solution for PeopleSoft Campus Solutions. Why? Because the first step in addressing usability is ensuring authentication is secure, without causing user friction. 

Enable PeopleSoft SSO with SAML-Based IdPs 

The good news is that Appsian can help universities meet this urgent request in two weeks or less. We provide the only turnkey SAML integration solution for PeopleSoft without any custom development or additional hardware. You can allow thousands of users (students and faculty) to access multiple applications, not just PeopleSoft, using a single login on any device.  

Customers can also use multiple IdPs concurrently, including Okta, Ping, ADFS, Shibboleth, Azure, and more, ensuring that any patchwork of systems used across groups, buildings, and departments are accessible and secure. 

The More Things Change, the More Changes You Have to Make 

COVID-19 has utterly wrecked the college experience for students, but requirements for accessing and securing applications for the upcoming school year haven’t changed for IT departments.  

What’s changed is the urgency to make sure that applications, data, transactions, and lectures are accessible and secure.  

At the end of the day, institutions must pivot their operations to ensure that applications can be seamlessly accessed. For no other reason than friction causes abandon – and when students are 100% virtual, abandon is far more likely. 

The quickest way to improve usability and security for PeopleSoft Campus Solutions is with a SAML Single Sign-On SSO. 

Contact us today to learn how you can make this happen in 2 weeks! 

Stay Updated

Tips and Techniques

Evaluating a PeopleSoft Single Sign-On (SSO) Solution: 6 Questions to Ask Your Vendor

By Scott Lavery • September 6, 2019

Single Sign-On (SSO) solutions have emerged as the gold standard in identity management. While poor password practices continue to prevail, the effectiveness of the ‘username and password’ as the main authentication model has deteriorated.

Password management can be a nightmare for IT, as it reduces department productivity and increases service costs. However, SSO solutions allow administrators to centralize identity management, as end-users utilize a single set of credentials to access every enterprise application.  

Establishing an SSO for PeopleSoft 

PeopleSoft applications are a vital part of an organization’s enterprise architecture, and unfortunately, integrating PeopleSoft into an enterprise Single Sign On can present challenges. This has lead administrators to look to the market for help – and as you evaluate an SSO solution for PeopleSoft, you should ALWAYS ask these 6 questions – the answer will be the difference between project success and failure:

How Does Your Product Interact with PeopleSoft?   

To successfully implement an SSO solution, organizations first need to integrate all applications with a centralized ID provider. Most popular ID providers such as Microsoft Azure Active Directory, OKTA, etc., use SAML – the open federation standard that allows identity providers (IdP) to communicate with enterprise applications.  

Many off-the-shelf SSO vendors claim to support PeopleSoft. However, they ignore the fact that PeopleSoft applications do not natively support SAML. With a conventional SSO solution, PeopleSoft applications are likely to stay alienated from the rest of the organization’s business applications. Organizations must ensure that their SSO provider addresses the SAML problem upfront. Or it can lead to a ripple of problems with the implementation (ex. inflated budget, time lines, complexity, etc.) 

Is There a Need for Customizations?

Exclusive to PeopleSoft, most SSO providers are required to build an extensive framework of customizations. Customizations demand extra resources and prolong the implementation timeline – thus, increasing the project liability. Even after that, custom SSO solutions can be insecure, fragile, lack functionality for some transactions, and be prone to problems that are difficult to troubleshoot. Moreover, building and maintaining a customized framework requires both coding and PeopleTools expertise – which is a rare skill combination. Alternatively, PeopleSoft customers can seek a configurable SSO based on logic workflows built outside of the PeopleCode. 

Are there Additional Hardware/Server Requirements?   

In most cases, organizations will be required to purchase additional hardware to support the customizations designed to simulate communication between PeopleSoft and their respective Identity Provider. The procurement of new infrastructure (reverse proxy servers) is not ideal and can result in unexpected project budget overruns. 

Does the Solution Support Deep Embedded Links? 

One of the primary benefits of an SSO solution is allowing users to bypass login with the use of deep links or embedded links. These links, when sent to a user, can take them to a specific transaction using the previously authenticated SSO session. Thus, saving time and increasing user satisfaction and productivity. However, most off-the-shelf SSO providers don’t support this functionality. With increasing remote access on mobile devices, deep-link navigation can be important to usability and engagement. For instance, a user can go straight to an intended transaction by following a link (sent via email, text, etc.) even if they are required to authenticate an SSO session on a device they don’t use frequently.  

