Contents
Contents

Authenticating to PeopleSoft Enrollment Web Services (EWS)

Struggling to bridge the legacy gap? Cedar Hills Group provides specialized PeopleSoft integration consulting to help teams design, build, and optimize their connection strategies.

Before you can call secured EWS operations like retrieving a student’s study list or processing enrollments, you need to authenticate the user of your application. This article covers how authentication works with the REST-based Enrollment Web Services.

Understanding the Authentication Model

In the default PeopleSoft security model, the PeopleTools user table handles user IDs and passwords itself. Many schools instead use custom SSO solutions, and there isn’t a single standard for SSO.

These articles will cover standard PeopleSoft authentication where there is a user id (OPRID) and password managed by PeopleTools (PSOPRDEFN). If your institution uses sign-on PeopleCode to integrate with LDAP or another method, this approach may still apply.

PeopleSoft can authenticate a user with a native PeopleSoft password. After authentication, PeopleSoft always controls authorization for which web services the user can access.

Security Model Of EWS

When designing web service in PeopleSoft or any server there are two basic security models that can be designed.

  • Super-User Access - In this model, certain operations may be performed by a privileged user (like an administrator) on behalf of other users. This requires additional security considerations to ensure proper authorization. In this case, the external application would authenticate as the super-user and specify the target user in the request payload.
    • EWS does NOT support this model.
  • Anonymous Access - In this model, certain EWS operations (like course catalog browsing and class search) can be accessed without user credentials.
    • I would not recommend using anonymous access for anything. Since the Catalog, Schedule of Classes and any other configuration data is not student specific, I would recommend creating an Peoplesoft user account that represents the external application and granting it access to the web services needed. This way, you have an audit trail of which application accessed what data.
    • for the external application to use.
  • Authenticated Access - In this model, operations involving student-specific data (study lists, shopping carts, enrollment transactions) require valid user credentials. The system must verify the user before returning or modifying their data.
    • EWS supports this model and it is the recommended approach.

Since most of the EWS operations involve student-specific data, authenticated access is the primary security model used. The external application must provide valid user credentials (typically via Basic Authentication) with each request to access these secured operations.

The first step is to ensure the users who will be accessing the EWS have access to the necessary web services in PeopleSoft.

User Authentication

First we will assume that the user has a valid PeopleSoft user ID and password. The external application will need to collect these credentials from the user (e.g., via a login form) and include them in the HTTP Authorization header of each request.

  • Here we assume that the user knows their PeopleSoft user (OPRID).
    • Many times users are using an SSO system and this PeopleSoft account name is not known to them. In this case, you will need to have some way to map the external identity to the internal PeopleSoft user ID.
  • This would be a password that is either directly managed in PeopleSoft or integrated via an external identity provider (LDAP, SSO, etc.) and authorized by “Signon PeopleCode”.
    • Many schools do NOT have this setup and your mileage may vary.

For these examples, we will assume the OPRID is JDOE and the password is CLAPPING5mullet6hackers*miracle.

The EWS servicee have a few different operations that can be used for authentication.

Looking at the SCC_USERREG_R service, you have three authentication-related operations:

Operation HTTP Method Purpose
SCC_CHECK_AUTH_R_POST POST Validates credentials only - returns a simple yes/no on whether the username/password combination is valid
SCC_USERREG_AUTHORIZE_POST POST Authenticates AND authorizes - validates credentials and returns user details like EMPLID, along with authorization information
SCC_USERREG_AUTH_GET GET Retrieves authentication/session status for an already authenticated user

Authentication a User - SCC_USERREG_AUTH

This is the most simple authentication operation. It simply validates the provided credentials and returns a session token (PS_TOKEN) that can be used in subsequent requests to act on behalf of the authenticated user.

This service operation is delivered as In-Active, so you have to activate it in PeopleSoft Integration Broker configuration before using it and ensure your target user group has access to it.

  • Inputs:
    • PeopleSoft OPRID and Password
  • Outputs:
    • PS_TOKEN - A token that represents the authenticated session. This is opaque and should be treated as a session identifier.
      • Do NOT log this value or expose it to end users.
      • Having this token means that you can impersonate the user for subsequent requests.
      • Sending this along in subsequent requests means your server is acting on behalf of the user.
      • Never send this in error messages or stack traces.
GET http://34.125.87.32:8000/PSIGW/RESTListeningConnector/PSFT_CS/SCC_USERREG_AUTH.v1/authenticate HTTP/1.1
accept: */*
authorization: Basic JDOE:CLAPPING5mullet6hackers*miracle

A successful response will resemble this the following.

