Skip to main content
Skip table of contents

Employee Records Single Sign-On

Single sign-on authentication for users is supported for Unified Talent Employee Records using an external identity provider, such as Google or Microsoft. Employee Records is part of a group of Unified Talent products that use the same configuration for SSO. When you enable SSO for Employee Records, it is also enabled for Application Tracking and Perform.

The following scopes are requested as part of this authentication: openid (indicates that the application is using OIDC), profile (user's information), email.


  • The identity provider must be supported. The certified identity providers are Microsoft and Google. 
  • Support for the OIDC standard. Mobile Apps require Authorization Code PKCE Flow support.
  • User accounts must be provisioned for the identity provider.
  • Your district must use the latest version of the Data Import Tool. If you are using Sync 1 or Sync 2, you must upgrade to the latest tool. When you contact PowerSchool to start setting up SSO, indicate that your district needs to upgrade from the legacy tool.
  • The Global ID field in Employee Records must match the selected Claim from the identity provider.

Set up Single Sign-On

This procedure is an overview of the steps involved in setting up single sign-on. 

Applicant Tracking, Perform, and Employee Records use the same set of user records. If users were already mapped for one of these products, skip Step 2.

  1. Contact PowerSchool to start setting up SSO. 
  2. Map your user accounts to the global ID you are using from the identity provider in the staff import file. Move the spreadsheet to the standard location for integrating files with Applicant Tracking, Employee Records, and Perform so the file can be synchronized with the applications.
  3. PowerSchool will provide the Redirect URI for the application.
  4. In the identity provider, add the application registration and configure the OIDC application.
  5. Record the following information as you register the application:
    • Client ID
    • Client Secret
    • Claim used for the Global ID
  6. Send the information for the application to the PowerSchool Implementation or Support team member so they can configure and enable SSO. Do not include the client ID and client secret in the same email.
  7. The PowerSchool team member will send you the URL for SSO. Distribute the URL to users so they can start using SSO.

Frequently Asked Questions

When a user signs out, are they signed out of the identity provider?

Single sign-out is not supported at this time. Users are not signed out of the identity provider or other PowerSchool products when they sign out. Refer users to the appropriate location to sign out of the identity provider. 

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.