Don’t Risk the Security of your Data by Customizing an SSO Integration for PeopleSoft
I was on a discovery call recently, and the Senior Software Engineer shared how they’re “ripping out” a custom-built (for PeopleSoft) single sign-on solution (SSO). After acquiring an enterprise SSO, they attempted to build a custom integration with PeopleSoft that presented far more challenges than benefits – especially when users attempted to access with a deep link. Now they’re looking to remove the solution along with the additional infrastructure that was required.
And here’s the sad part: they’re not the first organization I’ve encountered this month who are experiencing the same challenge. Across all verticals including healthcare, higher education, government, retail and more – PeopleSoft customers are rethinking their decision to enable their enterprise SSO solutions with custom coding, external gateway agents, and reverse proxies. Alternatively, implementing solutions that feature native SAML authentication handlers.
Your Custom Single Sign-On Integration Was Not Designed with ERP Data Security in Mind
These projects often start with the IT department recognizing that it can solve a business requirement by building the solution themselves or by using a generic gateway with copy-and-paste code off an internet forum. The main motivation? They possibly save the company some money, bypass the need for approvals or budget, and check a project off their list. Easy-peasy, right? As highlighted in the example above, it’s not always that straight forward.
Often, these projects lack a thoughtful mindset and instead leverage code that is many years old, unsupported and public to developers and hackers alike. Here lies one of the biggest problems with customizing PeopleSoft for SSO authentication. Getting the integration to work “well enough” is often the goal, and since developers are not information security professionals – they may not have considered the ramifications of using code that hackers can reverse engineer, potentially exploiting loopholes to gain unauthorized access. As a former PSAdmin who personally retrofitted a custom PeopleSoft SSO solution in my past life, I can tell you that security implications are not on the forefront. Between IT wanting to be a good partner to the business and drowning in long-haul projects, “good enough” was often the goal.
The “Typical” Custom Single Sign-On Approach
There are a few ways to approach building a custom SSO solution. You could try linking SAML open-source code libraries, using reverse proxies, or having an external agent handle it. These solutions seem relatively simple at the outset, but the introduced vulnerabilities are often not obvious or ignored. The end result is that the SSO “works” but is plagued by technical, functional, and security issues once in production.
Linking SAML Open Source Code Libraries
A custom coding project typically begins with a review of PeopleBooks and a Google search to find a relatively quick way to write the code. PeopleCode allows you to link external open source java libraries inside PeopleSoft. This is code that you’re literally pulling from an old blog and has not been reviewed since the author first published it. Imagine using code from 2007 to secure your custom single sign-on project. It would never pass a security review!
Secondly, developing a solution yourself is tricky. It isn’t easy to write software that deals with passwords, identity, and authentication. Reputable IdPs spend tens of thousands of man-hours designing, coding, and testing, then supporting their solutions. The lone developer who built your custom solution is now responsible for supporting, maintaining, and upgrading the code. That’s excellent job security for him but a security liability for you.
Reverse Proxies, Gateways, and External Authentication Agents
This one is probably a favorite with system administrators who want to support a multitude of non-SAML apps with a one-size-fits-all solution. I’ve also implemented SSO like this in the past, so I can speak from experience about how this works and its risks.
The short version of how this works is that the authentication is offloaded to a reverse-proxy, an agent, or a gateway, that sits outside PeopleSoft. Once the authentication process is successfully completed, only then is a connection made to PeopleSoft, and the authenticated user-ID passed to the HTTP header. Then that request has to be trusted by a custom Sign-on PeopleCode.
Aside from the risky firewall configuration, another issue here is that it needs to be scaled carefully for bandwidth because all of the requests will now go through a new server and several new applications to complete the process. Now you have additional hardware, software, and customizations to maintain and patch in addition to your regular PeopleSoft duties.
Why a Native SAML Handler is Best Practice
SSO is critical to help you increase your security posture within your organization while keeping your customers happy, so I don’t want to sound negative, and I’m not trying to put you off on installing an SSO solution in your environment. Instead, I want to make sure you do it correctly and aligned to security best practices.
My advice is to use a solution that natively supports a SAML authentication handler and seamlessly and securely passes the token to PeopleSoft built-in authentication without customizations. The term “native” is extremely important here! The lack of native support is a critical issue that plagues custom solutions, creating more hoops to jump through to complete the project.
Fortunately, Appsian delivers the SAML integration layer required to connect PeopleSoft, an IdP, and your enterprise Single Sign-On. This solution is natively installed right into the PeopleSoft Internet Architecture (PIA) and does not require the use of proxy servers, agents, or gateways. Furthermore, there are zero customizations, simple configuration with extensive support for SAML attributes, user-mapping, and the support and maintenance is offloaded from your team.
There is Beauty in Customization but Comfort in ERP Data Security
Part of PeopleSoft’s beauty and power is that you can customize the system to improve your business processes. However, one thing you shouldn’t take into your own hands is authentication, and indirectly, security. Your IT team, system admins, and developers should spend their time supporting and customizing your system to provide outstanding service to the business units and keeping the system running smoothly. Why add more hardware, software, applications, and customization than necessary?
