×

Why You Should Avoid Customizing PeopleSoft to Enable Single Sign-On (SAML/ADFS)

By Greg Sosna • July 29, 2021

Don’t Risk the Security of your Data with Customized SSO SAML/ADFS Integration for PeopleSoft

I was on a recent discovery call, and the Senior Software Engineer shared how they’re “ripping out” a custom-built PeopleSoft single sign-on solution (SSO). After acquiring an enterprise SSO, they attempted to build a custom integration with PeopleSoft that presented far more challenges than benefits – especially when users attempted to access with a deep link. Now they’re looking to remove the solution along with the additional infrastructure that was required.  

And here’s the sad part: they’re not the first organization I’ve encountered that are experiencing the same challenge. Across all verticals including healthcare, higher education, government, retail and more – PeopleSoft customers are rethinking their decision to enable their enterprise SSO solutions with custom coding, external gateway agents, and reverse proxies. Alternatively, implementing solutions that feature native SAML/ADFS authentication handlers.  

Your Custom Single Sign-On Integration Was Not Designed with ERP Data Security in Mind 

These projects often start with the IT department recognizing that it can solve a business requirement by building the solution themselves or by using a generic gateway with copy-and-paste code off an internet forum. The main motivation? They possibly save the company some money, bypass the need for approvals or budget, and check a project off their list. Easy-peasy, right? As highlighted in the example above, it’s not always that straightforward.   

Often, these projects lack a thoughtful mindset and instead leverage code that is many years old, unsupported, and public to developers and hackers alike. Here lies one of the biggest problems with customizing PeopleSoft for SSO authentication. Getting the integration to work “well enough” is often the goal, and since developers are not information security professionals – they may not have considered the ramifications of using code that hackers can reverse engineer, potentially exploiting loopholes to gain unauthorized access. As a former PSAdmin who personally retrofitted a custom PeopleSoft SSO solution in my past life, I can tell you that security implications are not at the forefront. Between IT wanting to be a good partner to the business and drowning in long-haul projects, “good enough” was often the goal. 

The “Typical” Custom PeopleSoft Single Sign-On Approach

There are a few ways to approach building a custom SSO solution. You could try linking SAML open-source code libraries, using reverse proxies, or having an external agent handle it. These solutions seem relatively simple at the outset, but the introduced vulnerabilities are often not obvious or ignored. The end result is that the SSO “works” but is plagued by technical, functional, and security issues once in production.   

Linking SAML Open Source Code Libraries 

A custom coding project typically begins with a review of PeopleBooks and a Google search to find a relatively quick way to write the code. PeopleCode allows you to link external open-source java libraries inside PeopleSoft. This is code that you’re literally pulling from an old blog and has not been reviewed since the author first published it. Imagine using code from 2007 to secure your custom PeopleSoft single sign-on project. It would never pass a security review!

Secondly, developing a solution yourself is tricky. It isn’t easy to write software that deals with passwords, identity, and authentication. Reputable IdPs spend tens of thousands of man-hours designing, coding, and testing, then supporting their solutions. The lone developer who built your custom solution is now responsible for supporting, maintaining, and upgrading the code. That’s excellent job security for him but a security liability for you.

Reverse Proxies, Gateways, and External Authentication Agents 

This one is probably a favorite with system administrators who want to support a multitude of non-SAML apps with a one-size-fits-all solution. I’ve also implemented SSO like this in the past, so I can speak from experience about how this works and its risks.

The short version of how this works is that the authentication is offloaded to a reverse-proxy, an agent, or a gateway, that sits outside PeopleSoft. Once the authentication process is successfully completed, only then is a connection made to PeopleSoft, and the authenticated user-ID passed to the HTTP header. Then that request has to be trusted by a custom Sign-on PeopleCode.

Aside from the risky firewall configuration, another issue here is that it needs to be scaled carefully for bandwidth because all of the requests will now go through a new server and several new applications to complete the process. Now you have additional hardware, software, and customizations to maintain and patch in addition to your regular PeopleSoft duties.

Why a Native SAML/ADFS Handler is Best Practice

SSO is critical to help you increase your security posture within your organization while keeping your customers happy, so I don’t want to sound negative, and I’m not trying to put you off on installing an SSO solution in your environment. Instead, I want to make sure you do it correctly and aligned to security best practices.   

My advice is to use a solution that natively supports a SAML/ADFS authentication handler and seamlessly and securely passes the token to PeopleSoft built-in authentication without customizations. The term “native” is extremely important here! The lack of native support is a critical issue that plagues custom solutions, creating more hoops to jump through to complete the project.  

Fortunately, Appsian delivers the SAML/ADFS integration layer required to connect PeopleSoft, an IdP (Okta, Azure AD, Ping Identity, etc.), and your enterprise Single Sign-On. This solution is natively installed right into the PeopleSoft Internet Architecture (PIA) and does not require the use of proxy servers, agents, or gateways. Furthermore, there are zero customizations, simple configuration with extensive support for SAML/ADFS attributes, user-mapping, and the support and maintenance is offloaded from your team.  

There is Beauty in Customization but Comfort in ERP Data Security 

Part of PeopleSoft’s beauty and power is that you can customize the system to improve your business processes. However, one thing you shouldn’t take into your own hands is authentication, and indirectly, security. Your IT team, system admins, and developers should spend their time supporting and customizing your system to provide outstanding service to the business units and keeping the system running smoothly. Why add more hardware, software, applications, and customization than necessary?  

Request a demo today to learn how Appsian solves the SAML/ADFS integration challenge by providing the only configurable SSO for PeopleSoft. 

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Start your free demo

"Learn how you can reduce risk with rapid threat protection, audit response and access control. All from a single, comprehensive platform"

Trusted by hundreds of leading brands