Tutorial: Configure Datawiza to enable Azure Active Directory Multi-Factor Authentication and single sign-on to Oracle PeopleSoft

Article
01/25/2023
5 minutes to read

In this tutorial, learn how to enable Azure Active Directory (Azure AD) single sign-on (SSO) and Azure AD Multi-Factor Authentication (MFA) for an Oracle PeopleSoft application using Datawiza Access Proxy (DAP).

Learn more: Datawiza Access Proxy

Benefits of integrating applications with Azure AD using DAP:

Embrace proactive security with Zero Trust - a security model that adapts to modern environments and embraces hybrid workplace, while it protects people, devices, apps, and data
Azure Active Directory single sign-on - secure and seamless access for users and apps, from any location, using a device
How it works: Azure AD Multi-Factor Authentication - users are prompted during sign-in for forms of identification, such as a code on their cellphone or a fingerprint scan
What is Conditional Access? - policies are if-then statements, if a user wants to access a resource, then they must complete an action
Easy authentication and authorization in Azure AD with no-code Datawiza - use web applications such as: Oracle JDE, Oracle E-Business Suite, Oracle Sibel, and home-grown apps
Use the Datawiza Cloud Management Console (DCMC) - manage access to applications in public clouds and on-premises

Scenario description

This scenario focuses on Oracle PeopleSoft application integration using HTTP authorization headers to manage access to protected content.

In legacy applications, due to the absence of modern protocol support, a direct integration with Azure AD SSO is difficult. Datawiza Access Proxy (DAP) bridges the gap between the legacy application and the modern ID control plane, through protocol transitioning. DAP lowers integration overhead, saves engineering time, and improves application security.

Scenario architecture

The scenario solution has the following components:

Azure AD - identity and access management service that helps users sign in and access external and internal resources
Datawiza Access Proxy (DAP) - container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It passes identity transparently to applications through HTTP headers.
Datawiza Cloud Management Console (DCMC) - administrators manage DAP with UI and RESTful APIs to configure DAP and access control policies
Oracle PeopleSoft application - legacy application to be protected by Azure AD and DAP

Learn more: Datawiza and Azure AD authentication architecture

Prerequisites

Ensure the following prerequisites are met.

An Azure subscription
- If you don't have one, you can get an Azure free account
An Azure AD tenant linked to the Azure subscription
- See, Quickstart: Create a new tenant in Azure Active Directory
Docker and Docker Compose
- Go to docs.docker.com to Get Docker and Install Docker Compose
User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to an on-premises directory
- See, Azure AD Connect sync: Understand and customize synchronization
An account with Azure AD and the Application Administrator role
- See, Azure AD built-in roles, all roles
An Oracle PeopleSoft environment
(Optional) An SSL web certificate to publish services over HTTPS. You can use default Datawiza self-signed certs for testing.

Getting started with DAP

To integrate Oracle PeopleSoft with Azure AD:

Sign in to Datawiza Cloud Management Console (DCMC).
The Welcome page appears.
Select the orange Getting started button.
In the Name and Description fields, enter information.
Select Next.
The Add Application dialog appears.
For Platform, select Web.
For App Name, enter a unique application name.
For Public Domain, for example use https://ps-external.example.com. For testing, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the Public Domain port.
For Listen Port, select the port that DAP listens on.
For Upstream Servers, select the Oracle PeopleSoft implementation URL and port to be protected.

Screenshot of entries under Add Application.

Select Next.
On the Configure IdP dialog, enter information.

Note

DCMC has one-click integration to help complete Azure AD configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf in your Azure AD tenant. Learn more at docs.datawiza.com in One Click Integration with Azure AD
Select Create.
The DAP deployment page appears.
Make a note of the deployment Docker Compose file. The file includes the DAP image, the Provisioning Key and Provision Secret, which pulls the latest configuration and policies from DCMC.

Screenshot of three sets of Docker information.

SSO and HTTP headers

DAP gets user attributes from the identity provider (IdP) and passes them to the upstream application with a header or cookie.

The Oracle PeopleSoft application needs to recognize the user. Using a name, the application instructs DAP to pass the values from the IdP to the application through the HTTP header.

In Oracle PeopleSoft, from the left navigation, select Applications.
Select the Attribute Pass subtab.
For Field, select email.
For Expected, select PS_SSO_UID.
For Type, select Header.

Note

This configuration uses Azure AD user principal name as the sign-in username for Oracle PeopleSoft. To use another user identity, go to the Mappings tab.

SSL Configuration

Select the Advanced tab.
Select Enable SSL.
From the Cert Type dropdown, select a type.
For testing the configuration, there's a self-signed certificate.

Note

You can upload a certificate from a file.
Select Save.

Enable Azure AD Multi-Factor Authentication

To provide more security for sign-ins, you can enforce Azure AD Multi-Factor Authentication (MFA).

Learn more: Tutorial: Secure user sign-in events with Azure AD MFA

Sign in to the Azure portal as a Global Administrator.
Select Azure Active Directory > Manage > Properties.
Under Properties, select Manage security defaults.
Under Enable Security defaults, select Yes
Select Save.

Enable SSO in the Oracle PeopleSoft console

To enable SSO in the Oracle PeopleSoft environment:

Sign in to the PeopleSoft Consol http://{your-peoplesoft-fqdn}:8000/psp/ps/?cmd=start using Admin credentials, for example, PS/PS.
Add a default public access user to PeopleSoft.
From the main menu, navigate to PeopleTools > Security > User Profiles > User Profiles > Add a New Value.
Select Add a new value.
Create user PSPUBUSER.
Enter the password.
Select the ID tab.
For ID Type, select None.
Navigate to PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Security.
Under Public Users, select the Allow Public Access box.
For User ID, enter PSPUBUSER.
Enter the password.
Select Save.
To enable SSO, navigate to PeopleTools > Security > Security Objects > Signon PeopleCode.
Select the Sign on PeopleCode page.
Enable OAMSSO_AUTHENTICATION.
Select Save.
To configure PeopleCode using the PeopleTools application designer, navigate to File > Open > Definition: Record > Name: FUNCLIB_LDAP.
Open FUNCLIB_LDAP.
Select the record.
Select LDAPAUTH > View PeopleCode.
Search for the getWWWAuthConfig() function Change &defaultUserId = ""; to &defaultUserId = PSPUBUSER.
Confirm the user Header is PS_SSO_UID for OAMSSO_AUTHENTICATION function.
Save the record definition.

Test an Oracle PeopleSoft application

To test an Oracle PeopleSoft application, validate application headers, policy, and overall testing. If needed, use header and policy simulation to validate header fields and policy execution.

To confirm Oracle PeopleSoft application access occurs correctly, a prompt appears to use an Azure AD account for sign-in. Credentials are checked and the Oracle PeopleSoft appears.

Next steps

Video: Enable SSO and MFA for Oracle JD Edwards with Azure AD via Datawiza
Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza
Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access
Go to docs.datawiza.com for Datawiza User Guides