Wednesday, April 1, 2015

Conditional Redirect in SignOn PeopleCode

There are several scenarios where we might want to conditionally redirect users in SignOn PeopleCode. We cannot use the %Response.RedirectURL(location) method to achieve this because it does not work in SignOn PeopleCode.

There is a delivered function called SetAuthenticationResult which can be used for redirecting users in SignOn PeopleCode. Here is how we can use this feature (not very well documented in PeopleBooks):

E.g.: SetAuthenticationResult( False, &userid, &redirectURL, False);

Note: For this redirect to work, we need to change the Web Profile Configuration > Look and Feel (Tab):
Set Signon Result Doc Page to signonresultdocredirect.html


Information from Help:


Note: The web server(s) need to be restarted for any changes in the web profile to take effect.

P.S.: This post is based on my response to a question in OTN.

111 comments:

  1. What's the format of &redirectURL, is it just a relative path to the page that we want to redirect to on the web server?

  2. @Mike - the &redirectURL is the absolute URL to where we want to redirect. This does not necessarily have to be located on the web server (it could).

    I have always used the absolute path and it has worked for me in both cases. That is, redirects to a page on the web server and redirects to external web pages.

    Let me know if you have any other questions. Thanks!

  3. Hi, we configured our web profile look and feel to the signonresultdocredirect.html, but when we issue the SetAuthenticationResult( False, &userid, &redirectURL, False); command in Signon PeopleCode, it doesn't redirect to the URL, it just prints the text of the variable on the signon page. Is there something we missed? We can access our custom html page from outside of PeopleSoft, so we know the web server is seeing it.

  4. @Mike - I have seen this behavior when the SignOn Result Doc Page is still pointing to signonresultdoctext.html. I think that is probably the issue.

    Few basic things (sorry if you already checked these):
    - Are you sure you are making the change to the correct web profile? You can check that by logging on to web server using SSH.
    Directory: /<%PS_HOME%>/webserv/<%DOMAIN_NAME%>/applications/peoplesoft/PORTAL.war/WEB-INF/psftdocs/<%DOMAIN_NAME%>
    File: configuration.properties
    Property: WebProfile

    - Did you restart your web server after you made the change to the web profile?

    - Check if signonresultdocredirect.html exists on your web server:
    Directory: /<%PS_HOME%>/webserv/<%DOMAIN_NAME%>/applications/peoplesoft/PORTAL.war/WEB-INF/psftdocs/<%DOMAIN_NAME%>

    Also, I don't think it is an issue with the access to the custom page (if you can get to it from outside of PeopleSoft).

  5. Hello - I am ashamed to ask, but where did you apply this method? SetAuthenticationResult( False, &userid, &redirectURL, False);
    I am not sure where to find the Signon People code.

    Thanks

    Terry

    Replies
    1. Hi Terry,

      Nothing to be ashamed about! It is a very valid question. I should have included the details in my post for more clarity. I am glad you asked it now! :)

      Basically, all signon peoplecode events that run in a particular environment during the login event are configured in the following page:
      Main Menu > PeopleTools > Security > Security Objects > Signon PeopleCode

      Any peoplecode code function (these are all record peoplecode functions) that is listed and enabled on this page would get fired.

      You might find some delivered functions are enabled (such as LDAP_Authentication) on this page as well as any custom functions your organization might have included.

      You can invoke SetAuthenticationResult in any of those functions.

      Hope this helps clarify! Let me know if you have any other questions.

      Refer the following PeopleBook for more information on SignOn PeopleCode:
      http://docs.oracle.com/cd/E26239_01/pt851h3/eng/psbooks/tsec/chapter.htm?File=tsec/htm/tsec09.htm

      Thanks,
      Sasank

    2. Hi Sasank,
      Thanks for this informative post. It really gives us a direction for our signon problem. I had one question though: once we make this config change (web profile pointing to signonresultdocredirect.html), in the signon PeopleCode, do we still have to specify a value for the &redirectURL variable or would it automatically redirect the user to signonresultdocredirect.html?

    3. @Nishant - Yes. You still need to specify the redirect URL. We need to note that the signonresultdocredirect.html is a very basic HTML page. All it does is a redirect using the following code.

      <meta HTTP-EQUIV='Refresh' CONTENT='1; URL=<%=resultDoc%>'>

      So, the goal should be to use the signonresultdocredirect to redirect the users to another page rather than simply redirecting the users to signonresultdocredirect.html. Because that page would not have any information for the end user.

      Hope this makes sense. Let us know if you have any other questions!

  6. Hi Sasank - Below is what I have, but it is not re-directing. Any suggestions on what to do next?

    Thanks

    Terry


    &redirectURL = GenerateComponentContentURL(%Portal, %Node, MenuName."ADMINISTER_WORKFORCE_(GBL)", "GBL", Component.PERSONAL_DATA1, Page.PERSONAL_DATA1, "U", %SignonUserId);

    SetAuthenticationResult( False, %SignonUserId, &redirectURL, False);

    Replies
    1. Hi Terry,

      I have not used the setauthenticationresult for redirection to internal PeopleSoft page. I usually use it for redirecting to an external link so in most cases I fail the authentication result (AuthResult parameter) with a false in the first parameter.

      In your case, since you are redirecting to an internal PeopleSoft page, you would need to set the AuthResult parameter to true as follows:

      SetAuthenticationResult( True, %SignonUserId, &redirectURL, False);

      Also, all this will only work if the web profile settings Signon Result Doc Page is set to signonresultdocredirect.html as mentioned in this post.

      Let us know if you run into any further issues!
      Thanks,
      Sasank

    2. I'm getting a redirect loop when I redirect to an internal page. For some reason, my signon peoplecode is executing twice!

      SetAuthenticationResult( True, TESTUSER, &absolute_url, False, 0);

    3. SignOn PeopleCode executing twice is probably not an issue. It will execute for the second time since the SetAuthenticationResult is redirecting to a new URL.

      Anytime a redirect happens, SignOn PeopleCode should and would get fired again. Only that, in the second/subsequent instance, if we already have an established PS_TOKEN then the user would go through without issues. If you are having failures when the SignOn PeopleCode executes the second time, then you might want to write some code to check if a valid PS_TOKEN exists and let the user in based on that.

      As I said, I generally do not use this for redirecting to an internal page. I take it that by internal page, you mean a page inside the PeopleSoft application?

      FWIW, I tried redirecting to the PeopleSoft Process Monitor page and it seems to work. As you mentioned, the code is executing twice but that is expected.

      Let us know if you are still having issues. Thanks!

  7. Hi Sasank,

    Hope you are doing good. My question is similar to this topic. Don't scold me if this is already discussed here.

    We have been sending email to users in which we have provided an internal PeopleSoft link (say, for example, the process monitor page, as you mentioned). When we click on the link or copy and paste the URL, it asks for credentials on the login page. This is excellent. But the problem is that the URL automatically gets changed to the default sign-on URL (instead of our expected PeopleSoft internal URL). When we enter username and password and hit login, we go to the PeopleSoft Main Menu homepage. If this is the behavior, there is no point in sending the destination URL in the email, right? This is quite frustrating...

    Do you have any thoughts how to overcome this?

    Thanks in advance!!!

    Cheers,
    Raghu

    Replies
    1. @Raghu R - What tools version are you on? This functionality should work by default. Can you try the same (e.g.: accessing the process monitor URL) on your demo/vanilla environment?

      Also, have you made any customizations to the signin.html file on the web server?

      Like I said, this should work out of the box (at least since 8.50 onwards based on my experience). Just as a side note, the functionality described by you is not really related to (and not to be confused with) the conditional redirect.

    2. Hi Sasank,

      Thanks for your response.
      We are using PT 8.54.xx. I was also trying to check at the web server level whether any customization was done.
      No URLs are working; it automatically redirects to the sign-on page. It looks like some customization was done to the signin.html file.

      Thanks,
      Raghu

    3. Hi Raghu/Sasank,

      We have a similar issue after we upgraded to PeopleTools 8.55. Did you find any solution to this?

      Thanks,
      Manhoar

    4. Hi Manohar - I have not experienced this issue myself. This functionality should work by default. You may want to create an Oracle Support service request.

    5. Thanks Sasank. I have opened a ticket with Oracle Support.

    6. It is an issue in PeopleTools 8.55.14 but works in 8.55.11.

    7. We are facing the same issue after we upgraded to tools 8.55.14. How did you resolve it?

  8. Is it possible to send http_referrer information or use %Response.SetHeader(http_referrer, &myURL) with SetAuthenticationResult( True, %SignonUserId, &RedirectURL, False); in the Signon PeopleCode? I discovered that it uses meta HTTP-EQUIV='Refresh' CONTENT='1; URL=MyURL'> as the method to redirect. I would like to include a custom header to use for deep linking with external authentication.

    Replies
    1. Hi Isa - Great question. I understand what you are trying to do.

      I don't think you can add http headers using SetAuthenticationResult or use the response object in signon peoplecode.

      But one workaround that I can think of (might seem a little bit of an overkill):
      - Use SetAuthenticationResult to redirect to an IScript:
      E.g.:
      SetAuthenticationResult( True, "GUEST", "https://www.test.com/psc/ps/EMPLOYEE/HRMS/s/WEBLIB_SV_TST.ISCRIPT1.FieldFormula.IScript_SASANK", False);

      Depending on whether you want to authenticate to success or failure you can use the %signonuserid (success) or a GUEST style userid (failure).

      - In the IScript you will need to redirect to your external URL and add the header using the response object (SetHeader and RedirectURL methods).

      I tried this and it works. So the flow would be as follows user login > signon peoplecode > setauthenticationresult (signonresultdocredirect.html on web server) > IScript > external URL.

      Hope this gives you some ideas. Thanks!

    2. Hi Sasank - I have a question on your response - "In the IScript you will need to redirect to your external URL and add the header using the response object (SetHeader and RedirectURL methods)." - I am not able to get this to work correctly. When the IScript redirects, it loses the header that was set in the previous line. It looks like you have successfully tested this - would you recall if the header was still set when the redirect took place?

      %Response.SetHeader("REMOTE_USER", %OperatorId);
      %Response.RedirectURL(EncodeURL(&callback_new));

      The redirect happens as expected but I am not seeing REMOTE_USER set anymore.. Thanks for looking into this...

    3. Hi Karthik - This comment was from many years ago. Unfortunately, I don't have access to the code.

  9. I have a requirement to open an XMLP/BI report from a REST web service call from a 3rd party. I created the REST service and provided the WADL. In the handler PeopleCode I added code to generate the XMLP in PDF format and used the displayoutput method of XMLP. But I can see the response without any PDF being opened. The PDF is generated, hence I tried viewattachment, but it didn't work. Do I need HTTP POST? I appreciate any help.

    Replies
    1. Venu - I don't believe you can use the displayoutput method for streaming documents via Integration Broker. To my knowledge, that method would only work if the request is made via a PeopleSoft page (PIA).

      You could move your code to an IScript. In the IScript you can try the displayoutput and see if it works. I am not sure if it works but you will have several options once you are in the IScript framework.

      Note: From a third party point of view, an IScript could just be similar to a HTTP GET.

      Thanks!

  10. Hi sasank

    I posted the question to the wrong post (XMLP/BI report open). Sorry about that. Any direction is greatly appreciated.

  11. Hi - Am trying to add a prefix to URL - add additional prefix to the PS server. Can we add this to the signon.html?

    All the subsequent validation of the re-directions are taken care-off in signon peoplecode

    Thanks,
    Srini

    Replies
    1. Hi Srinivas - Can you please explain this with an example? I am not sure I understand your requirement.

    2. Hi Sasank - We are trying to authenticate using a third-party authentication system which issues a ticket. We need to bypass the PS authentication, which we could do through the web profile.

      However, when we connect to PS, we need to get redirected, authenticated by the third-party system, validate the ticket in PS and set the authentication result.

      The problem is PS -> third-party application -> PS. The redirection back to PS is what we are stuck on.

      -Srini

    3. Srini - Is this third party authentication CAS (Central Authentication Service)?

      Anyway, I have worked with CAS which is very similar ticket based system. This is how I tackled the PS authentication.

      - On the signin.html file, I placed a redirect to CAS for authentication. So, basically, bypassing PS Authentication. The redirect URL would be something like this:
      https://cas.test.com/cas/login?service=https://pi017.hcm92.com/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT

      You can see that the service parameter is the PS Homepage URL.

      - Then once authenticated with CAS, CAS will redirect to the service URL, which is https://pi017.hcm92.com/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT. At this point, my signon peoplecode would kick in and verify the CAS ticket. Once the ticket is verified, I would authenticate the user. If the ticket is not verified, I would redirect back to CAS using SetAuthenticationResult.

      Hope this gives you some ideas.

    4. Hi Sasank - Yes, we are using the CAS integration, and what we are doing is along similar lines. We want PS to redirect to the authentication system and return with the ticket. Basically, when we do such a thing it works for the default page without any issues. However, for the deep-rooted links the signin.html is not taking the redirection at all. If you can send me more details of the changes in signin.html, it will be quite helpful.

      Thanks,
      Srini

    5. Srini - The signin.html should not come into play for the deep links or even the homepage URL. If a user accesses a deep link (e.g.: https://pi017.hcm92.com/psp/ps/EMPLOYEE/HRMS/c/MAINTAIN_SECURITY.USERMAINT.GBL) or the homepage URL (e.g.: https://pi017.hcm92.com/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT), the signon peoplecode for CAS ticket validation should kick in at this point. The user would not go to the signin page in this scenario.

      In the signon peoplecode, are you checking if the ticket exists and validating accordingly? I think that your problem may be with redirecting to CAS when the ticket does not exist. You should be using a setauthresult call (detailed in this post) and redirect to CAS with service URL.
      E.g.:
      ...
      &redirectURL = &cas_redirect_url | "service=" | &ServiceURL;
      SetAuthenticationResult( True, "CSK_GUEST", &redirectURL, False);
      ...
      where &redirectURL would be something like https://cas.test.com/cas/login?service=https://pi017.hcm92.com/psp/ps/EMPLOYEE/HRMS/c/MAINTAIN_SECURITY.USERMAINT.GBL

      You may want to consider using EncodeURLForQueryString on the &redirectURL.

      On the signin.html, it is just a simple redirect and it will only be invoked if someone directly accesses the login page. Here is a snippet:

    6. Could not paste the html/script in the comments. You can find it here:
      https://pe0ples0ft.blogspot.com/p/signinhtml-code-snippet.html

    7. Hi,

      I am busy implementing CAS with PeopleSoft. However, I could get the signon PeopleCode to be triggered for validating the ticket. Please could you kindly help? What is the workflow? What are the PeopleSoft files to be modified (signing.html or signon.html, etc.)?

      Your help would be really appreciated.

      Best Regards
      MDABO

    8. It really depends on your implementation. There are several online resources available that should get you started on the entire architecture and objects involved:

      https://wiki.jasig.org/display/CAS/CASifying+PeopleSoft
      http://www.slideshare.net/JohnGasper1/casifying-peoplesoft-and
      https://www.scribd.com/document/281610104/University-of-Northern-Iowa-PeopleSoft-CAS-Configuration-Public

    9. Hi Sasank,
      Thanks for your quick answer. I have already had a look at that documentation. However, for all the settings I have tried, the signon PeopleCode is not triggered. Or, if triggered, the ticket is missing from the %Request object in the signon PeopleCode.

      If you have already implemented CAS/PS, could you kindly help?

      Best Regards
      MDBABO

    10. Unfortunately, I don't have any other documents/steps to offer other than the links above. My experience with CAS is loosely based on the following document (which is part of the first link that I previously shared):
      https://wiki.jasig.org/download/attachments/5645/CalPolyWebLogin.pdf?version=1&modificationDate=1343241066721&api=v2

      If you are not seeing the ticket in the Request Class, then it means that CAS is unable to authenticate the user, the user is not logged in or the user's session expired.

  12. Thanks Sasank. We are using the URL directly as https://cas.test.com/login?service=PS URL

    We are validating the ticket in the signon peoplecode & setting the authentication result. This is working for all links. However, we want PS to call the CAS URL for validation. If I understand correctly, you have the PS URL which on signin calls the function in signin.html to re-direct to the CAS portal login. For the deep rooted links, you handle it through the re-direct URL in signon peoplecode. When you re-direct the URL - on CAS authentication, does this not fire the signon peoplecode again? After this the portal issues the CAS ticket & then you validate the ticket. Hope I got this right?



    Thanks,
    Srini

    Replies
    1. When you re-direct the URL - on CAS authentication, does this not fire the signon peoplecode again?
      Yes. When I redirect to CAS with service=SOME_PS_URL, the control gets passed to CAS, CAS then sees if the session is valid and would redirect back to PS (SOME_PS_URL?&ticket=xyz123) with a ticket if it is valid. Then signon peoplecode fires again, but this time because there is a ticket in the query string, the signon peoplecode does the validation directly using the java class. Once the validation is successful, the user will be authenticated.

    2. Thanks for the info. What do you pass at the portal login URL? Is this the full complete URL - cas.test.com/login?service=

    3. Just the homepage URL. Basically, this is where the users even if they authenticate against PeopleSoft.

      E.g.: https://cas.test.com/cas/login?service=https://pi017.hcm92.com/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT

      Also, none of the users would purposely try to access the signin.html. Because they would usually go to CAS as their starting point. The above redirect is only for those users who end up on the login page accidentally. Hope this makes sense.

    4. Many Thanks for the inputs, will try them out.

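The CAS round trip described in replies 11.3, 11.5 and 12.1 above, written out as an added example that is not part of the original thread and is not the blog author's code. It assumes a hypothetical function library (XX_CAS_FUNCLIB.XX_CAS, function ValidateCasTicket) that wraps the site's CAS validation Java class, and that %Request.FullURI and %Request.QueryString reflect the link the user originally requested; the URLs and the guest user ID are the sample values used in the thread.

```peoplecode
/* Added example; names marked ASSUMPTION are not from the original thread. */

/* ASSUMPTION: hypothetical wrapper around the site's CAS validation Java class.
   Returns the validated user ID, or "" when CAS rejects the ticket. */
Declare Function ValidateCasTicket PeopleCode XX_CAS_FUNCLIB.XX_CAS FieldFormula (&ticket As string, &service As string) Returns string;

Function CAS_SIGNON()
   /* Sample values from the thread; replace with site configuration. */
   Local string &casLogin = "https://cas.test.com/cas/login";
   Local string &psBase = "https://pi017.hcm92.com/psp/ps/";
   Local string &psHome = &psBase | "EMPLOYEE/HRMS/h/?tab=DEFAULT";
   Local string &guest = "CSK_GUEST"; /* unlocked user ID with no roles */

   /* Rebuild the URL the browser asked for, so a deep link survives the
      round trip through CAS (ASSUMPTION: the Request object exposes it). */
   Local string &requested = %Request.FullURI;
   If All(%Request.QueryString) Then
      &requested = &requested | "?" | %Request.QueryString;
   End-If;

   Local string &ticket = %Request.GetParameter("ticket");

   If All(&ticket) Then
      /* Second pass: CAS sent the browser back with a one-time ticket.
         Validate it against the service URL without the ticket parameter,
         which CAS appended as the last query parameter. */
      Local string &service = &requested;
      Local number &pos = Find("&ticket=", &requested);
      If &pos = 0 Then
         &pos = Find("?ticket=", &requested);
      End-If;
      If &pos > 0 Then
         &service = Left(&requested, &pos - 1);
      End-If;

      Local string &userId = ValidateCasTicket(&ticket, &service);
      If All(&userId) Then
         SetAuthenticationResult( True, Upper(&userId), "", False);
      Else
         /* Rejected ticket: fail the signon here instead of bouncing back
            to CAS, so a persistent validation failure cannot loop. */
         SetAuthenticationResult( False, &guest, "", False);
      End-If;
      Return;
   End-If;

   /* First pass: no ticket yet. Only hand CAS a service URL that points at
      this PeopleSoft site; anything else falls back to the homepage, so the
      request cannot steer the post-login redirect to another host. */
   If Left(&requested, Len(&psBase)) <> &psBase Then
      &requested = &psHome;
   End-If;

   /* Encode the service value as a whole so that its own "?" and "&" are
      not read by CAS as parameters of the login URL. */
   Local string &redirectURL = &casLogin | "?service=" | EncodeURLForQueryString(&requested);

   /* The redirect is issued through the guest-style user ID, as in the thread. */
   SetAuthenticationResult( True, &guest, &redirectURL, False);
End-Function;
```

As with the other examples in this post, the function only redirects when it is enabled on the Signon PeopleCode page and the web profile's Signon Result Doc Page is set to signonresultdocredirect.html.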
  13. Hi Sasank,
    First of all thanks for this interesting post!

    I am trying to implement a scenario with conditional redirect: when an LDAP authentication fails, I would like to redirect the user to the internal PeopleSoft login page with a customer message depending on the LDAP response (like account is locked, disabled, etc.).
    I have tried different times using the following method and parameters: SetAuthenticationResult( False, %SignonUserId, &redirectURL, False). However, I am facing an issue using this function. What I have noticed is that, when the authentication fails, the value of the parameter %SignonUserId is different from the value that the user has entered into the login form. Thus the redirect is not working. Do you have any idea?

    P.S.: Note that the SetAuthenticationResult ( True, %SignonUserId, &ExternalredirectURL, False) works well for example when an authentication is success and the redirect url is an external site.

    Best Regards
    Nash

    Replies
    1. Hi Nash - I have not tried using the redirect with a false authentication. In my experience, the redirect only seems to work if the authentication is true. A workaround though, is to set the authentication to true using a guest style userid (E.g.: GUEST) and then redirect.

      E.g.:
      SetAuthenticationResult( True, "XXX_GUEST", "https://www.google.com", False);

      Note: XXX_GUEST should be an unlocked userid with minimal access. In fact, it does not even need any roles assigned.

      I know this is not ideal but that is the approach I took when I ran into this issue. Let us know if you find an alternative way to get around the problem.

  14. Sasank,

    I've got this close to being setup. I have placed the following code in LDAPAUTH FieldDefault, however, the code is being executed in an infinite loop and will not complete the redirect. The browser just constantly refreshes.

    Function LDAP_REDIRECT()
    If %PSAuthResult = True Then
    Local string &signonUserID;
    &signonUserID = %SignonUserId;
    SetAuthenticationResult( True, &signonUserID, "/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT", False, 0);
    End-If;
    End-Function;

    I have made sure to modify the web profile look and feel to point to signonresultdocredirect.html, and all that's in the HTML are the html and head tags as well as this:

    {meta HTTP-EQUIV='Refresh' CONTENT='1; URL=<%=resultDoc%>'}


    Any idea why my signin peoplecode is being executed in an infinite loop? Thanks!

    Replies
    1. Hi Jes - Not sure why you are trying to redirect the user to the homepage? Can you try simply using the SetAuthenticationResult without a URL? Won't it go to the homepage anyway?

      Also, if %PSAuthResult = True then there may be a valid PS Token already. Correct? In that case, if you redirect again, the SetAuthenticationResult redirects back to the same URL, signon peoplecode fires again and it will keep redirecting infinitely.

    2. What I am trying to do is redirect users to the Classic homepage, and not the Fluid home page. Thanks for the reply!

    3. Hi Jes - Are you on 8.55? If so, you could consider using the following option:
      http://www.peoplesoftmods.com/emf/classic-ui-for-administrative-users/

      Even if you are not on 8.55, you could still add custom code to the Fluid Homepage component to perform the redirect as detailed in Colton's post.

  15. Awesome, thanks Sasank!

  16. Hi Sasank,

    Thank you for your article. I have successfully developed a functionality to redirect users to a financial agreement page in CS 9.0/PT8.54.12 release based on your article. The user will be redirected to the home page upon accept button click or signed out upon decline button click. This worked wonderfully until we upgraded PeopleTools to the 8.55.14 release recently. The component becomes unresponsive after the redirect (clicking on the Accept/Decline buttons won't work). Even the sign out link in the upper right corner never works. Have you come across this issue with PT8.55.14? We are planning to go live with classic mode first and implement Fluid later on. I have opened an SR for this issue on the MOS site.

    - Khaliq

    Replies
    1. Khaliq - Sorry to hear that it is not working in 8.55.14. I have not seen this behavior. Hopefully, MOS will be able to assist. If you find a solution then let us know!

      I will try to test this if I can and let you know my results. What is the navigation to this financial agreement page? Is it delivered or custom?

  17. Very Interesting use of the Redirect parameter.
    I'm wondering if we can use this to overcome my biggest issue with Default User Sign In.

    We have an Interaction Hub <--> HCM <--> <--> ELM setup in PeopleSoft. Ideally, I would like users to start in Interaction Hub with Guest Access.

    Users will by default go to the (EMPLOYEE/EMPL/c/NUI_FRAMEWORK.PT_LANDINGPAGE.GBL) and will be automatically logged in with the Guest User and see the 'Guest Fluid Home Page'. This will have the 'Sign In' Tile, plus other tiles (Company News, Organization Directory) etc.

    Users will sign in (using the Sign In tile) to gain access to Self Service applications.

    But the problem comes in when they access a deep link (say a Manager gets a notification to approve a Staff's leave request and it has a direct URL to the transaction).

    Default Behavior:
    a. Manager Clicks 'deep' link
    b. Views Sign On page & signs in with credentials
    c. Views the Approval Transaction

    Consider if the Manager has already opened the 'Guest' homepage in his browser.
    He just gets an email notification and clicks the Link. Now PS tries to navigate in the context of already logged in user 'Guest' which does not have access to the Approval page.

    Wonder if we can catch this scenario using the Sign-On.

    Something like

    If %SignOnUserID = 'Guest' and %PSAuthResult = True Then
    If 'Guest' authorized for Menu/Component/Page Then
    Proceed
    Else
    SetAuthorization(False,%SignOnUserID, , False)
    End
    End


    Replies
    1. Yes. You should be able to write some conditional logic on the HCM side to redirect to the login page, in case someone (say a Manager) accesses a deep-link in an email that would automatically take them in as a guest.

    2. It seems that the SignOnPeopleCode doesn't get triggered when there is a valid PSTOKEN or am I wrong?

    3. In other words, if the user is already logged in, does accessing a deep link trigger the SignOnPeoplecode? It doesn't seem to.
      In this case, the issue with default user still persists and defeats the very purpose of using Default User.

  18. It seems that the SignOnPeopleCode doesn't get triggered when there is a valid PSTOKEN or am I wrong?

    Replies
    1. Manoj - If there is a valid PSTOKEN, then it will not trigger signon peoplecode. This assumes that the current PSTOKEN is a valid userid.

      You may want to review this Doc ID on My Oracle Support:
      E-PORTAL: Workflow E-mail Links Cause Error: "You are not authorized to access this component. (40,20)" Error If Public User Is Enabled (Doc ID 778902.1)

    2. I've already taken a look at the DOC, and the solutions are EXTREMELY useless. I mean how can the top two solutions be
      1. Train the user ( if they get the unauthorized error, they have to close the browser window and click the email link. I mean, Come on!)

      2. Disable Public User access: I was laughing my guts out on this.

      3. Not a Solution at all due to the SignonPeople code not being triggered if the PS_TOKEN is already valid.

      In my opinion, 'Public Profile' is one of the worst features of PeopleTools. One with a lot of promise, but poorly implemented.

    3. From what I know, this is how it works within the confines of the delivered signon peoplecode.

      I recognize that it is not ideal as-is. You may have to come up with a custom solution to workaround this issue. If I have any ideas I will post back here.

  19. Hi Sasank,
    I am doing my testing of CAS Signon PeopleCode in PeopleSoft 9.2, PeopleTools 8.55.19, and the Fluid Homepage URL authenticates the user successfully for the ticket obtained and SetAuthenticationResult( True, Upper(&cas_result), "", False); gets triggered as well. But after this, Signon PeopleCode triggers once again, trying to validate the same ticket, which eventually fails, and as a consequence authentication fails as well (which is true because by then the same ticket is not valid).

    Any idea as to why signon triggers twice here? though the user was successfully authenticated.

    The above code works absolutely fine in PeopleSoft 9.1, where the signon triggers just once.

    Please advise!!

    Replies
    1. Couple of suggestions:

      - Check if your CAS java jar files are on the app server classpath directory. Since you must have built out new app servers potentially, the jars might be missing?
      - Also, if the app servers were on a new host, you might have to check if your server is able to communicate with the CAS server. Usually, a telnet to your CAS server host should confirm if that is an issue.

      Hope this helps.

    2. My app server trace shows the CAS validation URL returns the username, but after the code for SetAuthenticationResult is executed, the return stack of the signon function is shown and the signon code triggers once again (validation of the same ticket once again, and that fails). I have tested this function standalone through an application engine and it works fine.

      My concern is why should it trigger signon code the second time after SetAuthenticationResult has been set to True for that Username obtained? Any thoughts..

  20. Hi Sasank,
    We are on PT8.55.12 and using outside redirect URL as &rURL = GetURL(URL.SR_REDIRECT) it works fine with SetAuthenticationResult( True, %SignonUserId, &rURL, False) but not with SetAuthenticationResult( False, %SignonUserId, &rURL, False);
    Any thoughts?
    Thank you

    Replies
    1. Do you have a guest user on web profile as the public user? If so, you can set the authentication to false with that userid for redirecting in failure scenarios.

  21. Hello Sasank - We are on PT 8.56.01 /Fluid UI
    After the user is authenticated, I am redirecting the user to a custom "2 factor authentication" page (using Colton Fisher's solution).
    This is done as part of the sign-on PeopleCode func-lib (added a custom one).
    We see somebody can interject/hack and bypass the 2 factor page by manipulating the URL.
    Is it possible to add the specific role for the self service user using PeopleCode only after they complete the 2 factor page successfully
    (until that time the user has access to the 2 factor page only)?

    Appreciate your input

    Replies
    1. AB Krishna,

      I am not entirely sure how Colton's 2 factor authentication works so this is just my opinion based on what you have described.

      I think you are addressing the wrong area in this scenario. That is, if the user is able to manipulate the URL and bypass the 2 factor page, then you need to find a way to redirect them back to the 2 factor page.

      It should be possible to add/remove role dynamically in signon peoplecode but I don't know if doing that once you have authenticated the users (in the 2 factor page) will have the same effect or if it would cause any inconsistencies.

  22. Hi Sasank,

    We are trying to implement MFA for our client. We followed all the steps and we are having issues redirecting from the custom page to the PeopleSoft home page.

    After clicking OK in the custom page, instead of transferring to the PeopleSoft home page it stays in the custom page.

    we are using %response.redirecturl(generateScriptContentUrl(%portal,%node, Record.WEBLIB_PTBR,Field.ISCRIPT1, "fieldformula", "Iscript_StrartPage");

    Please advise.

  23. Hi, Forgive me for not being familiar with most topics in this post. I would like to outline what I would like to do and am looking for some rough outline of how I might accomplish it. We are implementing a 3rd-party external auth mechanism. Ideally any user attempting to get directly into PS by whatever means (link to main logon page, server default index page, deeplink, or bookmarked URL) would be redirected to the external auth logon page. After auth they would continue to wherever they were going. It seems that PS does this by default with its default logon page. How would I accomplish this? Another requirement would be a bypass to log in as a local PS user for some special cases. Can anyone point me in the right direction?

  24. Hi Sasank, We are trying to implement PeopleSoft SSO with SiteMinder. These are the steps we followed.
    1) Created public user, created web profile for public access
    2) Enabled Peoplesoft with public access.

    3) SiteMinder would authenticate the user credentials and pass emplid attribute to Peoplesoft

    4) Wrote custom sign-on PeopleCode to read the emplid from the header and authenticate the user again. However, we are unable to read the EMPLID attribute from the header. I tried to print all available header variables, and I don't see emplid. However, SiteMinder says they are sending EMPLID.


    Do you know if we are missing something?

    Replies
    1. Hi Harika - It sounds like you are on the right track from an implementation point of view.

      I have noticed on occasion that some headers are not properly passed to PeopleSoft. The most likely causes are load balancers (F5, etc.) or the PeopleSoft web server configuration (weblogic). You can work with your admins to enable additional http logging on the F5/weblogic layers and see where the header is getting blocked.

  25. Great, thank you so much Sasank!!

  26. Hi Sasank, We are trying to implement PeopleSoft SSO with SiteMinder. I have got custom sign-on PeopleCode triggered, captured emplid from the header and authenticated the user. However, the user does not get signed into PeopleSoft. Per the app server logs, the user is switched from the public user to emplid and the error "Failed to execute HomepageTemplate request" is shown. We tried to grant the Admin role to the public user; we get signed into PeopleSoft as the public user and it does not switch to the emplid. Any thoughts on this behavior?

    Replies
    1. Sorry for the delay in responding. I somehow missed this comment.

      You might want to try giving the 'PeopleSoft/Portal Admin' roles to the EMPLID and see if it is an access issue that is causing the failure to switch.

      Also, you could add some debug messages (write to file/table) on your signon peoplecode to check the flow of your code.

  27. This comment has been removed by the author.

  28. Hi Sasank,

    We are using LDAP authentication, and want to redirect the user to a certain (internal) page based on some condition, so I was trying to redirect using the code below, but it is giving an error on the Sign On page - "Unauthorized token has been detected by the system. please sign on with your user id and password". Could you please assist?

    This code is written in LDAP_AUTHENTICATION function.

    SetAuthenticationResult( True, Upper(&psUserId), &redirectURL, False, 0);
    where &redirectURL is internal (PeopleSoft) url.

    Please note that this code works fine for external URL.

    Replies
    1. Hi Sanjay - I have not encountered this error. But I found a Doc ID on My Oracle Support related to this error message. Please review and see if the solution applies to your problem.

      E-PIA : PT 8.56 "UnAuthorized Token Has Been Detected By The System." Error On PIA Signon (Doc ID 2309383.1)

    2. Hi Sanjay,

      I was wondering if you have successfully implemented this? We are trying to do the same in our application and we are encountering issues. I am hoping you can share your knowledge with us. Thank you.

      -Bee
      betrishaanonical0213@gmail.com

  29. Hi Sasank,

    Need your help please. I am trying to redirect users to the “My System Profile” page to enter their work email upon signing on to PeopleSoft. But for some reason the code below doesn’t fire. We are on HR 9.2 Tools 8.55.11.

    Here are my settings:

    1. Changed the look and feel on the default Web Profile by setting Signon Result Doc Page to signonresultdocredirect.html - restarted and cleared web server cache.

    2. Created new work record/field HI_FUNCLIB.EMAILID and placed the following code on the FieldDefault event

    Function signonRedirectTest()

    &redirectURL = GenerateComponentContentURL(%Portal, %Node, MenuName.MAINTAIN_SECURITY, "GBL", Component.USERMAINT_SELF, Page.USER_SELF_SERVICE, "", "");

    SetAuthenticationResult( True, %SignonUserId, &redirectURL, False);

    End-Function;

    3. Navigate to Main Menu > PeopleTools > Security > Security Objects > Signon PeopleCode and added new line with the following values:

    Sequence: 1
    Enabled: Checked
    Record: HI_FUNCLIB
    Field: EMALID
    Event: FieldDefault
    Function: signonRedirectTest
    Exec Auth Fail: Unchecked

    Not sure what else I am missing. I really appreciate your help.

    Thank you,

    Mohamed

    Replies
    1. Just to confirm, have you bounced your app server after you added the new row on the SignOn PeopleCode Configuration page?

  30. Thank you very much for your quick reply. I asked the system admin to do so. I will keep you posted.

  31. Hi Sasank,

    Bounced app and web servers and confirmed that the file signonresultdocredirect.html does exist .. still no luck

  32. Hi Sasank,

    We bounced the web and app server also confirmed that the signonresultdocredirect.html file exists on the web server. still no luck!

    Replies
    1. I am not really sure what the issue is here. You might have to create a support request with Oracle and get assistance.

      I saw some comments above where others have complained about similar issues in certain 8.55.XX environments. So, it could be something similar.

    2. Hi Sasank, Is there any solution for Mohamed's issue? I am facing the same problem.
      Can you please share your knowledge if you find any solution. Thank you!!

  33. Also, I validated the content of the signonresultdocredirect.html file and changed my code to pass same variable name and in the file but still doesn't redirect. Your help is greatly appreciated.


    * ******************************************************************
    *
    -->
    "meta HTTP-EQUIV='Refresh' CONTENT='1; URL=<%=resultDoc%>'"


    Replies
    1. Thank you .. Just created support request with Oracle, I will update the post for others .. Thanks again for your help

    2. Hi Mohamed, I am facing the same issue as you discussed above and I am also using the same approach.
      Can you please let me know the solution if you get?
      Your help is greatly appreciated.

      Thank You!!

  34. Sasank,

    At UT Arlington, we have two urls that go to the same database - one for students and one for faculty/staff. We'd like to keep students out of the faculty/staff side (url is arcs-). They have the same portal, same node, but have different web profiles and urls. In the test environment, we are able to put a method on an app class that executes on the landing page. This method successfully detects which url they are signing in from and if they are student-only, it redirects them to the mymav url. However, I am only able to get them to the sign-in page. Ideally, we'd love to redirect them and have them signed-in, without having to sign them in twice.

    So, it goes like this

    1) Student goes to arcs- url
    2) Student signs in
    3) App Package/Class/Method detects they're a student-only & redirects them to the mymav url

    I've tried to send them directly to the landing page of the mymav url but get an authentication error. When I try the SetAuthenticationResult( False, &USERID, &mymavtest1, False, 999) OR SetAuthenticationResult( True, &USERID, &mymavtest1, False, 999) - it reroutes them to the arcs- landing page.

    Thoughts?

    Francine Simpson
    University of Texas at Arlington

    Replies
    1. Hi Francine,

      As far as I know, you can only redirect to the other URL without having to log in again if both the URLs (VIP - virtual IPs) are using the same cookie domain. That is, the weblogic.xml cookie domain and web profile auth token should match for both the URL configurations.

      Let's say, your student URL hostname is:
      https://mymav.prd.arlington.edu
      And your staff/faculty URL hostname is:
      https://arcs-mymav.prd.arlington.edu

      So, your weblogic cookie domain and web profile auth token should use a shared cookie domain, for instance:
      .prd.arlington.edu

      You might want to check with your PS/middleware/system admins if this is the case.

      Otherwise, you will be forced to sign in because the other web profile does not share the PS_TOKEN because they use different cookie domains.

      Delete
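The shared cookie domain described in the reply above can be checked offline. The following is an added example in Python, not part of the thread and not PeopleSoft code: it applies the RFC 6265 domain-match rule to the host names used in that reply, and `reports.prd.arlington.edu` and `mymav.dev.arlington.edu` are constructed hosts added to show how far the cookie travels.

```python
from urllib.parse import urlsplit

# Host names from the reply above; the last two entries are constructed.
STAFF = "https://arcs-mymav.prd.arlington.edu/"
STUDENT = "https://mymav.prd.arlington.edu/"
HOSTS = ["arcs-mymav.prd.arlington.edu", "mymav.prd.arlington.edu",
         "reports.prd.arlington.edu", "mymav.dev.arlington.edu"]


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match for host names (not IP addresses)."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def token_is_shared(login_url, target_url, cookie_domain):
    """Would a cookie set by login_url be sent by the browser to target_url?

    cookie_domain is the Domain attribute of the Set-Cookie header, or None
    when the server sends no Domain attribute (a host-only cookie).
    """
    login_host = urlsplit(login_url).hostname
    target_host = urlsplit(target_url).hostname
    if cookie_domain is None:
        # Host-only cookie: returned to the exact host that set it, no other.
        return login_host == target_host
    if not domain_match(login_host, cookie_domain):
        # Browsers discard a cookie whose Domain does not cover the setting host.
        return False
    return domain_match(target_host, cookie_domain)


def hosts_receiving(login_url, cookie_domain, hosts):
    """Every host in `hosts` that would be sent the cookie set at login_url."""
    return [h for h in hosts
            if token_is_shared(login_url, "https://" + h + "/", cookie_domain)]


if __name__ == "__main__":
    for domain in (None, "arcs-mymav.prd.arlington.edu", ".prd.arlington.edu"):
        print(domain, "->", hosts_receiving(STAFF, domain, HOSTS))
```

The widest setting also delivers the token to every other host under `.prd.arlington.edu`, so the cookie domain should be no broader than the set of hosts that are meant to accept the session.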
  35. Hi Sasank,

    I have followed your guide, but I am trying to redirect to one of my components. I created a new "funclib" record and enabled it. Unfortunately, when I use the component URL, it always fails. The URL in the browser already redirects to the page, but I am pushed back to the signon page with the error "Your User ID and/or Password are invalid." Hopefully you can help me.

    Thank you.

  36. Hi Sasank,

    We are looking for some help and guidance around PeopleSoft SSO with reverse proxy using headers. We have completed the SSO setup and during our unit testing, we found a looping issue, which is intermittent. Looking at the header trace, we see the ps_token cookie being set after successful authentication, but for some reason PeopleSoft seems not to be accepting the token. Could you please let us know if there is anything obvious we should be looking at? Any pointers would be really appreciated. Thanks.
    Here are our reverse proxy and peoplesoft setup details:

    - Azure AD app proxy service
    - Azure AD app proxy connector
    - Ping Access (reverse proxy)
    - PeopleSoft application


  37. Hi Sasank,

    Apologies as things are still not clear for me. We wanted to redirect the user to a custom page upon successful login. We changed the Signon Result Doc Page to signonresultdocredirect.html (bounced the web server after). We created a record and put the code in FieldDefault:

    Function PrivacyNotice();


    &URL = GenerateComponentContentURL(Portal.EMPLOYEE, %Node, MenuName.Z_ALL_PRVNTC, "GBL", Component.Z_ALL_PRVNTC_PG, Page.Z_ALL_PRVNTC_PG, "");

    SetAuthenticationResult( True, %SignonUserId, &URL, False, 0);

    End-Function;

    We added the record in the signon PeopleCode, but every time we tried to sign in, we were not redirected to the custom page that we created.

    Did I miss anything? Any advice from you is highly appreciated.

  38. Hi Sasank,

    Just to add to my inquiry, we are using 8.53.26. Hope to have your response right away. Such a big help from my teammates.

    Replies
    1. Please take a look at these documents on MOS and see if they help:

      E-PIA: How to redirect a user to a specific page in a PIA session (Doc ID 610905.1)
      E-Portal: How do we redirect a user to a specific component page at login? (Doc ID 649958.1)
      Enterprise PeopleTools 8.49 PeopleBook: Internet Technology > Configuring the Portal Environment > Redirecting Pages with Sensitive Data
      E-PORTAL: What Methods Are Available To Redirect Users To A Specific Page At Login? (Doc ID 757458.1)

  39. Hi Sasank,

    We are currently using LDAP. As we change to signonresultdocredirect.html, we encountered an error (error occured) upon logging in. Do you have any idea about it? Redirecting to another page is the only issue problem left to us. :(

  40. Hi Sasank,

    I have an issue regarding phishing through url redirection:
    When we add a query string to the actual URL of our PIA login, it's getting redirected to the phishing site. Can you please help me with how to fix this? Where do I need to make changes to stop this redirection?

    Thanks in advance

    Replies
    1. Are you passing the phishing site in the query string?

      I am not sure how to stop the redirection. You could check your Web Profile > Look and Feel (Tab) > Signon/Logout Pages > Signon Result Doc Page.
      If this is set to 'signonresultdocredirect.html', then you could try setting it to 'signonresultdoctext.html' or 'signonresultdocpage.html'.

      I am not sure if this will stop the signon redirect but it is worth trying out.

      Delete
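For the redirection concern raised in comment 40, this is an added example in Python, not PeopleCode and not part of the thread, of the allow-list check a redirect target should pass before it reaches a call such as SetAuthenticationResult. It assumes the target is derived from request data by custom code; the allowed hosts, the default target and all sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed values: the hosts this site is willing to redirect to.
ALLOWED_HOSTS = {"hr.example.test", "portal.example.test"}
DEFAULT_TARGET = "https://hr.example.test/"


def safe_redirect_target(candidate, default=DEFAULT_TARGET):
    """Return candidate only if it is an absolute https URL on an allowed host.

    Anything else (relative or scheme-relative URLs, other schemes, embedded
    credentials, look-alike hosts, control characters) falls back to default.
    """
    if not isinstance(candidate, str) or not candidate:
        return default
    # Browsers read "\" as "/" and drop tabs and newlines, so a URL carrying
    # them can resolve to a different host than the parser below reports.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in candidate):
        return default
    try:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return default
    if parts.scheme != "https":
        return default
    # "https://allowed-host@other-host/" sends the browser to other-host.
    if parts.username is not None or parts.password is not None:
        return default
    # Exact match, not a prefix or substring test on the URL text.
    if host not in ALLOWED_HOSTS:
        return default
    return candidate


# Constructed inputs: one legitimate target and several that must be refused.
SAMPLES = [
    "https://hr.example.test/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT",
    "https://hr.example.test.attacker.example/",
    "https://hr.example.test@attacker.example/",
    "//attacker.example/",
    "http://hr.example.test/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", safe_redirect_target(url))
```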
  41. Hi Sasank,

    I have tried the above thing, but no luck:(

  42. Hi Sasank,
    We are planning to upgrade from PeopleTools version 8.55 to 8.57, and the application version we are using is 9.1.
    Will 8.57 be compatible with 9.1, or may we run into any issues? Please suggest the compatible tools version for 9.1.

  43. Dear Sasank,

    We want to implement Azure sign-on in PeopleSoft. Do you have any details or documentation?

    Thanks,
    Krishna

  44. This comment has been removed by the author.

  45. For people looking to implement Azure SSO (or any other SAML identity provider such as CAS, Shibboleth, ADFS, etc), please look at the documentation here: https://github.com/peoplesoft-info/peoplesoft-azure-sso

  46. Hello Sasank,
    We are trying to implement PeopleSoft SSO with Okta. These are the steps we followed.
    1) Created public user, created web profile for public access
    2) Enabled Peoplesoft with public access.

    3) Okta would authenticate the user credentials and pass emplid attribute to Peoplesoft

    4) Wrote custom sign-on peoplecode to read the emplid from header and authenticate the user again.
    5) I was able to read the value from the header as well.

    But the issue is that I do not see %SignonUserID populated with the public user id configured in the Web Profile; instead I see my network ID populated in "%SignonUserID", hence %PSAuthResult is also set to False.

    Do you know if we are missing something?

    Replies
    1. Is %SignonUserID populated with your network ID before the setauthenticationresult?

      If the web profile enabled public access with a userid/password, then %SignonUserID should be the guest user until you validate the header and execute the setauthenticationresult.

    2. Thanks for the response! Yes.. %SignonUserID is populated with my Network ID before calling setauthenticationresult. I was expecting the public user id in %SignonUserID. Now I am puzzled from where it fetches my network ID.

    3. Strange. Do you have any other signon event configured? Or LDAP setup?

    4. I just checked. We have not configured any signon event. Yes, we also have LDAP setup. But I'm trying to print the %SignonUserID value right before any PeopleCode gets executed in the LDAP_Authentication function. Is there a way I can share a screenshot?

    5. Not sure. I would disable LDAP, create a new custom function for your code and test. Just to rule out LDAP code interference.

      Also, on the SignOn PeopleCode you need to set the "Invoke as user signing in" for the web profile public user to be the one executing the SignOn PeopleCode.

    6. Thank You! I checked 'Signon PeopleCode' as well as 'Web Profile'. Later I have requested Okta Admin to re-configure the host URL on their side. After which it started working.
