1. Integrating PeopleSoft and Oracle Collaboration Suite into uPortal June 13, 2005 Summer JA-SIG Baltimore, Maryland

2. San Luis Obispo, CA Information Technology Services Darren Kraker Ken Sperow

3.  CAS implementation  PeopleSoft HR  PeopleSoft Financials  Oracle Collaboration Suite  calendar  email  Integration as uPortal channels (IFrame)  PeopleSoft Self Service links  Oracle Portlets Overview

4.  History  PeopleSoft Impl / Integration  OCS Impl /Integration  Issues  Questions Agenda

5. Cal Poly Cal Poly – Who are we?  San Luis Obispo  100 Years Old  20,000 Students  Polytechnic University Engineering, Agriculture, Architecture, Science  “Learn by Doing”: technical and professional curricula with arts and humanities.

6.  Live with uPortal 1.6 Fall 2001  UNICON assisted LDAP implementation  Motivated to implement SSO  Campus introduction PeopleSoft HR  Politically / strategically required for Enterprise Portal History

7. System Overview

10.  CAS servers  Central Authentication Server 2.0  Servers: Sun Netra T1  500 mhz, 1 GB RAM  Solaris 9  Three servers high availability  Cisco switches provide failover Technical Specifications

11.  LDAP servers  Oracle Internet Directory: 9.2.0.6  Servers: Sun Netra T1  500 mhz, 1 GB RAM  Solaris 9  Three servers for high availability  Cisco hardware provides load balancing and failover Technical Specifications

12.  uPortal server  uPortal 2.1.4  One server: Sun E450  4 - 400 mhz, 4 GB RAM  Solaris 9  Planned upgrade to 2.5.X Fall Technical Specifications

13. Web Login Service User Web Application 1 User requests access 2 Browser redirected to Login Service 6 Application validates ticket 9 User gets access 4 Login Service provides ticket 5 Ticket provided to application 7 Username provided to application 8 Application decides if user is authorized User interaction No user interaction CAS Authentication Flow 3 Web Login Service recognizes user session

14.  Making PeopleSoft use a central authentication service  Evaluate known solutions  Integration with CAS PeopleSoft

15. Accept a ticket and then validate it  Make PeopleSoft accept a CAS ticket parameter as part of login  Implement PeopleCode calls Java client  CAS java client performs the CAS validation PeopleSoft - Implementation

16. Function VALIDATE_TICKET() /* rmatteso@calpoly.edu 20030122 Trusted Authentication Impl */ If %PSAuthResult = False Then &validator = GetJavaClass("PSCASClient"); /* retrieve fullUrl and ticket value from HTTP request */ &fullUrl = %Request.FullURI | "?" | %Request.QueryString; &ticket = %Request.GetParameter("ticket"); If &ticket <> "" Then /* have a ticket, load CAS client class and attempt to validate */ &cas_result = &validator.validate(&fullUrl, &ticket); If &cas_result <> "" Then /* ResultDocument (3rd parm) seems to be ignored by front end */ SetAuthenticationResult( True, &cas_result, "", False); &authMethod = "SLO"; Return; End-If; /* got username back from CAS */ End-If; /* got ticket */ End-If; /* user not yet authenticated */ End-Function; PeopleSoft - Implementation

17. URL u = new URL( validateURL + "?ticket=" + ticket + "&service=" + service); BufferedReader in = new BufferedReader( new InputStreamReader(u.openStream())); if (in == null){ return null; }else { String line1 = in.readLine(); String line2 = in.readLine(); if (line1.equals("no")){ return null; }else{ // make fully qualified username ("jdoe@calpoly.edu") // into PSFT username ("jdoe") // into PSFT username ("jdoe") return line2;.substring(0, line2.indexOf('@')).toUpperCase(); }} 17 PSCASClient.java

18.  Configure SLO_AUTH hook in PeopleSoft Sign-on Page (Exec Auth Fail) PeopleSoft - Implementation

19. Set Exec Auth Fail PeopleCode

20.  Customize HTML files now that original sign-on page is obsolete index.html Logout_page.html (new) Signin_alternate (new) Signon.html signonError.html (new) Cookiesrequired.html  Modify configuration.properties to point to new HTML files  Install CAS client jar, class files PeopleSoft - Implementation

21. It’s never that easy...  Service URL we use for CAS had to contain userid/pwd parameter  PeopleSoft cookies  After PTools upgrade (2003) HTTP GET no longer worked, POST required Issues

22. The next step... deep linking  More direct and intuitive method for accessing services  Add embedded PeopleSoft content within an IFrame using nested URL uPortal Integration

25. Oracle Collaboration Suite (OCS)  What is OCS?  “Oracle Collaboration Suite is an integrated database-based email, voicemail, calendaring, web-based meeting, files and search capability that is accessible via all of the interfaces that you currently know and use.”

