PowerSchool SIS as OIDC Service Provider for SSO
On this page:
The PowerSchool SIS provides support for external OpenID Connect (OIDC) identity providers (IdP), which allows authorized users to single sign-on (SSO) into the PowerSchool SIS using their identity provider and then seamlessly navigating to any of their PowerSchool products with that single set of credentials. Certified IdPs include Microsoft Azure and Google, which support Multi-Factor Authentication (MFA). Staff, Teachers, Students, and Parents user types are all supported. Prerequisites must be met before setting up PowerSchool SIS SSO with External IdP.
Set Up PowerSchool SIS as OIDC Service Provider
To set up PowerSchool SIS as OIDC Service Provider, perform the following setup items in the order by which they appear.
Before proceeding, ensure that the following are not enabled:
Step 1: Enable PowerSchool SIS as OIDC Service Provider
The first step in setting up PowerSchool SIS as OIDC Service Provider is to enable the plugin.
- On the start page within the PowerSchool SIS Admin portal, choose System in the main menu.
- Click System Settings.
- Click Plugin Management Configuration.
- Select Enable/Disable next to PowerSchool SIS as OIDC Service Provider.
- Click Enable.
Step 2: Register the Application with the Identity Provider
Add PowerSchool SIS to Google
Refer to the Google documentation for detailed procedures on defining projects, adding OAuth clients, and defining the OAuth consent.
- Set up the OAuth consent information.
- Create credentials for an OAuth Client ID. Set up as a Web Application and enter the Redirect URI in Authorised redirect URI to indicate where users are redirected after successful authentication.
PowerSchool SIS Redirect URI: Enter the name of your district's PowerSchool URL followed by /oidc/openid_connect_login, such as https://<powerschool domain>/oidc/openid_connect_login. - Record the client ID and client secret.
Add PowerSchool SIS to Microsoft
Refer to Microsoft's documentation for detailed instructions on registering applications, generating client secrets, and entering the Redirect URI for an application.
Go to https://portal.azure.com as an admin of the IdP service.
- Register the application.
- For Supported Account Type, select Accounts in this organizational directory only.
- Indicate the application is a Web app and enter the Redirect URI where the identity provider will redirect the user after successful authentication.
PowerSchool SIS Redirect URI: Enter the name of your district's PowerSchool URL followed by /oidc/openid_connect_login, such as https://<powerschool domain>/oidc/openid_connect_login. Generate the client secret and record both the Client ID and Client Secret value.
- The Client Secret value is only viewable on initial creation
- The Client Secret is found under the Value column and is not the same as Secret ID
- Add a claim to your token (optional):
- Select Token Configuration >Add Optional Claim.
Select the appropriate ID or Access as the Token Type.
Select the claims you want to add.
- Click Add.
Add PowerSchool Mobile App to Microsoft
If you plan to enable OIDC for students and parents, you must create another app registration for the PowerSchool Mobile app (which is used for iOS Client ID and Android Client ID), configure the scopes, and add the predefined redirect in addition to the PowerSchool SIS IdP configuration in order for mobile users to connect via SSO. This step is not necessary if Google is the IdP.
- Go to https://portal.azure.com as an admin of the IdP service.
- In the App Registrations section:
- Register the application as PowerSchool Mobile App.
- For Supported Account Type, select Accounts in this organizational directory only.
- For Platform Configuration, select Client Application (Web, iOS, Android, Desktop+Device).
- Select Authentication in the navigation menu.
- In the Mobile and desktop application section, add the URI: com.powerschool.developer.mobile://oidc/cb
- Click Save.
- Select API Permissions in the navigation menu.
- Click + Add a permission.
- Click Microsoft Graph on the Microsoft APIs tab in the Commonly used Microsoft APIs section.
- Select the Delegated permissions option.
- Check the email, offline_access, openid, and profile options.
- Scroll to the Users section and open the options.
- Check the User.ReadBasic.All option.
- Click Add permissions.
You will also need to configure PowerSchool Mobile for SSO.
