[Customer Story] How Appsian Solved University of Nebraska’s Unique SAML Authentication & IdP Configuration

By Esha Panda • March 3, 2022

The University of Nebraska uses PeopleSoft Campus Solutions for its student information system and wanted to streamline authentication for students, faculty, and staff across eight separate campus locations. So, they turned to a single sign-on integration solution from Appsian that enhanced security practices but was flexible enough to allow the eight campuses to retain the Identity Provider (IdP) of their choice.

Centralized SAML Authentication & Scalability: The Missing Pieces

When the University approached Appsian for a SAML SSO, they were using a custom, home-grown solution. This solution was not scalable in the long term and created a significant amount of complexity.

Our team realized that the University of Nebraska was struggling with three key challenges:

  • The University uses two instances of PeopleSoft – One for the University System (five campuses) and one for the State College System (three campuses).
  • Each campus has its own PeopleSoft Internet Architecture (PIA) within its designated instance of PeopleSoft.
  • The University utilizes eight different Identity Providers (IdPs) across all locations.

To streamline the SAML authentication process and improve the user experience across multiple applications, the University had to reduce the overall number of authentications by centralizing authentication management on a common platform. The University’s IT security leadership was impressed with Appsian’s ability to provide continuous support and to offer creative and sustainable alternatives for SAML integration.

Solving the University’s Unique IdP Configuration

The University’s security team was looking for PeopleSoft SAML integration to deliver a single sign-on solution that met their unique configuration requirements. Appsian’s solution was attractive to them since it was native to PeopleSoft. It enabled all eight campuses to retain the IdP of their choice. In addition, they could map to any one of the eight PIA instances.

“Instead of viewing our unique configuration as “the client’s problem,” Appsian looks for creative and sustainable alternatives to provide the best solution,” said William Barrera Fuentes, Director of the Nebraska Student Information Systems.

We enabled some unusual configurations that ensured all eight campus locations (and PIAs) could keep using their IdPs without sacrificing security or flexibility. Their team was happy that the cost of ownership did not increase by deploying additional infrastructure to support SSO and SAML authentication.

Native SAML Compatibility for PeopleSoft & Secure SSO With Appsian

Appsian’s PeopleSoft customer base includes multiple organizations in the education sector like the University of Nebraska looking for a configurable SSO solution with no custom development. With Appsian’s PeopleSoft SSO Connector, organizations can:

  • Leverage existing investment in SSO solutions to authenticate PeopleSoft sessions via SAML-based Identity Providers
  • Access PeopleSoft via deep link navigation (sent by email or other communication channels)
  • Support multiple IdPs concurrently for consolidated systems with separate user groups
  • Deploy SSO for multiple IdPs in PeopleSoft in as few as 7 days with no additional hardware or custom coding

Schedule a demo with our experts to learn how Appsian integrates native SAML functionality in PeopleSoft to deliver a seamless Single Sign-On.

Customer Profile:

The University of Nebraska is the state’s only public university system, consisting of five campuses, each with a distinct role and mission. Together the campuses enroll 51,000 students and employ 16,000 faculty and staff who serve the state and world through education, research, and outreach.

Related Reading: University of Nebraska Case Study 

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

December is Prime “ERP Data Breach” Season… Be Prepared!

By Scott Lavery • November 28, 2018

Establishing security best practices for your PeopleSoft applications is always a work in progress. As newer, more advanced threats come to light, staying current can feel like a daunting task. While PeopleSoft systems are inherently robust and secure, a constantly evolving threat landscape plus new data regulations have paved the way for several necessary security enhancements. As the end of 2018 draws near, organizations must be aware, now more than ever, that attackers know “year-end” bonus season is coming and are preparing their tactics to redirect your employees’ hard-earned payroll and bonuses.

What is the weakest link in your ERP security chain?

Threats today have become increasingly user-centric. The targets for malicious hackers have shifted from entire networks to applications. Most ERP breaches now originate from the unauthorized use of valid login credentials, stolen directly from users through phishing and social engineering attacks. That makes your users (and their passwords) by far the weakest link in your security chain.

Recommendations for mitigating the “human error” element

Inspired by dozens of successful PeopleSoft security projects, security experts at Appsian have compiled a list of best practices that every organization must utilize, detailing the steps that should be taken to implement a layered approach to securing PeopleSoft. Rather than solely focusing security efforts on the perimeter, we will discuss how your sensitive data can be protected from malicious intruders (and even insiders) who are able to access PeopleSoft with valid credentials:

  • Enabling SAML for centralized identity management and establishing a single sign-on to reduce the risk caused by users having multiple (potentially) weak passwords.
  • Expanding traditional multi-factor authentication from login-only to field, page and component levels to ensure data protection from insider threats.
  • Employing location-based security to enforce least privilege access when sensitive systems are being accessed from outside your corporate network.
  • Enhancing data masking to alleviate challenges posed by static role-based masking rules and reduce unwanted exposure of sensitive data fields.
  • Extending logging capabilities to be compliance-ready with 360-degree awareness of what is going on inside your PeopleSoft systems and of user activity.
  • Bringing real-time visibility to breaches, suspicious events, and potential vulnerabilities by incorporating security analytics into your PeopleSoft security infrastructure.

Download the whitepaper to learn more about the best practices for achieving an end-to-end security and compliance strategy.


On a time-crunch? Request a quick session with our PeopleSoft security experts.




University of Waterloo relaunches direct deposit self-service functionality for employees

By Chris Heller • August 11, 2017

Direct deposit is a given for most of us. Until it doesn’t work. I definitely remember the days of getting paper checks in the mail….or not.

Our customer – University of Waterloo – recently relaunched their direct deposit functionality that allows employees to add or update their direct deposit bank account information on-line through myHRinfo self-service.

Here’s a link to an article from their Daily Bulletin newsletter

The implementation of ERP Firewall, which provided UWaterloo with additional layers of security on top of their PeopleSoft HCM system, was foundational to the relaunch.


Why you should take a layered approach to securing PeopleSoft access

By Greg Wendt • September 22, 2015

A layered approach is critical to protect your PeopleSoft system against multiple threat vectors. Deploying a series of security barriers requires the bad guys to defeat all of them to breach the PeopleSoft system. A layered approach significantly reduces an organization’s daily risk and its possible breach costs.

At minimum, a layered approach to protecting PeopleSoft should include:

  • Userid/Password
  • Multi-factor authentication
  • Data Masking
  • Location Based Security
  • Logging

Userid/Password

The first tier of any secure system is the userid and password. When a user successfully passes a challenge on his/her credentials, the system provides access to functionality based on his/her identity.

Although adopting best practices in password management is critical, it is not sufficient to prevent breaches.

  • Social engineering in the form of spear-phishing and phishing campaigns can be utilized to gain access to your credentials.
  • Encryption keys that protect credentials can be cracked, allowing access to password databases or generation of authentication tokens.
  • Key loggers and other techniques can be utilized to capture traffic from the browser to the server.

In today’s environment, a simple userid and password will not keep your systems safe by itself. Other security layers must be implemented.

Multi-factor authentication

Multi-factor authentication (sometimes called Two-factor authentication) is a secondary challenge that users must pass to confirm their identity. In most circumstances, the additional factor is something that the end-user must have in his/her possession so that compromised data such as a password or security question is insufficient to gain access to sensitive data and functions.

Although multi-factor solutions are not impervious to attack (the process for provisioning the end-user is one weak point), requiring the userid/password and the second factor to match the same identity dramatically reduces the risk that a user’s session is compromised.

Data Masking

PeopleSoft contains extremely sensitive data and processes: social security numbers, bank accounts, addresses as well as confidential corporate data. Masking sensitive data by default provides an additional layer of security, protecting organizations from data loss (or data leakage).

When cybercriminals gain access to an account, their top priority is accessing private sensitive data and bank account information. Data masking puts additional control over how this information is disclosed or maintained. When utilized in combination with multi-factor authentication, an organization can still provide access to that data when needed by an end-user in a secure manner.

Location Based Security / Least Privileged Access

External threats, by definition, originate from outside the organization’s network. Many attack vectors like spear phishing or PS_TOKEN leverage Internet access to gain access to compromised systems. However, as organizations provide remote access to their PeopleSoft systems for applicants, integration with cloud products, working at home, and supplier self service, Internet access is increasingly required.

Should high privileged users really have the same access in untrusted locations as sitting in their office chair? Of course not! Restricting certain functions based on location requires the access to occur from a known location in combination with all other protections.

Logging

All the security layers or measures mean very little without knowing what actions users perform within your system. Incident response requires knowing who did what, when they did it, from where, and what data they accessed. Malicious insiders, accidental errors and outside hacktivists all call for detailed logging of system access. Logging must be designed into the security solution from the beginning; there is no recreating events without this valuable data trail.
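The location and logging layers can be checked against each other from web-server logs. The following is an added example (not from the original post and not Appsian’s product code): it extracts the PeopleSoft component from each request URL and reports requests for location-restricted components that arrived from outside the trusted network, recording who, what, when and from where. The trusted range, the restricted component list and the log lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions for illustration (not from the post): the trusted range, the
# location-restricted component names and the log layout are all constructed.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
RESTRICTED_COMPONENTS = {"PY_IC_DIR_DEP", "USERMAINT"}

# Constructed access-log lines: client IP, authenticated user, time, request, status.
SAMPLE_LOG = """\
10.20.4.17 - jdoe [11/Aug/2017:09:14:02 +0000] "GET /psc/hrprd/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.PY_IC_DIR_DEP.GBL HTTP/1.1" 200 18452
203.0.113.50 - jdoe [11/Aug/2017:23:41:10 +0000] "GET /psc/hrprd/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.PY_IC_DIR_DEP.GBL?Page=PY_IC_DD_LIST HTTP/1.1" 200 18390
203.0.113.50 - asmith [11/Aug/2017:23:45:31 +0000] "GET /psc/hrprd/EMPLOYEE/HRMS/c/MAINTAIN_SECURITY.USERMAINT.GBL HTTP/1.1" 403 512
198.51.100.7 - bkhan [12/Aug/2017:07:02:44 +0000] "GET /psc/hrprd/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HR_EE_NAME.GBL HTTP/1.1" 200 9120
"""

LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)
# PeopleSoft component URL: /psp|psc/<site>/<portal>/<node>/c/MENU.COMPONENT.MARKET
COMPONENT_URL = re.compile(
    r'^/ps[pc]/[^/]+/[^/]+/[^/]+/c/'
    r'(?P<menu>[^./]+)\.(?P<component>[^./]+)\.(?P<market>[^./]+)'
)


def is_trusted(ip_text):
    """True only for a parseable address inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def parse_line(line):
    """Return who/what/when/where for a component request, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    c = COMPONENT_URL.match(urlsplit(m["url"]).path)  # query string is ignored
    if not c:
        return None
    return {"who": m["user"], "when": m["ts"], "where": m["ip"],
            "what": c["component"], "status": int(m["status"])}


def audit(log_text):
    """List requests for restricted components made from untrusted locations."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["what"] not in RESTRICTED_COMPONENTS:
            continue
        if is_trusted(event["where"]):
            continue
        # A 2xx answer means the content was delivered despite the location rule.
        served = 200 <= event["status"] < 300
        event["verdict"] = "served-offsite" if served else "blocked"
        findings.append(event)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A "served-offsite" verdict is the case to investigate: the restricted component was delivered to a client outside the trusted range.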

Summary

Layering security approaches provides essential protection from the attacks of today and tomorrow. A layered approach including all of the steps above greatly increases your chances of thwarting cybercriminals. For your most sensitive processes, a cybercriminal would have to defeat all layers. For example:

  • He/she would need to gain the end-user’s userid and password
  • He/she would need to gain physical possession of the end-user’s multi-factor token
  • He/she would need to unmask sensitive data
  • He/she would need to connect from a trusted location

Finally, the cybercriminal would not be able to prevent logging from occurring, which means that they would have a limited window in which to exploit the breach as an organization’s incident response processes kick in.

There is no magic “silver bullet” when it comes to cybersecurity; only well thought-out and implemented pro-active plans will set your organization up for success. Layered security measures are instrumental to your organization’s future.

For additional information or to set up a private demo, please visit www.greyheller.com or check out additional blog entries and past webinars on securing PeopleSoft access.


Tracking high-privileged users requires a strict security policy

By Greg Wendt • August 25, 2015

While some organizations believe hacks come from only external sources, these companies may be missing an even larger threat: internal, privileged users. According to the Ponemon Institute’s Survey on Data Security Breaches, sixty-nine percent of companies reporting serious data leaks responded that their data security breaches were the result of either malicious employee activities or non-malicious employee error. Whether or not an incident is intentional, there are a couple of steps your business can take to protect your organization from internal threats.

Start by defining the policy

High-privileged users by definition have access to the most sensitive information within the organization. Their access is coveted by both external hackers and malicious internal users. Safeguarding your company requires an in-depth look at current security policies and how they could be improved. There should be guidelines put in place detailing what access each member receives, as well as strict account management practices. This can include requiring privileged users to change their passwords biweekly or bimonthly to ensure important data is always secured or implementing a least privilege arrangement. This practice gives users the bare minimum for their positions’ needs when it comes to access.

In addition, your company could eradicate “all powerful” accounts that allow entitled users access to almost all information in a business’s system. Instead, delegate access to particular data to different people, using a specific identification password or username that can be tied to that person. Certain actions within the system would then be accessible by only people who have been granted that permission. Multifactor authentication would limit and verify which privileged users are able to complete specific behaviors within the system.

Multifactor authentication can prevent malicious insiders from hacking into secure data.

Add extra security measures

With great power also comes great responsibility. Our security survey results show greater than 80% of respondents expect high-privileged users to utilize increased security measures such as multi-factor authentication. Privileged users with particular leverage should still have to meet and pass certain security requirements for access to data and functions. To keep company information as secure as possible, it is important to increase protection by implementing specific protocols, including data masking.

Data masking is a smart backup for multifactor authentication. If a user is able to make it through one level of security but cannot view other data, the system hides secure information. Only the most basic, non-harmful data is visible. Continued failed login attempts at every level of authentication would result in increased masking of secure materials.

Log employee actions

The phone rings, the caller accuses someone of changing their data because their paycheck was not deposited into their account, and now the response has to begin. It’s vital to monitor users’ conduct within the system at every level. Specifics are necessary to audit people’s access as well as to perform incident response. High-privileged users’ impact and influence on company data must be tracked within the overall data security solution. Although this security measure is difficult to complete, it can be done with the correct logging software. With a firewall that includes analysis of a user’s record and behaviors within the portal, companies can have a better idea of what secure information is misused.

High-privileged users can wreak just as much havoc on a system as external hackers. In fact, 25 percent of respondents said a malicious insider was the cause of a company breach in the past year, according to Forrester Research. To avoid system intrusions, whether vengeful or not, it’s vital for your company to have a security policy in place to monitor users. Multifactor authentication, data masking and logging analysis are all beneficial tools to protect your organization’s critical information.


What you should know about PeopleSoft and Common Web Application Vulnerabilities

By Chris Heller • August 14, 2015

Background

In recent blog posts, we’ve mentioned that PeopleSoft provides a number of security protections out of the box. In this entry, we wanted to go into more detail on this, specifically focusing on what you should know about PeopleSoft and common web application vulnerabilities.

  • Data sniffing
  • SQL Injection
  • Cross-Site Scripting
  • Content Spoofing and Injection
  • Directory Indexing
  • Information Leakage

If you hire an organization to perform penetration testing (as any organization deploying PeopleSoft on the public internet should), these are the items that they will primarily focus on.

PeopleTools as a Security Platform

One of the most important aspects of security within PeopleSoft is that the platform ensures that security protections are built in globally. As such, PeopleTools differs from other development platforms in the following ways:

  • Secure by Default:  Developers do not have to write specific security code in the application, because protections are applied automatically — PeopleTools takes care of it for them — thus ensuring that security is enforced consistently.
  • Rapid evolution:  Keeping up with potential vulnerabilities is an arms race where new attack vectors are constantly being created by the bad guys.  Because the security logic is applied externally to the application logic, vulnerabilities can be addressed at the platform level, delivered by Oracle, and applied platform-wide immediately.
  • Centralized Security Expertise:  PeopleTools has a team of security developers whose job it is to stay current on best practices and potential vulnerabilities, allowing the rest of the organization to focus on business functionality.  This ensures that customers staying current on their PeopleSoft updates will have the latest protections available.

So, let’s look at each of the common web vulnerabilities and what PeopleSoft does to remediate them.

Data Sniffing

Although this should be second nature to anybody deploying a web application, SSL termination is a critical component of ensuring secure data transportation between the end-user and the PeopleSoft system. PeopleSoft has configuration settings specifically for SSL termination and virtual addressing so that all traffic can be sent securely.  It also gives organizations the ability to utilize other tiers for SSL termination, such as the load balancer.

SQL Injection

Because many web applications access and store data through a relational database, a common attack vector is to inject SQL into edit boxes, URLs, or other user enterable fields to bypass application logic and talk directly to the database.  This could allow an unauthorized user to:

  • Gather sensitive data
  • Make unauthorized updates to application data
  • Escalate privileges and/or bypass system controls
  • Cause service interruptions

The following comic — “Bobby Tables” — pokes fun at this technique:

PeopleTools mitigates this vector through its definitional development infrastructure. When a page is developed in PeopleTools, the developer is rarely writing SQL, but placing the fields on the page.  PeopleTools will generate the SQL with the appropriate size, type, and encoding.

However, PeopleTools does not restrict developers from writing their own SQL, frequently using the infamous SQLExec PeopleCode function.  Therefore, it’s important that organizations incorporate strong change management techniques to review in detail any places where customizations are made with SQLExec functions.

Cross-Site Scripting

Cross-site scripting occurs when an unauthorized site or form controls a page or form in your application, making unauthorized updates.  This is commonly done with JavaScript, but can also be accomplished with other techniques.

PeopleTools protects against cross-site scripting by embedding a random token in each PeopleSoft page that is validated by servlets on the PeopleSoft web server.  If the form doesn’t have the token or the token is rejected, the traffic is also rejected.

This vulnerability existed in very early PeopleTools versions (circa 2000), but was remediated quickly platform-wide with a PeopleTools update once the threat vector was discovered and hasn’t been a risk for at least 10 years.

Content Spoofing and Injection

Content spoofing and injection is a whole category of techniques for making unexpected modifications to HTTP traffic between the browser and the application.  Examples include:

  • Modifying the URL in unexpected ways
  • Altering or removing HTTP Headers
  • Altering or removing cookies
  • Altering the HTML or XML content

A common technique followed by the bad guys is to install a proxy between the browser and the application, capture traffic, modify the different aspects of the traffic, and play back the results.

PeopleTools protects against spoofing and injection by acting as a single controller that issues and processes the HTTP traffic.  Whenever an unexpected event occurs (such as an unexpected URL), it will either issue a security error (such as You are not authorized to access this component) or will terminate your session.

That said, there are some implementation decisions that customers can make that would circumvent these protections.  These include the following:

  • Adding an HTTP header to the HTML to maintain the identity of the user for single signon.  If the header is accessible to the end-user and Signon PeopleCode does not have anti-spoofing functionality, modifying the header could allow access without logging in.
  • Utilizing the %GetRequest parameter with a SQLExec function.  Because this function allows parameters to be embedded in the URL as a query string, improper use of it could open up a vulnerability.
  • Improper implementation of location-based security rules.  Many organizations will implement location-based security by hiding URLs based on location (versus blocking them).  Because any PeopleSoft page can be accessed directly from a URL, merely hiding navigation does not block access to the content.
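The review of SQLExec customizations recommended in the SQL Injection section, and the query-string risk in the list above, can be partly automated. The following is an added example (not PeopleTools or Appsian code): a small Python reviewer that flags SQLExec calls whose SQL text is concatenated or passed in a variable, and raises the severity when the value traces back to a request parameter. The PeopleCode sample is constructed, and `%Request.GetParameter` is assumed as the call that reads the query string.

```python
import re
from dataclasses import dataclass

# Constructed PeopleCode sample (not from the page); names are illustrative.
SAMPLE = r'''
Local string &emplid = %Request.GetParameter("EMPLID");
Local string &where = " WHERE EMPLID = '" | &emplid | "'";
SQLExec("SELECT NAME FROM PS_PERSONAL_DATA" | &where, &name);
SQLExec("SELECT NAME FROM PS_PERSONAL_DATA WHERE EMPLID = :1", &emplid, &name);
SQLExec(SQL.GET_NAME, &emplid, &name);
SQLExec(&stmt, &name);
SQLExec("SELECT COUNT(*) FROM " | &recname, &count);
'''

REQUEST_SOURCE = "%Request.GetParameter"
CALL = re.compile(r"\bSQLExec\s*\(", re.IGNORECASE)
ASSIGN = re.compile(r"(&\w+)\s*=\s*([^;]*);")


@dataclass
class Finding:
    line: int
    severity: str
    sql_arg: str


def strip_strings(expr):
    """Empty every "..." literal ("" is an escaped quote) so that operators
    and semicolons inside SQL text are ignored."""
    return re.sub(r'"(?:[^"]|"")*"', '""', expr)


def first_argument(src, pos):
    """Return the SQL argument of a call whose '(' ends just before pos."""
    depth, in_str, i = 0, False, pos
    while i < len(src):
        ch = src[i]
        if in_str:
            if ch == '"':
                if src[i + 1:i + 2] == '"':
                    i += 1            # skip the escaped quote
                else:
                    in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                break
            depth -= 1
        elif ch == "," and depth == 0:
            break
        i += 1
    return src[pos:i].strip()


def tainted_variables(src):
    """Variables assigned from a request parameter, directly or through other
    tainted variables. Heuristic: comparisons written with '=' are also
    treated as assignments, which can only over-report."""
    bare, tainted, changed = strip_strings(src), set(), True
    while changed:
        changed = False
        for var, rhs in ASSIGN.findall(bare):
            uses = set(re.findall(r"&\w+", rhs))
            if var not in tainted and (REQUEST_SOURCE in rhs or uses & tainted):
                tainted.add(var)
                changed = True
    return tainted


def scan(src):
    """Flag SQLExec calls whose SQL text is concatenated or held in a variable."""
    tainted, findings = tainted_variables(src), []
    for m in CALL.finditer(src):
        arg = first_argument(src, m.end())
        bare = strip_strings(arg)
        dynamic = "|" in bare or bare.startswith("&") or REQUEST_SOURCE in bare
        if not dynamic:
            continue                  # one literal or a SQL.definition: binds only
        from_request = REQUEST_SOURCE in bare or set(re.findall(r"&\w+", bare)) & tainted
        line = src.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, "HIGH" if from_request else "REVIEW", arg))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.severity}: {f.sql_arg}")
```

Calls that pass values as `:1`-style bind variables produce no finding; REVIEW items still need a human to confirm where the variable's contents come from.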

Directory Indexing

Directory indexing is a threat vector where a person gets a web server to disclose the list of files and folders on it.  In some cases, this can be used to determine how the application works behind the scenes, even to the point of looking at the code that is running on the server.

PeopleSoft provides a few protections against this:

  • The first is that all of the security, business and database logic runs on a server separate from the PeopleSoft web server.  This means that gaining access to the web server does not provide access to the directories controlling how the application processes.
  • The second is that PeopleSoft has a number of ways in which it can be deployed in conjunction with a DMZ.  One common option is to have a proxy server running in the DMZ where the web server itself is behind the corporate firewall.

Information Leakage

Information leakage is the last threat vector we will discuss.  In the context of this discussion, we will cover information leakage as it relates to an external attacker trying to learn how the system operates.  Information leakage can also be discussed from the perspective of an authorized user’s use of sensitive application data, which will be discussed in a future post.

Anybody familiar with PeopleSoft’s Control-J function is familiar with the type of data that can be leaked.  This page provides information about the version of PeopleTools, the PeopleSoft application, and the ports that are being used on the app servers.  At the WebLogic level, the WebLogic console provides information about the Java version being run, etc.  Although it is great for troubleshooting issues in a development or test environment, an external person can utilize this to research known vulnerabilities for the versions being utilized to plan an attack.

Fortunately, PeopleSoft provides a configuration option in the web profile to turn off disclosure of this information, and the default PROD web profile has this setting made appropriately.
