When a user goes to the PeopleSoft sign-on page and attempts to log in to the PeopleSoft application, a sequence of events inside the application validates the user ID and password entered by the user and grants the user a session with the appropriate access. Before reviewing the authentication process, you should know about the accounts that the PeopleSoft system uses to access the database.
- OPRID: The unique user ID for every user profile in the system. All OPRIDs, together with their hashed passwords, are stored in the PSOPRDEFN table. This is the application-level account created for each user who needs access to the PeopleSoft system, and it is the only credential handed to end users. The remaining accounts discussed below are system accounts and should be known only to the system administrators and security administrators of the application.
- Connect ID: A database-level account with read-only (SELECT) access to exactly three tables: PSOPRDEFN, PSACCESSPRFL and PSSTATUS. The application server uses this account, whose name and password are stored in the application server configuration, to make its initial connection to the database and to verify the OPRID and password entered by the user against the values in PSOPRDEFN. Because the Connect ID password sits in a configuration file, the restriction to those three tables is what limits the damage if it is disclosed, so it is worth auditing that the grant really is limited to them.
- Access ID: Once the user ID and password have been validated via the Connect ID, the application server connects to the database with the Access ID and its password. Using the Access ID for this connection removes the need to create an individual database account for every user in PSOPRDEFN: all users coming through the application server share the Access ID's database connection. The Access ID typically owns the PeopleSoft schema and therefore has full access to every table, which is why it must never be exposed to end users.
- Symbolic ID: PeopleSoft allows more than one Access ID, each with a different level of database access, to further secure the system. Each user profile must therefore be associated with the Access ID that will be used for the permanent database connection after authentication. However, since PSOPRDEFN and PSACCESSPRFL are readable via the Connect ID before authentication succeeds, storing the Access ID and its password there in clear text would expose these high-privilege system accounts to anyone holding the Connect ID. For this reason PeopleSoft uses a Symbolic ID as an indirection between the OPRID and the Access ID: PSOPRDEFN holds only the Symbolic ID, and PSACCESSPRFL maps each Symbolic ID to its Access ID and password, which are stored encrypted. A Connect ID session thus sees only the mapping and the ciphertext; the usable Access ID credentials become available only after the user ID and password have been validated and the application server has decrypted them.
PeopleSoft Authentication Process:
- The user goes to the PeopleSoft sign-on page and enters a user ID and password.
- The user's browser sends an HTTP request carrying the OPRID and password to the web server (in any production deployment this request must travel over TLS, since the password is in the request body).
- The web server passes the authentication request to the application server.
- The application server connects to the database with the configured Connect ID and password.
- The database grants the application server a session that can read only the PSOPRDEFN, PSACCESSPRFL and PSSTATUS tables.
- The application server verifies the OPRID and password entered by the user against the values in PSOPRDEFN.
- If they are valid, the application server reads the user's Symbolic ID from PSOPRDEFN, looks up the corresponding Access ID and encrypted Access ID password in PSACCESSPRFL, and decrypts the password.
- If they are not valid, an authentication failure message is returned to the web server and no session is created.
- The application server disconnects from the database and reconnects with the Access ID and password retrieved in the previous step.
- The application server queries the database for the user's security access (roles and permission lists) and home page information and creates a session for the user on the application server.
- The web server receives the application server session and the user's home page and creates a valid session for the user on the web server.
- The user's browser receives the PeopleSoft session token (the PS_TOKEN cookie) and is taken to the user's default home page.
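The following Python script is an added example, not code from this article or from Oracle's PeopleSoft, that simulates both the account model described above (OPRID, Connect ID, Access ID, Symbolic ID) and the sign-on sequence just listed. Everything in it is constructed for illustration: the table and column names loosely follow the real PeopleSoft tables, but the SALT column and the PSROLEUSER row are this example's own; the database accounts PSCONNECT and SYSADM with their passwords, the psappsrv.cfg-style ConnectID/ConnectPswd settings, and the repeating-key XOR that stands in for PeopleSoft's encryption of the Access ID password are all assumptions; and SQLite's authorizer callback is used in place of the DBA's SELECT grant to enforce that the Connect ID can read only the three sign-on tables.

```python
import hashlib
import hmac
import sqlite3

# Tables the Connect ID is granted SELECT on; everything else must be refused.
CONNECT_ID_TABLES = {"PSOPRDEFN", "PSACCESSPRFL", "PSSTATUS"}

# Database-level accounts and passwords (constructed). In a real deployment they
# live in the RDBMS; only the Connect ID pair is configured on the app server.
DB_ACCOUNTS = {"PSCONNECT": "connect-pw", "SYSADM": "access-id-db-password"}
APPSERVER_CFG = {"ConnectID": "PSCONNECT", "ConnectPswd": "connect-pw"}  # cf. psappsrv.cfg [Startup]

# Key known only to the application server. Repeating-key XOR is a stand-in for
# PeopleSoft's own encryption of ACCESSPSWD, not the product's scheme.
SERVER_KEY = b"appserver-secret-key-example"


def hash_password(password: str, salt: str) -> str:
    """Salted hash for OPERPSWD (constructed; the real column has its own format)."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


def xor_crypt(data: bytes) -> bytes:
    """Toy reversible cipher for the stored Access ID password (hypothetical)."""
    return bytes(b ^ SERVER_KEY[i % len(SERVER_KEY)] for i, b in enumerate(data))


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed rows. The statement cache is disabled
    because SQLite consults the authorizer only when a statement is prepared."""
    db = sqlite3.connect(":memory:", cached_statements=0)
    db.executescript("""
        CREATE TABLE PSOPRDEFN    (OPRID TEXT PRIMARY KEY, OPERPSWD TEXT, SALT TEXT,
                                   SYMBOLICID TEXT, ACCTLOCK INTEGER);
        CREATE TABLE PSACCESSPRFL (SYMBOLICID TEXT PRIMARY KEY, ACCESSID TEXT, ACCESSPSWD BLOB);
        CREATE TABLE PSSTATUS     (TOOLSREL TEXT);
        CREATE TABLE PSROLEUSER   (OPRID TEXT, ROLENAME TEXT);  -- must stay hidden from the Connect ID
    """)
    db.execute("INSERT INTO PSSTATUS VALUES ('8.59')")
    db.execute("INSERT INTO PSOPRDEFN VALUES (?, ?, ?, ?, ?)",
               ("VP1", hash_password("correct horse", "s4lt"), "s4lt", "SYSADM1", 0))
    db.execute("INSERT INTO PSACCESSPRFL VALUES (?, ?, ?)",
               ("SYSADM1", "SYSADM", xor_crypt(b"access-id-db-password")))
    db.execute("INSERT INTO PSROLEUSER VALUES ('VP1', 'PeopleSoft User')")
    db.commit()
    return db


def connect_id_authorizer(action, table, column, dbname, trigger):
    """Emulates the DBA grant: SELECT only, and only on the three sign-on tables."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and table in CONNECT_ID_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def allow_all(action, table, column, dbname, trigger):
    """The Access ID owns the schema, so it sees everything."""
    return sqlite3.SQLITE_OK


def open_session(db: sqlite3.Connection, account: str, password: str) -> sqlite3.Connection:
    """Stand-in for (re)connecting to the database as a database account.
    One SQLite connection is reused; only the privilege filter is swapped."""
    if not hmac.compare_digest(DB_ACCOUNTS.get(account, ""), password):
        raise PermissionError(f"database login failed for {account}")
    is_connect_id = account == APPSERVER_CFG["ConnectID"]
    db.set_authorizer(connect_id_authorizer if is_connect_id else allow_all)
    return db


def connect_id_can_read(db: sqlite3.Connection, table: str) -> bool:
    """Privilege audit: can the Connect ID select from `table`? Expected True only
    for PSOPRDEFN, PSACCESSPRFL and PSSTATUS."""
    if not table.isidentifier():          # table names come from an audit list, never from users
        raise ValueError("table name must be a plain identifier")
    conn = open_session(db, APPSERVER_CFG["ConnectID"], APPSERVER_CFG["ConnectPswd"])
    try:
        conn.execute(f"SELECT * FROM {table} LIMIT 1").fetchall()
        return True
    except sqlite3.DatabaseError:         # SQLite reports the denied read as "not authorized"
        return False


def sign_on(db: sqlite3.Connection, oprid: str, password: str):
    """Runs the sign-on sequence; returns a session dict, or None on failure."""
    # 1. Connect with the Connect ID: only the three sign-on tables are readable.
    conn = open_session(db, APPSERVER_CFG["ConnectID"], APPSERVER_CFG["ConnectPswd"])
    row = conn.execute("SELECT OPERPSWD, SALT, SYMBOLICID, ACCTLOCK FROM PSOPRDEFN WHERE OPRID = ?",
                       (oprid,)).fetchone()
    if row is None:
        return None                       # unknown OPRID: same answer as a bad password
    stored_hash, salt, symbolic_id, locked = row
    # 2. Verify the submitted password against the stored hash in constant time.
    if locked or not hmac.compare_digest(stored_hash, hash_password(password, salt)):
        return None
    # 3. Follow the Symbolic ID to the access profile. The Connect ID can read this
    #    row, but ACCESSPSWD is ciphertext; only the server key makes it usable.
    access_id, enc_pswd = conn.execute(
        "SELECT ACCESSID, ACCESSPSWD FROM PSACCESSPRFL WHERE SYMBOLICID = ?",
        (symbolic_id,)).fetchone()
    access_pswd = xor_crypt(enc_pswd).decode()
    # 4. Reconnect as the Access ID and load what the Connect ID could not see.
    conn = open_session(db, access_id, access_pswd)
    roles = [name for (name,) in conn.execute(
        "SELECT ROLENAME FROM PSROLEUSER WHERE OPRID = ?", (oprid,))]
    return {"oprid": oprid, "access_id": access_id, "roles": roles}


if __name__ == "__main__":
    demo = build_demo_db()
    for t in ("PSOPRDEFN", "PSROLEUSER"):
        print(f"Connect ID can read {t}: {connect_id_can_read(demo, t)}")
    print(sign_on(demo, "VP1", "correct horse"))
    print(sign_on(demo, "VP1", "wrong password"))
```

Run directly, the script shows that the Connect ID can read PSOPRDEFN but not PSROLEUSER, that the correct password yields a session bound to the SYSADM Access ID with the user's roles, and that a wrong password yields None without the Access ID password ever being decrypted. The connect_id_can_read helper is the shape of check worth running against a real database after a refresh or upgrade: as the Connect ID, try selecting from a table outside the three and expect a privilege error. The statement cache is disabled because SQLite only consults the authorizer when a statement is prepared; a statement cached under the Access ID would otherwise bypass the Connect ID restriction on re-execution.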