|
| 1 | +--- |
| 2 | +title: Configure Azure AD Multi-Factor Authentication and SSO for Oracle PeopleSoft applications using Datawiza Access Broker |
| 3 | +description: Enable Azure Active Directory Multi-Factor Authentication and SSO for Oracle PeopleSoft application using Datawiza Access Broker |
| 4 | +services: active-directory |
| 5 | +author: gargi-sinha |
| 6 | +manager: martinco |
| 7 | +ms.service: active-directory |
| 8 | +ms.subservice: app-mgmt |
| 9 | +ms.topic: how-to |
| 10 | +ms.workload: identity |
| 11 | +ms.date: 9/12/2022 |
| 12 | +ms.author: gasinh |
| 13 | +ms.collection: M365-identity-device-management |
| 14 | +--- |
| 15 | + |
| 16 | +# Tutorial: Configure Datawiza to enable Azure Active Directory Multi-Factor Authentication and single sign-on to Oracle PeopleSoft |
| 17 | + |
| 18 | +This tutorial shows how to enable Azure Active Directory (Azure AD) single sign-on (SSO) and Azure AD Multi-Factor Authentication for an |
| 19 | +Oracle PeopleSoft application using Datawiza Access Broker (DAB). |
| 20 | + |
| 21 | +Benefits of integrating applications with Azure AD using DAB include: |
| 22 | + |
| 23 | +- [Proactive security with Zero Trust](https://www.microsoft.com/security/business/zero-trust) through [Azure AD SSO](https://azure.microsoft.com/solutions/active-directory-sso/OCID=AIDcmm5edswduu_SEM_e13a1a1787ce1700761a78c235ae5906:G:s&ef_id=e13a1a1787ce1700761a78c235ae5906:G:s&msclkid=e13a1a1787ce1700761a78c235ae5906#features), [Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md) and |
| 24 | + [Conditional Access](../conditional-access/overview.md). |
| 25 | + |
| 26 | +- [Easy authentication and authorization in Azure AD with no-code Datawiza](https://www.microsoft.com/security/blog/2022/05/17/easy-authentication-and-authorization-in-azure-active-directory-with-no-code-datawiza/). Use of web applications such as: Oracle JDE, Oracle E-Business Suite, Oracle Sibel, and home-grown apps. |
| 27 | + |
| 28 | +- Use the [Datawiza Cloud Management Console](https://console.datawiza.com), to manage access to applications in public clouds and on-premises. |
| 29 | + |
| 30 | +## Scenario description |
| 31 | + |
| 32 | +This scenario focuses on Oracle PeopleSoft application integration using |
| 33 | +HTTP authorization headers to manage access to protected content. |
| 34 | + |
| 35 | +In legacy applications, due to the absence of modern protocol support, a |
| 36 | +direct integration with Azure AD SSO is difficult. Datawiza Access |
| 37 | +Broker (DAB) bridges the gap between the legacy application and the |
| 38 | +modern ID control plane, through protocol transitioning. DAB lowers |
| 39 | +integration overhead, saves engineering time, and improves application |
| 40 | +security. |
| 41 | + |
| 42 | +## Scenario architecture |
| 43 | + |
| 44 | +The scenario solution has the following components: |
| 45 | + |
| 46 | +- **Azure AD**: The Microsoft cloud-based identity and access management service, which helps users sign in and access external and internal resources. |
| 47 | + |
| 48 | +- **Datawiza Access Broker (DAB)**: A lightweight container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It transparently passes identity to applications through HTTP headers. |
| 49 | + |
| 50 | +- **Datawiza Cloud Management Console (DCMC)**: A centralized console to manage DAB. DCMC has UI and RESTful APIs for administrators to configure Datawiza Access Broker and access control policies. |
| 51 | + |
| 52 | +- **Oracle PeopleSoft application**: Legacy application going to be protected by Azure AD and DAB. |
| 53 | + |
| 54 | +Understand the SP initiated flow by following the steps mentioned in [Datawiza and Azure AD authentication architecture](https://docs.microsoft.com/azure/active-directory/manage-apps/datawiza-with-azure-ad#datawiza-with-azure-ad-authentication-architecture). |
| 55 | + |
| 56 | +## Prerequisites |
| 57 | + |
| 58 | +Ensure the following prerequisites are met. |
| 59 | + |
| 60 | +- An Azure subscription. If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free) |
| 61 | + |
| 62 | +- An Azure AD tenant linked to the Azure subscription. |
| 63 | + |
| 64 | + - See, [Quickstart: Create a new tenant in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) |
| 65 | + |
| 66 | +- Docker and Docker Compose |
| 67 | + |
| 68 | + - Go to docs.docker.com to [Get Docker](https://docs.docker.com/get-docker) and [Install Docker Compose](https://docs.docker.com/compose/install). |
| 69 | + |
| 70 | +- User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to an on-premises directory. |
| 71 | + |
| 72 | + - See, [Azure AD Connect sync: Understand and customize synchronization](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis). |
| 73 | + |
| 74 | +- An account with Azure AD and the Application administrator role |
| 75 | + |
| 76 | + - See, [Azure AD built-in roles, all roles](https://docs.microsoft.com/azure/active-directory/roles/permissions-reference#all-roles). |
| 77 | + |
| 78 | +- An Oracle PeopleSoft environment |
| 79 | + |
| 80 | +- (Optional) An SSL web certificate to publish services over HTTPS. You can also use default Datawiza self-signed certs for testing. |
| 81 | + |
| 82 | +## Getting started with DAB |
| 83 | + |
| 84 | +To integrate Oracle PeopleSoft with Azure AD: |
| 85 | + |
| 86 | +1. Sign in to [Datawiza Cloud Management Console.](https://console.datawiza.com/) |
| 87 | + |
| 88 | +2. The Welcome page appears. |
| 89 | + |
| 90 | +3. Select the orange **Getting started** button. |
| 91 | + |
| 92 | +  |
| 93 | + |
| 94 | +4. In the Name and Description fields, enter the relevant information. |
| 95 | + |
| 96 | + > |
| 97 | +
|
| 98 | +5. Select **Next**. |
| 99 | + |
| 100 | +6. On the Add Application dialog, use the following values: |
| 101 | + |
| 102 | + | Property | Value | |
| 103 | + |:-----------|:-------------| |
| 104 | + | Platform | Web | |
| 105 | + | App Name | Enter a unique application name| |
| 106 | + | Public Domain | For example: https://ps-external.example.com <br>For testing, you can use localhost DNS. If you aren't deploying DAB behind a load balancer, use the Public Domain port. | |
| 107 | + | Listen Port | The port that DAB listens on. | |
| 108 | + | Upstream Servers | The Oracle PeopleSoft implementation URL and port to be protected.| |
| 109 | + |
| 110 | +  |
| 111 | + |
| 112 | +7. Select **Next**. |
| 113 | + |
| 114 | +8. On the Configure IdP dialog, enter the relevant information. |
| 115 | + |
| 116 | + >[!Note] |
| 117 | + >DCMC has [one-click integration](https://docs.datawiza.com/tutorial/web-app-azure-one-click.html) to help complete Azure AD configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf in your Azure AD tenant. |
| 118 | +
|
| 119 | +9. Select **Create**. |
| 120 | + |
| 121 | +  |
| 122 | + |
| 123 | +10. The DAB deployment page appears. |
| 124 | + |
| 125 | +11. Make a note of the deployment Docker Compose file. The file includes the DAB image, also the Provisioning Key and Provision Secret, which pulls the latest configuration and policies from DCMC. |
| 126 | + |
| 127 | +  |
| 128 | + |
| 129 | +## SSO and HTTP headers |
| 130 | + |
| 131 | +DAB gets user attributes from the Identity provider (IdP) and passes them to the upstream application with a header or cookie. |
| 132 | + |
| 133 | +For the Oracle PeopleSoft application to recognize the user correctly, there's another configuration step. Using a certain name, it instructs DAB to pass the values from the IdP to the application through the HTTP header. |
| 134 | + |
| 135 | +1. In Oracle PeopleSoft, from the left navigation, select **Applications**. |
| 136 | + |
| 137 | +2. Select the **Attribute Pass** subtab. |
| 138 | + |
| 139 | +3. Use the following values. |
| 140 | + |
| 141 | + | Property | Value | |
| 142 | + |:--------------|:--------------| |
| 143 | + |Field | Email| |
| 144 | + |Expected | PS_SSO_UID | |
| 145 | + |Type | Header| |
| 146 | + |
| 147 | + [ ](./media/access-oracle-peoplesoft-using-datawiza/attribute-pass.png#lightbox) |
| 148 | + |
| 149 | + >[!Note] |
| 150 | + >This configuration uses the Azure AD user principal name as the sign in username used by Oracle PeopleSoft. To use another user identity, go to the Mappings tab. |
| 151 | +
|
| 152 | +  |
| 153 | + |
| 154 | +## SSL Configuration |
| 155 | + |
| 156 | +1. Select the **Advanced tab**. |
| 157 | + |
| 158 | + [ ](./media/access-oracle-peoplesoft-using-datawiza/advanced-configuration.png#lightbox) |
| 159 | + |
| 160 | +2. Select **Enable SSL**. |
| 161 | + |
| 162 | +3. From the Cert Type dropdown, select a type. |
| 163 | + |
| 164 | +  |
| 165 | + |
| 166 | +4. For testing purposes, we'll be providing a self-signed certificate. |
| 167 | + |
| 168 | +  |
| 169 | + |
| 170 | + >[!Note] |
| 171 | + >You have the option to upload a certificate from a file. |
| 172 | +
|
| 173 | +  |
| 174 | + |
| 175 | +5. Select **Save**. |
| 176 | + |
| 177 | +## Enable Azure AD Multi-Factor Authentication |
| 178 | + |
| 179 | +To provide an extra level of security for sign-ins, enforce multi-factor authentication (MFA) for user sign-in. One way to achieve this is to [enable MFA on the Azure |
| 180 | +portal](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa). |
| 181 | + |
| 182 | +1. Sign in to the Azure portal as a **Global Administrator**. |
| 183 | + |
| 184 | +2. Select **Azure Active Directory** > **Manage** > **Properties**. |
| 185 | + |
| 186 | +3. Under Properties, select **Manage security defaults**. |
| 187 | + |
| 188 | +4. Under Enable Security defaults, select **Yes** and then **Save**. |
| 189 | + |
| 190 | +## Enable SSO in the Oracle PeopleSoft console |
| 191 | + |
| 192 | +To enable SSO in the Oracle PeopleSoft environment: |
| 193 | + |
| 194 | +1. Sign in PeopleSoft Consol `http://{your-peoplesoft-fqdn}:8000/psp/ps/?cmd=start` using Admin credentials, for example, PS/PS. |
| 195 | + |
| 196 | + [ ](./media/access-oracle-peoplesoft-using-datawiza/peoplesoft-console.png#lightbox) |
| 197 | + |
| 198 | +2. Add a default public access user to PeopleSoft |
| 199 | + |
| 200 | + a. From the main menu, navigate to **PeopleTools > Security > User Profiles > User Profiles > Add a New Value**. |
| 201 | + |
| 202 | + b. Select **Add a new value**. |
| 203 | + |
| 204 | + c. Create user **PSPUBUSER** and enter the password. |
| 205 | + |
| 206 | +  |
| 207 | + |
| 208 | + d. Select the **ID** tab and choose the type as **none**. |
| 209 | + |
| 210 | +  |
| 211 | + |
| 212 | +3. Configure the web profile. |
| 213 | + |
| 214 | + a. Navigate to **PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Security** to configure the user profile. |
| 215 | + |
| 216 | + b. Select the **Allow Public Access** box and then enter the user ID **PSPUBUSER** and password. |
| 217 | + |
| 218 | +  |
| 219 | + |
| 220 | + c. Select **Save**. |
| 221 | + |
| 222 | +4. Enable SSO. |
| 223 | + |
| 224 | + a. Navigate to **PeopleTools > Security > Security Objects > Signon PeopleCode**. |
| 225 | + |
| 226 | + b. Select the **Signon PeopleCode** page. |
| 227 | + |
| 228 | + c. Enable the `OAMSSO_AUTHENTICATION` and then select **Save**. |
| 229 | + |
| 230 | +5. Configure PeopleCode using the PeopleTools application designer. |
| 231 | + |
| 232 | + a. Navigate to **File > Open > Definition: Record > Name: `FUNCLIB_LDAP`**. |
| 233 | + |
| 234 | + b. Open **FUNCLIB_LDAP**. |
| 235 | + |
| 236 | +  |
| 237 | + |
| 238 | + c. Select the record. |
| 239 | + |
| 240 | + d. Select **LDAPAUTH > View PeopleCode** |
| 241 | + |
| 242 | + e. Search for the `getWWWAuthConfig()` function `Change &defaultUserId = ""; to &defaultUserId = PSPUBUSER` |
| 243 | + |
| 244 | + f. Double check the user Header is `PS_SSO_UID` for `OAMSSO_AUTHENTICATION` function. Save the record definition. |
| 245 | + |
| 246 | +  |
| 247 | + |
| 248 | +## Test an Oracle PeopleSoft application |
| 249 | + |
| 250 | +Testing validates the application behaves as expected for URIs. To test an Oracle PeopleSoft application, you validate application headers, policy, and overall testing. If needed, use header and policy simulation to validate header fields and policy execution. |
| 251 | + |
| 252 | +To confirm Oracle PeopleSoft application access occurs correctly, a prompt appears to use an Azure AD account for sign-in. Credentials are checked and the Oracle PeopleSoft appears. |
| 253 | + |
| 254 | +## Next steps |
| 255 | + |
| 256 | +- [Watch the video - Enable SSO/MFA for Oracle PeopleSoft with Azure AD via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90). |
| 257 | + |
| 258 | +- [Configure Datawiza and Azure AD for secure hybrid access](https://docs.microsoft.com/azure/active-directory/manage-apps/datawiza-with-azure-ad) |
| 259 | + |
| 260 | +- [Configure Datawiza with Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/partner-datawiza) |
| 261 | + |
| 262 | +- [Datawiza documentation](https://docs.datawiza.com/) |
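Review bot: The header-trust model this page sets up needs an explicit caveat. Lines 48, 144-145 and 244 show that DAB injects the signed-in user's identity as the `PS_SSO_UID` HTTP header and that `OAMSSO_AUTHENTICATION` in PeopleSoft signs the user in on the strength of that header alone, so any client that can reach the PeopleSoft listener without going through DAB (the `http://{your-peoplesoft-fqdn}:8000` endpoint used on line 194) can set `PS_SSO_UID` itself and sign in as any user, bypassing Azure AD and MFA entirely. Add a step, or a note in the Scenario architecture section, stating that the server listed under "Upstream Servers" (line 108) must accept connections only from the DAB container (firewall rule or network policy), and add a negative check to "Test an Oracle PeopleSoft application" (lines 250-252): a direct request to the upstream carrying a forged `PS_SSO_UID` must fail. Further points, in order of appearance:

- Line 23: the Azure AD SSO link has tracking parameters appended without a `?` (`.../active-directory-sso/OCID=AIDcmm5edswduu_SEM_...&msclkid=...#features`); use the plain `https://azure.microsoft.com/solutions/active-directory-sso/` URL.
- Line 26: "Oracle Sibel" should be "Oracle Siebel", and "Use of web applications such as:" is a fragment; suggest "Supports web applications such as Oracle JDE, Oracle E-Business Suite, Oracle Siebel, and home-grown apps."
- Line 117: the one-click integration has DCMC call Microsoft Graph to create an app registration in the tenant; state which Graph permissions the administrator consents to and that the consent can be reviewed and revoked under Enterprise applications afterward.
- Line 125: the Docker Compose file embeds the Provisioning Key and Provision Secret that authenticate the DAB container to DCMC; say plainly that the file must be handled as a secret (not committed to source control, supplied through an env file or secret store in production), and use one name consistently ("Provisioning Key" and "Provisioning Secret").
- Line 135: "In Oracle PeopleSoft, from the left navigation, select Applications" names the wrong product; the Attribute Pass subtab on line 137 belongs to the Datawiza Cloud Management Console, so this should read "In the DCMC, from the left navigation, select **Applications**."
- Lines 143 and 150: the table maps the `Email` field to `PS_SSO_UID`, but the note says the Azure AD user principal name is the sign-in username; UPN and mail can differ for the same user, so state which attribute is actually sent and which PeopleSoft user ID it is matched against.
- Lines 179-188: security defaults are tenant-wide and cannot be enabled alongside the Conditional Access policies the page advertises on line 24; suggest recommending a Conditional Access policy that requires MFA for the Datawiza app registration, with security defaults as the fallback for tenants without Azure AD Premium.
- Line 194: "Consol" should be "Console", and quoting `PS/PS` as example admin credentials invites leaving the PeopleSoft default in place; say to use an administrator account and note that default credentials must be changed before the environment is exposed.
- Lines 204-216: `PSPUBUSER` becomes the identity of every unauthenticated request once "Allow Public Access" is enabled; add that this account must carry no roles or permission lists beyond what the sign-on page needs, and that the password typed into the web profile on line 216 must be unique to this account.
- Line 242: PeopleCode string literals are double-quoted, so the assignment should read `&defaultUserId = "PSPUBUSER";` rather than `&defaultUserId = PSPUBUSER`.
- Lines 54, 64, 72, 76, 180, 258 and 260: these link to `https://docs.microsoft.com/azure/...` while lines 23-24 use the repo's relative form (`../authentication/...`); use relative links throughout so the build validates them.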
0 commit comments