Contact us today to learn how Appsian solves the SAML integration challenge by providing the only configurable SSO for PeopleSoft.
It’s not uncommon for higher education institutions to approach us (with great haste) about our Single Sign-On (SSO) solution for PeopleSoft Campus Solutions. Lately, I’ve noticed an uptick in the urgency. Nobody’s hair is literally on fire, but after speaking with a handful of universities, it sure feels that urgent. Here’s what’s happening.
The COVID-19 Pivot Strikes Again
When COVID-19 first caused colleges and universities to shut down their campuses and rapidly switch to online learning, that was their primary focus. Pretty much all non-essential IT (and PeopleSoft) projects were immediately put on hold. After an intense focus on student, staff, and faculty safety and performing herculean feats to enable remote learning and remote access for thousands, IT departments are back to focusing on data security and access.
This summer, many institutions around the country were cautiously optimistic they could reopen in the fall and were making plans to welcome back faculty and students into something they hope will resemble normal campus life. IT and security teams were also busy, reviewing priorities, projects, and budgets. They know that thousands of students, faculty, and staff depend on the institution’s applications to keep operations running smoothly.
Unfortunately, all this planning and optimism might be for naught. Almost daily, universities that had released detailed plans for in-person classes in the Fall have reversed themselves and said they will go almost entirely online. Because of these sudden changes, some IT departments are quickly pivoting to adapt their systems to better handle remote access and excessive self-service demands.
And that’s the urgency we’re experiencing: To improve productivity, enhance security, and improve the overall user experience, universities are (urgently) turning to a SAML SSO solution for PeopleSoft Campus Solutions. Why? Because the first step in addressing usability is ensuring authentication is secure, without causing user friction.
Enable PeopleSoft SSO with SAML-Based IdPs
The good news is that Appsian can help universities meet this urgent request in two weeks or less. We provide the only turnkey SAML integration solution for PeopleSoft without any custom development or additional hardware. You can allow thousands of users (students and faculty) to access multiple applications, not just PeopleSoft, using a single login on any device.
Customers can also use multiple IdPs concurrently, including Okta, Ping, ADFS, Shibboleth, Azure, and more, ensuring that any patchwork of systems used across groups, buildings, and departments are accessible and secure.
The More Things Change, the More Changes You Have to Make
COVID-19 has utterly wrecked the college experience for students, but requirements for accessing and securing applications for the upcoming school year haven’t changed for IT departments.
What’s changed is the urgency to make sure that applications, data, transactions, and lectures are accessible and secure.
At the end of the day, institutions must pivot their operations to ensure that applications can be seamlessly accessed. For no other reason than friction causes abandon – and when students are 100% virtual, abandon is far more likely.
The quickest way to improve usability and security for PeopleSoft Campus Solutions is with a SAML Single Sign-On SSO.
Contact us today to learn how you can make this happen in 2 weeks!
Establishing security best practices for your PeopleSoft applications is always a work in progress. As newer, more advanced threats come to light, staying current can feel like a daunting task. While PeopleSoft systems are inherently robust and secure, a constantly evolving threat landscape, PLUS new data regulations have paved the way for several necessary security enhancements. As the end of 2018 draws near, now more than ever, organizations must be aware of the myriad of threats that are well-aware that “year-end” bonus season is coming… and are preparing their tactics to redirect your employees hard-earned payroll/bonuses.
What is the weakest link in your ERP security chain?
Threats today have become increasingly user-centric. The targets for malicious hackers have shifted from entire networks to applications. By leveraging phishing and social engineering attacks, most ERP breaches are now originating from the unauthorized use of valid login credentials – stolen directly from the user themselves. Thus, making your users (and their passwords) by far, the weakest link in your security chain.
Recommendations for mitigating the “human error” element
Inspired by dozens of successful PeopleSoft security projects, security experts at Appsian have compiled a list of best practices that every organization must utilize, and details the steps that should be taken to implement a layered approach to securing PeopleSoft. Rather than solely focusing security efforts on the perimeter, we will discuss how your sensitive data can be protected from malicious intruders (and even insiders) who are able to access PeopleSoft with valid credentials:
- Enabling SAML for centralized identity management and establishing a single sign-on to reduce the risk caused by users having multiple (potentially) weak passwords.
- Expanding traditional multi-factor authentication from login-only to field, page and component levels to ensure data protection from insider threats.
- Employing location-based security to enforce least privilege access when sensitive systems are being accessed from outside your corporate network.
- Enhancing data masking to alleviate challenges posed by static role-based masking rules and reduce unwanted exposure of sensitive data fields.
- Extending logging capabilities to be compliance-ready with 360-degree awareness of what going on inside your PeopleSoft systems and user activity.
- Bringing real-time visibility to breaches, suspicious events, and potential vulnerabilities by incorporating security analytics to your PeopleSoft security infrastructure.
Download the whitepaper to learn more about the best practices for achieving an end-to-end security and compliance strategy.
On a time-crunch? Request a quick session with our PeopleSoft security experts.