Skip to Main Content
Return to Navigation

Creating Authentication Maps

Use the Authentication page only if you are implementing directory authentication as opposed to storing authentication information in the PeopleSoft database. You create authentication maps to define mappings to one or more directories that the PeopleSoft system relies on for authenticating users. You can activate multiple authentication maps. Your PeopleSoft LDAP system authenticates users against all active authentication maps.

Authentication maps are used to specify the following information for LDAP authentication:

This section discusses how to:

Defining an Authentication Map

Access the Authentication page (select select PeopleTools, then select Security, then select Directory, then select Authentication Map).

Image: Authentication page

This example illustrates the fields and controls on the Authentication page.

Authentication page
Status

Activate the authentication map by selecting Active. To disable an authentication map, select Inactive.

Directory Information

Directory ID

Select the directory ID of the directory that you intend to use for authentication.

Anonymous Bind

If all directory data required for authentication and user profile maintenance is visible to an anonymous connection, select this check box.

Use Secure Socket Layer

Select this option if you are implementing an SSL connection between PeopleSoft and the directory.

If you did not specify a port number for the directory, the system uses the default LDAPS port.

Connect DN

This value is the default connect DN that you specified on the Directory Setup page. To select one of the DNs specified on the Additional Connect DN's page, click the search button.

Note: If Anonymous Bind is selected, the Connect DN is ignored.

User Search Information

Search Base

Enter the root of the directory information tree under which the system should search for user information.

Search Scope

Select the search scope for this search. Values are:

Base: Not applicable. You should not use Base on the authentication map.

One: The query searches only the entries one level down from the entry in the Search Base field.

Sub: The query searches the entire sub tree beneath the search base entry.

Search Attribute

When a user signs in using LDAP Authentication, the system searches the directory to find the user's user entry. The search attribute is used to construct the LDAP search filter used in finding the person’s user entry. The value in the Search Attribute field is entered by the user when the user signs in.

Enter the attribute to be returned by the search, such as user ID (uid) or customer ID (cid).

See Using the Search Attribute Field in Authentication Maps.

Important! If you specify a different value here than the User ID Attribute value that you plan to specify on the Mandatory User Properties page, users will not be able to switch to another application from the Go menu in PeopleSoft Windows clients such as Application Designer.

The second application expects to automatically authenticate a user with the value of %SignonUserId, the system variable that contains the value entered by the user in this field. However, the value of the User ID Attribute field is used to populate the OPRID field in PSOPRDEFN. Because the value of OPRID is different from the value of %SignonUserId, the authentication fails with an error message.

Users can still access any PeopleSoft Windows client by launching it directly and signing in using the value of this field as the user ID.

Search Filter

Displays the LDAP search filter that the system uses to search the directory for equal entries.

List of Servers

SeqNum (sequence number)

Set the order in which the system should access the list of servers for authentication.

LDAP Server

Select the name of the LDAP server. Use the plus button to enter additional servers.

Using the Search Attribute Field in Authentication Maps

The purpose of the Search Attribute prompt on the authentication maps page is to map a value that is used for the User ID on the login page. For example, if you want users to log in with their mailID, then mail attribute should be given in the prompt.

Example

Consider an entry corresponding to the user sramdass in the LDAP directory.

dn: uid=sramdass, dc=peoplesoft, dc=com
cn: sramdass
uid: sramdass123
description: peoplesoft user
mail: sramdass@oracle.com
telephone: 12345678
objectclass: person
password: PASSWORD

If the user is to log in with sramdass/PASSWORD, then the Search Attribute prompt value should be cn. If the user wants to log in with sramdass@oracle.com/PASSWORD, then the Search Attribute prompt value should be mail.