Identity Provider SSO

Introduction

PowerSchool Enrollment supports third-party identity provider (IdP) single sign-on (SSO), PowerSchool SIS IdP SSO, PowerSchool SIS unidirectional SSO, and eSchoolPlus SIS unidirectional SSO.

Third-Party Identity Provider SSO

PowerSchool Enrollment supports SSO authentication for school/district administrative users through third-party IdPs, such as Microsoft (Azure Active Directory, ADFS), Google (G Suit), etc., as long as the IdP supports OpenID Connect (OIDC). Using this functionality, your administrative users can authenticate into PowerSchool Enrollment using your IdP.

PowerSchool SIS Identity Provider SSO

PowerSchool Enrollment supports SSO authentication for school/district administrative users through the PowerSchool SIS as the IdP. Using this functionality, your administrative users can authenticate into PowerSchool Enrollment using the PowerSchool SIS as the IdP.

PowerSchool SIS Unidirectional SSO

PowerSchool Enrollment supports SSO authentication for school/district administrative users through the PowerSchool SIS. Using this functionality, your administrative users can authenticate into PowerSchool Enrollment by accessing it directly from within the PowerSchool SIS.

eSchoolPlus SIS Unidirectional SSO

PowerSchool Enrollment supports SSO authentication for school/district administrative users through the eSchoolPlus SIS. Using this functionality, your administrative users can authenticate into PowerSchool Enrollment by accessing it directly from within the eSchoolPlus SIS.

Configure Third-Party IdP SSO

1. Enable OIDC within IdP.
2. Add Redirect URI to IdP.
3. Provide IdP Credentials to PowerSchool Enrollment Support.
4. Configure Third-Party IdP SSO in PowerSchool Enrollment.
5. Enable Third-Party IdP SSO in PowerSchool Enrollment.

Enable OIDC within IdP

OIDC will need to be enabled within your IdP, if not already done.

Add Redirect URI to IdP

Add the following redirect URI to your IdP:

• US (and all non-Canadian countries) Redirect URI: https://registration.powerschool.com/admin/login/LoginOidcSsoRedirect.rails or https://enrollment.powerschool.com/admin/login/LoginOidcSsoRedirect.rails depending on what environment you use.
• Canadian Redirect URI: https://registration.ca.powerschool.com/admin/login/LoginOidcSsoRedirect.rails

Provide IdP Credentials to PowerSchool Enrollment Support

Provide the following credentials for your IdP to your PowerSchool Enrollment Support team:

• Issuer URL
• Client ID
• Client Secret
• Global Identifier Claim ("email" if using Google, "oid" if using Microsoft Azure Active Directory, "upn" if using Microsoft ADFS)
• Scopes ("openid email profile" if using Google or Microsoft)

Configure Third-Party IdP SSO in PowerSchool Enrollment

Your PowerSchool Enrollment Support team will need to configure third-party IdP SSO within PowerSchool Enrollment.

Enable Third-Party IdP SSO in PowerSchool Enrollment

Your PowerSchool Enrollment Support team will need to enable third-party IdP SSO within PowerSchool Enrollment and provide you with your new login URL.

Configure PowerSchool SIS IdP SSO

1. Retrieve OAuth Credentials from OAuth Plugin in PowerSchool SIS.
2. Set Up PowerSchool SIS Connection.
3. Install and Enable Admin Portal Plugin in PowerSchool SIS.
4. Enable PowerSchool SIS Admin SSO in PowerSchool Enrollment.
5. Configure PowerSchool SIS IdP SSO in PowerSchool Enrollment.
6. Enable PowerSchool SIS IdP SSO in PowerSchool Enrollment.

Retrieve OAuth Credentials from OAuth Plugin in PowerSchool SIS

For step-by-step instructions, see Before Getting Started.

Set Up PowerSchool SIS Connection

For step-by-step instructions, see Set Up PowerSchool SIS Connection. Requires Configuration role.

