Skip to main content
Skip table of contents

FAQ: Setting up SSO

The following content is provided to help administrators set up SSO by answering common questions for the certified identity providers. If the answers provided do not correspond to the identity provider's software, refer to the content provided by the identity provider for assistance.

How do I export a list of users from the identity provider?

Refer to the identity provider's documentation for information on how to download a list of users.

For Microsoft, refer to the documentation on the topic of download a list of users from Azure Active Directory portal.

How do I create a single file with user information from my PowerSchool product and the identity provider?

Refer to your spreadsheet tool's documentation on merging columns from two tables. Microsoft Excel's VLOOKUP function can be used to merge the two export files.

How do I know what scopes to use?

PowerSchool applications use the following default scopes that are provided for OIDC: openid, profile, email.

openidIndicates that the application is using OIDC to verify identity. Required scope.
profileIncludes the default profile claims, including name and nickname.
emailIncludes the email and email_verified claims.

You must use these scopes, but you may also include other optional standard scopes or a custom scope defined by your district. For a list of the standard claims, refer to the OpenID Connect Spec: Standard Claims.

When entering a list of scopes, enter a space to separate the values. Do not use a comma or any other delimiter.

How do I find the Issuer URL?

To set up the SSO within the PowerSchool applications, the Issuer URL for authentication is required. The Issuer URL specifies the URL where the service provider can validate that the assertions it receives are issued from the correct identity provider.

Identity providerIssuer URL

In the format of: <authentication-endpoint>/<tenant-id>/v2.0

How do I find the Tenant ID that is part of the Issuer URL for Microsoft Azure?

The Issuer URL used for Microsoft Azure includes the Tenant ID for your Azure AD tenant. The Tenant ID is not the same as the Tenant Name. It is the value shown in the Directory ID field in the Properties for Azure Active Directory.

  1. Go to as an admin of the IdP service. Then, search for and select Azure Active Directory.
  2. Click Azure Active Directory.
  3. Under Manage, click Properties.
  4. Copy the value in the Directory ID field.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.