Scheduled for January 2023, PeopleSoft CS and PeopleSoft HR will migrate to a new method for single sign-on (SSO).
Who is impacted by this change?
Main entry points into PeopleSoft, such as the Portal, will continue to work as expected. Most users will not notice any change at all.
However, any existing link to PeopleSoft may need to be updated. Anyone who maintains links, such as bookmarks, websites, communication templates, or process guides, should review those materials for Peoplesoft links that need to be updated.
Some examples of links that will need to be reviewed:
- Websites that link to PeopleSoft (we are scanning www.csuchico.edu for links, but other websites will not be scanned)
- Email templates, communication templates, etc.
- Business process guides (BPGs)
- Web browser bookmarks
If you see any link, you can quickly determine if any update is necessary by checking what URL that link points at.
- If the URL begins with
cmsweb.csuchico.edu or hrweb.hr.csuchico.edu, you are good to go.
- If the URL begins with
shibboleth.csuchico.edu, that URL will stop working in a few months unless it gets updated.
How will URLs change?
In general, any legacy links using shibboleth.csuchico.edu will authenticate a user, and then redirect them to the target page within PeopleSoft. All you need to change is to replace the old URL with the URL of the page that you are ultimately redirected to.
As an example, the old Student Center login link on the Portal points at this URL: https://shibboleth.csuchico.edu/idp/profile/cas/login?method=POST&service=https://cmsweb.csuchico.edu/psp/CCHIPRD/EMPLOYEE/SA/s/WEBLIB_HCX_GN.H_DASHBOARD.FieldFormula.IScript_Main/?tab=DEFAULT%26userid=PS%26pwd=z
After logging in, you should arrive at this URL: https://cmsweb.csuchico.edu/psp/CCHIPRD/EMPLOYEE/SA/s/WEBLIB_HCX_GN.H_DASHBOARD.FieldFormula.IScript_Main
That second URL is the one that you should use in the future. If you need help, please open a ticket.
Why is this change needed?
For years now, PeopleSoft has relied on a legacy CAS plugin for authentication. That was fine for a while, but has led to more and more problems over time.
This change will have several key advantages:
- Easier to make deep links into PeopleSoft.
- Pays down substantial technical debt and mitigates operational risk.
- Resolves problem where users could get "stuck" as a guest user for 45 minutes after viewing the Class Schedule.
- Supports the launch of the upcoming Chico State mobile app.
When will this change occur?
We plan on completing the SSO migration and updating centralized links in January 2023.
Legacy PeopleSoft login links will continue to work for a limited time, but should be decommissioned eventually since they represent ongoing technical debt.
Technical details: On the Shibboleth side, the CAS registration for PeopleSoft will remain active for a limited time (several weeks/months). When a user hits a Shibboleth CAS endpoint to log into PeopleSoft, Shib will launch an Identity Provider initiated (IdP-initiated) workflow, which redirects the user to PeopleSoft with a CAS payload. PeopleSoft will disregard the CAS payload. If the user is not already logged into PeopleSoft, PS will automatically launch a Service Provider initiated (SP-initiated) workflow, which redirects the user back to a Shibboleth SAML endpoint. Since the user already has a Shibboleth session at this point, Shibboleth will redirect the user back to PeopleSoft with a SAML payload, which PeopleSoft will accept. All of this happens automatically in a matter of a few moments. It is technically complex but invisible to users.
Once EAPP and ISEC are confident that all centralized CAS links are updated, we will pause work and monitor for any ongoing use of those Shibboleth CAS endpoints. Eventually, those can be retired and the old links will stop working.