Along with these notes I sent along our sanitized httpd file: httpd_sanitized

We've been running it for years and I should be able to help you out. We were running it on 10.3.6 for years until we upgraded to PT8.54. We don't have step by step documentation since it was done so long ago but I'll try to outline the things you need to do. I'm sad to say that I'm sure I'll probably forget something but please feel free to ask me questions since I know how it works end to end but I'll probably forget to tell you this or that unless I'm reminded since I'm doing this mostly from memory but also cutting/pasting from our old doc.

We did it back in 8.49 so you'll see parts that refer to Osso-User-DN. Starting with 8.50 you use OAM_REMOTE_USER.

The basis for the SSO integration is these manuals, which are for 8.50, but you can look at the specific version you're running for the same sections:
http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/book.htm

The important section is here:
http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/chapter.htm?File=tsec/htm/tsec09.htm%23g037ee99c9453fb39_ef90c_10c791ddc07_62e

This document is also useful:
http://docs.oracle.com/cd/E12839_01/core.1111/e10043/osso.htm#JISEC2691

In regards to the shibboleth2.xml file on the web and shibd server we use the following configuration option to use a shared shibd server:

And we set the REMOTE_USER variable:

On the shibd server you also need to seed the OAM_REMOTE_USER variable in the attribute-map.xml file using the following and you'll see we use the uid field to map it:

We also have the same change as above in the attribute-map.xml on the web server but I'm not sure if it's really needed any longer for us. We used to have shibd running on each server so we never ripped out the no longer needed settings on the web server.

I think another important part is you need to put Apache in front of WebLogic.
When we did this way back when it was impossible to do this without Apache in front of WebLogic. I'm not even sure it's possible today without Apache in front of it. Looking at our old notes this should help with the Apache config but of course you would use the correct path of things for your version of PT. These notes were for Solaris but we're now running on Linux.

Add to httpd.conf for Apache:

    LoadModule weblogic_module /opt/psoft/oracle/wls103/wlserver_10.3/server/plugin/solaris/sparc/largefile/mod_wl128_20.so
    LoadModule mod_shib /opt/shibboleth/lib/shibboleth/mod_shib_20.so
    ...
    # Basic config for mod_weblogic to point at my WLS instance
    uid=your_bind_id,ou=whatever,dc=yoursite,dc=yoursite
    WebLogicHost ps.server.buffalo.edu
    WebLogicPort 18030
    # SSL - WebLogicPort 18031
    #Debug ON
    WLLogFile /tmp/wlproxy.log
    WLTempDir /tmp
    #DebugConfigInfo On
    #SecureProxy ON
    #TrustedCAFile /etc/apache2/CertGenCA.crt
    #WLProxySSL ON

Map the URLs to expose via Apache. Expose the console via Apache.

    SetHandler weblogic-handler
    AuthType shibboleth
    ShibRequireSession On
    ShibUseHeaders On
    require valid-user

For Shibboleth you need to add to attribute-map.xml (remember this is a cut/paste from our doc so don't use Osso-User-DN per my statement above):

Overall documentation for integrating PeopleSoft with (Oracle) SSO is here for PeopleTools 8.50 in the section labeled Implementing Oracle Access Manager as the PeopleSoft Single Signon Solution:
http://download.oracle.com/docs/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec10.htm#g607654ffc718d57e_ef90c_1211696f0b0__787e

The web profile for the portal must be set to logon as a specific profile by default. A profile with no permission lists and no roles called default_user is created and is assigned to the web profile "DEV". DEV is configured to "allow public access" with default_user as the default user.
Web profile configuration is covered here for PeopleTools 8.50:
http://download.oracle.com/docs/cd/E15645_01/pt850pbr0/eng/psbooks/tprt/book.htm?File=tprt/htm/tprt14.htm%23g037ee99c9453fb39_ef90c_10c791ddc07_441

The LDAP PeopleCode will also need to be modified so that the function getWWWAuthConfig( ) returns the string default_user. By default it returns an empty string. The web profile default user must match this string for SSO to work.

Log in to the PS environment and go to PT -> Security -> Security Objects -> Signon PeopleCode:

    Enable the function OAMSSO_AUTHENTICATION but don't check the exec auth failed box.
    Enable LDAP_AUTHENTICATION but do check the exec auth failed box.

The code we changed in the FUNCLIB_LDAP record PeopleCode to define default_user was:

*** 70,76 ****
to byPassSignon. Hardcode the default user ID here.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////*/^M
Function getWWWAuthConfig()
! &defaultUserId = "";
End-Function;
--- 70,76 ----
to byPassSignon. Hardcode the default user ID here.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////*/^M
Function getWWWAuthConfig()
! &defaultUserId = "default_user";
End-Function;

Log in to the PS environment:

    Create a user profile
        named default_user
        password [whatever you want]
        id type = None
        symbolic id : sysadm1
    Change appropriate web profile to autologon as default_user. (You'll need to know the password for default_user)

In the people logon code menu, change SSO_AUTH to OAMSSO_AUTH and enable it. Switch the order of the LDAP and OAMSSO_AUTH plugins so that LDAP is executed after OAMSSO_AUTH. Exec auth failed should be enabled for LDAP, disabled for OAMSSO_AUTH.

For WebLogic in the PIA configuration:

    Enable the "WebLogic Plugin"

Restart the application server for the logon code and web profile changes to take effect.

I think the above should give you some things to check on your end.
Please ask any questions you have since I just wrote this up on the fly and it could be much better.
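
Review bot: In the FUNCLIB_LDAP hunk above, the changed line `&defaultUserId = "default_user";` hard-codes an ID that has to stay identical to the public-access user on the web profile, and nothing inside getWWWAuthConfig() says so. Extend the existing "Hardcode the default user ID here" comment to name that web profile dependency, so a rename on either side does not break SSO unnoticed. The comment line in the context also ends in a literal ^M, so the file carries mixed line endings that are worth normalizing in the same change.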
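
A check for the Apache side of the setup described above, as an added example that is not part of the original notes or the sanitized httpd file: it reports every path handed to weblogic-handler that lacks the Shibboleth directives the notes list. The `<Location>` containers, the `/psp` path and the function names are assumptions.

```python
import re

# Directives the notes put on a proxied path (compared case-insensitively).
REQUIRED = {"authtype": "shibboleth", "shibrequiresession": "on", "require": "valid-user"}

# Constructed sample, not the sanitized httpd file from the notes; the
# <Location> containers and the /psp path are assumptions.
SAMPLE_CONF = """\
<Location /console>
    SetHandler weblogic-handler
    AuthType shibboleth
    ShibRequireSession On
    ShibUseHeaders On
    require valid-user
</Location>
<Location /psp>
    SetHandler weblogic-handler
    # AuthType shibboleth
    ShibUseHeaders On
</Location>
"""

def parse_locations(conf_text):
    """Return {path: {directive_lower: value}} for each <Location> block."""
    blocks, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives do not count
        opened = re.match(r"<Location\s+([^>]+)>$", line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1).strip(), {})
        elif re.match(r"</Location>$", line, re.I):
            current = None
        elif current is not None:
            parts = line.split(None, 1) + [""]
            current[parts[0].lower()] = parts[1].strip()
    return blocks

def unprotected_proxy_paths(conf_text):
    """Map each weblogic-handler path to the required directives it lacks."""
    findings = {}
    for path, d in parse_locations(conf_text).items():
        missing = sorted(k for k, v in REQUIRED.items() if d.get(k, "").lower() != v)
        if d.get("sethandler", "").lower() == "weblogic-handler" and missing:
            findings[path] = missing
    return findings

if __name__ == "__main__":
    print(unprotected_proxy_paths(SAMPLE_CONF))
```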