Third Party SSO to Peoplesoft
What are steps in setting up Third Party SSO to Peoplesoft? A user is to click a link on an external website and he will be automatically logged on to Peoplesoft (provided that some encryption/decryption method is performed, which I have already done on the SignOn Peoplecode)
I do have some documents to read but got mixed up with different approaches. I know I did one thing right, that is, to create a SignOn Peoplecode.
Are nodes needed to be setup? Do we need a redirect html? What are the other configurations needed?
Thank you,
Jeremy
SSO is a commonly requested 'issue' with multiple solutions, which mostly depends on the third party systems abilities.
I would say start by reading thid doc
E-SEC: PT 8.x How to Setup External Single Signon Solutions with PeopleSoft [ID 617999.1]
https://support.oracle.com/epmos/faces/DocContentDisplay?id=617999.1
Also pay attention the to links provided at the bottom of this doc with muliple solutions.
Hakan
Similar Messages
-
Jasig CAS + Beehive (third party SSO)
Hello,
We are currently evaluating Beehive and one of the requirements we have is to integrate it with a third party SSO provider (Jasig CAS). I have followed the steps defined in the Oracle Beehive Pluggable Authentication http://www.oracle.com/technetwork/middleware/beehive/plugauth-096705.html#compiling_and_packaging_plug-in and managed to get the sample sso identity plugin "working" (its working enough to redirect me to a login page).
Now the question that I have (i hope you can provide some guidance) is that in order for me to integrate it with the "CAS Client", i need to add some filters to web.xml but everytime I do that, and I restart beehive, the BEECLIENT doesnt start.
I don't know if its because I am missing a .jar (I copied the CAS .jar's to $ORACLE_HOME/j2ee/lib/ext) or if there is something I can enable (DEBUG MODE) on beehive which can help me troubleshoot the issue. Is adding additional filters in web.xml possible?
This is more or less what I wanted to add (note , i tried this in the following file: $ORACLE_HOME/j2ee/BEECLIENT/applications/teamcollaboration/teamcollaboration/WEB-INF/web.xml)
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://login.server.com/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://beehive.server.com</param-value>
</init-param>
<init-param>
<param-name>renew</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>gateway</param-name>
<param-value>false</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://login.server.com/cas/</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://beehive.server.com</param-value>
</init-param>
<init-param>
<param-name>proxyCallbackUrl</param-name>
<param-value>https://beehive.server.com/proxyCallback</param-value>
</init-param>
<init-param>
<param-name>proxyReceptorUrl</param-name>
<param-value>/proxyCallback</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<!-- ************************* -->
<!-- Sign out not yet implemented -->
<!--
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/protected/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/proxyCallback</url-pattern>
</filter-mapping>
Thanks in advance!Richard,
Thanks for the reply. Let me expand of what I am trying to accomplish:
1. User goes to https://beehive.server.com/teamcollab
2. The Beehive PAM plugin kicks in and the user gets redirected to https://cas.server.com/cas/login/?service=https://beehive.server.com/teamcollab
3. Once the cas.server.com authenticates the user, it redirects the browser back to https://beehive.server.com/teamcollab/?*ticket=RANDOM_NUMBERS*
At the very least, I need to be able to readthe "ticket" parameter and validate the RANDOM_NUMBERS against cas.server.com so that I can get the username (no cookie involved here) back from the CAS server.
This is the code I was trying:
public String getIdentity(HttpServletRequest req, Map<String, String> props) throws IdentityException {
String ticket = req.getParameter("ticket");
AttributePrincipal principal = null;
String casServerUrl = "https://cas.server.com/cas";
if(ticket == null || "".equals(ticket))
throw new IdentityException("Service Ticket is Null or empty", null);
Cas20ProxyTicketValidator sv = new Cas20ProxyTicketValidator(casServerUrl);
sv.setAcceptAnyProxy(true);
try {
String legacyServerServiceUrl = "https://beehive.server.com/teamcollab";
Assertion a = sv.validate(ticket, legacyServerServiceUrl);
principal = a.getPrincipal();
} catch (TicketValidationException e) {
e.printStackTrace(); // bad style, but only for demonstration purpose.
