This section discusses:
PeopleSoft sign in process.
Directory server integration.
Authentication and SignonPeopleCode.
Single signon.
The most common directsign in to the PeopleSoft database is the application server signin.
These are the basicsteps that are taken when the application server signs in to the database:
Initial connection.
The application serverstarts and uses the connect ID and user ID specified in its configurationfile (PSAPPSRV.CFG) to perform the initial connection to the database.
The server performs a SQLSelect statement on the PeopleTools security tables.
After verifying the connectID, the application server performs a Select statement on PeopleToolssecurity tables, such as PSOPRDEFN, PSACCESSPROFILE, and PSSTATUS.Using these tables, the application server authenticates the userand gathers such items as the user ID and password, symbolic ID, accessID, and access password. After the application server has the requiredinformation, it disconnects.
The server reconnects usingthe access ID.
Whenthe system verifies that the access ID is valid, the application serverbegins the persistent connection to the database that all PeopleSoftPure Internet Architecture and Microsoft Windows three-tier clientsuse to access the database. Typically, the users signing in usinga Microsoft Windows workstation are developers using PeopleSoft ApplicationDesigner.
Note: A Microsoft Windowsworkstation attempting a two-tier connection uses the same processas the application server.
PeopleSoft recommendsthat all connectivity be made through either a three-tier MicrosoftWindows client or through the browser. A two-tier connection is notnecessary other than for the application server, PeopleSoft ProcessScheduler, or for a user who will be running upgrades or PeopleSoftData Mover scripts.
Signon PeopleCode doesnot run during a two-tier connection, so maintaining two-tier usersin a directory server is not supported.
PeopleSoft recognizesthat your site uses software produced by numerous vendors, and eachdifferent product requires security authorizations for users. Mostof these products adhere to the model that includes user profilesand roles (or groups) to which users belong. PeopleSoft enables youto integrate your authentication scheme for the PeopleSoft systemwith your existing infrastructure. You can reuse user profiles androles that are already defined within an LDAP directory server.
Organizations typicallystore user profiles in a central repository that serves user informationfor all of the programs that require it. The central repository istypically an LDAP directory server.
A directory server enablesyou to maintain a single, centralized user profile that you can useacross all of your PeopleSoft and non-PeopleSoft applications. Thisapproach reduces redundant maintenance of user information storedseparately throughout your enterprise, and it reduces the possibilityof user information getting out of synchronization.
You always maintainpermission lists and roles by using PeopleTools Security. However,you can maintain user profiles in PeopleTools Security or with anexternal directory server.
You can store PeopleSoftpasswords in the PSOPRDEFN PeopleTools table. You can also store andmaintain user passwords and the rest of the user profile data in anLDAP directory server. PeopleSoft applications retrieve the informationstored in an external directory server using a combination of theUser Profiles component interface and Signon PeopleCode.
If you decide to reuseexisting user profiles stored in a directory server, you don’t needto perform dual maintenance on the two copies of the user data—onecopy in the LDAP server and one copy in PSOPRDEFN. PeopleSoft applicationsensure that the user information stays synchronized. If you configureLDAP authentication, you maintain your user profiles in LDAP and notin PeopleTools Security.
Signon PeopleCode copiesthe most recent user profile data from a directory server to the localdatabase whenever a user signs in. PeopleSoft applications referencethe user information stored in the PeopleSoft database rather thanmaking a call to the directory server each time the system requiresuser profile information. Signon PeopleCode ensures the local databasehas a copy of the most current user profile based on the informationin the directory. Each time the user signs in, Signon PeopleCode checksto see to see if the row in the user profile cache needs to be updated.
The sign in processoccurs as follows:
The user enters a userID and password on the sign in page.
PeopleTools attempts toauthenticate the user against the PSOPRDEFN table.
Signon PeopleCode runs.
The default SignonPeopleCode program updates the user profile based on the current datastored in the directory server.
You can use SignonPeopleCode and business interlinks to synchronize the local copy ofthe user profile with any data source at sign in time; the programthat ships with PeopleTools is designed to synchronize the user profilewith an LDAP directory server only. Because the sign in program isPeopleCode, you can modify it, incorporating any of the PeopleSoftintegration technologies that PeopleCode supports.
To edit the Signon PeopleCodeprogram, you open the LDAP function library record and use the PeopleCodeeditor to customize the PeopleCode programs. Developers who modifythe Signon PeopleCode program need to have a good understanding ofPeopleCode and the integration features it offers.
Note: Only users who signin through PeopleSoft Pure Internet Architecture or three-tier MicrosoftWindows clients take advantage of Signon PeopleCode.
PeopleSoft Pure InternetArchitecture uses browser cookies for seamless single signon acrossall PeopleSoft nodes. A node refers to a database and the applicationservers connected to it. For example, a user can complete a PeopleSoftHuman Resources transaction, and then click a link for a PeopleSoftFinancials transaction without reentering a password. Single signonis especially important to the PeopleSoft Interaction Hub, which aggregatescontent from several different applications and data sources intoa single, integrated display.
