FAQ: Setting up SSO
The following content is provided to help administrators set up SSO by answering common questions for the certified identity providers. If the answers provided do not correspond to the identity provider's software, refer to the content provided by the identity provider for assistance.
How do I export a list of users from the identity provider?
Refer to the identity provider's documentation for information on how to download a list of users.
For Microsoft, refer to the documentation on the topic of download a list of users from Azure Active Directory portal.
How do I create a single file with user information from my PowerSchool product and the identity provider?
Refer to your spreadsheet tool's documentation on merging columns from two tables. Microsoft Excel's VLOOKUP function can be used to merge the two export files.
How do I know what scopes to use?
PowerSchool applications use the following default scopes that are provided for OIDC: openid, profile, email.
| Scope | Purpose |
|---|---|
| openid | Indicates that the application is using OIDC to verify identity. Required scope. |
| profile | Includes the default profile claims, including name and nickname. |
| Includes the email and email_verified claims. |
You must use these scopes, but you may also include other optional standard scopes or a custom scope defined by your district. For a list of the standard claims, refer to the OpenID Connect Spec: Standard Claims.
When entering a list of scopes, enter a space to separate the values. Do not use a comma or any other delimiter.
How do I find the Issuer URL?
To set up the SSO within the PowerSchool applications, the Issuer URL for authentication is required. The Issuer URL specifies the URL where the service provider can validate that the assertions it receives are issued from the correct identity provider.
| Identity provider | Issuer URL |
|---|---|
| https://accounts.google.com | |
| Microsoft | In the format of: <authentication-endpoint>/<tenant-id>/v2.0
|
How do I find the Tenant ID that is part of the Issuer URL for Microsoft Azure?
The Issuer URL used for Microsoft Azure includes the Tenant ID for your Azure AD tenant. The Tenant ID is not the same as the Tenant Name. It is the value shown in the Directory ID field in the Properties for Azure Active Directory.
- Go to https://portal.azure.com as an admin of the IdP service. Then, search for and select Azure Active Directory.
- Click Azure Active Directory.
- Under Manage, click Properties.
- Copy the value in the Directory ID field.