PowerSchool SIS as SAML Service Provider
PowerSchool can be configured as a SAML service provider for single sign-on, which allows authorized users to use the PowerSchool SIS Admin portal, the PowerSchool SIS Teacher portal, and the PowerSchool SIS Student and Parent portal as the central location from which to access their PowerSchool systems with a single set of credentials. For information about creating a SAML Service Provider plugin in order to configure the PowerSchool SIS as a SAML Service Provider, refer to the PowerSchool as a SAML Service Provider section of the PowerSchool Developer Site.
To set up PowerSchool SIS as a SAML Service Provider, perform the following setup items in the order in which they appear.
Step 1: Enable SAML Service Provider
Use the Plugin Management Dashboard to enable the SAML Service Provider plugin. Enabling the plugin establishes the PowerSchool SIS as a SAML service provider.
- Navigate to the Plugin Configuration page.
- Select Enable/Disable next to the SAML Service Provider plugin that was previously installed.
- Click Enable.
Step 2: Configure SAML Service Provider
Use the SAML Service Provider Setup page to configure the settings needed for establishing a successful SSO connection between an identity provider and the PowerSchool SIS as the service provider.
- Navigate to the Plugin Configuration page.
- Select the plugin name for the SAML Service Provider plugin that was previously installed.
- Click SAML Service Provider.
- In the External Identity Provider Settings section:
  - Enter the external identity provider's public URL for Entity ID.
  - Enter the service provider's Metadata URL. The value is supplied by the service provider, which allows the IDP to communicate with the service provider application.
  - Click View IDP Metadata to view the external identity provider's IDP Metadata, which must match what is stored in the PowerSchool SIS. This information can be used to diagnose communication issues.
- In the Local Service Provider Settings section, enter the local service provider's name.
- In the Advanced SAML Service Provider Settings:
  - Enter the Assertion Subject NameIdentifier to change the attribute PowerSchool SIS evaluates from the SAML Response. By default, PowerSchool SIS uses the authenticationId attribute from the SAML response to access the state-id or psguid value. When this value is blank, authenticationId is used.
  - Select Enable forceAuth if your SAML IdP supports forceAuth and has a long assertion lifespan. When enabled, PowerSchool SIS will force re-authentication against the SAML IdP if the SAML assertion is no longer valid.
- Click Save.
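The View IDP Metadata step above says the IdP metadata must match what PowerSchool SIS has stored. The following added example (not PowerSchool code) compares two copies of SAML 2.0 IdP metadata on the fields that usually cause a mismatch: entityID, signing certificates, and SingleSignOnService endpoints. The function names, sample URLs, and placeholder certificates are assumptions constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for metadata from an untrusted source, parse with defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize(metadata_xml):
    """Pull out the fields that must agree between two copies of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    # Metadata is either a bare EntityDescriptor or one wrapped in EntitiesDescriptor.
    entity = root if root.tag == "{%s}EntityDescriptor" % NS["md"] else root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # a KeyDescriptor without "use" is valid for signing too
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            certs.add(hashlib.sha256(der).hexdigest())
    sso = {(s.get("Binding"), s.get("Location")) for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": entity.get("entityID"), "signing_certs": certs, "sso": sso}

def compare(stored_xml, live_xml, configured_entity_id):
    """Return human-readable mismatches; an empty list means the copies agree."""
    stored, live = summarize(stored_xml), summarize(live_xml)
    problems = []
    if stored["entity_id"] != configured_entity_id:
        problems.append("configured Entity ID does not match stored metadata")
    if stored["entity_id"] != live["entity_id"]:
        problems.append("entityID differs between stored and live metadata")
    if stored["signing_certs"] != live["signing_certs"]:
        problems.append("signing certificates differ (IdP key rotated or wrong metadata)")
    if stored["sso"] != live["sso"]:
        problems.append("SingleSignOnService endpoints differ")
    locations = sorted(loc or "" for _, loc in live["sso"])
    return problems + ["SSO endpoint is not HTTPS: %s" % l for l in locations if not l.startswith("https://")]

# Constructed sample input: placeholder bytes stand in for DER certificates.
CERT_A = base64.b64encode(b"constructed placeholder cert A").decode()
CERT_B = base64.b64encode(b"constructed placeholder cert B").decode()

def sample_metadata(entity_id, cert_b64, sso_url):
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{sso_url}"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Pass the text shown by View IDP Metadata as `stored_xml`, a copy downloaded directly from the IdP as `live_xml`, and the value entered for Entity ID as `configured_entity_id`.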
Step 3: Enable SAML Authentication
Use the Enable SAML Authentication page to enable SAML single sign-on, which allows authorized users to use the PowerSchool SIS Admin portal, the PowerSchool SIS Teacher portal, and the PowerSchool SIS Student and Parent portal as the central location from which to access their PowerSchool systems with a single set of credentials.
- Navigate to the Enable SAML Authentication page.
- To enable SAML Single Sign-On for PowerSchool, select Enable SAML Authentication for Admin Users.
- To enable SAML Single Sign-On for the PowerSchool SIS Teacher portal, select Enable SAML Authentication for Teacher Users.
- Click Submit.