A Web Profile is a set of configuration parameters that control the way a PeopleSoft Internet Architecture (PIA) website behaves. Though most of these parameters are outside the scope of this book and relate more to the system administration function, some of them require collaboration between the Security team and the System Administration team to ensure that the PeopleSoft application is properly secured. PeopleSoft delivers several pre-configured Web Profiles, which should be modified to meet the security needs of each individual PIA site (for example, a Production site and an External Applicant site call for different security controls).
In this book, only the aspects of the Web Profile that relate to the security of the PeopleSoft system are reviewed. For complete details on configuring and using Web Profiles, refer to the PeopleTools Portal Technologies PeopleBook.
Navigation: PeopleTools >> Web Profile >> Web Profile Configuration
Days to Auto Fill User ID: When a user successfully logs in to a PeopleSoft application through the PIA, the user ID is stored in a browser cookie and pre-populated the next time the sign-on page is opened, as a convenience to the user. This parameter sets the number of days that information is kept in the browser cookie.
** For web profiles used for self-service websites, where a kiosk or a common computer may be used by multiple employees, it is recommended to set this to 0 so that the user ID of the previous user is not exposed to the next user of the kiosk.
SSL/Secured Access Only: Forces the website to use SSL encryption for all content and communications.
SSL/Secure Cookie with SSL: Always secures the Single Sign-On cookie with SSL encryption. If the network contains a mix of SSL and non-SSL PeopleSoft sites participating in Single Sign-On, only the cookies secured with SSL can be used to authenticate automatically into the SSL sites. This protects the SSL site from the risk of someone capturing the unencrypted cookie issued by a non-SSL site and using it to authenticate into the more secure SSL site.
PIA Use HTTP Same Server: Uses HTTP for communications originating from the same server as the web server. This improves performance for connections within the same server that would otherwise need to be encrypted and decrypted. It is also required when SSL connections are terminated on a device in front of the web server (an SSL accelerator or reverse proxy server).
Authenticated Users/Inactivity Warning: For users who are already authenticated into the system, it is a best practice to terminate the session if there has been no activity for a certain amount of time. Enter the time (in seconds) after which a user with an inactive session is warned of the impending session expiration.
Authenticated Users/Inactivity Logout: Enter the time (in seconds) after which a user session with no activity is terminated and the user is automatically logged out.
Authenticated Users/HTTP Session Inactivity: Enter the time (in seconds) after which the HTTP session of a user with no activity is terminated and all session information is lost. If the user attempts any activity in the application after the HTTP Session Inactivity period has elapsed but before the Inactivity Warning, a new web server session is created for the user, who is redirected to the search page of the component (losing any unsaved updates made in the previous session).
Public Users/Allow Public Access: Select this option when users must be able to access the PeopleSoft system without being identified and authenticated. When accessing the PeopleSoft system, all users are granted access without having to enter a user ID and password. This type of arrangement is essential when working with external entities such as suppliers or job applicants.
Public Users/User ID-Password: The user ID and password that the system uses to automatically grant session privileges to public (unauthenticated) users. Care should be taken that this user ID has access only to pages and links that contain public information.
Public Users/HTTP Session Inactivity: HTTP session inactivity timeout (in seconds) for unauthenticated public users. This is typically set to a much lower limit than for authenticated users.
Web Server Jolt Settings: In the PeopleSoft architecture, the PeopleSoft web server communicates with the PeopleSoft application server through JOLT messages. These settings control the timeouts for communication between the web and application servers. PeopleSoft system administrators should be responsible for these timings.
XML Link/User ID-Password: The user ID and password for the account that the system uses to automatically authenticate XML request links.
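The security-tab parameters above are only effective when their values are consistent with each other: the inactivity warning has to fire before the inactivity logout, the public HTTP session timeout should be lower than the authenticated one, and a kiosk profile should not auto-fill the user ID. The following script, added here as an example and not part of PeopleSoft or of the book, audits a set of Web Profile values against those rules. The WebProfile dataclass, the finding codes and the sample profiles are all assumptions constructed for the example; PeopleSoft keeps these settings in its own metadata, not in this form, so a real audit would first export the values from the Web Profile Configuration pages.

```python
"""Audit a PeopleSoft Web Profile's security-related settings.

Added example. The WebProfile layout is an assumed, constructed representation
of the Web Profile security-tab fields. The rules encode the guidance given
in the text: 0 days of user-ID auto-fill on kiosk profiles, SSL-only access
with an SSL-secured SSO cookie, an inactivity warning that precedes the
inactivity logout, and a public HTTP session timeout lower than the
authenticated one.
"""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WebProfile:
    name: str
    kiosk: bool                        # self-service site used from shared computers?
    days_to_autofill_user_id: int      # "Days to Auto Fill User ID"
    secured_access_only: bool          # "SSL/Secured Access Only"
    secure_cookie_with_ssl: bool       # "SSL/Secure Cookie with SSL"
    inactivity_warning: int            # seconds, authenticated users
    inactivity_logout: int             # seconds, authenticated users
    http_session_inactivity: int       # seconds, authenticated users
    allow_public_access: bool          # "Public Users/Allow Public Access"
    public_http_session_inactivity: Optional[int] = None  # seconds, public users


def audit_web_profile(p: WebProfile) -> List[str]:
    """Return finding codes for the profile; an empty list means nothing was flagged."""
    findings: List[str] = []
    # A shared kiosk must not reveal the previous user's ID on the sign-on page.
    if p.kiosk and p.days_to_autofill_user_id != 0:
        findings.append("AUTOFILL_ON_KIOSK")
    # All content and the SSO cookie should travel only over SSL.
    if not p.secured_access_only:
        findings.append("SSL_NOT_ENFORCED")
    if not p.secure_cookie_with_ssl:
        findings.append("SSO_COOKIE_NOT_SECURED")
    # Idle authenticated sessions must be warned and then terminated.
    if p.inactivity_warning <= 0 or p.inactivity_logout <= 0:
        findings.append("INACTIVITY_TIMEOUT_DISABLED")
    elif p.inactivity_warning >= p.inactivity_logout:
        # A warning that fires at or after the logout never reaches the user.
        findings.append("WARNING_NOT_BEFORE_LOGOUT")
    # Unauthenticated sessions should expire sooner than authenticated ones.
    if p.allow_public_access:
        if p.public_http_session_inactivity is None or p.public_http_session_inactivity <= 0:
            findings.append("PUBLIC_TIMEOUT_MISSING")
        elif p.public_http_session_inactivity >= p.http_session_inactivity:
            findings.append("PUBLIC_TIMEOUT_NOT_LOWER")
    return findings


# Constructed sample profiles (values chosen for the example, not defaults).
PROD_PROFILE = WebProfile(
    name="PROD", kiosk=False, days_to_autofill_user_id=7,
    secured_access_only=True, secure_cookie_with_ssl=True,
    inactivity_warning=1080, inactivity_logout=1200, http_session_inactivity=1200,
    allow_public_access=False,
)

KIOSK_PROFILE = WebProfile(
    name="KIOSK", kiosk=True, days_to_autofill_user_id=7,
    secured_access_only=False, secure_cookie_with_ssl=True,
    inactivity_warning=1200, inactivity_logout=1200, http_session_inactivity=1200,
    allow_public_access=True, public_http_session_inactivity=1200,
)


if __name__ == "__main__":
    for profile in (PROD_PROFILE, KIOSK_PROFILE):
        result = audit_web_profile(profile)
        print(f"{profile.name}: {', '.join(result) if result else 'no findings'}")
```

Running the script reports nothing for the production profile and four findings for the kiosk profile (auto-fill enabled, SSL not enforced, warning not before logout, public timeout not lower than the authenticated one). The check list is deliberately limited to what the Web Profile itself can express; whether the public user ID is restricted to public pages has to be verified separately in its permission lists.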
In addition to the security tab, there are a few other web profile parameters for which system administrators should collaborate with security administrators in choosing the best option for their environment.
Show Connection and Sys Info: This option is available on the ‘Debugging’ tab of the Web Profile Configuration page.
When a user navigates to any PeopleSoft page and presses CTRL+J, PeopleSoft displays information about the environment, the system and the specific page. This includes the browser, the client operating system, the PeopleSoft application and tools versions, the page’s menu, component and pnlname, the user ID logged in as, the database name and type, and the application server and port number. Though this information is very helpful in troubleshooting system issues, some of it is not appropriate for end users, specifically when public access is enabled.
The ‘Show Connect and Sys Info’ check box in the web profile controls whether this sensitive system information is displayed when a user presses the CTRL+J hot key combination.
Look and Feel: The parameters on this page control which pages users are directed to during their use of the PeopleSoft system. You can use the delivered HTML pages available in the web server home location, or create new ones to modify the messages or the pages to which users are redirected.
Signon Page: The default sign-on page presented to users for initial login.
Signon Result Doc Page: The sign-on error page shown when single sign-on is configured with additional validation and that authentication fails.
Signon Error Page: The default error page presented to the user when authentication fails.
Logout Page: The default page presented to users upon logging out.
Password Expired Page: The page presented to users whose password has already expired and who must reset it before accessing the application.
Password Warning Page: The page presented to users whose password has reached the warning threshold set in the password configuration but has not yet expired. Users can choose to reset their password immediately or postpone it. This is valid until the password age equals or exceeds the maximum allowed age.
Change Password on Expire: The PeopleSoft component to which users are redirected when resetting the password AFTER it has already expired.
Change Password on Warning: The PeopleSoft component to which users are redirected when resetting the password upon warning and BEFORE it has expired.