Setting Up SAML

This section discusses how to:

  • Create the SAML administrator.

  • Import digital certificates.

  • Configure the SAML inbound setup.

  • Run the RedeployWSRP.cmd executable.

Note: You must perform all of the tasks in the order presented to correctly implement the use of the SAML token.

Creating the SAML Administrator

The SAML administrator must have access to the SAML pages. You grant access to the SAML pages through the PTPT1000 permission list.

To create the SAML administrator:

  1. Access the User Profile page (PeopleTools > Security > User Profiles > User Profiles).

  2. Add a new user or select an existing user who will be the SAML administrator.

  3. Access the Roles page and insert a role that contains the PTPT1000 permission list.

  4. Save the user profile.
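After saving the profile, a practitioner normally confirms which user profiles actually reach PTPT1000 through a role, since more accounts than the intended administrator may already hold it. The following is an added example, not PeopleSoft code: it runs the join a practitioner would run against the PeopleTools security tables PSOPRDEFN (user profiles), PSROLEUSER (roles granted to users) and PSROLECLASS (permission lists attached to roles). The tables are reduced to the columns the query needs, the rows are constructed, and the column names are assumed from standard PeopleTools; confirm them against your release before running the SQL on a real database.

```python
"""List the user profiles that hold a given permission list (PTPT1000 here).

Added example, not PeopleSoft code. Table and column names (PSOPRDEFN.OPRID,
PSOPRDEFN.ACCTLOCK, PSROLEUSER.ROLEUSER/ROLENAME, PSROLECLASS.ROLENAME/CLASSID)
are assumed from standard PeopleTools; the sample rows are constructed.
"""
import sqlite3

# The query is portable SQL; only the sample database below is SQLite.
# The second parameter switches locked accounts (ACCTLOCK = 1) in or out.
AUDIT_SQL = """
SELECT DISTINCT o.OPRID
  FROM PSOPRDEFN o
  JOIN PSROLEUSER ru ON ru.ROLEUSER = o.OPRID
  JOIN PSROLECLASS rc ON rc.ROLENAME = ru.ROLENAME
 WHERE rc.CLASSID = ?
   AND (o.ACCTLOCK = 0 OR ? = 1)
 ORDER BY o.OPRID
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory copy of the three tables with a few sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE PSOPRDEFN   (OPRID TEXT PRIMARY KEY, ACCTLOCK INTEGER NOT NULL);
        CREATE TABLE PSROLEUSER  (ROLEUSER TEXT, ROLENAME TEXT,
                                  PRIMARY KEY (ROLEUSER, ROLENAME));
        CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT,
                                  PRIMARY KEY (ROLENAME, CLASSID));
    """)
    # Constructed users: one intended SAML admin, the delivered PS account,
    # an ordinary user, and a locked account that still carries the admin role.
    con.executemany("INSERT INTO PSOPRDEFN VALUES (?, ?)", [
        ("SAMLADMIN", 0), ("PS", 0), ("JDOE", 0), ("OLDADMIN", 1),
    ])
    con.executemany("INSERT INTO PSROLEUSER VALUES (?, ?)", [
        ("SAMLADMIN", "SAML Administrator"),
        ("PS", "PeopleSoft Administrator"),
        ("JDOE", "Employee"),
        ("OLDADMIN", "SAML Administrator"),
    ])
    # Constructed role -> permission list attachments (SAMPLE_PL is fictitious).
    con.executemany("INSERT INTO PSROLECLASS VALUES (?, ?)", [
        ("SAML Administrator", "PTPT1000"),
        ("PeopleSoft Administrator", "PTPT1000"),
        ("PeopleSoft Administrator", "SAMPLE_PL"),
        ("Employee", "SAMPLE_PL"),
    ])
    return con


def users_with_permission_list(con: sqlite3.Connection, classid: str = "PTPT1000",
                               include_locked: bool = False) -> list:
    """Return the sorted user IDs that reach CLASSID through any of their roles."""
    params = (classid, 1 if include_locked else 0)
    return [row[0] for row in con.execute(AUDIT_SQL, params)]


if __name__ == "__main__":
    db = build_sample_db()
    print("active users with PTPT1000:", users_with_permission_list(db))
    print("including locked accounts: ", users_with_permission_list(db, include_locked=True))
```

The point of the check is that PTPT1000 is reached through roles, so every role that carries it counts, not just the one you inserted in step 3; review any unexpected user IDs in the result before relying on the page-level restriction.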

Importing Digital Certificates

To implement SAML, you must import the digital certificate of the sender and store it in the key store of participating PeopleSoft applications.

See Configuring Digital Certificates.

Configuring the SAML Inbound Setup

The SAML Inbound Setup page creates an inbound web service in the producer site that maps one PeopleSoft user ID to one SAML assertion subject and links that subject with the sender's digital certificate (public key). The SAML administrator sets up a web service for each external user who accesses the PeopleSoft system using the SAML security option. This information should be configured by the SAML administrator: someone who understands the external requirements and how those requirements map to the component permissions the user needs to accomplish the business task.

Access the Security Assertion Markup Language [SAML] Inbound Setup page (PeopleTools > Security > SAML Administration Setup > SAML Inbound Setup).

Image: Security Assertion Markup Language [SAML] Inbound Setup page

This example illustrates the fields and controls on the Security Assertion Markup Language [SAML] Inbound Setup page. You can find definitions for the fields and controls later on this page.


Field or Control

Definition

Certificate Alias

Enter the alias under which you imported the sender's certificate in the previous step (Importing Digital Certificates). The public key in that certificate is what verifies the signature on the inbound SAML token, so the alias must name the certificate of the party that actually signs the assertions.

Note: The certificate must be imported in base-64 encoded form.

Issuer

Enter the domain name of the issuing entity. This value must match the issuer carried in the inbound assertion exactly.

SubjectName

Enter the user ID or email address that the sender places in the assertion's subject.

QualifierName

Enter the domain name of the issuing entity, as the sender supplies it in the subject's name qualifier.

Mapping PeopleSoft UserID

Enter the PeopleSoft user ID to map to the SubjectName. The roles and permission lists of this user determine what the external user can do in the PeopleSoft system. Because the internal user is fixed here rather than taken from the assertion, a consumer site cannot choose which PeopleSoft account it acts as; grant the mapped user only the permissions needed for the business task.

Note: This user ID does not have to be the user ID of the sender, but must be a valid PeopleSoft user in the PSOPRDEFN table.

Note: This field is internal to the PeopleSoft application and is hidden from all consumer sites and third-party systems.
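The lookup that these fields define can be shown in code. The following is an added example, not PeopleSoft code: it models the match that the SAML Inbound Setup page configures, where the alias of the certificate that verified the token's signature, the Issuer, the SubjectName and the QualifierName must all equal one configured row, and only that row supplies the internal user ID. The configuration rows, the assertions and the caller-supplied signer alias are constructed sample data; signature verification is assumed to have happened already in the WS-Security layer, which is why the caller passes the alias it verified against. The parser accepts both SAML 1.x and SAML 2.0 assertion layouts, which goes beyond the single form the page discusses.

```python
"""Resolve an inbound SAML assertion to a PeopleSoft user ID.

Added example, not PeopleSoft code. The InboundRow fields mirror the SAML
Inbound Setup page; rows, assertions and the signer alias are constructed.
Signature verification is assumed to be done before map_to_oprid() is called.
For untrusted XML in production, parse with defusedxml instead of xml.etree.
"""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"   # namespace of SAML 1.0 and 1.1
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass(frozen=True)
class InboundRow:
    """One row of the SAML Inbound Setup page (field names are assumed)."""
    cert_alias: str
    issuer: str
    subject_name: str
    qualifier_name: str
    mapping_oprid: str  # internal PeopleSoft user; never sent to consumers


# Constructed configuration: one external user mapped to one PeopleSoft user.
INBOUND_SETUP = [
    InboundRow("partner_portal", "portal.example.com", "jdoe@example.com",
               "portal.example.com", "WSRP_JDOE"),
]


def parse_assertion(xml_text: str) -> dict:
    """Extract issuer, subject and name qualifier from a SAML 1.x or 2.0 assertion."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML1}}}Assertion":
        # SAML 1.x: Issuer is an attribute; the Subject sits inside a statement.
        issuer = root.get("Issuer")
        nid = root.find(f".//{{{SAML1}}}Subject/{{{SAML1}}}NameIdentifier")
    elif root.tag == f"{{{SAML2}}}Assertion":
        # SAML 2.0: Issuer and Subject are direct children of the assertion.
        issuer = root.findtext(f"{{{SAML2}}}Issuer")
        nid = root.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    else:
        raise ValueError("not a SAML assertion")
    if not issuer or nid is None or not (nid.text or "").strip():
        raise ValueError("assertion lacks Issuer or Subject")
    return {
        "issuer": issuer.strip(),
        "subject": nid.text.strip(),
        "qualifier": (nid.get("NameQualifier") or "").strip(),
    }


def map_to_oprid(xml_text: str, signer_alias: str,
                 rows=INBOUND_SETUP) -> Optional[str]:
    """Return the mapped PeopleSoft user ID, or None when no row matches exactly.

    All four fields are compared exactly. The subject alone never selects a user,
    and the returned ID comes only from the configured row, never from the token.
    """
    a = parse_assertion(xml_text)
    for row in rows:
        if (row.cert_alias == signer_alias
                and row.issuer == a["issuer"]
                and row.subject_name == a["subject"]
                and row.qualifier_name == a["qualifier"]):
            return row.mapping_oprid
    return None


def sample_assertion(subject: str, issuer: str = "portal.example.com") -> str:
    """Constructed SAML 1.1 assertion; the signature element is omitted here."""
    return f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
  AssertionID="sample-1" Issuer="{issuer}" IssueInstant="2024-01-01T00:00:00Z">
  <saml:AuthenticationStatement AuthenticationInstant="2024-01-01T00:00:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="{issuer}">{subject}</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    # Configured subject, signed by the configured certificate: mapped.
    print(map_to_oprid(sample_assertion("jdoe@example.com"), "partner_portal"))
    # Subject names an internal account directly: no row, so no access.
    print(map_to_oprid(sample_assertion("PS"), "partner_portal"))
    # Right subject but signed by a different certificate: rejected.
    print(map_to_oprid(sample_assertion("jdoe@example.com"), "other_cert"))
```

The three calls at the end show why the mapping field matters: the token can carry any subject string it likes, but the PeopleSoft account comes from the configured row, and a token signed by a certificate other than the one named by Certificate Alias matches nothing even when every other field is right.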

Running the RedeployWSRP.cmd Executable

To run the RedeployWSRP.cmd executable:

  1. Navigate to the producer web server folder, for example PSHOME/Webserver/bin.

  2. Run RedeployWSRP.cmd, for example by double-clicking it, to launch the program.

  3. Select Option 5: Redeploy WSRPBaseService with the SAMLToken Security Option.