Set Up SAML SSO for Staff with PowerSchool SIS as the idP

With the help of a plugin, you can use the PowerSchool Student Information System (SIS) as an identity provider (IdP) to support Security Assertion Markup Language (SAML). The plugin is an XML file that describes the necessary details for a SAML connection, such as user attributes, Service Provider (SP) Uniform Resource Names (URNs), and more.

Ensure you have completed the steps to prepare SAML single sign-on (SSO) for staff.

Save the plugin XML configuration table

Copy and save this XML code as Naviance-Staff.xml to a location such as Documents or Desktop.

1 <?xml version="1.0" encoding="UTF-8"?>

2 <plugin xmlns="http://plugin.powerschool.pearson.com"

3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

4 xsi:schemaLocation='http://plugin.powerschool.pearson.com plugin.xsd'

5 name="Naviance Staff SSO"

6 version="1.0"

7 description="Access Naviance via PowerSchool SIS as a Staff Member">

8 <identityAttribute>

9 <entity name="users" attribute="dcid" />

10 </identityAttribute>

11 <saml name="NavianceStaff"

12 entity-id="urn:auth0:hobsons:1000000DUS-staff-saml-1"

13 metadata-url="https://accounts.naviance.com/samlp/metadata?connection=1000000DUS-staff-saml-1"

14 base-url="https://id.naviance.com"

15 spec-compliant="true">

16 <links>

17 <link display-text="Naviance Succeed" title=""

18 path="/samlsso?institutionId=1000000DUS@amp;userType=staff">

19 <ui_contexts>

20 <ui_context id="admin.header"/>

21 <ui_context id="teacher.header"/>

22 </ui_contexts>

23 </link>

24 </links>

25 </saml>

26 <publisher name="Yanming Zhu">

27 <contact email="yanming.zhu@powerschool.com" />

28 </publisher>

29 </plugin>

Identify the PowerSchool SIS SSO URL

To connect Naviance to the PowerSchool SIS, identify the Single sign-on bindings using this URL template.

https://powerschool.fakeschool.k12.us:443/powerschool-saml-sso/profile/SAML2/Redirect/SSO

Replace powerschool.fakeschool.k12.us with your PowerSchool SIS Public URL, such as powerschool.yourschool.org. Do not remove :443 from the URL

Download the PowerSchool SIS SSO certificate

1. From the Start Page, choose System under Setup in the Main Menu.

2. From Server, select System Settings.

3. Select Digital Certificate Management.

4. Select the Key Store tab, if needed.

5. In the List of Certificates with Private Key section, click Export for the PowerSchool certificate key pair you want to export.

   • PowerSchool recommends using the Default SAML Signing Certificate. However, you can use a different key pair.

   • The PowerSchool certificate is saved to your Downloads folder when exported.

Create the Naviance SAML connection

1. Navigate to the gear icon and select Setup.

2. Select Single Sign-On (SSO) Options.

3. Select Configure for SAML SSO.

4. Select Add SAML Connection.

5. From Step 1 Getting Started:

   1. Enter Naviance PS SIS - Staff in Create a Display Name for your SAML Connection.

   2. Select Other from the Select a SAML Connection Type list.

   3. Select Staff from Select User Types for this Connection.

   4. Select Next.

6. From Step 2 Copy Naviance Service Provider Information:

   1. Copy your Entity ID to a text editor or other location for reference. This will be similar to urn:auth0:hobsons:1000000DUS-staff-saml-1.

   2. Select Next.

7. From Step 3 Enter IDP Information:

   1. Enter everything after the @ in your staff email addresses in Tenant Domain. For example, if staff use LastFirst@fakeschool.k12.us, enter fakeschool.k12.us as the tenant domain.

   2. Enter the PowerSchool SIS SSO URL from the previous sections in SSO URL.

   3. Upload the PowerSchool SIS SSO certificate from the previous sections.

   4. Select Advance Configuration.

   5. Change Choose Federation Type to The NameID field in your IDP will be mapped to federationID field in Naviance.

8. Select Create Connection.

9. Select Connect Now.

10. Copy the Metadata URL to a text editor or other location for reference This will be similar to https://accounts.naviance.com/samlp/metadata?connection=1000000DUS-staff-saml-1.

Configure the plugin XML file

Refer to the XML code at the beginning of this page.

1. Copy the Entity ID from Naviance and replace the placeholder "entity-id" on Line 12 of the Naviance-Staff.xml

2. Copy the Metadata URL from Naviance and replace the placeholder "metadata-url" on Line 13 of the Naviance-Staff.xml

3. Copy your Unique District ID, which is "1000000DUS" in the table, and replace "1000000DUS" after "institutionId=" on Line 18 of the Naviance-Staff.xml

   • Do not remove or alter after the "&amp;" for the rest of the line.

4. Save the file.

Install and configure the PowerSchool SIS plugin

1. Install and enable the plugin in the PowerSchool SIS.

2. Clients can refer to the PowerSchool SIS Administrator Help page for additional information on installing plugins to the PowerSchool SIS.

3. Select the Naviance Staff SSO from the Plugin List to view the configuration screen.

4. Select Single Sign-On Settings.

5. Change Single Sign-On Certificate to the PowerSchool SIS SSO Certificate from the previous sections.

6. Verify the Entity ID and Metadata URL contain your Unique District ID.

7. Select Save.

Verify access to Naviance Succeed

To verify the configuration was successful, test the connection with another staff member or use an incognito browser window to log in to Naviance. Logging out of Naviance may lock all users out of Naviance. The PowerSchool DCID must be set to the Federation ID Field in the Naviance profile for the staff member verifying access.

Both of these locations should be accessible via the PowerSchool SIS Authentication:

• Direct from the Application Links Drawer in PowerSchool SIS.

• From https://id.naviance.com when typing their email address.