UPDATE: Complete documentation on how to “Aggregate Multiple Proxies” is now available, including a sample configuration.
The Good
Starting from version 8.1, PeopleSoft user credentials can be validated against an LDAP directory, leveraging the authentication data that already exists in the directory service and achieving single sign-on across multiple PeopleSoft applications. Furthermore, user data that is typically kept in an LDAP directory (such as name, phone number, and email address) can be updated instantly or at a batch interval when the information changes in the PeopleSoft database.
The Bad
However, the PeopleSoft-delivered LDAP authentication interface can only authenticate against one directory tree. PeopleSoft does support multiple LDAP servers, but only for fail-over and redundancy: each replica server must contain a tree identical to the master LDAP server's.
The Ugly
In a typical enterprise environment, where more than one directory tree exists (multiple AD implementations), integrating PeopleSoft with multiple LDAP directories is only possible by customizing the application sign-on process in PeopleCode. However, such customization is beyond the normal support provided by the PeopleSoft Global Support Center.
The Solution
Use Penrose to tie all the AD servers into one directory tree by merging, proxying and pass-through authentication (PTA) against the AD servers.

Devils in the Detail
There are various ways for an application to authenticate against an LDAP server. A common method is:
- The user enters a username and password into the application.
- The application performs a search operation against the LDAP server to find the full DN of the LDAP entry representing the user. The application supplies a search filter built from the username, for instance: (sAMAccountName=)
- For each DN returned, the application attempts a bind operation against the LDAP server using that DN and the supplied password.
- Upon a successful bind, the application performs another search operation on the DN to retrieve the attributes it needs (e.g. cn, mail, memberOf).
The problem is that many applications assume all of the users are located in a single LDAP server. In many cases the users are spread across different domains and different Active Directory servers. Penrose solves the problem by mapping the users into a single “virtual” tree. From the application's point of view, all users are now located in a single LDAP server. When the application performs an LDAP operation on Penrose, Penrose forwards the request to the appropriate LDAP/AD server and then forwards the results back to the client.
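The four-step flow above and the virtual-tree routing it relies on, as an added example that is not code from the original post or from the Penrose project. The `VirtualDirectory` class is a toy stand-in for what Penrose does when it fans a request out to each backend; the two "AD servers", their entries, DNs and passwords are constructed sample data, and `authenticate` is the application side. Because the step-2 filter is built from whatever the user typed, the example also escapes the username per RFC 4515 so that a value like `*` stays a literal instead of becoming a wildcard that matches every account.

```python
"""Search-bind-search against a merged virtual tree (added example; the servers,
entries and passwords are constructed, and VirtualDirectory is a toy Penrose)."""
import hmac
import re

VIRTUAL_BASE = "dc=virtual"  # the single tree the application is configured with

# Constructed sample backends: one dict per directory server, keyed by DN.
BACKENDS = {
    "dc=corp,dc=example": {"cn=alice,ou=users,dc=corp,dc=example": {
        "sAMAccountName": "alice", "cn": "Alice", "mail": "alice@corp.example",
        "memberOf": ["cn=staff,dc=corp,dc=example"], "_pw": "correct-horse"}},
    "dc=subsidiary,dc=example": {"cn=bob,ou=users,dc=subsidiary,dc=example": {
        "sAMAccountName": "bob", "cn": "Bob", "mail": "bob@subsidiary.example",
        "memberOf": [], "_pw": "battery-staple"}},
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: user input stays a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _parse_filter(filter_str: str):
    """Accept one equality filter, e.g. (sAMAccountName=value), and return
    (attribute, regex). An unescaped `*` is a wildcard; `\\XX` is a literal byte."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, raw = m.groups()
    tokens = re.findall(r"\\[0-9a-fA-F]{2}|\*|[^*\\]+", raw)
    if "".join(tokens) != raw:
        raise ValueError("malformed assertion value: " + raw)
    regex = "".join(".*" if t == "*" else re.escape(chr(int(t[1:], 16)) if t.startswith("\\") else t)
                    for t in tokens)
    return attr, regex


class VirtualDirectory:
    """Toy Penrose: an operation on the virtual base is forwarded to every backend."""

    def _lookup(self, dn: str):
        for base, entries in BACKENDS.items():
            if dn.lower().endswith(base):  # route the DN to the backend that owns it
                return entries.get(dn)
        return None

    def search(self, base: str, filter_str: str) -> list:
        """Return the DNs matching the filter across all backend servers."""
        if base != VIRTUAL_BASE:
            return []
        attr, regex = _parse_filter(filter_str)
        hits = []
        for entries in BACKENDS.values():
            for dn, entry in entries.items():
                if re.fullmatch(regex, str(entry.get(attr, "")), re.IGNORECASE):
                    hits.append(dn)
        return hits

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: true only for a known DN and a non-empty, matching password."""
        entry = self._lookup(dn)
        if entry is None or not password:
            return False
        return hmac.compare_digest(entry["_pw"].encode(), password.encode())

    def attributes(self, dn: str, names) -> dict:
        entry = self._lookup(dn) or {}
        return {n: entry[n] for n in names if n in entry}


def authenticate(directory, username: str, password: str, wanted=("cn", "mail", "memberOf")):
    """Application side of the list above: search for the DN, bind as each candidate
    DN with the supplied password, then fetch the needed attributes (None on failure)."""
    if not password:
        return None  # an empty password would be an unauthenticated bind, not a login
    flt = "(sAMAccountName=" + escape_filter_value(username) + ")"
    for dn in directory.search(VIRTUAL_BASE, flt):
        if directory.bind(dn, password):
            return directory.attributes(dn, wanted)
    return None


if __name__ == "__main__":
    vd = VirtualDirectory()
    print(authenticate(vd, "alice", "correct-horse"))  # user held in the first AD
    print(authenticate(vd, "bob", "battery-staple"))   # user held in the second AD
    print(authenticate(vd, "*", "correct-horse"))      # escaped wildcard matches nobody
```

Both users authenticate through the one virtual base even though they live in different backends, which is the point of the virtual tree. The empty-password check matters with real directories too: an LDAP simple bind with a DN and an empty password is an unauthenticated bind that servers may accept, so the application must never treat it as a successful login. Real client libraries ship the escaping routine (python-ldap's `ldap.filter.escape_filter_chars`, ldap3's `ldap3.utils.conv.escape_filter_chars`); use those rather than the hand-rolled table here.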