String authuser = principal.getName();
if(authuser == null)
throw new IdentityException("User is null", null);
return authuser;
But when I tried that, my browser (frefox) detected an invalid redirect and nothing worked. I don't know how to troubleshoot this piece of code (do you know how to increase debug level and or dump vairiables to a log file, and if so which log file its going?)
Since I got the "invalid redirect" from firefox, i tried adding the cas filters (to web.xml) which in essence should allow me to just do something like String username = request.getRemoteUser(); and that is when beehive crashed.
So based on your response, I should stay away from changing web.xml (good because I didn't want to modify it to begin with) but do you have any recommendation as to how to debug the code ? I would like to echo something like "Service Ticket Received is: blah blah blah" to $ORACLE_HOME/beehive/logs/oc4j/BEECLIENT/log.txt or a similar log
Thanks for your help. -
Third party SSO with a custom login module
Hello everyone,
I've found a few posts on the forum with questions similar to mine, but none have been answered. I'm using a 3rd party authentication product along with a custom implementation of the AbstractLoginModule interface.
The setup is standard: A 3rd party agent is installed on a reverse proxy web server to SAP. The agent is configured to protect SAP resources, and it handles the login screens and authentication. Once the user has been authenticated, the AbstractLoginModule implementation kicks in, decrypts and validates an SSO token, retrieves the username from it and creates an SAP Principal.
The login ticket template is configured as follows:
1. EvaluateTicketLoginModule SUFFICIENT
2. MyLoginModule REQUISITE
3. CreateTicketLoginModule OPTIONAL
One of the integration's key requirements is that direct interaction with standard SAP authentication must be avoided. More specifically, the user should never need to enter an SAP password. I'm only seeing two problems, both of which violate this requirement.
The first is in cases where there is no existing SAP user that matches the authenticated user. In this case, the third party token and SAP Principal are created, the abort method is called, and the user is redirected to the SAP login page. I need to either bring to user back to the third party login page or to a custom error page~.
The second problem occurs when an SAP password change is required. Again in this case, an SAP form is displayed after the module has created the Principal (although once the user changes the SAP password, all's well). If I were to disable mandatory password changes, would this apply to fat client access as well? If so, then it's not a viable option.
The general idea in both instances is that the SAP I'd appreciate any help or suggestions.
Thanks
~ Since the SSO token applies to applications outside of SAP, I may add a login module parameter to make this a configurable choice. (I.e. allow the administrator to decide whether to inform the user that SAP authentication failed while preserving the SSO token, or to destroy the token and force re-authentication). However, if there is a way to configure the "bad credentials" URL outside of the module's code/parameters, it may be better to place the choice there.Hi Julius,
Thank you for the quick response - and on a Sunday, no less!
I have considered verifying that the user existed in SAP before creating the Principal. One might argue that that would be the common sense thing to do. The reason I've held off is that the error should be so rare that it may not justify the overhead. There's a requirement to have a one-to-one username mapping between SAP and the authentication application. It would be more efficient to assume that this requirement has been met and to handle the Exception when it hasn't been. Of course, that doesn't mean that it's the right way to go.
+_Julius Bussche wrote:_+
For the first concern, if they can access the logon page directly (anyway) you could disable it as you do not want any password based logons (right?) and redirect it to your external page or an error page.
Yes, this is what I'm hoping to do, but I'm not sure how to do it. Here are some comments and questions about this:
1. What's involved in disabling the login page? I would think you'd need to replace it with something else rather than just switch it off. Could I limit this change to the login ticket template so that other templates (basic authentication, for example) are still available?
2. Keep in mind that users will never get past the "real" login page unless they have been authenticated. This complicates matters because we're dealing with a scenario in which the user has already been authenticated but doesn't exist in SAP. Therefore, it wouldn't make sense to go back to either login page.