How Does the Solution Impact PeopleTools Lifecycle Management? 

PeopleSoft’s native functionality is continuously evolving with every single image released via the PeopleSoft Update Manager (PUM). These updates include frequent changes in the authentication model, which means that a customized solution would demand excessive upgrade and alteration with each update. The constant need for upkeep can adversely affect the adequate use of customer resources and time, making room for an increased scope of errors and subsequent troubleshooting. 

What if We Decide to Switch an SSO Identity Provider? 

One of the most important decisions organizations need to make while choosing an SSO solution is the flexibility of adaptation if and when they decide to switch SSO identity providers. Ideally, organizations must look for a configurable SSO instead of a coded (customized) one. The reason being, when an organization plans to switch to a new SSO identity provider, a custom solution would require building a whole integration framework. Therefore, a custom SSO can prove tedious and time-consuming, unlike a configurable SSO that can allow a seamless switch. 

Appsian’s PeopleSoft SSO Connector  

Designed to create a simple, extensible, and easy-to-maintain approach to the implementation of modern authentication, Appsian’s PeopleSoft SSO Connector is the only turnkey solution for native SAML-compatibility in PeopleSoft – enabling customers to:

  • Leverage existing investment in SSO solutions with PSFT 
  • Authenticate PSFT sessions via SAML-based Identity Providers 
  • Access PeopleSoft via deep link navigation  
  • Support multiple IdPs concurrently 
  • Deploy SSO for PeopleSoft in as quick at 7 days  
  • Implemented without additional hardware or custom coding  

To learn more, Request a Demo with a PeopleSoft security expert or write to us at info@appsian.com

Stay Updated

Security

December is Prime “ERP Data Breach” Season… Be Prepared!

By Scott Lavery • November 28, 2018

Establishing security best practices for your PeopleSoft applications is always a work in progress. As newer, more advanced threats come to light, staying current can feel like a daunting task. While PeopleSoft systems are inherently robust and secure, a constantly evolving threat landscape, PLUS new data regulations have paved the way for several necessary security enhancements. As the end of 2018 draws near, now more than ever, organizations must be aware of the myriad of threats that are well-aware that “year-end” bonus season is coming… and are preparing their tactics to redirect your employees hard-earned payroll/bonuses.

What is the weakest link in your ERP security chain?

Threats today have become increasingly user-centric. The targets for malicious hackers have shifted from entire networks to applications. By leveraging phishing and social engineering attacks, most ERP breaches are now originating from the unauthorized use of valid login credentials – stolen directly from the user themselves. Thus, making your users (and their passwords) by far, the weakest link in your security chain.

Recommendations for mitigating the “human error” element

Inspired by dozens of successful PeopleSoft security projects, security experts at Appsian have compiled a list of best practices that every organization must utilize, and details the steps that should be taken to implement a layered approach to securing PeopleSoft. Rather than solely focusing security efforts on the perimeter, we will discuss how your sensitive data can be protected from malicious intruders (and even insiders) who are able to access PeopleSoft with valid credentials:

  • Enabling SAML for centralized identity management and establishing a single sign-on to reduce the risk caused by users having multiple (potentially) weak passwords.
  • Expanding traditional multi-factor authentication from login-only to field, page and component levels to ensure data protection from insider threats.
  • Employing location-based security to enforce least privilege access when sensitive systems are being accessed from outside your corporate network.
  • Enhancing data masking to alleviate challenges posed by static role-based masking rules and reduce unwanted exposure of sensitive data fields.
  • Extending logging capabilities to be compliance-ready with 360-degree awareness of what going on inside your PeopleSoft systems and user activity.
  • Bringing real-time visibility to breaches, suspicious events, and potential vulnerabilities by incorporating security analytics to your PeopleSoft security infrastructure.

Download the whitepaper to learn more about the best practices for achieving an end-to-end security and compliance strategy.

Download Your Whitepaper!

On a time-crunch? Request a quick session with our PeopleSoft security experts.

Contact Us Today!

 

1. https://info.digitalshadows.com/ERPApplicationsUnderFire-Press.html
2. https://www.us-cert.gov/ncas/current-activity/2018/07/25/Malicious-Cyber-Activity-Targeting-ERP-Applications
3. https://www.cyberark.com/resource/cyberark-global-advanced-threat-landscape-report-2018/

Stay Updated