Install and Enable Admin Portal Plugin in PowerSchool SIS

Requires your PowerSchool Enrollment Support team to first provide you with the PowerSchool Enrollment admin portal plugin.

1. Sign in to the PowerSchool SIS Admin portal as a System Administrator.
2. From the start page, choose System > System Settings > Plugin Management Configuration.
3. Click Install.
4. Click Choose File.
5. Select the PowerSchool Enrollment admin portal plugin.
6. Click Install.
7. Select Enable/Disable next to the PowerSchool Enrollment admin portal plugin.
8. Click Enable.

Enable PowerSchool SIS Admin SSO in PowerSchool Enrollment

For step-by-step instructions, see Enable Admin SSO. Requires Configuration role.

Configure PowerSchool SIS IdP SSO in PowerSchool Enrollment

Your PowerSchool Enrollment Support team will need to configure PowerSchool SIS IdP SSO within PowerSchool Enrollment. Requires PowerSchool SIS version 20.4.0.0 or later.

Enable PowerSchool SIS IdP SSO in PowerSchool Enrollment

Your PowerSchool Enrollment Support team will need to enable PowerSchool SIS IdP SSO within PowerSchool Enrollment and provide you with your new login URL. Requires PowerSchool SIS version 20.4.0.0 or later.

Configure PowerSchool SIS Unidirectional SSO

1. Retrieve OAuth Credentials from OAuth Plugin in PowerSchool SIS.
2. Set Up PowerSchool SIS Connection.
3. Install and Enable Admin Portal Plugin in PowerSchool SIS.
4. Enable PowerSchool SIS Admin SSO in PowerSchool Enrollment.

Retrieve OAuth Credentials from OAuth Plugin in PowerSchool SIS

For step-by-step instructions, see Before Getting Started.

Set Up PowerSchool SIS Connection

For step-by-step instructions, see Set Up PowerSchool SIS Connection. Requires Configuration role.

Install and Enable Admin Portal Plugin in PowerSchool SIS

Requires your PowerSchool Enrollment Support team to first provide you with the PowerSchool Enrollment admin portal plugin.

1. Sign in to the PowerSchool SIS Admin portal as a System Administrator.
2. From the start page, choose System > System Settings > Plugin Management Configuration.
3. Click Install.
4. Click Choose File.
5. Select the PowerSchool Enrollment admin portal plugin.
6. Click Install.
7. Select Enable/Disable next to the PowerSchool Enrollment admin portal plugin.
8. Click Enable.

Enable PowerSchool SIS Admin SSO in PowerSchool Enrollment

For step-by-step instructions, see Enable Admin SSO. Requires Configuration role.

Configure eSchoolPlus SIS Unidirectional SSO

The following steps need to be taken in the following order to configure eSchoolPlus SIS unidirectional SSO:

1. Register Enrollment Integration as Application in eSchoolPlus SIS.
2. Enable Enrollment Integration and Retrieve API Credentials from eSchoolPlus SIS.
3. Set Up eSchoolPlus SIS Connection.
4. Enable eSchoolPlus SIS Admin SSO in PowerSchool Enrollment.
5. Grant Users Access to PowerSchool Enrollment in eSchoolPlus SIS.

Register Enrollment Integration as Application in eSchoolPlus SIS

eSchoolPlus SIS Support will need to register the Enrollment Integration as an application within eSchoolPlus SIS. Requires eSchoolPlus SIS Support access in eSchoolPlus SIS.

Enable Enrollment Integration and Retrieve API Credentials from eSchoolPlus SIS

For step-by-step instructions, see Before Getting Started.

Set Up eSchoolPlus SIS Connection

For step-by-step instructions, see Set Up eSchoolPlus SIS Connection. Requires Configuration role.

Enable eSchoolPlus SIS Admin SSO in PowerSchool Enrollment

For step-by-step instructions, see Enable Admin SSO. Requires Configuration role.

