SSO for PeopleSoft

by Oracle

Modern SSO for PeopleSoft HCM, Financials, and Campus Solutions

Why PeopleSoft Needs Modern SSO

PeopleSoft remains one of the most widely deployed HR, finance, and student administration platforms, with thousands of organizations relying on PeopleSoft HCM, Financials, Supply Chain, and Campus Solutions for mission-critical operations. Despite Oracle's continued support, PeopleSoft's web tier (PeopleSoft Internet Architecture / PIA) uses WebLogic-based authentication that is difficult to federate with modern cloud identity providers. Native SAML support in PeopleSoft requires WebLogic SAML Identity Asserter configuration, Oracle Access Manager integration, or custom PeopleCode — all complex, expensive, and fragile approaches.

OnePAM simplifies this by acting as an identity-aware reverse proxy in front of PeopleSoft PIA. Users authenticate through your corporate IdP, and OnePAM injects trusted PeopleSoft sessions via PS_TOKEN cookie injection or header-based authentication. All PeopleSoft applications — Classic, Fluid UI, PeopleSoft Mobile, and web services — gain SSO without modifying the PeopleSoft application, PeopleTools, or WebLogic configuration.

Authentication Challenges with PeopleSoft

These are the security and operational challenges organizations face when PeopleSoft relies on its native authentication model.

PeopleSoft Credentials Silo

PeopleSoft maintains its own user profiles and password policies (PSOPRDEFN) separate from corporate identity infrastructure.

WebLogic SAML Complexity

Configuring SAML in WebLogic (PeopleSoft's web server) requires deep WebLogic expertise, certificate management, and fragile XML configuration.

Oracle Access Manager Cost

Oracle recommends OAM for PeopleSoft SSO, but OAM adds significant licensing cost, infrastructure complexity, and operational burden.

Multiple PeopleSoft Environments

Most organizations run multiple PeopleSoft environments (HCM, FIN, CS, plus DEV/QA/PROD for each), each needing SSO configuration.

Fluid UI Authentication

PeopleSoft's modern Fluid UI uses different authentication flows than Classic, complicating SSO implementations.

PeopleTools Version Differences

Different PeopleTools versions (8.54, 8.55, 8.56, 8.57, 8.58, 8.59, 8.60) have varying authentication capabilities.

How OnePAM Adds SSO to PeopleSoft

A step-by-step guide to deploying modern SSO for PeopleSoft using OnePAM's identity-aware reverse proxy.

1. Deploy OnePAM Gateway

Place OnePAM in front of your PeopleSoft PIA (WebLogic) server to intercept all web traffic.

OnePAM acts as the TLS termination point and identity verification layer. It handles all authentication before requests reach the PeopleSoft PIA server.

2. Connect Your IdP

Configure SAML 2.0 or OIDC federation with your corporate identity provider.

OnePAM connects to Okta, Azure AD, Google Workspace, or any SAML/OIDC provider. All IdP configuration happens in OnePAM — no WebLogic SAML asserter needed.

3. Map User Identities

Define how IdP attributes map to PeopleSoft Operator IDs (PSOPRDEFN.OPRID).

OnePAM maps IdP user attributes (email, employee ID, UPN) to PeopleSoft Operator IDs using configurable rules, regex transformations, or LDAP lookups.

4. Enable PS_TOKEN Injection

OnePAM creates trusted PeopleSoft sessions by injecting PS_TOKEN cookies after IdP authentication.

Upon successful IdP authentication, OnePAM generates a valid PS_TOKEN cookie using PeopleSoft's native token format. The user's browser presents this cookie to PIA, which accepts it as a valid authentication — no second login.

5. Apply Governance

Enforce access policies, MFA requirements, session recording, and generate audit reports.

OnePAM provides per-environment, per-component, and per-user-group access policies. All access is logged with full IdP context for compliance reporting.
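
The identity-mapping step and the header-based authentication option described above, sketched as an added example (not OnePAM's code or configuration format): regex rules map verified IdP claims to an Operator ID and fail closed, and any client-supplied copy of the identity header is stripped before the proxy sets its own. The header name `X-PS-Operator`, the rule format, the `corp.example` domain, and the OPRID allow-list are assumptions.

```python
import re

# Assumptions for illustration: header name, rule format, and OPRID allow-list
# (uppercase, max 30 characters) are not taken from OnePAM or Oracle docs.
IDENTITY_HEADER = "X-PS-Operator"            # hypothetical trusted header
OPRID_RE = re.compile(r"[A-Z0-9_.]{1,30}")

# Ordered rules: (IdP attribute, regex matched against the WHOLE value, template)
RULES = [
    ("employee_id", r"(\d{6})", r"E\1"),
    ("upn", r"([a-z0-9.]+)@corp\.example", r"\1"),   # constructed domain
]

def map_to_oprid(claims, rules=RULES):
    """Return the OPRID for verified IdP claims, or None to deny (fail closed)."""
    for attr, pattern, template in rules:
        value = claims.get(attr)
        if not isinstance(value, str):
            continue
        # fullmatch, not search: "a@corp.example.other.test" must not map.
        m = re.fullmatch(pattern, value.strip().lower())
        if m is None:
            continue
        candidate = m.expand(template).upper()
        return candidate if OPRID_RE.fullmatch(candidate) else None
    return None

def _canon(name):
    # Header names are case-insensitive; CGI-style backends treat "_" and "-" alike.
    return name.lower().replace("_", "-")

def build_upstream_headers(client_headers, claims):
    """Strip any client-sent identity header, then set the proxy's own value."""
    oprid = map_to_oprid(claims)
    if oprid is None:
        raise PermissionError("no PeopleSoft operator mapped for this identity")
    upstream = {k: v for k, v in client_headers.items()
                if _canon(k) != _canon(IDENTITY_HEADER)}
    upstream[IDENTITY_HEADER] = oprid
    return upstream
```

Header-based trust of this kind holds only when the PIA server accepts connections solely from the proxy; a directly reachable backend would accept the same header from any client.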

Benefits of SSO for PeopleSoft

Measurable business outcomes from deploying OnePAM SSO in front of PeopleSoft.

Eliminate PeopleSoft Passwords

Users authenticate with corporate credentials — no separate PeopleSoft password to manage, expire, or reset.

90% fewer password tickets

MFA for PeopleSoft

Enforce your IdP's MFA policies for PeopleSoft access — no PeopleCode customization or WebLogic MFA plugins.

100% MFA coverage

Replace Oracle Access Manager

OnePAM provides SSO, MFA, and access control for PeopleSoft without OAM licensing, WebGate agents, or OAM infrastructure.

Significant license savings

All Environments Covered

Apply SSO to HCM, FIN, CS, and all DEV/QA/PROD environments from a single OnePAM configuration.

Single config, all environments

Instant Revocation

Disable a user in your IdP and PeopleSoft access stops immediately — no PSOPRDEFN locks needed.

Real-time deprovisioning

Classic + Fluid SSO

Both PeopleSoft Classic and Fluid UI receive SSO treatment — consistent user experience across all interfaces.

All UI modes covered

PeopleSoft SSO Capabilities

Every feature needed to provide enterprise-grade SSO for PeopleSoft.

SAML 2.0 & OIDC SSO for PeopleSoft PIA
PS_TOKEN cookie injection for transparent SSO
Classic UI and Fluid UI SSO support
PeopleSoft Mobile SSO pass-through
Multi-environment SSO (HCM, FIN, CS, SCM)
Per-environment access policies
IdP group to PeopleSoft role mapping
PeopleTools 8.54 through 8.60 support
Session recording and keystroke audit
Just-in-time user provisioning

Security Features

Enterprise-grade security controls protecting the SSO integration layer.

End-to-end TLS with PeopleSoft PIA
PS_TOKEN encryption and integrity verification
Per-component access policies (HCM vs FIN)
IP and geo-based access restrictions
Device compliance verification
Automatic session invalidation on IdP sign-out

PeopleSoft SSO Use Cases

Common scenarios where organizations deploy OnePAM SSO for PeopleSoft.

1. HR teams accessing PeopleSoft HCM with corporate SSO and MFA
2. Finance staff using PeopleSoft Financials with role-based access controls
3. University registrars accessing Campus Solutions with federated authentication
4. External auditors given time-limited, recorded access to PeopleSoft FIN
5. Employees accessing PeopleSoft Employee Self-Service via Fluid UI with SSO
6. Organizations migrating from OAM to OnePAM for PeopleSoft authentication

PeopleSoft SSO FAQ

Common questions about deploying OnePAM SSO for PeopleSoft.

Does OnePAM require PeopleTools or PeopleCode changes?

No. OnePAM operates as a reverse proxy in front of PeopleSoft PIA. It handles authentication at the HTTP layer and injects PS_TOKEN cookies. No PeopleCode, PeopleTools, or WebLogic changes are needed.

Which PeopleSoft applications are supported?

All PeopleSoft applications running on PIA are supported: HCM, Financials, Supply Chain, Campus Solutions, and any custom PeopleSoft components.

How does OnePAM handle PeopleSoft's multiple web profile configurations?

OnePAM applies SSO regardless of PeopleSoft web profile configuration. Each PeopleSoft environment can have its own access policy, MFA requirements, and session rules in OnePAM.

Can OnePAM replace Oracle Access Manager for PeopleSoft?

Yes. OnePAM provides SSO, MFA, session management, and audit logging for PeopleSoft without OAM. Most customers find OnePAM simpler to deploy, operate, and significantly less expensive to license.

Does SSO work with PeopleSoft Integration Broker and web services?

OnePAM supports SSO for PeopleSoft web interfaces (Classic, Fluid, Mobile). For Integration Broker and web service authentication, OnePAM can provide OAuth2 token-based authentication.

Ready to Add SSO to PeopleSoft?

Deploy OnePAM in hours — not months. No PeopleSoft code changes required. Start your free 14-day trial today.