Using the Event Mapping Framework to Enforce Two-Factor Authentication

The Event Mapping Framework is a new functionality introduced in PeopleTools 8.55.  The framework provides a way to run custom code on delivered components without having to modify the delivered objects.  I am going to demonstrate how the Event Mapping Framework can be used to enforce two-factor authentication (2FA) by mapping application class PeopleCode to component events.  I have provided a proof-of-concept project that demonstrates this functionality.

This project will add the ability to do a conditional redirect before a component is loaded. Before the pre-build event of the component is fired, the custom code will check if the user has done 2FA for the session. The code will redirect the user to the 2FA page if they have not done 2FA for the session, otherwise the component will load like normal.  The flow will go from this:

Original Logic

To this:

Redirect Logic

CLICK HERE to download the project. Unzip the file and import the project into app designer.

Log in to PeopleSoft and navigate to Main Menu -> PeopleTools -> Portal -> Related Content Service -> Manage Related Content Service.  Click on the Event Mapping tab.

Manage Related Content Service

Click Map the event of the Application pages link.

Map Event of App Package

For this demonstration, I would like to enforce 2FA on the Change My Password page.  So select the Change My Password content reference.

Change My Password CREF

Next, you need to assign the related content definition (the definition was imported from the provided project) to the Pre Build event on the component. Select Pre Process for the processing sequence.  This means the custom application class will fire before any PeopleCode defined on the component's own Pre Build event.  Click Save.

Assign Related Content

Now navigate to the Change My Password page.

Change My Password Link

And you should be prompted for 2FA at this point.

2FA Page

Note: The SMS option in the project is merely a placeholder.  I did a post on how to send SMS text messages in PeopleSoft if you are interested in implementing this functionality.

After you perform 2FA and click OK, you should be redirected to the Change My Password page.

Change My Password


With the Event Mapping Framework, the code to check if a user needs to perform 2FA can easily be applied to Pre Build events on components across the entire application.  The great thing is that the code is being fired in a custom event.  This means that we are able to achieve this customization of enforcing 2FA at the component level without actually having to “customize” the delivered components.
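The gating logic described above, written out as an added example (this is not the code from the downloadable project, and every object name in it is an assumption: the `Z_MFA_*` menu, component, page and work record, and the two Global variable names). The first program is the application class that is mapped to the Pre Build event; the second is the FieldChange PeopleCode for the OK button on the 2FA page. The return URL is kept server-side in a Global variable rather than passed on the query string, so the 2FA page never redirects to a caller-supplied address.

```peoplecode
/* ---- Program 1: application class mapped to the component's Pre Build event (Pre Process) ---- */
import PT_RCF:ServiceInterface;

class MFAPreBuildCheck extends PT_RCF:ServiceInterface
   method Execute();
end-class;

method Execute
   /+ Extends/implements PT_RCF:ServiceInterface.Execute +/
   /* Global variables live for the whole sign-on session, which is exactly the
      scope the 2FA check needs. Both names are assumptions made for this example. */
   Global boolean &g_MFA_VERIFIED;
   Global string &g_MFA_RETURN_URL;
   Local string &mfaUrl;

   If &g_MFA_VERIFIED Then
      Return;   /* already challenged this session: let the component build normally */
   End-If;

   /* Remember where to come back to: the component that was about to be built,
      with the same menu, market and action the user requested. */
   &g_MFA_RETURN_URL = GenerateComponentContentURL(%Portal, %Node, %Menu, %Market, %Component, "", %Action);

   /* Assumed object names for the 2FA component; substitute your own. */
   &mfaUrl = GenerateComponentContentURL(%Portal, %Node, MenuName.Z_MFA_MENU, "GBL", Component.Z_MFA_COMP, Page.Z_MFA_PAGE, "U");
   %Response.RedirectURL(&mfaUrl);
end-method;


/* ---- Program 2: FieldChange PeopleCode on the OK button of the 2FA page (Z_MFA_WRK.OK_BTN) ----
   Z_MFA_WRK.CODE_OK is assumed to hold "Y" once your code check (SMS, TOTP, ...) has passed;
   the check itself is outside the scope of this example. */
Global boolean &g_MFA_VERIFIED;
Global string &g_MFA_RETURN_URL;

If Z_MFA_WRK.CODE_OK.Value <> "Y" Then
   Error "The verification code is not valid.";
End-If;

/* Mark the session as verified; the Pre Build check above will now pass silently. */
&g_MFA_VERIFIED = True;

/* Send the user back to the component they originally asked for. The URL was generated
   server-side in Program 1, so it can only point into this portal. */
If &g_MFA_RETURN_URL <> "" Then
   %Response.RedirectURL(&g_MFA_RETURN_URL);
End-If;
```

Because the flag is a Global variable, it is cleared when the user signs out or the session expires, so the next sign-on is challenged again without any cleanup code.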

I made a post here that demonstrates how Google Authenticator can be implemented with the event mapping framework to enforce two-step verification at the component level in PeopleSoft.

Comments

Danny Kile

Hi Colton, I really like this solution. How would the redirect after successful 2FA be able to bypass the search page on components that have search pages?

Colton Fischer

This is a really good question. I think you should be able to pass search record field values as GET parameters in the URL to bypass search pages. If this is the case, you might be able to do the following to bypass the search page after a successful 2FA challenge.

Do the following in the PreBuild event that the 2FA code is running on before you redirect the user to perform 2FA:

  1. Use the %Component variable to query the metadata tables to determine the names of the search record fields for the given component.
  2. Parse the %Request object and extract the POSTed search record field values using the search record field names obtained in the previous step.
  3. When generating the URL to redirect back to after a successful 2FA challenge, include the search record field name-value pairs as GET parameters in the URL.

If this does indeed work, you need to be wary of the values that you are passing in as GET parameters. Unlike POSTed values, GET parameter values tend to linger around for long periods in places such as server logs and browser history. This can be a potential security concern for search records that contain sensitive input values. If you pass these types of values as GET parameters, then there is a greater chance that these values can be stored in places that you do not want.

David Gaff

Typically you don’t want to encourage users to mess with the Search keys in the URL in case they see data they shouldn’t.

Components for use from the internet (or any insecure space) should have PSLOCK (or another record with no Search Keys) as the Search Record, and the component should determine what data to show them based on their User ID or a passed value. If this isn’t possible - and Row Security isn’t an option for your component - you can use a hash calculation and send that as a parameter on the URL.

So your page that gives the user a link or button calculates a hash of the wanted search keys (and some other secret), includes it on the URL or in a variable. The target component looks for that hash, calculates the same thing, and if they don’t match bounce the user out.
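Colton's three steps (look up the search record's key fields from metadata, read the POSTed values from %Request, append them to the return URL) and David's integrity hash can be combined in one helper class. The following is an added example, not code from the post or from either commenter; it assumes that PSPNLGRPDEFN.SEARCHRECNAME names a component's search record, that bit 1 of PSRECFIELDDB.USEEDIT marks a key field, and that the shared secret lives in a custom table PS_Z_MFA_CFG. The Pre Build handler would call BuildSignedReturnURL before redirecting to the 2FA page, and VerifySignedKeys when the user arrives back.

```peoplecode
class SearchKeyCarrier
   method BuildSignedReturnURL(&baseUrl As string) Returns string;
   method VerifySignedKeys() Returns boolean;
private
   method KeyFieldNames() Returns array of string;
   method Signature(&names As array of string) Returns string;
end-class;

/* Key fields of the current component's search record, read from the tools metadata
   (assumed table layout, see lead-in). */
method KeyFieldNames
   /+ Returns Array of String +/
   Local array of string &names = CreateArrayRept("", 0);
   Local string &fld;
   Local SQL &sql = CreateSQL("SELECT F.FIELDNAME FROM PSPNLGRPDEFN P, PSRECFIELDDB F WHERE P.PNLGRPNAME = :1 AND P.MARKET = :2 AND F.RECNAME = P.SEARCHRECNAME AND MOD(F.USEEDIT, 2) = 1 ORDER BY F.FIELDNUM", %Component, %Market);
   While &sql.Fetch(&fld)
      &names.Push(&fld);
   End-While;
   &sql.Close();
   Return &names;
end-method;

/* Hash of the name=value pairs plus a server-side secret ("some other secret" in David's
   comment). The same routine runs on both sides, so any change to a key value changes the hash. */
method Signature
   /+ &names as Array of String +/
   /+ Returns String +/
   Local string &secret, &payload;
   Local integer &i;
   SQLExec("SELECT SECRET_VALUE FROM PS_Z_MFA_CFG WHERE CFG_KEY = 'SEARCHKEY_SIG'", &secret);
   For &i = 1 To &names.Len
      &payload = &payload | &names [&i] | "=" | %Request.GetParameter(&names [&i]) | "|";
   End-For;
   Return Hash(&payload | &secret);
end-method;

/* Append the POSTed search key values and their signature to the URL we will return to.
   Only the key fields of the search record are carried, nothing else from the request. */
method BuildSignedReturnURL
   /+ &baseUrl as String +/
   /+ Returns String +/
   Local array of string &names = %This.KeyFieldNames();
   Local string &url = &baseUrl;
   Local string &sep;
   Local integer &i;
   If &names.Len = 0 Then
      Return &url;   /* no search record (e.g. Change My Password): nothing to carry */
   End-If;
   For &i = 1 To &names.Len
      If Find("?", &url) = 0 Then
         &sep = "?";
      Else
         &sep = "&";
      End-If;
      &url = &url | &sep | &names [&i] | "=" | EncodeURL(%Request.GetParameter(&names [&i]));
   End-For;
   Return &url | "&MFA_SIG=" | EncodeURL(%This.Signature(&names));
end-method;

/* On the way back: if a signature is present it must match the key values on the request,
   otherwise the user is bounced out of the component as David describes. */
method VerifySignedKeys
   /+ Returns Boolean +/
   Local string &sig = %Request.GetParameter("MFA_SIG");
   If &sig = "" Then
      Return True;   /* plain request with no carried keys: normal search page flow applies */
   End-If;
   If &sig <> %This.Signature(%This.KeyFieldNames()) Then
      Error "The search key values on this request are not valid.";
   End-If;
   Return True;
end-method;
```

The signature only proves the key values are the ones the same user submitted before the 2FA redirect; it does not replace row-level security on the search record, and Colton's caveat about sensitive key values ending up in logs and browser history still applies to every field this helper puts on the URL.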

Naveena

Hi Colton, that's a really informative blog. Thanks for sharing your understanding with us. I have one question regarding this solution. Can this solution be used for the Sign-On page as well?

Colton Fischer

Hi Naveena, performing redirections (like this solution does) is tricky in Sign On PeopleCode. Sign On PeopleCode offers the ResultDoc parameter of the SetAuthenticationResult function that allows us to redirect someone after signing in. However, I found this to not be very secure when your application serves Fluid pages. More details on this here: http://www.peoplesoftmods.com/2fa/setting-up-two-factor-authentication-in-peoplesoft-part-2/#comment-21

I suppose if your application does not serve any Fluid pages, then you could possibly apply the techniques used in this solution to the sign on process. However, I would personally advise you to think about the usability impacts of requiring users to perform 2FA at login time.

Naveena

Thanks Colton, my business has a requirement exactly similar to what is explained in this blog. I tried to follow the same steps mentioned. However, the steps and PeopleCode to send SMS to mobile are missing in the shared project. Could you please help me with the details?

Naveena

Hi Colton, event mapping works like a champ on the “Change Password” page and other pages that have no search record involved in the component. However, components with a search record don't invoke the two-factor authentication app package. Basically, event mapping doesn't work for such components. Any idea about this?

Colton Fischer

I have not experienced event mapping code not getting invoked on Components with search records. The only issue I ever experienced with event mapping code not firing was due to the bug described in My Oracle Support Doc ID 2171391.1, but this bug was fixed in PeopleTools 8.55.11. Sasank did a great write up of this bug on his blog here: https://pe0ples0ft.blogspot.com/2016/10/emf-hello-world-and-quirks.html.

You may be experiencing this bug if you are on a dot release before 8.55.11. If you are on 8.55.11+, then I would suggest opening a case with My Oracle Support and hopefully they can help you out.
