
PowerSchool SIS as OIDC Service Provider for SSO

The PowerSchool SIS provides support for external OpenID Connect (OIDC) identity providers (IdPs), which allows authorized users to single sign-on (SSO) into the PowerSchool SIS using their identity provider and then navigate seamlessly to any of their PowerSchool products with that single set of credentials. Certified IdPs are Microsoft Azure and Google, both of which support Multi-Factor Authentication (MFA). The Staff, Teacher, Student, and Parent user types are all supported. Prerequisites must be met before setting up PowerSchool SIS SSO with an external IdP.

PowerSchool SIS as OIDC Service Provider allows the use of multiple IdPs in the same system. This is not available for PowerSchool SIS as SAML Service Provider.

Set Up PowerSchool SIS as OIDC Service Provider

To set up PowerSchool SIS as OIDC Service Provider, perform the following setup items in the order by which they appear.

Before proceeding, ensure that the following are not enabled:

Step 1: Enable PowerSchool SIS as OIDC Service Provider

The first step in setting up PowerSchool SIS as OIDC Service Provider is to enable the plugin.

  1. Navigate to the Plugin Configuration page.

  2. Select Enable/Disable next to PowerSchool SIS as OIDC Service Provider.

  3. Click Enable.

Step 2: Register the Application with the Identity Provider

Add PowerSchool SIS to Google

Refer to the Google documentation for detailed procedures on defining projects, adding OAuth clients, and defining the OAuth consent.

  1. Go to https://console.developers.google.com.

  2. Set up the OAuth consent information.

  3. Create credentials for an OAuth Client ID. Set up as a Web Application and enter the Redirect URI in Authorised redirect URI to indicate where users are redirected after successful authentication.
    PowerSchool SIS Redirect URI: Enter the name of your district's PowerSchool URL followed by /oidc/openid_connect_login, such as https://<powerschool domain>/oidc/openid_connect_login.

  4. Record the client ID and client secret.

If you have users who are under 18 years old, refer to Google documentation Manage access to unconfigured third-party apps for users designated as under 18 for additional required steps.

Add PowerSchool SIS to Microsoft

Refer to Microsoft's documentation for detailed instructions on registering applications, generating client secrets, and entering the Redirect URI for an application.

  1. Go to https://portal.azure.com as an admin of the IdP service.

  2. Register the application.

  3. For Supported Account Type, select Accounts in this organizational directory only.

  4. Indicate the application is a Web app and enter the Redirect URI where the identity provider will redirect the user after successful authentication.
    PowerSchool SIS Redirect URI: Enter the name of your district's PowerSchool URL followed by /oidc/openid_connect_login, such as https://<powerschool domain>/oidc/openid_connect_login.

  5. Generate the client secret and record both the Client ID and Client Secret value.

  6. Add a claim to your token (optional):

    1. Select Token Configuration > Add Optional Claim.

    2. Select the appropriate ID or Access as the Token Type.

    3. Select the claims you want to add.

    4. Click Add.

  • The Client Secret value is only viewable on initial creation.

  • The Client Secret is found under the Value column and is not the same as the Secret ID.

Add PowerSchool Mobile App to Microsoft

If you plan to enable OIDC for students and parents, you must create another app registration for the PowerSchool Mobile app (which is used for iOS Client ID and Android Client ID), configure the scopes, and add the predefined redirect in addition to the PowerSchool SIS IdP configuration in order for mobile users to connect via SSO. This step is not necessary if Google is the IdP.

  1. Go to https://portal.azure.com as an admin of the IdP service.

  2. In the App Registrations section, register the application as PowerSchool Mobile App.

    1. For Supported Account Type, select Accounts in this organizational directory only.

    2. For Platform Configuration, select Client Application (Web, iOS, Android, Desktop+Device).

  3. Select Authentication in the navigation menu.

  4. In the Mobile and desktop application section, add the URI: com.powerschool.developer.mobile://oidc/cb

  5. Click Save.

  6. Select API Permissions in the navigation menu.

    1. Click + Add a permission.

    2. Click Microsoft Graph on the Microsoft APIs tab in the Commonly used Microsoft APIs section.

    3. Select the Delegated permissions option.

    4. Check the email, offline_access, openid, and profile options.

    5. Scroll to the Users section and open the options.

    6. Check the User.ReadBasic.All option.

    7. Click Add permissions.

You will also need to configure PowerSchool Mobile for SSO. Refer to the Step 4: Optional - Setup PowerSchool Mobile App section for more information.

Step 3: Set OIDC Authentication Settings

After registering the application with the identity provider, enable and configure the settings needed for establishing a successful SSO connection between an identity provider and the PowerSchool SIS as the service provider.

  1. In the PowerSchool SIS Administrator portal at the District context, navigate to the OIDC Authentication page.

  2. Select Add.

  3. Select the user type.
    Staff and Teacher share a user type because they share an IDP.

  4. Enter the IDP URL:

    1. For Google, https://accounts.google.com.

    2. For Microsoft, https://login.microsoftonline.com/<TenantID>/v2.0. The Tenant ID can be found on the Overview page of your Azure Active Directory.

  5. Enter the client ID and client secret provided by the IdP.

  6. Enter Scopes. Separate multiple entries using spaces.

    1. For Google, openid email. Google supports openid, email, and profile.

    2. For Microsoft, openid profile. Microsoft supports openid, profile, email, and offline_access.

  7. For Authentication ID/Identifying Claim, enter the IdP claim that will be used to match SIS users. For example, if you entered the scopes openid email for Google, you would enter email here.

    1. For Google, it is suggested to use the email claim. Google supports aud, email, email_verified, exp, family_name, given_name, iat, iss, locale, name, picture, and sub.

    2. For Microsoft it is suggested to use the oid claim. Microsoft supports acr, at_hash, aud, auth_time, c_hash, cloud_graph_host_name, cloud_instance_host_name, cloud_instance_name, email, exp, iat, iss, msgraph_host, name, nonce, oid, preferred_username, sub, tid, and ver.

  8. The Enable OIDC Authentication for field is determined by the user type selected.

  9. Click Submit.

Step 4: Optional - Setup PowerSchool Mobile App

You must set up the PowerSchool Mobile App for parent and student users to authenticate and use it. If you are using Microsoft as the IdP, you must register the PowerSchool Mobile app with Microsoft. Refer to Step 2: Register the Application with the Identity Provider for more information.

The mobile setup is only available when Parent or Student is selected as the user type on the Add OIDC Authentication page.

  1. Repeat Step 3: Set OIDC Authentication Settings. Select either Student or Parent as the user type.

  2. In the Mobile App Setup section, use the global configuration settings to enable SSO for the PowerSchool Mobile app. The settings are split into a Google tab and a Microsoft tab; the Microsoft values are:

    • iOS Client ID: Use the Application (client) ID from the PowerSchool Mobile App app registration.

    • Android Client ID: Use the Application (client) ID from the PowerSchool Mobile App app registration.

    • Scopes: openid email profile offline_access https://graph.microsoft.com/user.readBasic.all

    • iOS Redirect URI: com.powerschool.developer.mobile://oidc/cb

    • Android Redirect URI: com.powerschool.developer.mobile://oidc/cb

  3. Click Submit.

Step 5: Map Users from IdP to SIS

After setting the OIDC Authentication settings, join the users from your identity provider and PowerSchool SIS together so the global identifier can be imported into the PowerSchool SIS establishing the connection between the SIS and your identity provider. Perform the following in the order by which they appear.

Export PowerSchool SIS Users

The first step in mapping users from the identity provider to the PowerSchool SIS is to export users from the PowerSchool SIS. All active users must be set up for SSO before exporting. The Global Identifier for the User Type of Staff is used to sign in to the PowerSchool Admin portal, and the Global Identifier for the User Type of Teacher is used to sign in to the PowerSchool SIS Teacher portal. A user can have access to both portals. In that case, the import file should contain two rows for the user, one with the User Type of Staff and another row with the User Type of Teacher.

  1. In PowerSchool SIS for Administrators, navigate to the Data Export Manager page.

  2. In the Select Columns to Export section:

    1. Choose PowerSchool Data Sets as the Category.

    2. Choose one of the following from Export From:

      • SSO Staff Mapping

      • SSO Teacher Mapping

      • SSO Parent Mapping

      • SSO Student Mapping

    3. Select the columns to export:

      • For Staff and Teacher, User DCID, SSO User Type, Global Identifier are required.

      • For Parent, Person ID, SSO User Type, Global Identifier are required.

      • For Student, Student DCID, SSO User Type, Global Identifier are required.

    4. Click Next.

  3. In the Select/Edit Records section, you can use the Built In Filters to narrow the list of records to export, then click Next.

  4. In the Export Summary and Options Output section:

    1. Change the Export File Name extension from .txt to .csv.

    2. Choose Comma as the Field Delimiter.

    3. Choose UTF-8 as the Character Set.

  5. Click Export.

Records to Export may differ from the record selection, as some records may be duplicate users who access multiple schools.

Export Identity Provider Users (Optional)

Next, export users from your identity provider. Refer to your identity provider for details.

Merge the IdP and SIS Export Files

The PowerSchool SIS user export files and the identity provider user export file need to be merged into one file. The purpose is to get the data from the Microsoft or Google files into the Global ID column of the PowerSchool file so that it can be imported. You can use the VLOOKUP function in Microsoft Excel or a similar application to merge the two export files.
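The VLOOKUP merge described above, written as an added Python example (not PowerSchool's own tooling). It assumes an extra Email column was included in the SIS export as the join key, and it assumes the IdP export has userPrincipalName and id columns; both sample files are constructed. A user with no IdP match is reported rather than written out, since the import must not leave that user with an empty Global Identifier once OIDC is enabled.

```python
import csv
import io

# Constructed sample of a PowerSchool SIS export (SSO Staff Mapping and SSO Teacher
# Mapping combined). "Email" is an assumed extra export column used as the join key;
# Global Identifier is still empty at this point. DCID 101 has a Staff and a Teacher row.
SIS_EXPORT = """User DCID,SSO User Type,Global Identifier,Email
101,STAFF,,alice@district.example
101,TEACHER,,alice@district.example
102,TEACHER,, Bob@District.example
103,TEACHER,,carol@district.example
"""

# Constructed sample of a Microsoft user export (column names assumed). The object id is
# what goes into Global Identifier when oid is the identifying claim from Step 3.
IDP_EXPORT = """userPrincipalName,id
alice@district.example,5f1c0d2e-0000-4000-8000-000000000001
bob@district.example,5f1c0d2e-0000-4000-8000-000000000002
"""

VALID_USER_TYPES = {"STAFF", "TEACHER", "STUDENT", "PARENT"}
IMPORT_COLUMNS = ("User DCID", "SSO User Type", "Global Identifier")


def merge_exports(sis_csv, idp_csv, sis_key="Email", idp_key="userPrincipalName", idp_id="id"):
    """Fill Global Identifier from the IdP export; return (merged_rows, unmatched_rows).

    Matching is case-insensitive and ignores surrounding whitespace. Users with no IdP
    match are kept out of the import file instead of being written with a blank or
    #delete value, because enabling OIDC without a global identifier blocks sign-in.
    """
    idp_lookup = {}
    for row in csv.DictReader(io.StringIO(idp_csv)):
        key = row[idp_key].strip().lower()
        value = row[idp_id].strip()
        if idp_lookup.get(key, value) != value:
            raise ValueError(f"IdP export maps {key!r} to more than one id")
        idp_lookup[key] = value

    merged, unmatched = [], []
    for row in csv.DictReader(io.StringIO(sis_csv)):
        if row["SSO User Type"] not in VALID_USER_TYPES:
            raise ValueError(f"unsupported SSO User Type {row['SSO User Type']!r}")
        global_id = idp_lookup.get(row[sis_key].strip().lower())
        if global_id is None:
            unmatched.append(row)
            continue
        row["Global Identifier"] = global_id  # one row per portal, so a DCID may repeat
        merged.append(row)
    return merged, unmatched


def to_import_csv(rows):
    """Render only the columns the SSO User Mapping import requires, comma delimited."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=IMPORT_COLUMNS, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    merged_rows, unmatched_rows = merge_exports(SIS_EXPORT, IDP_EXPORT)
    print(to_import_csv(merged_rows), end="")  # save as UTF-8 for the Data Import Manager
    for row in unmatched_rows:
        print(f"unmatched: DCID {row['User DCID']} ({row['SSO User Type']}) {row['Email']}")
```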

Import Merged Files

When a global identifier is defined, a randomly generated username and/or password will be populated if the value of the field is blank. The randomly generated username will start with ~~.

Once you have merged the PowerSchool SIS user export files and the identity provider user export file, you can then import it into the PowerSchool SIS. Using the Data Import Manager, you can import new global identifiers, as well as update and delete existing global identifiers of users in PowerSchool. To import a contact global identifier, it is required that the contact has an access account existing in PowerSchool. Having an access account is not required for other user types. The following fields are required for importing global ID for each user type:

  • User DCID: The DCID field from the Users table. Required to import a staff global identifier or teacher global identifier.

  • Student DCID: The DCID field from the Students table. Required to import a student global identifier.

  • Person ID: The ID field from the Person table. Required to import a contact global identifier.

  • SSO User Type: Required to import a global identifier for all user types. The supported values are STAFF, TEACHER, STUDENT, PARENT.

  • Global Identifier: Required to import a global identifier for all user types. If the user has no global identifier, it will be created for the user. If the user already has a global identifier, it will be updated. To delete the global identifier of the user, specify #delete.

Import File

  1. In PowerSchool SIS for Administrators, navigate to the Data Import Manager page.

  2. Select the source and target:

    1. Choose the file you want to import.

    2. Choose SSO User Mapping as the Import Into.

    3. Choose Comma as the Field Delimiter.

    4. Choose Unicode as the Character Set.

  3. Click Next.

  4. Click Next.

  5. Click Import.

Verify Imported Merged Files

Once the PowerSchool SIS user export files and the identity provider user export file are merged into one file and imported back into the PowerSchool SIS, you will want to verify that your identity provider's global identifier appears in the PowerSchool SIS. Re-run the exports to ensure that Global ID column data appears as expected.

Step 6: Test SSO for Personas

After mapping the users from the identity provider to the PowerSchool SIS, test the SSO connection between your identity provider and the PowerSchool SIS as the service provider. To test a persona, enable OIDC authentication and then verify that you can sign in to the respective portal. Be sure to test each persona in another browser or using an incognito window before ending your current session.

Enabling OIDC authentication for users without also defining Global Identifiers for users will prevent users from being able to sign in.

  1. In PowerSchool SIS for Administrators, navigate to the OIDC Authentication page.

  2. Select Enable OIDC Authentication for the persona you want to test. It is recommended that you first test teachers, then parents, then students, and finally staff.

  3. Click OK.

  4. Click Submit, but do not close the window.

  5. Based on your Step 3 selection, choose the user you want to test.

  6. Open a new private browser window.

  7. Based on your Step 3 selection, enter the URL of your district's PowerSchool SIS Teacher, Student and Parent, or Admin portal and press ENTER or RETURN. The PowerSchool SIS portal should redirect to the IdP's sign-in page.

  8. Sign in with the user's credentials. For teacher, parent, and student, if the PowerSchool SIS portal launches, the setup has been configured properly. For staff, if the PowerSchool SIS Admin portal launches and you are expelled from your first session, as you are only allowed one session at a time, the setup has been configured properly.

  9. For parent and student, open the PowerSchool Mobile app. Sign in with the user's credentials.

Step 7: Enable OIDC Authentication

The final step of setting up the PowerSchool SIS as OIDC Service Provider is to enable OIDC authentication.

  1. In PowerSchool SIS for Administrators, navigate to the OIDC Authentication page.

  2. Select Enable OIDC Authentication for the user you want to enable.

  3. Click OK.

  4. Click Submit.

Usernames and Passwords

When OIDC authentication is enabled, usernames and passwords for Teacher users, Parent users, Student users, and Staff users are replaced with a global identifier.

Manage Global Identifiers

After initially setting up PowerSchool SIS as an OIDC service provider, you may find that you need to add, edit, or delete a global identifier for one or more users. Users must be active and have SSO enabled for their user type.

You can add, edit, or delete global identifiers for multiple users or for individual users.

Manage Global Identifier for Individual Users

  1. For staff member and teacher users:

    1. Navigate to the Admin Access and Roles page.

    2. Enter the teacher's Identity Provider Global ID.

    3. Click Submit.

  2. For a student contact user:

    1. Navigate to the contact's page.

    2. Scroll to the Web Account Access section.

    3. Click Add Account or Edit Account.

    4. Enter the contact's Global Identifier.

    5. Click Submit.

  3. For a student user:

    1. Navigate to the Guardian and Student Account Access page.

    2. Enter the student's Student Global Identifier.

    3. Click Submit.

Troubleshooting Errors

The following is a list of issues you may encounter and what may cause the issue.

Issue: HTTP Status 401 - Authentication Failed: OpenID Connect User not authorized for the application
Possible cause: A PCAS_ExternalAccountMap record matching the UserType and OpenIDUserAccountID could not be found.

Issue: HTTP Status 401 - Authentication Failed
Possible cause: The id_token returned by the 3rd Party IdP failed validation. A possible reason is that the PS SIS server time is at least one minute slower than the 3rd Party IdP server time.

Issue: HTTP Status 401 - Authentication Failed: No Issuer found: null
Possible cause: Because there is no value, or the value is wrong, for the com.powerschool.openidconnect.sp.idp-url configitem record, the SIS cannot validate the issuer and does not know where to redirect the users. Alternatively, because the cert chain is incomplete, the SIS is unable to load the 3rd Party IdP's configuration via the /.well-known/openid-configuration endpoint.

Issue: HTTP Status 401 - Authentication Failed: No PCAS_Account found for token.
Possible cause: The SIS is unable to find a user based on the Identifying Claim through the PCAS_ExternalAccountMap.

Issue: HTTP Status 401 - Authentication Failed: OpenID Connect User not authorized for the application
Possible cause: PCAS_Account.IsEnabled=0 due to no username or password for the Student, Teacher, or Admin. In order for a PCAS_Account to be marked as enabled, a username and password must be defined. Password fields should be long (12+ character) unique random values.

Issue: HTTP Status 401 - Authentication Failed: Unable to obtain Access Token: 401 Unauthorized
Possible cause: The client ID or secret does not line up with the values in the third-party IdP.

Issue: HTTP Status 401 - Authentication Failed: Unable to find an appropriate signature validator for ID Token
Possible cause: Can occur after a DNS name change. Restarting the PowerSchool SIS resolves this issue in most cases.

Issue: HTTP Status 500 - java.lang.NullPointerException com.powerschool.sp.PSSPAuthenticationSuccessHandler.onAuthenticationSuccess(PSSPAuthenticationSuccessHandler.java:124) com.powerschool.sp.PSSPAuthenticationSuccessHandler$$FastClassBySpringCGLIB$$cc83666e.invoke(<generated>) com.powerschool.sp.PSSPAuthenticationSuccessHandler$$EnhancerBySpringCGLIB$$f48d9dd.onAuthenticationSuccess(<generated>) org.mitre.openid.connect.client.OIDCAuthenticationFilter$TargetLinkURIAuthenticationSuccessHandler.onAuthenticationSuccess(OIDCAuthenticationFilter.java:716)
Possible cause: Teachers are not set to active for a school, and the SIS cannot find an affiliated school for the user since they are not active.
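An added triage helper (not part of PowerSchool) that checks a decoded id_token payload against the Step 3 settings and a stand-in for the PCAS_ExternalAccountMap, and names which of the causes above applies. The config values, the account map and the token claims are all constructed; signature and cert-chain validation are assumed to happen before this check.

```python
import time

# Constructed Step 3 values for a Microsoft IdP; tenant and client id are placeholders.
SIS_CONFIG = {
    "idp_url": "https://login.microsoftonline.com/<TenantID>/v2.0",  # expected iss
    "client_id": "<client id from the app registration>",            # expected aud
    "identifying_claim": "oid",                                      # Microsoft suggestion
}

# Constructed stand-in for the PCAS_ExternalAccountMap / PCAS_Account lookup:
# (SSO user type, identifying claim value) -> account state.
ACCOUNT_MAP = {
    ("TEACHER", "5f1c0d2e-0000-4000-8000-000000000002"): {"dcid": 102, "is_enabled": True},
    ("TEACHER", "5f1c0d2e-0000-4000-8000-000000000003"): {"dcid": 103, "is_enabled": False},
}

CLOCK_SKEW_SECONDS = 60  # the "at least one minute slower" threshold from the table


def triage_id_token(claims, user_type, config=SIS_CONFIG, account_map=ACCOUNT_MAP, now=None):
    """Return (code, explanation) findings for a decoded id_token payload.

    Signature verification is assumed to be done already; this covers the claim-level
    and user-mapping causes listed in the troubleshooting table.
    """
    now = time.time() if now is None else now
    findings = []
    if not config.get("idp_url"):
        findings.append(("no_issuer", "idp-url configitem is empty: SIS cannot validate iss"))
    elif claims.get("iss") != config["idp_url"]:
        findings.append(("issuer", f"iss {claims.get('iss')!r} does not match the configured IdP URL"))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if config["client_id"] not in audiences:
        findings.append(("audience", "aud does not contain this client id: token issued for another app"))
    if claims.get("exp", 0) + CLOCK_SKEW_SECONDS < now:
        findings.append(("expired", "exp is in the past"))
    if claims.get("iat", 0) > now + CLOCK_SKEW_SECONDS:
        findings.append(("clock_skew", "iat is more than a minute ahead of the SIS clock: sync server time"))
    ident = claims.get(config["identifying_claim"])
    if ident is None:
        findings.append(("claim_missing", f"no {config['identifying_claim']!r} claim: check scopes/optional claims"))
    else:
        account = account_map.get((user_type, ident))
        if account is None:
            findings.append(("unmapped", "no PCAS_ExternalAccountMap row for this user type and claim value"))
        elif not account["is_enabled"]:
            findings.append(("disabled", "PCAS_Account.IsEnabled=0: user has no username/password defined"))
    return findings
```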

Disable PowerSchool SIS as OIDC Service Provider

To no longer use PowerSchool SIS as OIDC Service provider, you can disable the plugin from the Plugin Management Configuration page.

  1. Navigate to the Plugin Configuration page.

  2. Select Enable/Disable next to PowerSchool SIS as OIDC Service Provider.

  3. Click Disable.

If the plugin is enabled again, the OIDC settings will remain the same from when the plugin was previously enabled.