Step 3: Set OIDC Authentication Settings
After registering the application with the identity provider, enable and configure the settings needed for establishing a successful SSO connection between an identity provider and the PowerSchool SIS as the service provider.
- On the start page within the PowerSchool SIS Admin portal, choose System in the main menu.
- Click OIDC Authentication Setup.
- Select Enable OIDC Authentication.
- Enter the IDP URL:
For Google, https://accounts.google.com.
For Microsoft, https://login.microsoftonline.com/[TenantID]/v2.0. The <Tenant ID> can be found on the Overview page of their Azure Active Directory.
Enter the client ID and client secret provided by the IdP.
Enter Scopes. Separate multiple entries using spaces.
For Google, openid email. Google supports openid, email, and profile.
For Microsoft, openid profile. Microsoft supports openid, profile, email, and offline_access.
For Authentication ID / Identifying Claim, enter the IdP claim that will be used to match SIS users. For example, if you used openid email for Google, you would enter email here.
For Google, it is suggested to use the email claim. Google supports aud, email, email_verified, exp, family_name, given_name, iat, iss, locale, name, picture, and sub.
For Microsoft, it is suggested to use the oid claim. Microsoft supports acr, at_hash, aud, auth_time, c_hash, cloud_graph_host_name, cloud_instance_host_name, cloud_instance_name, email, exp, iat, iss, msgraph_host, name, nonce, oid, preferred_username, sub, tid, and ver.
Do not select any of the Enable OIDC Authentication for Users settings at this time.
Click Submit.
Step 4: Optional - Setup PowerSchool Mobile App
You must setup PowerSchool Mobile App in order for parent and student users to authenticate and use the PowerSchool Mobile App. If you are using Microsoft as the IdP, you must register the PowerSchool Mobile app with Microsoft.
- Repeat Step 3.
Use the global configuration settings to enable SSO for the PowerSchool Mobile app:
Google - iOS Client ID: 162669419438-v9j0hrtnbkifi68ncq6jcr3ngadp2o0o.apps.googleusercontent.com
- Android Client ID: 162669419438-egansm7coo8n7h301o7042kad9t9uao9.apps.googleusercontent.com
- Scopes: openid email profile
- iOS Redirect URI: com.powerschool.portal://
- Android Redirect URI: com.powerschool.portal://
Microsoft - iOS Client ID: Use the Application (client) ID from the PowerSchool Mobile App app registration.
- Android Client ID: Use the Application (client) ID from the PowerSchool Mobile App app registration.
Scopes: openid email profile offline_access https://graph.microsoft.com/user.readBasic.all
iOS Redirect URI: com.powerschool.developer.mobile://oidc/cb
Android Redirect URI: com.powerschool.developer.mobile://oidc/cb
- Click Submit.
Step 5: Map Users from IdP to SIS
After setting the OIDC Authentication settings, join the users from your identity provider and PowerSchool SIS together so the global identifier can be imported into the PowerSchool SIS establishing the connection between the SIS and your identity provider. Perform the following in the order by which they appear.
Export PowerSchool SIS Users
The first step in mapping users from the identity provider to the PowerSchool SIS is to export users from the PowerSchool SIS. All active users must be set up for SSO before exporting. The Global Identifier for the User Type of Staff is used to sign in to the PowerSchool Admin portal and the Global Identifier for User Type of Teacher is used to sign in to the PowerSchool SIS Teacher portal. A user can have access to both portals. In which case, the import file should contain two rows for the user, one with the User Type of Staff and another row with User Type of Teacher.
- On the start page within the PowerSchool SIS Admin portal, choose System in the main menu.
- Click Page and Data Management.
- Click Data Export Manager.
- In the Select Columns to Export section:
- Choose PowerSchool Data Sets as the Category.
Choose one of the following from Export From:
SSO Staff Mapping
SSO Teacher Mapping
SSO Parent Mapping
SSO Student Mapping
Select the columns to export:
For Staff and Teacher, User DCID, SSO User Type, Global Identifier are required.
