PeopleSoft/WebLogic proxy with Shibboleth Native SP and Apache

Eric Goodman Eric.Goodman at ucop.edu
Wed Jan 23 13:50:26 EST 2013


That second sentence should say "In that scenario, after the initial authentication the user has a PeopleSoft session..."

--- Eric

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Eric Goodman
Sent: Wednesday, January 23, 2013 10:47 AM
To: Shib Users
Subject: RE: PeopleSoft/WebLogic proxy with Shibboleth Native SP and Apache

Just protecting the login page should be viable for authentication purposes. In that scenario the user has a PeopleSoft session, the SSO part doesn't really play in.

I think the issue with just protecting the login page is around login behavior and links to pages other than the "home page". If you just protect the home page, then any attempt to go directly to a PS page will, I believe, redirect at the PeopleSoft level to the PS login page, which in turn is redirected at the SAML/Shib level to the IdP for the actual authentication.

I'm not clear if the original target URL is going to be preserved in this case. E.g., the redirect to the IdP needs to somehow have the original desired page as the relayState, not the PS login page, and I don't know if it will.

We're currently setting up something like this (where only the login page itself is protected) and our links need to have a format of http://ps.login.initiator.page?relayState=http://desired.actual.webpage. We're not using the Shib SP, however, and part of the issue is the non-Shib SP, so I'm not sure how the Shib SP would work in this case.

--- Eric 

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Scott Koranda
Sent: Tuesday, January 22, 2013 6:45 PM
To: Shib Users
Subject: Re: PeopleSoft/WebLogic proxy with Shibboleth Native SP and Apache

>>I do not have any PeopleSoft/WebLogic experience but would like to 
>>understand if the approach using the Shibboleth Native SP and Apache 
>>as a "proxy" requires proxying the entire PeopleSoft/WebLogic 
>>application (so that no HTTP GET or POST ever go directly to
>>PeopleSoft/WebLogic) or if the "proxy" is only active during the 
>>session initiation phase of a SSO flow.
>
> We do it for everything, but I don't know if that's required or not. I 
> just note it to illustrate that it apparently isn't as insane as it 
> might sound.
>

Thanks. It is helpful to know a large campus like OSU takes that approach.

I would still be interested to hear from campuses that have not taken that approach and do not proxy the entire PeopleSoft/WebLogic application, if indeed that is a viable approach.

Thanks,

Scott K
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