HTTP/1.1 200 OK
connection: close
content-encoding: gzip
content-length: 20
content-type: application/xml; encoding=UTF-8
date: Sat, 06 Dec 2025 20:48:06 GMT
set-cookie: PS_TOKEN=oQAAAAQDAgEBAAAAvAIAAAAAAAAsAAAABABTaGRyAk4AaQg4AC4AMQAwABSmtkQfBXsxJRqRCWpV58Fub+8HEGEAAAAFAFNkYXRhVXicLYnNDkAwGASnJeLkTSpV/2dK4oCEu7N39HA+jT3szGZvII60UsJHE5IujGx4Es/KTLZzMHFyMYhVDoujxlAIjazm95yKTtrK+3lJSx/ICzZ6CsY=
x-oracle-dms-ecid: b518fc96-a79f-43d0-b527-6312383b1ace-0000003e
x-oracle-dms-rid: 0

If the authentication fails, you will get a 401 Unauthorized response like this:

HTTP/1.1 401 Unauthorized
cache-control: no-store, must-revalidate, private
connection: close
content-length: 0
date: Sat, 06 Dec 2025 20:51:59 GMT
www-authenticate: BASIC realm="PeopleSoft Enterprise PeopleTools"
x-oracle-dms-ecid: b518fc96-a79f-43d0-b527-6312383b1ace-0000003f
x-oracle-dms-rid: 0

This web service does not give you much information other than whether the credentials are valid or not and gives you a token. You will use this token in subsequent requests to act on behalf of the user.

Author Profile
Chris Malek

Chris Malek is a PeopleTools® Technical Consultant with over two decades of experience. He is available for consulting engagements.

Work with Chris
Subscribe to Updates
SWS Bolt-On
PeopleSoft Simple Web Services

SWS turns SQL into production REST APIs — ready for AI, modern apps, and partner integrations. One install, unlimited potential.

  • Configuration-driven, no coding required
  • JSON, XML, and CSV output
  • Works across all PeopleSoft pillars
  • Built on 25+ years of PeopleSoft expertise
Read More & Purchase
SWS Bolt-On
PeopleSoft Simple Web Services

A powerful PeopleSoft bolt-on that makes REST web services easy. You bring the SQL, SWS handles the rest.

  • Go from idea to production in minutes
  • Zero code migrations after install
  • JSON, XML, and CSV output supported
  • No PeopleCode or Integration Broker expertise required
Read More & Purchase
SWS Bolt-On
PeopleSoft Simple Web Services

Traditional PeopleSoft web services cost $3,600–$13,000 each to develop. SWS deploys production REST APIs in under 5 minutes through configuration alone.

  • No PeopleCode or Integration Broker expertise required
  • Works across Campus Solutions, HCM, and Financials
  • Built-in pagination, caching, and nested data structures
  • Trusted by institutions across higher education and government
Read More & Purchase
SWS Bolt-On
PeopleSoft Simple Web Services

Turn PeopleSoft data into clean REST APIs for AI integrations, modern applications, and vendor data feeds. Configuration-driven — no PeopleCode required.

  • Deploy production APIs in under 5 minutes
  • AI and LLM ready (RAG, chatbots, intelligent search)
  • JSON, XML, and CSV output
  • Zero modifications to delivered PeopleSoft objects
Read More & Purchase
psLens Platform
psLens Operations & Intelligence

Look up any record, field, page, or component, audit security, and monitor Integration Broker across every database — in seconds.

  • 30+ object types browsable
  • 16 real-time alert types
  • Read-only by design
  • No App Designer or SQL required
Learn More
psLens Platform
psLens Operations & Intelligence

A web console built for the PeopleSoft community — operational monitoring, security auditing, and metadata browsing in one tool.

  • Sub-second object search
  • Catch stuck IB messages before users do
  • Audit service permissions from one screen
  • Works in any browser
Learn More
psLens Platform
psLens Operations & Intelligence

On-demand security and operational reports for your PeopleSoft environment — no client install required.

  • 14 on-demand reports
  • Markdown export for AI/LLM workflows
  • No shared tenancy
  • Built on 25+ years of PeopleSoft expertise
Learn More
psLens Platform
psLens Operations & Intelligence

Research any PeopleSoft object and monitor system health from a single browser tab — no App Designer, no SQL.

  • 30+ PeopleSoft object types browsable
  • Real-time alerts before users report problems
  • Read-only and secure
  • Private alpha — early access now
Learn More