Creating Authentication Maps
Use the Authentication page only if you are implementing directory authentication as opposed to storing authentication information in the PeopleSoft database. You create authentication maps to define mappings to one or more directories that the PeopleSoft system relies on for authenticating users. You can activate multiple authentication maps. Your PeopleSoft LDAP system authenticates users against all active authentication maps.
Authentication maps are used to specify the following information for LDAP authentication:
The LDAP servers to be searched and the credentials used to connect to them.
The locations within the directory where the search is performed.
The attribute of the entries that must be matched with the signon user ID.
This section discusses how to:
Define an authentication map.
Use the Search Attribute field in authentication maps.
Defining an Authentication Map
Access the Authentication page.
Image: Authentication page
This example illustrates the fields and controls on the Authentication page.
Activate the authentication map by selecting Active. To disable an authentication map, select Inactive.
- Directory ID
Select the directory ID of the directory that you intend to use for authentication.
- Anonymous Bind
If all directory data required for authentication and user profile maintenance is visible to an anonymous connection, select this check box.
- Use Secure Socket Layer
Select this option if you are implementing an SSL/TLS connection between PeopleSoft and the directory. Without it, the credentials used to bind to the directory cross the network in clear text.
If you did not specify a port number for the directory, the system uses the default LDAPS port (636).
- Connect DN
This value is the default connect DN that you specified on the Directory Setup page. To select one of the DNs specified on the Additional Connect DN's page, click the search button.
Note: If Anonymous Bind is selected, the Connect DN is ignored.
User Search Information
- Search Base
Enter the root of the directory information tree under which the system should search for user information.
- Search Scope
Select the search scope for this search. Values are:
Base: Not applicable. A base search returns only the search base entry itself, never a user entry beneath it, so do not use Base on the authentication map.
One: The query searches only the entries one level below the entry in the Search Base field.
Sub: The query searches the entire subtree beneath the search base entry.
- Search Attribute
When a user signs in using LDAP authentication, the system searches the directory for the user's entry. The search attribute is combined with the user ID entered at sign-in to build the LDAP search filter that locates that entry, so users must sign in with the value of this attribute.
Enter the attribute whose value users sign in with, such as user ID (uid) or customer ID (cid).
Important! If you specify a different value here than the User ID Attribute value that you plan to specify on the Mandatory User Properties page, users will not be able to switch to another application from the Go menu in PeopleSoft Windows clients such as Application Designer.
The second application expects to automatically authenticate the user with the value of %SignonUserId, the system variable that holds the value the user entered at sign-in. However, the value of the User ID Attribute is what populates the OPRID field in PSOPRDEFN. Because the value of OPRID differs from the value of %SignonUserId, the authentication fails with an error message.
Users can still access any PeopleSoft Windows client by launching it directly and signing in using the value of this field as the user ID.
- Search Filter
Displays the LDAP search filter that the system builds from the Search Attribute and the sign-on user ID to find the matching entry in the directory.
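The following is an added example, not PeopleSoft code, that shows what the User Search Information fields above amount to in practice: how the Search Attribute and the sign-on user ID become the search filter, how Search Base and Search Scope restrict the candidate entries, and why the value a user types must be escaped before it goes into the filter. The directory contents are constructed test data; the filter shape (attribute=value) and the escaping rules are standard LDAP (RFC 4515), and the One/Sub semantics are the standard LDAP scopes the page describes. Function names are the example's own.

```python
# Added example (not PeopleSoft code): an authentication map's User Search
# Information as a small, offline model. DIRECTORY is constructed test data.

SCOPE_BASE, SCOPE_ONE, SCOPE_SUB = "base", "one", "sub"

# Constructed directory: DN -> attributes (all values stored as lists).
DIRECTORY = {
    "uid=asmith,ou=people,dc=example,dc=com": {
        "uid": ["asmith"], "cn": ["Alice Smith"], "mail": ["asmith@example.com"]},
    "uid=bjones,ou=people,dc=example,dc=com": {
        "uid": ["bjones"], "cn": ["Bob Jones"], "mail": ["bjones@example.com"]},
    # One level deeper than ou=people: visible to Sub, invisible to One.
    "uid=asmith,ou=contractors,ou=people,dc=example,dc=com": {
        "uid": ["asmith"], "cn": ["Al Smith (contractor)"], "mail": ["al@contractor.example"]},
    # Outside the search base entirely: never a candidate.
    "uid=asmith,ou=service,dc=example,dc=com": {
        "uid": ["asmith"], "cn": ["svc"], "mail": []},
}


def escape_filter_value(value: str) -> str:
    """Escape a sign-on value for use inside an LDAP filter (RFC 4515).

    Without this, a user ID of "*" becomes the filter "(uid=*)" and matches
    every entry under the search base instead of a single user.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_search_filter(search_attribute: str, signon_user_id: str) -> str:
    """The Search Filter the map produces: (<Search Attribute>=<sign-on ID>)."""
    return f"({search_attribute}={escape_filter_value(signon_user_id)})"


def _rdns(dn: str) -> list:
    # Split a DN into its RDNs; the constructed DNs contain no escaped commas.
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn: str, search_base: str, scope: str) -> bool:
    """Apply Search Base plus Search Scope to one entry's DN."""
    base, entry = _rdns(search_base), _rdns(entry_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # not under the search base at all
    depth = len(entry) - len(base)
    if scope == SCOPE_BASE:
        return depth == 0                 # the base entry itself, never a user
    if scope == SCOPE_ONE:
        return depth == 1
    if scope == SCOPE_SUB:
        return True
    raise ValueError(f"unknown scope {scope!r}")


def find_user_entries(directory, search_base, scope, search_attribute, signon_user_id):
    """DNs in scope whose Search Attribute equals the sign-on ID.

    Comparison is case-insensitive, like the caseIgnore matching rules that
    uid, cn and mail use in common schemas.
    """
    wanted = signon_user_id.lower()
    return [
        dn for dn, attrs in directory.items()
        if in_scope(dn, search_base, scope)
        and any(v.lower() == wanted for v in attrs.get(search_attribute, []))
    ]


def resolve_user_dn(directory, search_base, scope, search_attribute, signon_user_id):
    """Authentication needs exactly one candidate; zero or several must fail,
    otherwise a Sub search over a tree with duplicate IDs picks a user at random."""
    hits = find_user_entries(directory, search_base, scope, search_attribute, signon_user_id)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    base = "ou=people,dc=example,dc=com"
    print(build_search_filter("uid", "asmith"))                        # (uid=asmith)
    print(build_search_filter("uid", "*"))                             # (uid=\2a), a literal, not a wildcard
    print(resolve_user_dn(DIRECTORY, base, SCOPE_ONE, "uid", "asmith"))  # the ou=people entry
    print(resolve_user_dn(DIRECTORY, base, SCOPE_SUB, "uid", "asmith"))  # None: two entries match
```

The last two calls are the practical point of the Search Scope choice: with One, only the entry directly under ou=people matches, while Sub also finds the contractor entry with the same uid, and a sign-on that resolves to two entries must be rejected rather than bound to whichever comes first.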
Using the Search Attribute Field in Authentication Maps
The Search Attribute prompt on the authentication map page names the directory attribute whose value users enter as the User ID on the sign-in page. For example, if you want users to sign in with their email addresses, enter mail in the prompt.
Consider the following entry for the user sramdass in the LDAP directory:
dn: uid=sramdass, dc=peoplesoft, dc=com
cn: sramdass
uid: sramdass123
description: peoplesoft user
mail: email@example.com
telephone: 12345678
objectclass: person
password: PASSWORD
If users are to sign in as sramdass/PASSWORD, set the Search Attribute prompt to cn. If they are to sign in as email@example.com/PASSWORD, set it to mail. Setting it to uid would require them to sign in as sramdass123, the value of the uid attribute in this entry.
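As an added example that is not part of the PeopleSoft documentation or product, the following code takes the sample entry above and answers two questions a practitioner faces when filling in the prompt: which Search Attribute values make a given sign-on ID resolve to this entry, and what happens to the OPRID hand-off described in the Important! note when the Search Attribute and the User ID Attribute differ. The entry is the page's sample reshaped as a dictionary (the password line is omitted because it is not part of the search); the function names are the example's own, not PeopleSoft APIs, and the comparison of %SignonUserId with OPRID is modelled as a plain string equality.

```python
# Added example (not PeopleSoft code): choosing the Search Attribute for the
# page's sample entry and checking the %SignonUserId / OPRID hand-off.

# The page's sample entry as a dict. The password is left out: it is checked
# by binding to the directory, not by the search that locates the entry.
SAMPLE_ENTRY = {
    "dn": "uid=sramdass,dc=peoplesoft,dc=com",
    "cn": ["sramdass"],
    "uid": ["sramdass123"],
    "description": ["peoplesoft user"],
    "mail": ["email@example.com"],
    "telephone": ["12345678"],
    "objectclass": ["person"],
}


def matching_search_attributes(entry, signon_user_id):
    """Attributes whose value equals what the user typed as the user ID.

    Each one returned is a Search Attribute value that would make this
    sign-on ID find the entry. Case-insensitive, like the caseIgnore matching
    rules of cn, uid and mail.
    """
    wanted = signon_user_id.lower()
    return sorted(
        attr for attr, values in entry.items()
        if attr != "dn" and any(v.lower() == wanted for v in values)
    )


def oprid_from_entry(entry, user_id_attribute):
    """OPRID in PSOPRDEFN is populated from the User ID Attribute chosen on
    the Mandatory User Properties page, not from what the user typed."""
    values = entry.get(user_id_attribute, [])
    if len(values) != 1:
        raise ValueError(f"{user_id_attribute} must be single-valued to serve as OPRID")
    return values[0]


def check_go_menu_handoff(entry, search_attribute, user_id_attribute, signon_user_id):
    """Model the hand-off from the Important! note.

    The second Windows client authenticates with %SignonUserId, the typed
    value. That succeeds only when it equals OPRID, which it does only when
    the Search Attribute and the User ID Attribute select the same value.
    Exact string equality is an assumption of this model.
    """
    if search_attribute not in matching_search_attributes(entry, signon_user_id):
        return {"signon": False, "reason": "no entry matches the sign-on ID"}
    oprid = oprid_from_entry(entry, user_id_attribute)
    return {
        "signon": True,
        "signon_user_id": signon_user_id,
        "oprid": oprid,
        "go_menu_handoff": oprid == signon_user_id,
    }


if __name__ == "__main__":
    print(matching_search_attributes(SAMPLE_ENTRY, "sramdass"))           # ['cn']
    print(matching_search_attributes(SAMPLE_ENTRY, "email@example.com"))  # ['mail']
    # Search Attribute cn, User ID Attribute uid: sign-on works, hand-off fails.
    print(check_go_menu_handoff(SAMPLE_ENTRY, "cn", "uid", "sramdass"))
    # Both attributes uid: sign-on as sramdass123 and the hand-off both work.
    print(check_go_menu_handoff(SAMPLE_ENTRY, "uid", "uid", "sramdass123"))
```

The third call is the failure the Important! note warns about: the user signed in as sramdass via cn, but OPRID became sramdass123 from uid, so the Go menu's automatic authentication with %SignonUserId cannot match the profile. Keeping both prompts on the same attribute, as in the fourth call, avoids it.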