Grant Users Access to PowerSchool Enrollment in eSchoolPlus SIS

1. Sign in to the eSchoolPlus SIS Admin portal as a System Administrator.
2. Search for Security Profile.
3. Click Add (+) in the Resources section.
4. Expand the Enrollment Integration item.
5. Expand the Setup And Configuration item.
6. Grant the user either Read or Read/Write access to the VIEW item.
7. Click OK.
8. Repeat for each user.

Manage User Identifiers

To utilize SSO, users must be mapped to a user within the IdP or SIS. This allows the user to sign in to PowerSchool Enrollment using the IdP credentials or access PowerSchool Enrollment directly through the SIS, and be authenticated into the linked account.

There are three methods by which to enter a user's identifier (also known as, global identifier):

Only users with the Administrator role can perform these actions.

• Enter a global identifier while creating a new account.
• Enter/edit/delete a global identifier while editing an existing account.
• Enter/edit/delete a global identifier(s) by importing accounts.

Additionally, if using either PowerSchool SIS IdP SSO, PowerSchool SIS unidirectional SSO, or eSchoolPlus SIS unidirectional SSO, each user can self-register their global identifier.

Either Configure Third-Party IdP SSO for Third-Party IdP SSO, Enable PowerSchool SIS Admin SSO for PowerSchool SIS IdP SSO, Enable PowerSchool SIS Admin SSO for PowerSchool SIS unidirectional SSO, or Enable eSchoolPlus SIS Admin SSO for eSchoolPlus SIS unidirectional SSO must be done before you're able to manage users' global identifiers.

Create a New User Account

1. From the main menu, select Admin Accounts (or Users > Admin Accounts if you have access to more than one user account type).
2. Click Create New Account.
3. Enter information in the required fields, including the Global Identifier. The Global Identifier must be unique.
4. Click Create.

Edit an Existing User Account

1. From the main menu, select Admin Accounts (or Users > Admin Accounts if you have access to more than one user account type).
2. Select an account.
3. To edit the account's IdP identifier:
   
   1. In the Third-Party Identity Provider Account section (if using third-party IdP SSO) or the Linked SIS Accounts section (if using either PowerSchool SIS IdP SSO or eSchoolPlus SIS IdP SSO), click Edit.
   2. Edit the Global Identifier. The Global Identifier must be unique.
   3. Click Save.

Export and Import User Accounts

Export User Accounts

1. From the main menu, select Admin Accounts (or Users > Admin Accounts if you have access to more than one user account type).
2. Click Export Accounts in the Import/Export Accounts section. A comma-separated value (CSV) file is downloaded through your browser, containing the following columns:
   • LastName
   • FirstName
   • EmailAddress
   • Nickname
   • Title
   • OfficePhone
   • CellPhone
   • OtherPhone
   • Phone
   • Fax
   • Note
   • Identifier - The Identifier column contains the Global Identifier for each account.

Import User Accounts

• Importing accounts can be used to create new accounts and update existing accounts. The primary key is the EmailAddress column.
• Only the following columns are required to be present in the imported file: LastName, FirstName, EmailAddress.
• If a column is excluded from the imported file, any existing data related to that column will not be deleted.
• If a column is included in the imported file, and if the column contains no value for an account, the existing data related to that column for that account will be deleted.

1. From the main menu, select Admin Accounts (or Users > Admin Accounts if you have access to more than one user account type).
2. Click Choose File in the Import/Export Accounts section, and select the comma-separated value (CSV) file you want to import. The following are the supported column headers:
   • LastName
   • FirstName
   • EmailAddress
   • Nickname
   • Title
   • OfficePhone
   • CellPhone
   • OtherPhone
   • Phone
   • Fax
   • Note
   • Identifier - The Identifier column is used to enter, edit, or delete the Global Identifier for each account. The Identifier must be unique.
3. Click Import.