3. What's involved in redirecting to an external page? Is this an explicit redirect in the module code, or can it be decoupled from the module? It's not a big deal, but it would be nice to avoid mandatory module parameters for relative paths to error pages.
I think the question I'm after is: "Can I simply change an SAP login URL parameter to point to a custom error page, and allow everything to work as it does now (where SAP handles the redirect)". If so, could I limit the scope of the change to the login ticket template? What would be even better is if I could configure SAP's response to this error. Somewhere, it's currently configured to display the login page. Ideally, I'd be able to configure it to display myErrorPage, and then set myErrorPage to the appropriate URL.
+_Julius Bussche wrote:_+
For the second concern, I assume that there are no valid passwords involved here which might have expired, so as long as the user does not have the option to activate a password again and anyway cannot logon via password as the option is not presented... then you should be fine here as well with a forward proxy. Not sure which Java APIs are offered here, but you could check this together with the existence check and react to both prior to accessing SAP "from the outside".
The problem here is that the SAP passwords are needed outside of the integration. It's true that whether an SAP password has expired is irrelevant to the integration. However, this is a Web-based integration; SAP passwords must still be available to users who have access to other clients. With this in mind, could I create a user password policy that disables password expiration and automatic password change, but only apply it to Web client access? If not, do you know how I might override SAPu2019s behavior?
Once again, thank you for taking your time to help me out. I am very grateful.
- John -
How to Integrate with third party tool from peoplesoft
Hi
I have one page and in that a Loan Request button is there.
My requiremt is - once employee clicks the loan request button the third party window has to open with deatails of that particular employee eg: some particular informations like ssn,dob etc.
Please help me achieve this by detailed explanation including setups and coding.
Thanks
PSHi
I am able to open third part link and enter the datas as required in that page.
Please help me on second phase of the requirement:
Now once the employe enter the details like ssn and dob and click submit.Based on that ssn and dob,peoplesoft system has to send datas like pay details etc to third party system.
Please help me to solve this.It will great if i get step by step details including code and setup if required
Thanks
PS -
Third party integrating with PeopleSoft
I know this is a rather generic question but I'm hoping someone can point me in the right direction.
I work for a company that has many customers who utilize PeopleSoft. Over the years we've built integrations with each of our customers individually. We're now looking at trying to bring some standardization to those integrations.
In looking into this, it seems that the communication protocols offered are pretty standard (FTP, AS2, etc.). My question revolves more around the message format and content. We typically exchange vendor, invoice and payment information with our customers.
Is there a base message schema/definition of these entities in PeopleSoft that we could utilize?
I understand that every customer has customization done to meet their needs. Right now we're sending XML/positional/CSV/etc. formatted messages with various sets of attributes. If there is some base format of these messages, we're hoping that we could reduce some custom integration work for both ourselves and our customers.Depending on the PS version you use, you can have a look at the following link.
https://psft-updates.oracle.com/psc/UGPRD/CUSTOMER/ISR/c/PTIS_INTEGRATION.PTIS_QUERY_INTG.GBL?&
Its a good place to start with. This will give you a list of all the EIPs that PS delivers OOB.
Thanks! -
SSO with third party solution C.A.S
Hi,
Is there any feedback regarding implementation of third party SSO solution with SAP BW, R/3.
We are imptemting to use C.A.S Solution based on LDAP Sun One, users are different in both systems.
RegardsUP
-
Handling Rowset based message in third party systems
Dear All,
Could you please help me to understand, how can we handle a row set based message at third party system?
PeopleSoft will be sending a row set based messages to third party system and in turn it will be expecting a row set based message as a response. How do we need to handle this?
Thanks,
Hari.ASo you are creating an inbound sync service operation routing.
This can be very well a rowset based message for the request as the response, since every message is an XML.
3e party system will be sending an XML which in the rowset format (which is still XML).