- For Parent, Person ID, SSO User Type, Global Identifier are required.
- For Student, Student DCID, SSO User Type, Global Identifier are required.
- Click Next.
- In the Select/Edit Records section, you can use the Built In Filters to narrow the list of records to export, then click Next.
In the Export Summary and Options Output section:
Records to Export may differ from the record selection, as some records may be duplicate users who access multiple schools.
Change the Export File Name extension from .txt to .csv.
- Choose Comma as the Field Delimiter.
- Choose UTF-8 as the Character Set.
Click Export.
Export Identity Provider Users (Optional)
Next, export users from your identity provider. Refer to your identity provider for details.
Merge the IdP and SIS Export Files
The PowerSchool SIS user export files and the identity provider user export file need to be merged into one file. The purpose is to get the data from the Microsoft or Google files into the Global ID column of the PowerSchool file so that it can be imported. You can use the VLOOKUP function in Microsoft Excel or a similar application to merge the two export files.
Import Merged Files
When a global identifier is defined a randomly generated username and/or password will be populated if the value of the field is blank. The randomly generated username will start with ~~.
Once you have merged the PowerSchool SIS user export files and the identity provider user export file, you can then import it into the PowerSchool SIS. Using the Data Import Manager, you can import new global identifiers, as well as update and delete existing global identifiers of users in PowerSchool. To import a contact global identifier, it is required that the contact has an access account existing in PowerSchool. Having an access account is not required for other user types. The following fields are required for importing global ID for each user type:
Entity | Rule |
---|---|
User DCID | The DCID field from the Users table. Required to import a staff global identifier or teacher global identifier. |
Student DCID | The DCID field from the Students table. Required to import a student global identifier. |
Person ID | The ID field from the Person table. Required to import a contact global identifier. |
SSO User Type | Required to import global identifier for all user types. The supported values are STAFF, TEACHER, STUDENT, PARENT. |
Global Identifier | Required to import global identifier for all user types. If the user has no global identifier, it will be created for the user, If the user already has a global identifier, that would be updated. To delete the global identifier of the user, specify #delete. |
Import File
On the start page within the PowerSchool SIS Admin portal, choose System in the main menu.
Click Page and Data Management.
Click Data Import Manager.
Select the source and target:
- Choose the file you want to import.
- Choose SSO User Mapping as the Import Into.
- Choose Comma as the Field Delimiter.
- Choose Unicode as the Character Set.
Click Next.
Click Next.
Click Import.
Verify Imported Merged Files
Once the PowerSchool SIS user export files and the identity provider user export file are merged into one file and imported back into the PowerSchool SIS, you will want to verify that your identity provider's global identifier appears in the PowerSchool SIS. Re-run the exports to ensure that Global ID column data appears as expected.
Step 6: Test SSO for Personas
After mapping the users from the identity provider to the PowerSchool SIS, test the SSO connection between your identity provider and the PowerSchool SIS as the service provider. To test a persona, enable OIDC authentication and then verify that you can sign in to the respective portal. Be sure to test each persona in another browser or using an incognito window before ending your current session.
Enabling OIDC authentication for users without also defining Global Identifiers for users will prevent users from being able to sign in.
- On the start page within the PowerSchool SIS Admin portal, choose System in the main menu.
- Click OIDC Authentication Setup.
- Select Enable OIDC Authentication for the persona you want to test. It is recommended that you first test teachers, then parents, then students, and finally staff.
- Click OK.
Click Submit.
Do not close this window.
Based on your Step 3 selection, choose the user you want to test.
- Open a new private browser window.
Based on your Step 3 selection, enter the URL of your district's PowerSchool SIS Teacher, Student and Parent, or Admin portal and press ENTER or RETURN. The PowerSchool SIS portal should redirect to the IdP's sign-in page.
Sign in with the user's credentials. For teacher, parent, and student, if the PowerSchool SIS portal launches, the setup has been configured properly. For staff, if the PowerSchool SIS Admin portal launches and you are expelled from your first session, as you are only allowed one session at a time, the setup has been configured properly.
