Copyright © 2019, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement

The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into
any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions. The
development, release, and timing of any features
or functionality described for Oracle’s products
remains at the sole discretion of Oracle.


Configuring & Troubleshooting Single Signon


Tom Hassler
Principal Support Engineer - PeopleTools
Presentation Outline

• How PeopleSoft Implements Single Signon
  • Example Transaction
  • Building a Token and Setting a Cookie
• Configuring a typical SSO connection
  • Node Configuration
  • Trusting Nodes
  • Looking at the Logical Layout
• Troubleshooting and Common Issues
  • Where to look
  • Typical Errors



Single Signon Explained

Within the context of PeopleSoft systems, Single
Signon (SSO) means that after a user has been
authenticated by one PeopleSoft application server,
that user can access a second PeopleSoft application
server without entering user ID and password again.

Note: The PeopleSoft Single Signon solution applies
only to PeopleSoft applications. This presentation
doesn’t cover LDAP or External Authentication.



Example Transaction

1. User Signs on to Enterprise Portal (PA)
2. PA Application Server Authenticates User
3. PA Application Server Generates SSO Token
4. Web Server Creates Cookie in User's Browser
5. User Accesses Content Provider Application (CP)
6. CP Web Server Receives PS_TOKEN Cookie
7. CP Application Server Authenticates PS_TOKEN



The Single Signon Token

The following pieces of information are delivered in the token:

• User ID
• Language Code
• Date and Time Issued (Timestamp)
• Issuing System (Default Local Node)
• Signature (SHA1_Hash or Cert)



PS_TOKEN Cookie Example

• Name: PS_TOKEN
• Domain
• Expires: End of session
• Data Field (base64-encoded Token)



Node Configuration

• Default Local Node
• Password/Cert
• Node Type
• URIs
• Trusted Nodes



Node Details



Logical Layout of SSO Communication

Enterprise Portal DB
  Default Local Node: PSFT_PA
    Password=PANODE
    URI=itself
    Trusted Node
  Remote Node: PSFT_CP
    Password=CANODE
    URI=CP Database
    Trusted Node

Content Provider DB
  Default Local Node: PSFT_CP
    Password=CANODE
    URI=itself
    Trusted Node
  Remote Node: PSFT_PA
    Password=PANODE
    URI=PA Database
    Trusted Node

Key points shown in the diagram:
• Default Local Nodes
• Matching Remote Node name
• Password Sync

Portal Nodes – Password sync (PSFT_PA uses PANODE in both databases)
Content Provider Nodes – Password sync (PSFT_CP uses CANODE in both databases)



Common Single Signon Issues:

• Content References use non-SSO nodes.
• AuthTokenDomain must match and be used on all
URI/URL values.
• If systems share a web server, set defaultPort and
defaultScheme in configuration.properties or, in 8.44,
Default Addressing on the Virtual Addressing tab of
the Web Profile.



Common Single Signon Issues (cont.)

• Nodes must be secured with a password or cert.
• The token must be issued by the Default Local Node, and
the remote node in the content provider must have the
same name.
• Nodes must be trusted by the Content Provider
database. Reverse SSO requires that both systems
trust both nodes (as in the example).
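As an added illustration (not PeopleSoft code, and not the real PS_TOKEN layout), the following Python models the token fields listed earlier and the checks the content provider applies when it receives the cookie: issuing node trusted, matching remote node password, signature, timestamp age and local user ID. The field names, the HMAC-SHA1 signature keyed with the node password, the max_age value and the sample node names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Simplified model of a PS_TOKEN-style token (assumption: the real
# PeopleSoft token format is not reproduced). It carries the fields from
# the slide: user ID, language code, timestamp, issuing node, and a
# SHA-1 based signature keyed with the issuing node's password.


def build_token(user_id, lang, issuing_node, node_password, issued_at=None):
    """Issued by the portal's Default Local Node after authenticating the user."""
    issued_at = int(time.time() if issued_at is None else issued_at)
    fields = {"user": user_id, "lang": lang, "node": issuing_node, "ts": issued_at}
    payload = json.dumps(fields, sort_keys=True).encode()
    sig = hmac.new(node_password.encode(), payload, hashlib.sha1).hexdigest()
    return base64.b64encode(payload + b"|" + sig.encode()).decode()


def validate_token(token, trusted_nodes, remote_nodes, local_users,
                   now=None, max_age=3600):
    """Content provider side.
    trusted_nodes: node names trusted for SSO (as in PSTRUSTNODES).
    remote_nodes:  {remote node name: password} from the node definitions.
    local_users:   user IDs that exist in the content provider database.
    Returns (accepted, reason)."""
    try:
        payload, _, sig = base64.b64decode(token).rpartition(b"|")
        fields = json.loads(payload)
        node, user, ts = fields["node"], fields["user"], int(fields["ts"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed token"
    if node not in trusted_nodes:                        # Scenario 3
        return False, "issuing node is not trusted"
    password = remote_nodes.get(node)
    if not password:                                     # Scenarios 1 and 2
        return False, "no password on matching remote node"
    expected = hmac.new(password.encode(), payload, hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig):  # Scenario 2
        return False, "signature mismatch (node passwords differ)"
    now = time.time() if now is None else now
    if now - ts > max_age:
        return False, "token expired"
    if user not in local_users:                          # Scenario 4
        return False, "user ID does not exist locally"
    return True, "ok"
```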



Baseline Configuration

The following examples use WebLogic and PT 8.44.

1. AuthTokenDomain set properly
2. weblogic.xml has the domain name set as follows:

   <session-param>
     <param-name>CookieDomain</param-name>
     <param-value>.corp.peoplesoft.com</param-value>
   </session-param>

3. Node definitions set according to the standards discussed above



Typical Display



Common Errors

• Your User ID and/or Password are invalid
• Invalid portal name EMPLOYEE in request. Portal not
defined.
• Cannot open http://url…. Configuration.properties
• Authorization Error -- Contact your Security
Administrator
• You are not authorized to access this component



Scenario 1

No password is defined for the Default Local Node of Portal in the
Portal database (Authentication option set to None).

Result 1
Control is redirected to the signon page and the error “Your
User ID and/or Password are invalid.” is displayed.

Resolution 1
A password needs to be set on the Default Local Node, and the
password needs to match the remote node in the Content provider.



Scenario 2

The portal's Remote Node defined in the content provider does
not have a password, or its password does not match the one in
the portal.

Result 2
Control is redirected to the signon page and the error “Your
User ID and/or Password are invalid.” is displayed.

Resolution 2
Passwords need to match exactly between the two environments
(Portal and content provider nodes).



Scenario 3

The Default Local Node of the portal is not defined as a trusted node in the
content provider.

Result 3
Control is redirected to the signon page and the error “Your
User ID and/or Password are invalid.” is displayed.

Resolution 3
• The Default Local Node of the portal should be defined as a trusted node in
the content provider.
• Navigate to PeopleTools > Security > Security Objects > Single
Signon to add a trusted node (8.4 and above).
• Navigate to PeopleTools > Maintain Security > Setup > Single Signon
(8.1x).



Scenario 4

The user ID exists in the Portal but not in the content provider.

Result 4
Control is redirected to the signon page and the error “Your User ID
and/or Password are invalid.” is displayed.

Resolution 4
The user ID needs to exist in both environments for single signon to work
successfully.



Scenario 5

The Hosted by node of the Portal is not defined as a remote node in the content
provider with the URL pointing back to the portal.

Result 5
The following error is displayed in pagelets or target pages:
“STR_PCMINVPORTAL: Invalid portal name EMPLOYEE in
request. Portal not defined. Unable to process request with an
invalid portal.”

Resolution 5
Make sure that the Hosted by node of the portal is defined as a remote
node in the content provider with the URL pointing back to the portal.



Scenario 6

Both the portal and the content provider share the same
web server, or the PIA sitename is mismatched (typo/case).

Result 6
The port gets swapped between the two systems and the error “cannot
open http://url….configuration.properties
java.lang.NullPointerException” is displayed.

Resolution 6
1. Move one web server to a different machine.
2. Add a second DNS entry for the web server in the same domain.
3. Set the defaultPort and defaultScheme or, in 8.44+, the Default
Addressing on the Virtual Addressing tab of the Web Profile on
both systems.
4. Fix the PIA sitename.



Scenario 7

The node name is not properly used while creating the Content
Reference (CRef).

Result 7
“Authorization Error -- Contact your Security Administrator”

Resolution 7
Make sure to use the content provider node or a node with the
same URI value while creating a CRef. If any other local node is
used, it results in the authorization error.



Scenario 8

The Content provider node is defined as a local node in the portal instead
of a Remote Node.

Result 8
“You are not authorized to access this component”
Since the node is local, the component is looked up in the
portal, and it doesn’t exist there.

Resolution 8
The Content Provider node should always be a remote node and not a
local node in the portal.



Scenario 9

The Node URI value is case sensitive.

Result 9
The error message “This is not a valid site. The site name is case sensitive.”
is seen in the PIA window.

Resolution 9
This error can be resolved by using the proper case for the PIA
SiteName in the URI value of your Node Definition.
For example, if a customer is using
http://server.company.com/psc/epprd/ in the URI value, but the
actual URL value when you navigate to the site is
http://server.company.com/psc/EPPRD/, this error occurs.



Frequently Asked Questions

1. Can we do single signon by using IP Address?
2. Can we do single signon if AuthTokenDomain are
different (or) there is no AuthTokenDomain
specified?
3. Will single signon work with different userids?
4. Do we support third party single signon?



Notes:

• For 8.1x PeopleTools, it has been noted that there can only be a
7-character password on the nodes max (so corresponding
nodes must be the same as well).
• If the AuthTokenDomain wasn't set up when PIA was installed
(on either the content provider or the portal), then typically we see
expiration issues with the content provider, and thus you get the
signon screen. This is because customers add the
AuthTokenDomain to the web profile, but fail to add the domain to
the web server's configuration. When you see single signon
related expiration issues, check weblogic.xml for the
session cookie domain and, if it's not there, re-run the PIA install.
Check this for the portal and all web server content providers.
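The checks described in this note, as an added example that is not part of the original deck: the script parses a constructed weblogic.xml (laid out like the CookieDomain snippet on the Baseline Configuration slide), compares its CookieDomain with the web profile's AuthTokenDomain, and flags node URIs whose host lies outside that domain. The function names, the sample hostnames and the node names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample weblogic.xml (not from a real system), laid out like
# the CookieDomain snippet on the Baseline Configuration slide.
WEBLOGIC_XML = """<weblogic-web-app>
  <session-descriptor>
    <session-param>
      <param-name>CookieDomain</param-name>
      <param-value>.corp.peoplesoft.com</param-value>
    </session-param>
  </session-descriptor>
</weblogic-web-app>"""


def _local(tag):
    """Strip any XML namespace so real weblogic.xml files also match."""
    return tag.rsplit("}", 1)[-1]


def cookie_domain(weblogic_xml):
    """Return the session CookieDomain from weblogic.xml, or None if unset."""
    root = ET.fromstring(weblogic_xml)
    for param in (e for e in root.iter() if _local(e.tag) == "session-param"):
        values = {_local(c.tag): (c.text or "").strip() for c in param}
        if values.get("param-name") == "CookieDomain":
            return values.get("param-value") or None
    return None


def check_sso_domains(auth_token_domain, weblogic_xml, node_uris):
    """Flag the mismatches the Notes slide describes: AuthTokenDomain missing
    or not carried into weblogic.xml, and node URIs whose host is outside the
    cookie domain (the browser never sends PS_TOKEN to those hosts)."""
    findings = []
    domain = (auth_token_domain or "").strip().lower()
    if not domain:
        findings.append("AuthTokenDomain is not set in the web profile")
    cd = cookie_domain(weblogic_xml)
    if cd is None:
        findings.append("weblogic.xml has no CookieDomain; re-run the PIA install")
    elif domain and cd.lower() != domain:
        findings.append(f"CookieDomain {cd} differs from AuthTokenDomain {domain}")
    for node, uri in node_uris.items():
        host = (urlparse(uri).hostname or "").lower()
        if domain and not host.endswith(domain):
            findings.append(f"node {node} URI host {host} is outside {domain}")
    return findings
```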



Notes: Continued

• HTTP/HTTPS: If the Portal is pulling in HTTPS content, it must
be on HTTPS itself. Any time SSL is used on the content
providers, the Portal source must have SSL as well. This is a
requirement. Also, when reconfiguring/cloning databases, we
often see that the original was HTTPS, but the subsequent
clone doesn't have HTTPS set up yet. So, while it is using HTTP,
all of the URI values are still listed with the old protocol type.
• Strange behavior, such as missing images and the following
error message, especially on Windows 2000 machines using IE,
can indicate that the Virtual Addressing tab of the web profile
needs a protocol, server and port set.



Opening A Case With GSC

If you are unable to resolve your issue, the following should be sent to
the GSC analyst handling the case:

1) weblogic.xml or server.xml (WebSphere) from both systems
2) Application and PeopleTools releases from both systems
3) SELECT * FROM PSMSGNODEDEFN from both systems
4) SELECT * FROM PSNODEURITEXT from both systems
5) SELECT * FROM PSTRUSTNODES from both systems
6) SELECT * FROM the PSWEBPRO* tables from both systems, or the
configuration.properties file if 8.1x/8.2x PeopleTools
7) Screenshot of the Content Reference page used to connect to the
content provider
8) AppServer log entry from the Content Provider time-stamped to
the failure, with test UserID info