You can just take the message and read it in a rowset, process it and create a response message based on a rowset.
3e party system will be receiving an XML which in the rowset format (which is still XML).
The reason wy I mention XSLT is that the rowset based message has a lot of overhead noded which is not relevent for 3e party systems, but needed for PeopleSoft.
See example:
method OnRequest
/+ &MSG as Message +/
/+ Returns Message +/
Local Message &response;
&response = CreateMessage(Operation.SYNC_REMOTE,
%IntBroker_Response);
&response.GetRowset().GetRow(1).GetRecord(Record.QE_FLIGHTDATA).
GetField (Field.DESCRLONG).Value = &MSG.GenXMLString();
Return &response;
end-method; -
Third Party Integration and OID Accounts
I'm planning on using OID with a sync with another LDAP such as AD or Novell. I am also going to integrate SSO with a third party SSO engine.
How do I log into Oracle SSO with a user neither defined in AD or my third party SSO engine? I am basically worried about accounts like PORTAL and ORCLADMIN. Is it possible to bypass the third party integration for these accounts or am I forced to create these accounts in AD and my third party SSO engine?Jon,
you can either authenticate locally e.g. cn=orcladmin or externally.
You have various option s (depending on the OID version) and how you organize the user base in OID. On a high level the authentication is based on objectclasses for an entry.
E.g. user being synchronized from AD to OID (using the Directory Integration Plaform) contain an objectclass "aduser" to distinguish them as external AD users within OID. So the external authentication plugin will "know" who is an AD user and try to authenticate this user externally with AD not OID. You can also configure the external authentication plugin to filter user who should not be externally authenticated.
If you store all external users in a dedictated subtree e.g. cn=AD_USERS or cn=EDIR_USER you can configure the external authentication plugin to authenticate those user to the respective external directories.
with OID 10.1.4.0.1 you could also make use of the server chaining authentication.
So there are a couple of options you have. See the documentation
Oracle Identity Management Integration Guide
http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b15995/toc.htm
Oracle Internet Directory Administrator's Guide
http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b15991/toc.htm
regards,
--Olaf -
SSO to third party in EP 7.0 (SP-21)
Folks,
Could you please advise if we can do SSO to third party vendor using SAML/SAP logon Ticket in EP 7.0 (SP-21).
Let me explain a bit: We have EP 7.0 (SP-21), after initial logon to portal we can access backend SAP ECC6/BI applications (WebDynpro/ITS..). We would like to bring few third party vendor applications into Portal (content area) as single sign on using SAML/SAP logon Ticket
I had a chance to look into this presentation:
2009 SIM201 Next Generation SSO for SAP Applications with SAML 2.0
http://www.sdn.sap.com/irj/scn/shop?rid=/media/uuid/106df189-4d83-2c10-82a4-c0643a8bf57b
It talks about EP 7.2. Can you advsie if we can do SSO to third party vendor using SAML/SAP logon Ticket in EP 7.0 (SP-21).
Thanks in advance.
Moin.Hi Oliver,
You have the following options:
1. The user exists in NW 7.3 but has different user id than the one in the SAML2 assertion provided by the 3rd party system
For this check the following documentation link: [documentation about out-of-band account linking|http://help.sap.com/saphelp_nw73/helpdata/en/a9/e287475d544cdaa63e884180d6c23f/frameset.htm]
- if the email is available on both systems - the one that issues the assertion and NW 7.3 then try to use Email NameID format
- you may also maintain user mapping in NW 7.3 in additional user attribute
2. Same as #1 but you want that the user links both accounts when first logged in with SAML2
For this check the following documentation link: [documentation about interactive account linking|http://help.sap.com/saphelp_nw73/helpdata/en/97/4e80f86ccb43419a545c672a6bb2e3/frameset.htm]
3. The user has not account on NW 7.3 and such has to be created on the fly based on the information (assertion attributes) in the assertion (automatic account creation)
For this check the following documentation link: [documentation about automatic account creation|http://help.sap.com/saphelp_nw73/helpdata/en/97/4e80f86ccb43419a545c672a6bb2e3/frameset.htm]
4. Use temporary in-memory users
For this check the following documentation link: [documentation about identity federation with transient users|http://help.sap.com/saphelp_nw73/helpdata/en/fd/ecb2b33922414e8ad01763c84b3349/frameset.htm]
Could you provide more details about your scenario and which option seems to be relevant to it? Once we can identify which one is relevant we can discuss further details.