Self-Register Global Identifier

This self-registration process is only available if using either PowerSchool SIS IdP SSO, PowerSchool SIS unidirectional SSO, or eSchoolPlus SIS unidirectional SSO, and is not available if using a third-party IdP.

PowerSchool SIS

1. Sign in to the PowerSchool SIS Admin portal.
2. Choose Enrollment from the main menu or select Enrollment from the Applications menu.
3. If your PowerSchool SIS account is not yet linked to a PowerSchool Enrollment account, enter your PowerSchool Enrollment account credentials,

4. Click Sign In. This automatically takes the claim identifier from the PowerSchool SIS account and links it to the PowerSchool Enrollment account as the Global Identifier. All subsequent attempts at accessing PowerSchool Enrollment using this PowerSchool SIS account's credentials will result in the automatic authentication into the linked PowerSchool Enrollment account.

eSchoolPlus SIS

1. Sign in to the eSchoolPlus SIS Admin portal.
2. Chose Enrollment from the My eSchoolPlus menu.
3. If your eSchoolPlus SIS account is not yet linked to a PowerSchool Enrollment account, enter your PowerSchool Enrollment account credentials.

4. Click Sign In. This automatically takes the claim identifier from the eSchoolPlus SIS account and links it to the PowerSchool Enrollment account as the Global Identifier. All subsequent attempts at accessing PowerSchool Enrollment using this eSchoolPlus SIS account's credentials will result in the automatic authentication into the linked PowerSchool Enrollment account.

Identity Provider SSO

Using your IdP or SIS account credentials, you can authenticate into PowerSchool Enrollment.

Login URLs

If using third-party IdP SSO or PowerSchool SIS IdP SSO, you will need to sign in to PowerSchool Enrollment using a non-standard URL.

The standard PowerSchool Enrollment login URLs are as follows:

• US (and all non-Canadian countries) Standard Login URL: registration.powerschool.com/admin or enrollment.powerschool.com/admin depending on what environment you use.
• Canadian Standard Login URL: registration.ca.powerschool.com/admin

Third-Party IdP Login URLs

When using third-party IdP SSO, to access PowerSchool Enrollment directly, you will need to use a URL similar to the following:

• US (and all non-Canadian countries) Third-Party IdP Example Login URL: registration.powerschool.com/admin/login/loginoidcsso.rails?ssoprovider=genericoidc&_districtid=00000000-0000-0000-0000-000000000000 or enrollment.powerschool.com/admin/login/loginoidcsso.rails?ssoprovider=genericoidc&_districtid=00000000-0000-0000-0000-000000000000 depending on what environment you use (where 00000000-0000-0000-0000-000000000000 is replaced with a GUID related to your school/district)
• Canadian Third-Party IdP Example Login URL: registration.ca.powerschool.com/admin/login/loginoidcsso.rails?ssoprovider=genericoidc&_districtid=00000000-0000-0000-0000-000000000000 (where 00000000-0000-0000-0000-000000000000 is replaced with a GUID related to your school/district)

• Your PowerSchool Enrollment Support team will provide this login URL to you.
• If you attempt to sign in to PowerSchool Enrollment using the standard login URL, an alert appears indicating that you cannot. Click Sign in with your school's/district's SSO (single sign-on) provider to access the appropriate URL.

PowerSchool SIS IdP Login URLs

When using PowerSchool SIS IdP SSO, to access PowerSchool Enrollment directly, you will need to use a URL similar to the following:

• PowerSchool SIS IdP Example Login URL: SISURL/admin/openid/oidredirectaction.action?pluginName=PowerSchool%20Enrollment%20Admin%20Portal&linkTitle=PowerSchool%20Enrollment%20Admin%20Portal (where SISURL is replaced with your PowerSchool SIS base URL, and assuming the installed admin portal plugin has a name of "PowerSchool Enrollment Admin Portal" and a link title of "PowerSchool Enrollment Admin Portal")

