PowerSchool Enrollment supports single sign-on (SSO) authentication for administrative users through third-party identity providers (IdPs), such as Google and Microsoft.
- The identity provider must be supported. The certified identity providers are Microsoft and Google.
- The identity provider must support the OIDC standard. Mobile apps require Authorization Code PKCE Flow support.
- User accounts must be provisioned for the identity provider.
- The Global Identifier field in Enrollment must match the selected Claim for the identity provider.
Set up Single Sign-On
This procedure is an overview of the steps involved in setting up single sign-on.
- Contact PowerSchool to start setting up SSO.
- In the identity provider, add the application registration and configure the OIDC application.
- Record the following information as you register the application:
  - Issuer URL
  - Client ID
  - Client Secret
  - Global Identifier Claim (“email” if using Google, “oid” if using Microsoft, “upn” if using Microsoft AD FS)
  - Scopes (“openid email profile” if using Google or Microsoft)
- Send the information for the application to the PowerSchool Implementation or Support team member so they can configure and enable SSO. Do not include the client ID and client secret in the same email.
- The PowerSchool team member will send you the URL for SSO. Distribute the URL to users so they can start using SSO.
- Map your user accounts to the global ID you are using from the identity provider. Refer to Export and Import User Accounts procedures in PowerSchool Enrollment Admin Help.
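Before sending the recorded values to PowerSchool, they can be compared with the OIDC metadata the identity provider publishes. The following Python check is an added example, not PowerSchool code; the function names, the idp.example.edu issuer and the sample metadata are constructed for illustration.

```python
def discovery_url(issuer_url):
    """Location of the provider metadata defined by OIDC Discovery."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def check_idp_metadata(meta, issuer_url, claim, scopes):
    """Compare recorded SSO values with IdP metadata; return (errors, warnings)."""
    errors, warnings = [], []
    if not issuer_url.startswith("https://"):
        errors.append("issuer URL must use https")
    # The metadata "issuer" must equal the recorded Issuer URL exactly;
    # a trailing slash or a different tenant path counts as a mismatch.
    if meta.get("issuer") != issuer_url:
        errors.append(f"issuer mismatch: metadata has {meta.get('issuer')!r}")
    if "code" not in meta.get("response_types_supported", []):
        errors.append("response_type 'code' (authorization code flow) not advertised")
    # PKCE methods are an optional metadata field (RFC 8414), so absence is
    # only a warning; a list without S256 is a real problem for mobile apps.
    methods = meta.get("code_challenge_methods_supported")
    if methods is None:
        warnings.append("PKCE methods not advertised; confirm S256 with the IdP")
    elif "S256" not in methods:
        errors.append("PKCE S256 not offered; mobile apps need Authorization Code PKCE")
    requested = scopes.split()
    if "openid" not in requested:
        errors.append("scopes must include 'openid'")
    # scopes_supported / claims_supported may be incomplete, so only warn.
    advertised_scopes = meta.get("scopes_supported")
    if advertised_scopes is not None:
        for s in requested:
            if s not in advertised_scopes:
                warnings.append(f"scope {s!r} not advertised")
    advertised_claims = meta.get("claims_supported")
    if advertised_claims is not None and claim not in advertised_claims:
        warnings.append(f"claim {claim!r} not advertised; check a real ID token")
    return errors, warnings


# Constructed sample metadata (not taken from a real identity provider).
SAMPLE_META = {
    "issuer": "https://idp.example.edu",
    "response_types_supported": ["code", "id_token"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "name"],
}

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_META, "https://idp.example.edu", "email", "openid email profile"))
```

An error means the recorded value will not work as written; a warning means the metadata does not confirm the value, so verify it in the identity provider's console or in a test ID token.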
Frequently Asked Questions
What happens if a user attempts to sign in using the previous URL that did not use SSO?
An alert appears indicating that the user cannot sign in. They can then click the Sign in with your school's/district's SSO (single sign-on) provider link to access the appropriate URL.
When a user logs out, are they logged out of the identity provider?
Single sign-out is not supported at this time. Users are not signed out of the identity provider or other PowerSchool products when they sign out. Refer users to the appropriate location to sign out of the identity provider.