eSchoolPlus Single Sign-On
PowerSchool eSchoolPlus SIS supports single sign-on (SSO) using third-party identity providers, such as Google and Microsoft. eSchoolPlus SIS consists of several applications, and each one you use must be registered as an application in the identity provider. Refer to the Register Applications with the Identity Provider section below for more details.
eSchoolPlus supports SSO for the following user accounts:
- Administrators (users of eSchoolPlus SIS)
- Staff (users of Teacher Access Center)
- Parents
- Students
You must use the same identity provider for Administrators and Staff. You can use a different identity provider for Home Access Center users. For example, you could use Microsoft as the identity provider for students and use Google for parents.
The authentication request asks for the following scopes: openid (required; it marks the request as OIDC and causes an ID token to be returned), profile (the user's basic profile claims), and email (the user's email address claim).
Prerequisites
- Minimum eSchoolPlus version 20.4.0.0.
- The identity provider must be supported. The certified identity providers are Microsoft and Google.
- The identity provider must support the OIDC standard. The mobile apps are public clients and require the Authorization Code flow with PKCE.
- User accounts must be provisioned in the identity provider.
- The Global ID value stored in eSchoolPlus must match the value of the claim you select for the identity provider. This claim value is the only link between an identity-provider login and an eSchoolPlus account.
Set up Single Sign-On
Your implementation of eSchoolPlus determines whether you have a self-service option to configure SSO for eSchoolPlus. For Cloud customers, PowerSchool must configure and enable SSO.
- Contact PowerSchool to start setting up SSO.
- Map each user account to the unique identifier the identity provider will send by populating the Global ID field. First run Export User Account Information to export a spreadsheet of user accounts. Enter each user's unique identifier in the GlobalID column. Then use the Import User Account Information utility to upload the Global ID values into the system. Every Global ID must be unique: two accounts that share a value would both be reachable from one identity-provider login.
- PowerSchool will provide the Redirect URIs for the eSchoolPlus applications.
- In the identity provider, add the application registration and configure the OIDC application. eSchoolPlus has multiple applications to register if you want to enable SSO. Record the following information as you register applications; you will need to provide it when setting up SSO.
- Issuer/Authority URL
- Claim for Global ID - the claim whose value identifies the user within the identity provider; choose a stable identifier that does not change when the user is renamed
- Client ID
- Client Secret
- Tenant ID from the identity provider, if provided
- If your district uses Whiteboard, also record the Client ID and, if the identity provider issues one, the Client Secret for the public or native application. Some identity providers do not issue a Client Secret for public applications, so you may have nothing to provide.
- Configure and enable SSO for eSchoolPlus.
- For districts that run eSchoolPlus on Cloud, contact PowerSchool to enable SSO. Provide the application information you recorded.
- For districts that run eSchoolPlus on premise, use the District Configuration Utility to define a tenant for the identity provider and assign a tenant to the application on the District Information Window. Refer to Define Tenants for Applications.
- After SSO has been enabled, share the appropriate application URL for end users so they can start using SSO.
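The two security-critical pieces of the procedure above are the Global ID mapping (step 2) and the claim match it enables (the Prerequisites section). The following Python script is an added example, not PowerSchool code. It checks an exported user spreadsheet for blank and duplicate Global IDs before import, and then shows how a verified ID token's claims should be resolved to exactly one eSchoolPlus account. The column names Login and GlobalID, the issuer URL, the client ID, and the choice of the oid claim are assumptions; signature verification of the token is left to the OIDC library.

```python
import csv
import io
import time

# Constructed placeholders, not real values.
ISSUER = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
CLIENT_ID = "00000000-aaaa-bbbb-cccc-000000000000"
GLOBAL_ID_CLAIM = "oid"   # assumption: the claim the district selected for Global ID

# Constructed sample of an exported user spreadsheet. Column names are an
# assumption; the real export may differ. Rows: one good, one blank, two
# that share a Global ID.
SAMPLE_EXPORT = """Login,GlobalID
jsmith,00000000-1111-2222-3333-444444444444
bjones,
mlee,00000000-1111-2222-3333-444444444444
kpatel,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
"""


def check_global_ids(csv_text):
    """Pre-import check. Returns (problems, mapping): a list of findings and
    a GlobalID -> Login dict containing only unambiguous rows."""
    rows = [(r["Login"].strip(), (r.get("GlobalID") or "").strip())
            for r in csv.DictReader(io.StringIO(csv_text))]
    counts = {}
    for _, gid in rows:
        if gid:
            counts[gid] = counts.get(gid, 0) + 1
    problems, mapping = [], {}
    for login, gid in rows:
        if not gid:
            problems.append(f"{login}: blank GlobalID, this user cannot sign in with SSO")
        elif counts[gid] > 1:
            # A shared Global ID would let one IdP identity reach several accounts.
            problems.append(f"{login}: GlobalID {gid} is shared by {counts[gid]} accounts")
        else:
            mapping[gid] = login
    return problems, mapping


def resolve_account(claims, mapping, issuer, client_id, global_id_claim, now=None):
    """Map the claims of a signature-verified ID token to exactly one login.
    Raises PermissionError otherwise. Deliberately no fallback to another
    claim (for example email) when the configured claim is absent."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise PermissionError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token was not issued to this client id")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    value = claims.get(global_id_claim)
    if not value:
        raise PermissionError(f"claim {global_id_claim!r} missing from token")
    login = mapping.get(str(value).strip())
    if login is None:
        raise PermissionError("no eSchoolPlus account carries this Global ID")
    return login


if __name__ == "__main__":
    problems, mapping = check_global_ids(SAMPLE_EXPORT)
    for p in problems:
        print("FIX BEFORE IMPORT:", p)
    # Constructed claims, as an OIDC library returns them after verification.
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "exp": time.time() + 300,
              "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "email": "kpatel@example.org"}
    print("signed in as", resolve_account(claims, mapping, ISSUER, CLIENT_ID, GLOBAL_ID_CLAIM))
```

Run the pre-import check on the exported spreadsheet and fix every finding before using Import User Account Information; the resolver shows why: a blank or shared Global ID either locks the user out of SSO or makes the match ambiguous, and the only safe answer to an ambiguous match is to deny the login.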
Register Applications with the Identity Provider
When you add OIDC applications in the identity provider, you will need the Redirect URI for each of the applications that your district uses. The following applications are part of eSchoolPlus:
- eSchoolPlus SIS
- Teacher Access Center
- Home Access Center
- Enrollment Online Administrator
- Enrollment Online Registrar
- Whiteboard (No redirect URI is required)
- Admin Mobile app
- Family Mobile app
Whiteboard and the mobile apps are native applications rather than web applications, so they are registered as public clients. If your district uses Whiteboard or one of the mobile apps, set it up following the specific instructions below.
Whiteboard
Google
- Create a separate OAuth 2.0 Client ID under Credentials.
- At the Authentication Type field, select Other (the current Google Cloud console labels this option Desktop app). Then, in the Name field, enter text indicating that this Client ID will be used for eSchoolPlus desktop applications. No Redirect URI is provided for this application.
- Record the Client ID and Client Secret.
Microsoft
- Create a separate app registration in Azure Active Directory (now Microsoft Entra ID).
- Complete the app registration.
- Click the Add a Redirect URI link.
- Click Add a Platform, and then select Mobile and desktop applications.
- In the Configure Desktop + devices drawer, enter http://localhost in the Custom redirect URIs section. This is the loopback redirect that desktop clients use to receive the authorization response; it never leaves the machine.
- Click Configure.
- From the Overview page, copy the Application (client) ID. No Client Secret is generated: Whiteboard is a public client that cannot keep a secret confidential, so Microsoft does not require one.
Admin Mobile and Family Mobile
When setting up the tenant for SSO in the District Configuration Utility, enter the settings for the Family Mobile app on the tenant that is used for Home Access Center.
Google
If your district is using Google as the identity provider for the users who access the application, there are no additional steps to set up the apps in the identity provider.
Contact PowerSchool for the Client IDs to enter when setting up the tenant for iOS Family Mobile, iOS Admin Mobile, Android Family Mobile, and Android Admin Mobile.
Microsoft
When setting up the tenant for SSO in the District Configuration Utility, you will use the same Client ID for iOS Family Mobile, iOS Admin Mobile, Android Family Mobile, and Android Admin Mobile.
- Create a separate app registration in Azure Active Directory (now Microsoft Entra ID).
- Complete the app registration.
- Click the Add a Redirect URI link.
- Click Add a Platform, and then select Mobile and desktop applications.
- In the Configure Desktop + devices drawer, enter the Redirect URIs for the applicable apps. These are custom URL schemes, so only the installed app can receive the callback.
- Admin Mobile app: com.sungardps.plus360admin://oidc/cb
- Family Mobile app: com.sungardps.plus360home://oidc/cb
- Click Configure.
- From the Overview page, copy the Application (client) ID. No Client Secret is generated: the mobile apps are public clients that cannot keep a secret confidential, so Microsoft does not require one.
- Add permissions to access the Microsoft Graph API. Set up delegated permissions for:
- offline_access
- openid
- profile
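The mobile registrations above have no Client Secret, which is why the Prerequisites section requires the Authorization Code flow with PKCE: the code verifier, together with the state and nonce values, is what binds the callback and the token exchange to the request the app started. The following Python script is an added example, not PowerSchool or Microsoft code, showing the client side of that flow with the Redirect URIs and delegated permissions listed above. The tenant ID, client ID and authorization code are constructed placeholders; the token POST itself and ID token signature verification are left to the HTTP and OIDC libraries. The same flow applies to Whiteboard with its http://localhost redirect.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not real values.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
SCOPES = "openid profile offline_access"   # the delegated permissions listed above

# Redirect URIs from the documentation. Custom schemes: only the installed
# app is registered with the OS to receive them.
REDIRECT_URIS = {
    "admin": "com.sungardps.plus360admin://oidc/cb",
    "family": "com.sungardps.plus360home://oidc/cb",
}


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 method: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_verifier() -> str:
    """32 random bytes give a 43-character verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def build_authorization_request(app: str, client_id: str):
    """Return (url, pending). The app keeps pending until the callback arrives;
    it holds the values that tie the callback and token exchange to this request."""
    pending = {
        "app": app,
        "verifier": new_verifier(),
        "state": secrets.token_urlsafe(16),   # protects the callback against CSRF
        "nonce": secrets.token_urlsafe(16),   # echoed back inside the ID token
    }
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URIS[app],
        "scope": SCOPES,
        "state": pending["state"],
        "nonce": pending["nonce"],
        "code_challenge": pkce_challenge(pending["verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", pending


def parse_callback(callback_url: str, pending: dict) -> str:
    """Validate the redirect the OS hands to the app and return the code."""
    p = urlparse(callback_url)
    received = f"{p.scheme}://{p.netloc}{p.path}"
    if received != REDIRECT_URIS[pending["app"]]:
        raise ValueError(f"callback delivered to unexpected URI {received}")
    q = parse_qs(p.query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch: callback does not belong to this request")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str, client_id: str, pending: dict) -> dict:
    """Form fields for the POST to TOKEN_ENDPOINT. There is no client_secret;
    the code_verifier proves that this app is the one that started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": REDIRECT_URIS[pending["app"]],
        "code_verifier": pending["verifier"],
        "scope": SCOPES,
    }


def check_id_token_nonce(claims: dict, pending: dict) -> bool:
    """After the OIDC library has verified the ID token signature, the nonce
    claim must equal the one sent in the authorization request."""
    return claims.get("nonce") == pending["nonce"]


if __name__ == "__main__":
    client_id = "00000000-aaaa-bbbb-cccc-000000000000"   # constructed
    url, pending = build_authorization_request("family", client_id)
    print(url)
    # Constructed callback, as the OS would deliver it to the Family Mobile app.
    cb = f"com.sungardps.plus360home://oidc/cb?code=AUTHCODE&state={pending['state']}"
    print(build_token_request(parse_callback(cb, pending), client_id, pending))
```

The checks in parse_callback are the ones that matter on a device: a callback that arrives on the wrong scheme, with a different state, or without a code is dropped before any token exchange, and the verifier never leaves the app until the token POST.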
Application URL for SSO
After you enable single sign-on for an application, share its SSO URL with users. The previous URL keeps working, but it does not use the external identity provider: users who open it log in with the credentials stored in eSchoolPlus. Treat the old URL as a second, password-based login path and decide whether it should remain in use. To support one identity provider for students and another for guardians, the Home Access Center URL includes the persona.

| Application | URL |
|---|---|
| eSchoolPlus SIS | https://<school district domain name>/eSchoolPlus/District/<tenant name> |
| Teacher Access Center | https://<school district domain name>/TAC/District/<tenant name> |
| Home Access Center (Parent) | https://<school district domain name>/HAC/District/Parent/<tenant name> |
| Home Access Center (Student) | https://<school district domain name>/HAC/District/Student/<tenant name> |
Frequently Asked Questions
Where is the Global ID entered in eSchoolPlus?
The Global ID is entered on the following pages:
- Security Profile for eSchoolPlus SIS users
- Staff District Information for staff who use Teacher Access Center
- Student Addresses
- Contacts
When a user signs out, are they signed out of the identity provider?
Single sign-out is not supported at this time. Signing out of eSchoolPlus ends only the eSchoolPlus session; users are not signed out of the identity provider or of other PowerSchool products. On a shared computer this means the next person can re-enter through SSO without entering credentials, so refer users to the appropriate location to sign out of the identity provider as well.