Tutorial: Configure Datawiza to enable Microsoft Entra multifactor authentication and single sign-on to Oracle PeopleSoft

In this tutorial, learn how to enable Microsoft Entra single sign-on (SSO) and Microsoft Entra multifactor authentication for an Oracle PeopleSoft application using Datawiza Access Proxy (DAP).

Learn more: Datawiza Access Proxy

Benefits of integrating applications with Microsoft Entra ID using DAP:

Scenario description

This scenario focuses on Oracle PeopleSoft application integration using HTTP authorization headers to manage access to protected content.

In legacy applications, due to the absence of modern protocol support, a direct integration with Microsoft Entra SSO is difficult. Datawiza Access Proxy (DAP) bridges the gap between the legacy application and the modern ID control plane, through protocol transitioning. DAP lowers integration overhead, saves engineering time, and improves application security.

Scenario architecture

The scenario solution has the following components:

  • Microsoft Entra ID - identity and access management service that helps users sign in and access external and internal resources
  • Datawiza Access Proxy (DAP) - container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It passes identity transparently to applications through HTTP headers.
  • Datawiza Cloud Management Console (DCMC) - administrators manage DAP with UI and RESTful APIs to configure DAP and access control policies
  • Oracle PeopleSoft application - legacy application to be protected by Microsoft Entra ID and DAP

Learn more: Datawiza and Microsoft Entra authentication architecture

Prerequisites

Ensure the following prerequisites are met.

Getting started with DAP

To integrate Oracle PeopleSoft with Microsoft Entra ID:

  1. Sign in to Datawiza Cloud Management Console (DCMC).

  2. The Welcome page appears.

  3. Select the orange Getting started button.

    Screenshot of the Getting Started button.

  4. In the Name and Description fields, enter information.

    Screenshot of the Name field under Deployment Name.

  5. Select Next.

  6. The Add Application dialog appears.

  7. For Platform, select Web.

  8. For App Name, enter a unique application name.

  9. For Public Domain, for example use https://ps-external.example.com. For testing, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the Public Domain port.

  10. For Listen Port, select the port that DAP listens on.

  11. For Upstream Servers, select the Oracle PeopleSoft implementation URL and port to be protected.

Screenshot of entries under Add Application.

  1. Select Next.
  2. On the Configure IdP dialog, enter information.

Note

DCMC has one-click integration to help complete Microsoft Entra configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf in your Microsoft Entra tenant. Learn more at docs.datawiza.com in One Click Integration with Microsoft Entra ID

  1. Select Create.

Screenshot of entries under Configure IDP.

  1. The DAP deployment page appears.
  2. Make a note of the deployment Docker Compose file. The file includes the DAP image, the Provisioning Key and Provision Secret, which pulls the latest configuration and policies from DCMC.

Screenshot of three sets of Docker information.

SSO and HTTP headers

DAP gets user attributes from the identity provider (IdP) and passes them to the upstream application with a header or cookie.

The Oracle PeopleSoft application needs to recognize the user. Using a name, the application instructs DAP to pass the values from the IdP to the application through the HTTP header.

  1. In Oracle PeopleSoft, from the left navigation, select Applications.

  2. Select the Attribute Pass subtab.

  3. For Field, select email.

  4. For Expected, select PS_SSO_UID.

  5. For Type, select Header.

    Screenshot of the Attribute Pass feature with Field, Expected and Type entries.

    Note

    This configuration uses Microsoft Entra user principal name as the sign-in username for Oracle PeopleSoft. To use another user identity, go to the Mappings tab.

    Screenshot of user principal name.

SSL Configuration

  1. Select the Advanced tab.

    Screenshot of the Advanced tab under Application Detail.

  2. Select Enable SSL.

  3. From the Cert Type dropdown, select a type.

    Screenshot of the Cert Type dropdown with available options, Self-signed and Upload.

  4. For testing the configuration, there's a self-signed certificate.

    Screenshot of the Cert Type option with Self Signed selected.

    Note

    You can upload a certificate from a file.

    Screenshot of the File Based entry for Select Option under Advanced Settings.

  5. Select Save.

Enable Microsoft Entra multifactor authentication

Tip

Steps in this article might vary slightly based on the portal you start from.

To provide more security for sign-ins, you can enforce Microsoft Entra multifactor authentication.

Learn more: Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication

  1. Sign in to the Microsoft Entra admin center as an Application Administrator.
  2. Browse to Identity > Overview > Properties tab.
  3. Under Security defaults, select Manage security defaults.
  4. On the Security defaults pane, toggle the dropdown menu to select Enabled.
  5. Select Save.

Enable SSO in the Oracle PeopleSoft console

To enable SSO in the Oracle PeopleSoft environment:

  1. Sign in to the PeopleSoft Console http://{your-peoplesoft-fqdn}:8000/psp/ps/?cmd=start using Admin credentials, for example, PS/PS.

    Screenshot that shows Oracle PeopleSoft console.

  2. Add a default public access user to PeopleSoft.

  3. From the main menu, navigate to PeopleTools > Security > User Profiles > User Profiles > Add a New Value.

  4. Select Add a new value.

  5. Create user PSPUBUSER.

  6. Enter the password.

    Screenshot of the PS PUBUSER User ID and change-password option.

  7. Select the ID tab.

  8. For ID Type, select None.

    Screenshot of the None option for ID Type on the ID tab.

  9. Navigate to PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Security.

  10. Under Public Users, select the Allow Public Access box.

  11. For User ID, enter PSPUBUSER.

  12. Enter the password.

    Screenshot of Allow Public Access, User ID, and Password options.

  13. Select Save.

  14. To enable SSO, navigate to PeopleTools > Security > Security Objects > Signon PeopleCode.

  15. Select the Sign on PeopleCode page.

  16. Enable OAMSSO_AUTHENTICATION.

  17. Select Save.

  18. To configure PeopleCode using the PeopleTools application designer, navigate to File > Open > Definition: Record > Name: FUNCLIB_LDAP.

  19. Open FUNCLIB_LDAP.

    Screenshot of the Open Definition dialog.

  20. Select the record.

  21. Select LDAPAUTH > View PeopleCode.

  22. Search for the getWWWAuthConfig() function Change &defaultUserId = ""; to &defaultUserId = PSPUBUSER.

  23. Confirm the user Header is PS_SSO_UID for OAMSSO_AUTHENTICATION function.

  24. Save the record definition.

    Screenshot of the record definition.

Test an Oracle PeopleSoft application

To test an Oracle PeopleSoft application, validate application headers, policy, and overall testing. If needed, use header and policy simulation to validate header fields and policy execution.

To confirm Oracle PeopleSoft application access occurs correctly, a prompt appears to use a Microsoft Entra account for sign-in. Credentials are checked and the Oracle PeopleSoft appears.

Next steps