
PowerSchool ERP Single Sign-On with Google or Microsoft as IdP

Unified Administration PowerSchool ERP supports single sign-on (SSO) authentication for administrative and staff users through third-party identity providers (IdPs), such as Google and Microsoft.

Prerequisites

  • PowerSchool ERP version 19.4.16.0 and later.
  • The identity provider must be supported. The certified identity providers are Microsoft and Google. 
  • The identity provider must support the OIDC standard. