1
PeopleSoft Enterprise: Configuring and Troubleshooting
PeopleSoft Single Sign-on
Day, Date, 2004
Tuesday,
December
time5,p.m.
2006ET
9:00 am MST
Teleconference
Teleconference Access:
Access:
North America: xxxx
North America: 888-967-2253
International: xxxx
EMEA: +44 118 924 9000
Password: Advisor
Asia: +61 2 8817 6100
Meeting ID 558085
Password: 3345443
Advisor Webcast Feedback:
www.advisorfeedback_us@
oracle.com
Upcoming live webcasts and recent recordings:
November 20: Understanding the JD Edwards EnterpriseOne and JD Edwards
World Change Assistant – APAC
November 28: JD Edwards World 2006: 1099 Process Refresher
November 29: JD Edwards World Refresher-Introducing the Redesign of – 1099
General Ledger (GL) Method
November 29: Getting to know Change Assistant and Environment Management
Framework
November 30: JD Edwards World Refresher – 1099 A/: Method
November 30: Cycle and Tag Count Overview for JD Edwards World
December 5: PeopleSoft Enterprise: Configuring and Troubleshooting PeopleSoft
Single Sign-on
December 6: JD Edwards World: Preparing for W-2 Reporting Season and Year-
End Processes
December 7: JD Edwards EnterpriseOne: Preparing for Canadian Payroll Year-
End
December 11: JD Edwards World: Preparing for W-2 Reporting Season and Year-
End Processes
December 11: What’s New in PeopleSoft CRM 9.0
December 11: JD Edwards EnterpriseOne Change Assistant
December 12: JD Edwards World 2006: 1099 Process Refresher
2
 Agenda
• Presentation and Demo – approximately 45 minutes
• Q&A Session – approximately 15 minutes
• Please hold all questions to the end of the session.
• To ask a question, move your cursor to the top of the screen and select the
‘bubble’ icon next to the moderator’s name.

• A dialog box will open. Enter your question and select “Send.”

• During the Q&A session your question will be read and an answer will
follow.

3
ATTENTION – AUDIO INFORMATION

If you encounter any audio issues, please call

MeetingPlace (Audio Conferencing) and mute
your phone by selecting #5.
1-888-967-2253
Meeting ID 558085
Passcode 3345443
We would like to encourage attendees with sufficient
Internet bandwith to listen through VoiceStreaming to
continue to use this audio source.

Thank you.
4
 Safe Harbor Statement

The following is intended to outline our general

product direction. It is intended for information
purposes only, and may not be incorporated into
any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decision. The
development, release, and timing of any features
or functionality described for Oracle’s products
remains at the sole discretion of Oracle.

5
 <Insert Picture Here>

Configuring & Troubleshooting Single Signon

Tom Hassler
Principal Support Engineer - PeopleTools
 Presentation Outline

• How PeopleSoft Implements Single Signon

• Example Transaction
• Building a Token and Setting a Cookie
• Configuring a typical SSO connection
• Node Configuration
• Trusting Nodes
• Looking at the Logical Layout
• Troubleshooting and Common Issues
• Where to look
• Typical Errors

7
 Single Signon Explained

Within the context of PeopleSoft systems, Single

Signon (SSO) means that after a user has been
authenticated by one PeopleSoft application server,
that user can access a second PeopleSoft application
server without entering user ID and password again.

Note: The PeopleSoft Single Signon solution applies

only to PeopleSoft applications. This presentation
doesn’t cover LDAP or External Authentication

8
 Example Transaction

1. User Signs on to Enterprise Portal (PA)

2. PA Application Server Authenticates User
3. PA Application Server Generates SSO Token
4. Web Server Creates Cookie in User's Browser
5. User Accesses Content Provider Application (CP)
6. CP Web Server Receives PS_TOKEN Cookie
7. CP Application Server Authenticates PS_TOKEN

9
 The Single Signon Token

The following pieces of information are delivered

• User ID
• Language Code
• Date and Time Issued (Timestamp)
• Issuing System (Default Local Node)
• Signature (SHA1_Hash or Cert)

10
 PS_TOKEN Cookie Example

• PS_TOKEN.
• Domain
• End of session
• Data Field (base
64 encoded
Token)

11
 Node Configuration

• Default Local
Node
• Password/Cert
• Node Type
• URIs
• Trusted Nodes

12
Node Details

13
 Logical Layout of SSO Communication
Enterprise Portal DB Content Provider DB
• Default Local
PSFT_PA PSFT_CP
Nodes Default Local Node Default Local Node
Password=PANODE Password=CANODE
• Matching URI=itself
Trusted Node
URI=itself
Trusted Node

Remote Node
name
• Password
Sync
PSFT_CP PSFT_PA
Remote Node Remote Node
Password=CANODE Password=PANODE
URI=CP Database URI=PA Database
Trusted Node Trusted Node

Portal Nodes – Password sync

Content Provider Nodes – Password sync

14
 Common Single Signon Issues:

• Content References use non-SSO nodes.

• AuthTokenDomain must match and be used on all
URI/URL values.
• If systems share a web server, defaultPort and
defaultScheme in configuration.properties or - In 8.44
- Default Addressing on the Virtual Addressing tab of
the Web Profile.

15
 Common Single Signon Issues (cont.)

• Nodes must be secured with password or cert.

• Must use the Default Local Node and the remote
node must be named the same.
• Nodes must be trusted by the Content Provider
database. Reverse SSO requires that both systems
trust both nodes (as in the example).

16
 Baseline Configuration

The Following Examples use Weblogic and PT 8.44

1. AuthTokenDomain set properly
2. Weblogic.xml has the domain name set as follows
<session-param>
<param-name>
CookieDomain
</param-name>
<param-value>
.corp.peoplesoft.com
</param-value>
</session-param>
3. Node definition set according to standards discussed above

17
Typical Display

18
 Common Errors

• Your User ID and/or Password are invalid

• Invalid portal name EMPLOYEE in request. Portal not
defined.
• Cannot open http://url…. Configuration.properties
• Authorization Error -- Contact your Security
Administrator
• You are not authorized to access this component

19
 Scenario 1

Scenario 1
No Password defined for the Default Local Node of Portal in the
Portal database. (Authentication option set to None)

Result 1
Control will be redirected to the signon page and the error “Your
User ID and/or Password are invalid.” will be displayed

Resolution 1
Password needs to be set on Default Local Node and the
password needs to match the remote node in Content provider.

20
 Scenario 2

Scenario 2
Password defined for portal Remote Node in content provider does
not have a password, or the password does not match the one in
portal

Result 2
Control will be redirected to the signon page and the error “Your
User ID and/or Password are invalid.” will be displayed

Resolution 2
Password need to match exactly between the two environments,
Portal and content provider nodes

22
 Scenario 3

Scenario 3
Default Local Node of portal is not defined as a trusted node in the
content provider

Result 3
Control will be redirected to the signon page and the error “Your
User ID and/or Password are invalid.” will be displayed

Resolution 3
• Default Local Node of portal should be defined as a trusted node in
content provider
• Navigate to Peopletools > Security > Security Objects > Single
Signon to add a trusted node (8.4 and above)
• Navigate to Peopletools > Maintain Security > Setup > Single Signon
(8.1x)

24
 Scenario 4

Scenario 4
Userid exists in Portal but not in the content provider

Result 4
Control will be redirected to the signon page and the error “Your User ID
and/or Password are invalid.” will be displayed

Resolution 4
Userid need to match in both the environment for single signon to work
successfully.

26
 Scenario 5
Scenario 5
Hosted by node of Portal not defined as a remote node in content
provider with the URL pointing back to portal

Result 5
The following error would be displayed in pagelets or target pages.
“STR_PCMINVPORTAL: Invalid portal name EMPLOYEE in
request. Portal not defined. Unable to process request with an
invalid portal.”

Resolution 5
Make sure that the Hosted by node of portal is defined as a remote
node in the content provider with the URL pointing back to portal

29
 Scenario 6

Scenario 6
If both the portal and the content provider share the same
webserver or if the PIA sitename is mismatched (typo/case)

Result 6
The port would get flip flopped and would give error “cannot
open http://url….configuration.properties
java.lang.NullPointerException”

Resolution 6
1. Move one web server to a different machine.
2. Add a second DNS entry for the web server in the same domain.
3. Set the defaultPort and defaultScheme or In 8.44+, the Default
Addressing on the Virtual Addressing tab of the Web Profile on
both systems.
4. Fix the PIA sitename.

31
 Scenario 7

Scenario 7
Node name not properly used while creating the Content
Reference (CRef)

Result 7
“Authorization Error -- Contact your Security Administrator”

Resolution 7
Make sure to use the content provider node or a node with the
same URI value while creating a CRef. If any other local node is
used, it will result in the authorization error.

32
 Scenario 8

Scenario 8
Content provider node defined as a local node in portal instead
of Remote note

Result 8
“You are not authorized to access this component”
Since the node is local, the component is being looked up in
portal and it doesn’t exist there.

Resolution 8
Content Provider node should always be a remote node and not a
local node in portal.

34
 Senanario 9

Scenario 9
Node URI value is case sensitive

Result 9
“This is not a valid site. The site name is case sensitive.“ error message
is seen in PIA window.

Resolution 9
This error can be resolved by using the proper case for the PIA
SiteName in the URI value of your Node Definition.
For example, if a customer is using
http://server.company.com/psc/epprd/ in the URI value, but the
actual URL value when you navigate to the site is
http://server.company.com/psc/EPPRD/ it will cause this error.

36
 Frequently Asked Questions

1. Can we do single signon by using IP Address?

2. Can we do single signon if AuthTokenDomain are
different (or) there is no AuthTokenDomain
specified?
3. Will single signon work with different userids?
4. Do we support third party single signon?

37
 Notes:

• For 8.1x PeopleTools, it has been noted that there can only be a
7-character password on the nodes max (so corresponding
nodes must be the same as well).
• If the AuthTokenDomain wasn't setup when PIA was installed (on
either the content provider or the portal) then typically we see
expiration issues with the content provider. Thus you get the
signon screen. This is because customers add the
AuthTokenDomain to the webprofile, but fail to add the domain to
the webserver's configuration. When seeing single signon
related expiration issues, that you check the weblogic.xml for the
session cookie domain and if it's not there, re-run the PIA install.
Check this for the portal and all web server content providers.

41
 Notes: Continued

• HTTP/HTTPS: If the Portal is pulling in HTTPS content, it must

be on HTTPS itself. Anytime SSL is used on the content
providers, the Portal source must have SSL as well. This is a
requirement. Also, when reconfiguring/cloning databases, we
often see where the original was HTTPS, but the subsequent
clone doesn't have HTTPS setup yet. So, while it is using HTTP,
all of the URI values are still listed with the old protocol type.
• Strange behavior, such as missing images and the following
error message, especially on Windows 2000 machines using IE
can indicate that the Virtual Addressing tab of the webprofile
needs a protocol, server and port set.

42
 Opening A Case With GSC
If you are unable to resolve your issue, the following should be sent to
the GSC analyst handling the case:

• 1) weblogic.xml or server.xml (Websphere) from both systems

• 2) Application and PeopleTools releases from both systems
• 3) SELECT * from PSMSGNODEDEFN from both systems
• 4) SELECT * from PSNODEURITEXT from both systems
• 5) SELECT * from PSTRUSTNODES from both systems
• 6) SELECT * from PSWEBPRO* tables from both systems or the
configuration.properties file if 8.1x/8.2x PeopleTools
• 7) Screenshot of the Content Reference page used to connect to the
content provider.
• 8) AppServer log entry from the Content Provider time-stamped to
the failure with test UserID info.

43
Questions
thomas.hassler@oracle.com

44
Where to find additional information

• Customer Connection:
On the home page select
Advisor Webcasts
• Please submit your comments:
• Advisorfeedback_us@oracle.com

• Please suggest webcast topics:

• Advisorfeedback_us@oracle.com

45
Questions
• To ask a question, move your cursor to the top of the
screen and select the ‘bubble’ icon next to the moderator’s
name.

• A dialog box will open. Enter your question and select

“Send.”

46
THANK YOU

47