Datawiza
Back to blog
Updated July 19, 2026Blog

Shibboleth SSO and MFA for PeopleSoft: Campus Login Without OAM or IDCS

Abstract feature image for Shibboleth SSO and MFA for PeopleSoft
Table of contents

Many universities and public-sector organizations standardize on Shibboleth for SSO, federation, and campus identity. PeopleSoft is often the exception. Finance, HR, Student Administration, and Campus Solutions may still rely on local PeopleSoft sign-in and OPRID-based access even when the rest of the environment uses Shibboleth, InCommon, and campus MFA.

That creates a practical identity gap. Users expect campus login, security teams need MFA, and PeopleSoft teams do not want a large Oracle identity middleware project just to modernize web access.

Datawiza Access Proxy closes that gap by sitting in front of PeopleSoft. Shibboleth remains the identity provider. Datawiza handles the SAML exchange, validates the assertion, maps the authenticated identity to PeopleSoft, and passes the trusted PSSSOUID header that signon PeopleCode uses to create the PeopleSoft session. For the broader solution overview, see PeopleSoft SSO and MFA.

Why PeopleSoft Needs a Shibboleth SSO Bridge

PeopleSoft does not act as a native SAML or OIDC application in the same way modern SaaS apps do. A Shibboleth IdP cannot simply point at a PeopleSoft SAML endpoint and complete login. The SAML work needs to happen outside PeopleSoft, and PeopleSoft needs a trusted way to receive the authenticated user.

The standard PeopleSoft pattern uses signon PeopleCode. A trusted component authenticates the user, passes the PeopleSoft username in an HTTP header such as PSSSOUID, and PeopleSoft establishes the session for that OPRID. Datawiza performs the SAML service provider role and becomes that trusted access layer.

How Shibboleth SSO Works for PeopleSoft

  1. A user opens the Datawiza-protected PeopleSoft URL for HCM, FSCM, Campus Solutions, or another PeopleSoft web application.
  2. Datawiza redirects the browser to the institution's Shibboleth IdP for SAML authentication.
  3. Shibboleth authenticates the user and applies campus policy, including Duo or another MFA method when required.
  4. Shibboleth returns a signed SAML assertion to Datawiza.
  5. Datawiza validates the SAML assertion and maps a Shibboleth attribute such as eppn, uid, mail, or another agreed attribute to the matching PeopleSoft OPRID.
  6. Datawiza sends the trusted PSSSOUID header to PeopleSoft from the approved proxy path.
  7. PeopleSoft signon PeopleCode validates the trusted source and creates the user session with existing PeopleSoft roles, permission lists, and row-level security unchanged.

What This Avoids

  • No Oracle Access Manager deployment just to add campus SSO to PeopleSoft.
  • No Oracle IDCS or OCI IAM dependency if your standard IdP is Shibboleth.
  • No custom SAML code inside PeopleSoft.
  • No PeopleSoft application rewrite; only the supported signon PeopleCode configuration path.
  • No separate password-only PeopleSoft login path for users who should authenticate through campus identity.

Identity Mapping: Shibboleth Attributes to PeopleSoft OPRID

The most important design detail is identity mapping. PeopleSoft access still depends on the OPRID and the security model already configured in PeopleSoft. Shibboleth may release eduPersonPrincipalName, uid, mail, employeeNumber, or another attribute. Datawiza maps that attribute to the PeopleSoft OPRID expected by signon PeopleCode.

This lets the identity team keep campus federation policies in Shibboleth while the PeopleSoft team keeps PeopleSoft roles, permission lists, and row-level security in PeopleSoft.

MFA with Duo, InCommon, and Campus Policy

Many Shibboleth environments already enforce Duo or another MFA method through campus access policy. In that model, MFA happens before Datawiza passes the user to PeopleSoft. PeopleSoft does not need to implement MFA itself; it receives an authenticated user only after Shibboleth and campus policy succeed.

This is useful for institutions that need stronger access controls for finance, HR, procurement, or student-data workflows without changing the PeopleSoft application stack.

Where This Pattern Fits

  • PeopleSoft HCM for employee self-service, manager self-service, payroll, and benefits.
  • PeopleSoft FSCM for finance, procurement, expense, and supplier workflows.
  • PeopleSoft Campus Solutions for student administration and protected student records.
  • Public-sector or higher-education environments using Shibboleth, InCommon, or campus federation as the enterprise identity standard.

Frequently Asked Questions

Does PeopleSoft support Shibboleth natively?

No. PeopleSoft does not provide native Shibboleth, SAML, or OIDC login the way a modern SaaS application does. A bridge is needed to handle SAML with Shibboleth and pass the authenticated user to PeopleSoft through the trusted signon PeopleCode pattern.

Do we need OAM or IDCS for Shibboleth SSO with PeopleSoft?

No. Datawiza can connect Shibboleth to PeopleSoft without Oracle Access Manager, Oracle IDCS, or OCI IAM. Datawiza acts as the SAML service provider and forwards the authenticated identity to PeopleSoft using the configured trusted header flow.

Can Duo MFA protect PeopleSoft through Shibboleth?

Yes. If Duo or another MFA service is enforced by Shibboleth or campus policy, users complete MFA before Datawiza sends the trusted PeopleSoft header. Datawiza can also enforce additional access policies at the proxy layer when needed.

Does this change PeopleSoft permissions?

No. Datawiza changes how the user authenticates before reaching PeopleSoft. PeopleSoft authorization still comes from the user's existing OPRID, roles, permission lists, and row-level security.

Is this only for universities?

No. The pattern applies to any organization that uses Shibboleth or a SAML 2.0 identity provider and needs to modernize PeopleSoft login without rebuilding the PeopleSoft application.

Bottom Line

Shibboleth can be the front door for PeopleSoft without turning the project into a large Oracle identity deployment. Put Datawiza Access Proxy in front of PeopleSoft, keep Shibboleth as the IdP, enforce campus SSO and MFA, and let PeopleSoft continue to use the security model it already has.

Book a demo and we can walk through your Shibboleth attributes, PeopleSoft OPRID mapping, PSSSOUID configuration, MFA policy, and rollout plan.

Datawiza is Easy to Get Started

Sign up to secure your AI agents and critical enterprise apps

Try Datawiza