Creating Authentication Maps

Use the Authentication page only if you are implementing directory authentication as opposed to storing authentication information in the PeopleSoft database. You create authentication maps to define mappings to one or more directories that the PeopleSoft system relies on for authenticating users. You can activate multiple authentication maps. Your PeopleSoft LDAP system authenticates users against all active authentication maps.

Authentication maps are used to specify the following information for LDAP authentication:

  • The identity of all the LDAP servers to be searched and their credentials.

  • The locations in the directory where the search is performed.

  • The attribute of the entries that must be matched with the signon user ID.

This section discusses how to:

  • Define an authentication map.

  • Use the Search Attribute field in authentication maps.

Access the Authentication page (select PeopleTools > Security > Directory > Authentication Map).

Image: Authentication page. This example illustrates the fields and controls on the Authentication page.

Field or Control

Definition

Status

Activate the authentication map by selecting Active. To disable an authentication map, select Inactive.

Directory Information

Field or Control

Definition

Directory ID

Select the directory ID of the directory that you intend to use for authentication.

Anonymous Bind

If all directory data required for authentication and user profile maintenance is visible to an anonymous connection, select this check box.

Use Secure Socket Layer

Select this option if you are implementing an SSL connection between PeopleSoft and the directory.

If you did not specify a port number for the directory, the system uses the default LDAPS port.

Connect DN

This value is the default connect DN that you specified on the Directory Setup page. To select one of the DNs specified on the Additional Connect DN's page, click the search button.

Note: If Anonymous Bind is selected, the Connect DN is ignored.

User Search Information

Field or Control

Definition

Search Base

Enter the root of the directory information tree under which the system should search for user information.

Search Scope

Select the search scope for this search. Values are:

Base: Not applicable. You should not use Base on the authentication map.

One: The query searches only the entries one level down from the entry in the Search Base field.

Sub: The query searches the entire subtree beneath the search base entry.

Search Attribute

When a user signs in using LDAP Authentication, the system searches the directory to find the user's user entry. The search attribute is used to construct the LDAP search filter that locates that entry: the filter compares this attribute against the value the user enters as the user ID at sign-in.

Enter the attribute to be returned by the search, such as user ID (uid) or customer ID (cid).

See Using the Search Attribute Field in Authentication Maps.

Important! If you specify a different value here than the User ID Attribute value that you plan to specify on the Mandatory User Properties page, users will not be able to switch to another application from the Go menu in PeopleSoft Windows clients such as Application Designer.

The second application expects to automatically authenticate a user with the value of %SignonUserId, the system variable that contains the value entered by the user in this field. However, the value of the User ID Attribute field is used to populate the OPRID field in PSOPRDEFN. Because the value of OPRID is different from the value of %SignonUserId, the authentication fails with an error message.

Users can still access any PeopleSoft Windows client by launching it directly and signing in using the value of this field as the user ID.

Search Filter

Displays the LDAP search filter that the system uses to find the directory entries whose search attribute matches the sign-on value.

List of Servers

Field or Control

Definition

SeqNum (sequence number)

Set the order in which the system should access the list of servers for authentication.

LDAP Server

Select the name of the LDAP server. Use the plus button to enter additional servers.

Using the Search Attribute Field in Authentication Maps

The purpose of the Search Attribute prompt on the authentication map page is to name the directory attribute whose value users enter as the User ID on the login page. For example, if you want users to log in with their mail ID, then the mail attribute should be given in the prompt.

Example

Consider an entry corresponding to the user sramdass in the LDAP directory.

dn: uid=sramdass, dc=peoplesoft, dc=com
cn: sramdass
uid: sramdass123
description: peoplesoft user
mail: sramdass@oracle.com
telephone: 12345678
objectclass: person
password: PASSWORD

If the user is to log in with sramdass/PASSWORD, then the Search Attribute prompt value should be cn. If the user wants to log in with sramdass@oracle.com/PASSWORD, then the Search Attribute prompt value should be mail.
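As an added example (not PeopleSoft's code; the page does not show the exact filter text that the Search Filter field displays), the following builds the equality filter an authentication map implies from its Search Attribute and the sign-on value, escapes that value per RFC 4515 because it is user input, and evaluates the result against the sample entry above. The "(attribute=value)" form is standard LDAP filter syntax and is assumed here.

```python
import re

# Constructed copy of the sample directory entry shown on this page.
SAMPLE_ENTRY = {
    "dn": "uid=sramdass, dc=peoplesoft, dc=com",
    "cn": "sramdass",
    "uid": "sramdass123",
    "description": "peoplesoft user",
    "mail": "sramdass@oracle.com",
    "telephone": "12345678",
    "objectclass": "person",
}

# RFC 4515 escapes for characters that carry meaning inside a filter. The
# sign-on user ID is untrusted input, so it is escaped before interpolation;
# otherwise a "*" or ")" in it would change the shape of the search.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(search_attribute: str, signon_user_id: str) -> str:
    """Equality filter that locates the user's entry, e.g. (cn=sramdass)."""
    return f"({search_attribute}={escape_filter_value(signon_user_id)})"


def evaluate_equality_filter(filter_text: str, entry: dict) -> bool:
    """Evaluate one "(attr=value)" filter against an entry the way a directory
    would: an unescaped "*" is a substring wildcard, while "\\xx" escapes are
    decoded back to literal characters before comparison."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_text)
    if not m:
        raise ValueError(f"unsupported filter: {filter_text}")
    attr, raw = m.group(1), m.group(2)
    # Split on unescaped wildcards first, then decode escapes in each literal piece.
    pieces = [re.sub(r"\\([0-9a-fA-F]{2})", lambda e: chr(int(e.group(1), 16)), p)
              for p in raw.split("*")]
    pattern = ".*".join(re.escape(p) for p in pieces)
    value = entry.get(attr)
    return value is not None and re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    # Search Attribute cn matches sramdass; uid does not, because uid is sramdass123.
    for attr, user_id in [("cn", "sramdass"), ("mail", "sramdass@oracle.com"), ("uid", "sramdass")]:
        flt = build_search_filter(attr, user_id)
        print(flt, "->", evaluate_equality_filter(flt, SAMPLE_ENTRY))
```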