Regards,
Dimitar -
Third party application forcing java stack to restart when logged in through SSO
Hi
We have APW Third party application installed on Enterprise portal 7.4.
When we tried to login APW portal through SSO it forces Java stack services to restart.If we use APW directly without SSO it works fine.
Can you help me tto resolve the issue.Hi Manish,
Please check the configuration once agian about the third party connection and the portal.
Also provide the "dev_server0" which under in directory /usr/sap/SID/J00/work and default trace which under in “/usr/sap/SID/J00/j2ee/cluster/server0/log" to analyze the issue. There is some other tool as well to check the issue using "httpwatch" log tool. But, mostly issue can be identified in dev_server0 or defalut trace".
Thanks,
Brindavan -
SOAP--PI--ABAP Proxy-how to call this scenarion from third-party PeopleSoft
My scenario is:
Third-party Peoplesoft sending an Asynchronous XML message to PI through SOAP Adapter which will then be processed by ABAP proxy server.
I have everything in place (SDL,IR,ID & ABAP Proxy). I have created a SOAP tool that uses URL (http://host:port/XISOAPAdapter/MessageServlet?channel=party:service:channel) and XML message to test the process - it works.
Now the problem is the Peoplefoft system guys need help to figure out how do they reach our system and this process.
per my understanding, I created a WSDL using ID>Tools>Define Web Service option and sent it to them hoping they will be able to use this WSDL to program their call to our system.
I also additionally sent them the SOAP client tool that i use to test the process that has default XML payload in it.
The only change i made in WSDL before sending to third-party is - replaced location tag from the actual URL that reaches sender SOAP adapter to the external URL that will be used by PeopleSOft system reach our network. I think our network guys are going to map this external url to internal URL.
Is there anything else i can do as a PI consultant to help Peoplesoft reach our network and hit the SOAP Adapter (SOAP sender adapter channel for my process).
I will Appreciate any ideas.
Thanks,
SaurabhAs a PI developer, ur only task is to provide the correct wsdl to the Peoplesoft guys. As u have changed the URL, there is nothing else to be done at ur end.
The SOAP Client user just have to use the wsdl and fill in the data. Before the communication, please make sure that there are no firewall restrictions.
Regards,
Prateek -
Integration of SSO with Third Party Application
Hello Colleagues,
I have requirement where I have to integrate SSO with a third party application.
After some R & D I found out that there is some one class "SSO2Ticket.java" which can do that or help in verify the ticket.
Since I am new to this area, I am not sure how do I go ahead with the execution of this java file.
Can somebody help me with this.
Also, is there any documents which talks about SSO integration or about the above mentioned JAVA file.
Best regards,
ArvindWhich type of 3rd party application is this, and which SSO authentication methods does it support?
If you can find a common one, then that will be good for you.
Specifically for non-SAP systems re-using the SAP LogonTickets, I know that you can extract the user name from the ticket. I think SAP even provides some verification tools here for external applications to verify the ticket?
Currently there is much excitement about SAML 2.0 which is also worth taking a look into as well.
Cheers,
Julius -
11g Forms and SSO Third-party / custom identity provider
For 11g Forms, we currently use database accounts to authenticate users.
With a custom written identity provider, I was wondering if anyone knew the high-level of how a user could be SSO authenticated with a Forms session.
Here are some questions:
Do you need other Oracle products (OAM or OID) to use Weblogic / Forms SSO authentication with a third-party identity provider?
