PeopleSoft already supports OAuth for securing REST APIs.
So a natural question comes up:
Why not use modern authentication such as OAuth / OpenID Connect for user login as well?
Many organizations moving to modern identity platforms such as Microsoft Azure Active Directory, Okta, or Keycloak want to enable OpenID Connect (OIDC) authentication for PeopleSoft.
A common assumption is that integrating modern authentication with PeopleSoft requires heavy customization or third-party security products.
In practice, PeopleSoft already provides the necessary extension points. By combining a Java servlet filter at the web tier with Signon PeopleCode, it is possible to implement modern OIDC authentication while keeping the delivered PeopleSoft login framework intact.
Demo video for reference.
GitHub repository for the JAR files: aangusamy/Peoplesoft-OAUTH-OIDC-SSO (Peoplesoft OAUTH OIDC SSO)
This article explains the architecture and implementation.
Architecture Overview
The design keeps authentication outside PeopleSoft while allowing PeopleSoft to manage authorization and sessions.
+---------+        +-------------+        +-----------+
| Browser | -----> |  OIDC IdP   | -----> | WebLogic  |
|         |        | (Azure/Okta)|        |  Filter   |
+---------+        +-------------+        +-----------+
                                                |
                                                v
                                         +-------------+
                                         | PeopleSoft  |
                                         | Signon PC   |
                                         +-------------+
                                                |
                                                v
                                            PS_TOKEN
Flow Explanation
- User accesses the PeopleSoft URL.
- A custom Java filter intercepts the request.
- If the user is not authenticated, the filter redirects to the Identity Provider.
- The Identity Provider authenticates the user and returns an ID Token.
- The filter validates the token and extracts the email claim.
- The filter injects the email into a trusted HTTP header.
- Signon PeopleCode reads the header and maps it to an OPRID.
- PeopleSoft issues a PS_TOKEN session and the application loads normally.
No delivered authentication logic is modified.
Step 1: Build the OIDC Java Filter
The filter performs the following tasks:
- Redirects unauthenticated users to the Identity Provider
- Validates the returned ID token
- Extracts identity claims
- Injects the user identity into the request header
Example logic:
Validate ID Token
Extract email claim
Inject header: X-PS-USER=email
Forward request to PeopleSoft
The filter acts as a security gatekeeper, ensuring all requests are authenticated before reaching the PeopleSoft application.
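What "Validate ID Token" and "Extract email claim" involve, as an added example that is not the project's own filter code. It assumes the Nimbus JOSE + JWT library is on the classpath (the page does not say which library the filter uses), that the IdP signs ID tokens with RS256, and that the filter sent a nonce with the login request; the class and method names are hypothetical.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.URL;
import java.util.Arrays;
import java.util.HashSet;

/** Hypothetical helper (not the project's class): ID token in, validated email out. */
public final class IdTokenValidator {
    private final DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();

    /** issuer and clientId are the oidc.properties values; jwksUri comes from IdP discovery. */
    public IdTokenValidator(String issuer, String clientId, URL jwksUri) {
        // Signature: only RS256, only keys published in the IdP's JWKS.
        JWKSource<SecurityContext> keys = new RemoteJWKSet<>(jwksUri);
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
        // Claims: aud must contain client.id, iss must equal issuer, the listed
        // claims must be present, and exp is checked against the current time.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                clientId,
                new JWTClaimsSet.Builder().issuer(issuer).build(),
                new HashSet<>(Arrays.asList("sub", "exp", "iat", "nonce", "email"))));
    }

    /** Throws if the signature, issuer, audience, expiry or nonce check fails. */
    public String validatedEmail(String idToken, String expectedNonce) throws Exception {
        JWTClaimsSet claims = processor.process(idToken, null);
        // The nonce ties the token to the login request this browser session started.
        if (!expectedNonce.equals(claims.getStringClaim("nonce"))) {
            throw new SecurityException("ID token nonce mismatch");
        }
        String email = claims.getStringClaim("email");
        if (email.trim().isEmpty()) {
            throw new SecurityException("ID token has an empty email claim");
        }
        return email;
    }
}
```

Because Step 6 maps the email claim straight to an OPRID, confirm that the IdP only issues email values that are verified and administrator-controlled.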
Step 2: Deploy the Filter
Copy the compiled filter JAR into the PeopleSoft portal web application.
Location:
/home/psadm2/psft/pt/8.61/webserv/peoplesoft/applications/peoplesoft/PORTAL.war/WEB-INF/lib
Example directory contents:
oidc-filter.jar
After placing the JAR, the web application can load the filter during server startup.
Step 3: Configure OIDC Properties
Create a configuration file:
/home/psadm2/psft/pt/8.61/webserv/peoplesoft/config/oidc.properties
Example configuration:
client.id=xxxxx
client.secret=xxxxx
issuer=https://login.microsoftonline.com/{tenant}/v2.0
redirect.uri=https://ps.company.com/oidc/callback
scope=openid email profile
This allows the filter to load OIDC parameters at runtime.
Step 4: Pass Configuration to WebLogic
Update the PeopleSoft WebLogic startup configuration to include the OIDC configuration path.
Add the following to JAVA_OPTIONS_LINUX:
JAVA_OPTIONS_LINUX="-server -Xms512m -Xmx512m \
-Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform \
-Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 \
-DTM_ALLOW_NOTLS=Y \
-DTM_MIN_PUB_KEY_LENGTH=1024 \
-Doidc.config=/home/psadm2/psft/pt/8.61/webserv/peoplesoft/config/oidc.properties"
The system property allows the filter to dynamically load the OIDC configuration.
Step 5: Configure the Filter Mapping
The filter must intercept all requests. Add the filter definition and its mappings to the portal web application's web.xml:
/home/psadm2/psft/pt/8.61/webserv/peoplesoft/applications/peoplesoft/PORTAL.war/WEB-INF/web.xml
Mapping example:
<filter>
  <filter-name>OIDCSecurityFilter</filter-name>
  <filter-class>OIDCSecurityFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>OIDCSecurityFilter</filter-name>
  <url-pattern>/psp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>OIDCSecurityFilter</filter-name>
  <url-pattern>/psc/*</url-pattern>
</filter-mapping>
This ensures every request under /psp/ and /psc/ passes through the authentication filter before reaching PeopleSoft.
Step 6: Implement Signon PeopleCode
Signon PeopleCode reads the header injected by the filter and maps it to a PeopleSoft user.
Example:
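Local string &email;
Local string &oprid;
/* Identity header injected by the OIDC filter */
&email = %Request.GetHeader("X-PS-USER");
/* Look up an operator only when the header carries a value; an empty header must never match a row */
If All(&email) Then
   SQLExec("SELECT OPRID FROM PSOPRDEFN WHERE EMAILID = :1", &email, &oprid);
End-If;
/* Sign the user on only when the email resolved to an OPRID */
If All(&oprid) Then
   SetAuthenticationResult( True, &oprid);
Else
   SetAuthenticationResult( False, "");
End-If;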
Once authentication succeeds, PeopleSoft creates the normal session cookie:
PS_TOKEN
The user experience is identical to a standard login.
Why This Approach Works
No Delivered Code Changes
This design does not modify:
- Portal servlet
- Delivered login PeopleCode
- Authentication engine
Therefore upgrades and PUM updates remain unaffected.
Separation of Responsibilities
Authentication is handled by the Identity Provider.
PeopleSoft continues to manage:
- roles
- permission lists
- row level security
- session management
Works With Modern Identity Providers
This approach works with any OIDC compatible provider such as:
- Microsoft Azure Active Directory
- Okta
- Keycloak
Security Considerations
Because PeopleSoft trusts the header provided by the filter, the following controls are important:
- All application requests must pass through the filter
- Backend WebLogic ports should not be directly accessible
- The header should only be injected by the filter
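Mapping the filter to /* ensures every request is validated. The Step 5 example maps only /psp/* and /psc/*, so requests to other paths in the web application do not pass through the filter.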
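One way to enforce "the header should only be injected by the filter", as an added example that is not the project's own code: a request wrapper that hides any X-PS-USER value sent by the client and returns only the email the filter validated. It assumes the javax.servlet API; the class name is hypothetical.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical wrapper: X-PS-USER always comes from the filter, never from the client. */
public class TrustedUserRequest extends HttpServletRequestWrapper {
    static final String HEADER = "X-PS-USER";
    private final String email; // null when the filter has no validated identity

    public TrustedUserRequest(HttpServletRequest request, String validatedEmail) {
        super(request);
        this.email = validatedEmail;
    }

    @Override
    public String getHeader(String name) {
        // Header names are case-insensitive, so a client-sent "x-ps-user" is hidden too.
        return HEADER.equalsIgnoreCase(name) ? email : super.getHeader(name);
    }

    @Override
    public Enumeration<String> getHeaders(String name) {
        if (!HEADER.equalsIgnoreCase(name)) {
            return super.getHeaders(name);
        }
        return email == null ? Collections.<String>emptyEnumeration()
                             : Collections.enumeration(Collections.singletonList(email));
    }

    @Override
    public Enumeration<String> getHeaderNames() {
        List<String> names = new ArrayList<>();
        Enumeration<String> original = super.getHeaderNames();
        while (original != null && original.hasMoreElements()) {
            String n = original.nextElement();
            if (!HEADER.equalsIgnoreCase(n)) {
                names.add(n); // drop every client-supplied copy of the header
            }
        }
        if (email != null) {
            names.add(HEADER);
        }
        return Collections.enumeration(names);
    }
    // In the filter: chain.doFilter(new TrustedUserRequest(httpRequest, email), response);
}
```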
Final Thoughts
PeopleSoft is often perceived as difficult to integrate with modern authentication technologies. In reality, the platform already provides the hooks necessary to support modern identity flows.
By combining a Java OIDC filter with Signon PeopleCode, organizations can enable modern authentication while preserving the stability of the PeopleSoft login architecture.
This lightweight approach allows PeopleSoft to integrate cleanly with enterprise identity providers without modifying delivered application code.