• Your PowerSchool Enrollment Support team will provide this login URL to you.
• When using PowerSchool SIS IdP SSO, there is a configurable option (SSO Authentication Only) to allow or disallow users to sign in to PowerSchool Enrollment directly using their PowerSchool Enrollment account credentials through the standard login URL. This option is configured by your PowerSchool Enrollment Support team. If SSO Authentication Only is disabled, users can still sign in to PowerSchool Enrollment using the standard login URL using their PowerSchool Enrollment account credentials. If SSO Authentication Only is enabled, users are unable to sign in to PowerSchool Enrollment using the standard login URL. If you attempt to sign in to PowerSchool Enrollment using the standard login URL, an alert appears indicating that you cannot.

PowerSchool SIS Unidirectional SSO Login URLs

When using PowerSchool SIS unidirectional SSO, to access PowerSchool Enrollment directly, you will need to use the standard URL.

When using PowerSchool SIS unidirectional SSO, there is a configurable option (SSO Authentication Only) to allow or disallow users to sign in to PowerSchool Enrollment directly using their PowerSchool Enrollment account credentials through the standard login URL. This option is configured by your PowerSchool Enrollment Support team. If SSO Authentication Only is disabled, users can still sign in to PowerSchool Enrollment using the standard login URL using their PowerSchool Enrollment account credentials. If SSO Authentication Only is enabled, users are unable to sign in to PowerSchool Enrollment using the standard login URL. If you attempt to sign in to PowerSchool Enrollment using the standard login URL, an alert appears indicating that you cannot.

eSchoolPlus SIS Unidirectional SSO Login URLs

When using eSchoolPlus SIS unidirectional SSO, to access PowerSchool Enrollment directly, you will need to use the standard URL.

When using eSchoolPlus SIS unidirectional SSO, there is a configurable option (SSO Authentication Only) to allow or disallow users to sign in to PowerSchool Enrollment directly using their PowerSchool Enrollment account credentials through the standard login URL. This option is configured by your PowerSchool Enrollment Support team. If SSO Authentication Only is disabled, users can still sign in to PowerSchool Enrollment using the standard login URL using their PowerSchool Enrollment account credentials. If SSO Authentication Only is enabled, users are unable to sign in to PowerSchool Enrollment using the standard login URL. If you attempt to sign in to PowerSchool Enrollment using the standard login URL, an alert appears indicating that you cannot.

Login Behavior

Direct Access with Standard Login URL

This is only applicable to PowerSchool SIS IdP SSO, PowerSchool SIS unidirectional SSO, and eSchoolPlus SIS unidirectional SSO, given SSO Authentication Only is disabled.

1. Open your web browser to the appropriate standard login URL.
2. On the PowerSchool Enrollment login page, sign in to your PowerSchool Enrollment account.

Direct Access with IdP SSO URL

This is only applicable to Third-Party IdP SSO and PowerSchool SIS IdP SSO.

1. Open your web browser to the appropriate URL.
2. On your IdP's login page, sign in to your IdP account. PowerSchool Enrollment launches and you will be brought into your linked PowerSchool Enrollment account.

PowerSchool SIS Access

This is only applicable to PowerSchool SIS IdP SSO and PowerSchool SIS unidirectional SSO.

1. Sign in to the PowerSchool SIS Admin portal.
2. Choose Enrollment from the main menu or select Enrollment from the Applications menu. PowerSchool Enrollment launches and you will be brought into your linked PowerSchool Enrollment account.

eSchoolPlus SIS Access

This is only applicable to eSchoolPlus SIS unidirectional SSO.

1. Sign in to the eSchoolPlus SIS Admin portal.
2. Choose Enrollment from the My eSchoolPlus menu. PowerSchool Enrollment launches and you will be brought into your linked PowerSchool Enrollment account.

Sign Out

When you are finished working in PowerSchool Enrollment, be sure to sign out. Note that when you sign out of PowerSchool Enrollment, you may still be signed in to your IdP or SIS. To completely sign out, visit your IdP or SIS that you used to sign in.