If you continue to use unique database accounts, don’t you need OID to bridge the link between an SSO account and an oracle database user account?
If you don’t use unique database accounts (i.e. only use schema name for all users), what products are need to allow Webgate / Forms to use a third-party identity provider to launch a forms database session? i.e would the SSO name be passed to the database layer for user auditing.
I would appreciate if anyone had concepts of what products/techniques are needed.For 11g Forms, we currently use database accounts to authenticate users.
With a custom written identity provider, I was wondering if anyone knew the high-level of how a user could be SSO authenticated with a Forms session.
Here are some questions:
Do you need other Oracle products (OAM or OID) to use Weblogic / Forms SSO authentication with a third-party identity provider?
If you continue to use unique database accounts, don’t you need OID to bridge the link between an SSO account and an oracle database user account?
If you don’t use unique database accounts (i.e. only use schema name for all users), what products are need to allow Webgate / Forms to use a third-party identity provider to launch a forms database session? i.e would the SSO name be passed to the database layer for user auditing.
I would appreciate if anyone had concepts of what products/techniques are needed. -
Consume a third party REST Based Webservice from PeopleSoft
We are in tools 8.49.33
Using 'Consume Web Service' component we can only consume a WSDL based webservice I guess. But we have a requirement to consume to a third party webservice, for which we just have to invoke a URL with query string via HTTP GET and receive an XML response. Has anyone done this before?Three things to check:
#1: Check your errorLog.html file in the PSIGW web app of your PeopleSoft server
#2: Does your app server have to go through a proxy to connect to the internet? If so, did you configure integrationGateway.properties to use a proxy server? You can test this by trying to use ConnectorRequestURL for a plain old HTTP web site. If you get the same error, then it is likely a proxy issue.
#3: If #2 passed, then it might have to do with certificates and you will need to review PeopleBooks for importing certificates for integration broker. I haven't had to do this before, but am pointing it out in case. -
Problem: Deploy a SSO Third Party Integration Adapter in Portal
A user want to deploy a SSO third party integration adapter (Novell Access Gateway) in Portal (AS v10.1.2.0.2). And used method in Note 430877.1. They can login through Novell Access Gateway and login Portal, but when click search user button, there always show a blank IE. And no error log. How to resolve? Thanks.
Hello,
I have found out that in SAP Portal it must be possible to create a new system from a par-file which is uploaded to portal before.
I have such a par-file. It is deployed and uploaded to the portal server. And the application which is contained by this PAR is running in SAP Portal. But when I go to
System Administration --> System Configuration --> Portal Content --> right mouse click to folder --> new System from par
then this PAR can not find there.
I have also tried to upload this PAR manually to portal. But the result is the same. This PAR does not exist in the radiobutton-options to create a new System.
Please can anybody tell me how to create a system (or a system-template) from an uploaded PAR-file?
Regards,
Iris
Maybe you are looking for
-
How do I access router setup page if the router DHCP service is disabled?
When I had DSL, my WRT54G was my DHCP master for my home network. When I got AT&T U-Verse, their "gateway" became the DHCP master and also the wireless access point. But the signal was not strong enough where I wanted to use it, so I hooked up the
-
Home Sharing on iPad gone wrong...please help!
Hi there, I recently found out about home sharing by a friend. So to save space on my iPad I simply download all my music and videos on my computer and then when I want to watch/listen I have the computer switched on and iTunes running and then it al
-
No Form Fields Detected - Adobe Pro X
Hi all, Having a very frustrating time today and probably missing something simple. I have created a new PDF Form and also edited a previous Form that I have used. However, when uploading them into our software (proprietary), we get the error "No F
-
How to create agent for scheduling an scenario???
i want to scheudle a scenario... but it requires agent.. so, please tell me the steps i have to follow inorder to create agent....
-
hello, before two weeks ago we installed radius server in our network. the other switches in the network are work fine with the radius, the nexus 5k can reach the server with ping, but cant authenticate the users, only local users can access. test aa