26.  uPortal entry point for Email and Calendar  Making OCS use a central authentication service  Integration with CAS Oracle Collaboration Suite (OCS) Objectives

27. Logical Architecture

28. Hardware - Illustration Tier 1 : Infrastructure 2 Node (Red Hat Cluster Server) Dell Power Edge 2650 2 * 2.8 GHz 4 GB RAM 2 * 36GB HD 3* GIG-E NIC HBA ’ s (to EMC) Tier 2 : Application MT 4 Nodes + BI 1 Node Tier 3 : Database 4 Node Oracle RAC 9.2.0.4 Dell Power Edge 6650 4 * 2.8 GHz 16 GB RAM 2 * 36GB HD 4* GIG-E NIC 9iRAC HBA ’ s (to EMC) Dell Power Edge 2650 2 * 2.8 GHz 2 GB RAM 2 * 36GB HD 2* 73 GB HD 2* GIG-E NIC HBA ’ s (to EMC) Tier 2 : Calendar 2 Node Dell Power 6650 4 * 2.8 GHz 16 GB RAM 2 * 36GB HD 2* GIG-E NIC Storage: EMC DMX1000

29. OCS, Central Authentication & uPortal OCS DB 9.2.0.5 OCS Middle Tier BI DB Oracle BI Middle Tier OCS Infrastructure (Shared between OCS and BI) Central Authentication Services Corporate Portal (uPortal) Oracle Portal Web Calendar Outlook Other Campus Applications (SCT, PeopleSoft Etc..)

30. Oracle Collaboration Suite (OCS) Integration  Objectives  uPortal entry point for Email and Calendar  SSO  uPortal channels - simplified view of Email and Calendar  Ability to render Oracle Portlets within uPortal

31. OCS Integration - Solutions  uPortal entry point ---> CAS-enable OCS  uPortal channels ---> Custom channels - Oracle’s APIs? -Query DB ---> Pre-existing Oracle Portlets  Oracle Portlets  “External JSP”  Direct URL

32. CAS Enabling OCS  Oracle SSO  Web based applications  Integrates with external login source  Solution required the use of cookies  All code written in PL/SQL  Requires Oracle Internet Directory (OID)  Users must be populated in OID  FERPA

35. Web Login Service User Oracle Web Application 1 User requests access 2 Browser redirected to Oracle SSO 12 Application validates ticket 15 User gets access 6 Login Service provides ticket for OSSO 11 OSSO Ticket provided to application 13 Username provided to application 14 Application decides if user is authorized 5 Web Login Service authentication required Oracle SSO 8 OSSO validates ticket 9 Username provided to OSSO 4 Browser redirected to Web Login Service 3 Oracle SSO authentication required 7 Ticket provided to OSSO 10 Oracle SSO ticket provided for application

36. OCS - Rendering Oracle Portlets  External JSP  Makes a portlet available through a JSP  Not well documented  Is not supported in a “Partial SSL configuration”  uPortal Inline Frame points to external JSP

37. OCS - Rendering Oracle Portlets  Direct Access URL  Access to Oracle Portal page through user-friendly URL  Create Oracle Portal Page  No header/border/template  Put portlet on page  Attach stylesheet to page  Point uPortal Inline frame to URL

39. OCS - Rendering Oracle Portlets (cont.)  Authorization  Control access to uPortal channels through Groups??  Needed way to restrict access to Oracle page  Solution: Pull groups tables into OID nightly

40. OCS Integration Issues  ISSUE: When users subscribe to more than one channel containing Oracle Portlet content, the channel may respond with browser error messages resulting in no content displayed.  ROOT CAUSE: This problem is a result of multiple uPortal channels attempting to establish an Oracle Portal session at the same time.

41. OCS Integration Issues (cont.)  Possible Solutions  Introduce a Delay with Consecutive Page Requests.  Introduce an Intermediate Page at CAS Login.  Send all requests through a single threaded servlet.

42. CAS Enabling OCS Resources  Oracle9iAS Single Sign-On Administrator's Guide  Release 2 (9.0.2)  Part Number A96115-01  Chapter 5 - Third-Party Single Sign-On  Chapter 8 - Customizing the Single Sign-On Interface  Metalink Documents:  Note:191299.1  Note:244557.1  Note:191345.1

43.  PeopleSoft Applications:  HR total accounts: 2,500 (admin accounts: 700)  Concurrent users average: 22 (high 75)  Finance total admin accounts: 700  Concurrent users average: 23 (high 95)  Single Sign-on Unique Users per month:  Approx: 12,000 - 28,000  Average: 20,000 (including summer quarters)  Single Sign-on Unique users per DAY  Maximum: 14,000  Average: 5,700  Single Sign-on Concurrent users of the Portal: High: 2,800 Statistics on Usage

44.  Single clicks to HR PRD and FS PRD per month  2,200 – 6,100  Average: 4,200 (including summer quarters)  Single Sign-on Outages  Unplanned: Less than 1/2 hour per month  Planned:  4 hours/month  Updates, new application rollouts  Users CAN authenticate to PS and other applications Statistics on Usage

45.  CAS http://www.yale.edu/tp/cas/  This Presentation, Cal Poly’s documents and code on CAS Enabling OCS, and PeopleSoft Single Sign-on Guides http://myportal.calpoly.edu/downloads  PeopleBooks References

46. Questions?  Darren Kraker Software Engineer dkraker@calpoly.edu  Ryan Matteson Web Architect and Info Security Manager rmatteso@calpoly.edu  Melinda Rojo Oracle Portal Integration mrojo@calpoly.edu  Ken Sperow Software Engineer ksperow@calpoly.edu  Dan Malone Oracle SSO dmalone@calpoly.edu