- For parent, and student, open the PowerSchool Mobile app. Sign in with the user's credentials.
Step 7: Enable OIDC Authentication
The final step of setting up the PowerSchool SIS as OIDC Service Provider is to enable OIDC authentication.
- On the start page within the PowerSchool SIS Admin portal, choose System in the main menu.
- Click OIDC Authentication Setup.
- Select Enable OIDC Authentication for the user you want to enable.
- Click OK.
Click Submit.
Usernames and Passwords
When OIDC authentication is enabled, usernames and passwords for Teacher users, Parent users, Student users, and Staff users are replaced with a global identifier.
Manage Global Identifiers
After initially setting up PowerSchool SIS as an OIDC service provider, you may find that you need to add, edit, or delete a global identifier for one or more users. Users must be active and have SSO enabled for their user type.
You can add, edit, or delete global identifiers for multiple users or for individual users.
Manage Global Identifier for Individual Users
- On the start page, search for and select the user.
- For staff member and teacher users:
- Navigate to the staff record using Staff Search
- Choose Security Settings staff page from the left menu.
- Click Admin Access and Roles.
- Enter the teacher's Identity Provider Global ID.
Click Submit.
- For a student contact user:
- Navigate to the contact record using Contact Search
- Scroll to the Web Account Access section.
- Click Add Account or Edit Account.
- Enter the contact's Global Identifier.
- Click Submit.
- For a student user:
- Navigate to the student record using Student Search
- Choose the Access Accounts student page from the left menu.
- Enter the student's Student Global Identifier.
- Click Submit.
Troubleshooting Errors
The following is a list of issues you may encounter and what may cause the issue.
Issue | Possible Cause |
---|---|
HTTP Status 401 - Authentication Failed: OpenID Connect User not authorized for the application | A PCAS_ExternalAccountMap record matching the UserType and OpenIDUserAccountID could not be found. |
HTTP Status 401 - Authentication Failed | The id_token returned by 3rd Party IdP failed validation. A possible reason is PS SIS server time is at least one minute slower than the 3rd Party IdP server time. |
HTTP Status 401 - Authentication Failed: No Issuer found: null | Because there is no value or the value is wrong for the com.powerschool.openidconnect.sp.idp-url configitem record, the SIS cannot validate the issuer and does not know where to redirect the users. Because the cert chain is incomplete the SIS is unable to load the 3rd Party IdP's configurations via the /.well-known/openid-configuration endpoint. |
HTTP Status 401 - Authentication Failed: No PCAS_Account found for token. | The SIS is unable to find a user based on the Identifying Claim through the PCAS_ExternalAccountMap. |
HTTP Status 401 - Authentication Failed: OpenID Connect User not authorized for the application | PCAS_Account.IsEnabled=0 due to no username or password for the Student, Teacher, or Admin. In order for a PCAS_Account to be marked as enabled a username and password must be defined. For password fields these should be long (12+ character) unique random values. |
HTTP Status 401 - Authentication Failed: Unable to obtain Access Token: 401 Unauthorized | The client id or secret does not line up with the values in third-party IdP. |
HTTP Status 401 - Authentication Failed: Unable to find an appropriate signature validator for ID Token | Can occur after a change DNS name. Restarting the PowerSchool SIS in most cases resolves this issue. |
HTTP Status 500 - java.lang.NullPointerException com.powerschool.sp.PSSPAuthenticationSuccessHandler.on … | Teachers are not set to active for a school and the SIS cannot find an affiliated school for the user since they are not active. |
Disable PowerSchool SIS as OIDC Service Provider
To no longer use PowerSchool SIS as OIDC Service provider, you can disable the plugin from the Plugin Management Configuration page.
- On the start page within the PowerSchool SIS Admin portal, choose System in the main menu.
- Click System Settings.
- Click Plugin Management Configuration.
- Select Enable/Disable next to PowerSchool SIS as OIDC Service Provider.
- Click Disable.
If the plugin is enabled again, the OIDC settings will remain the same from when the plugin was previously enabled.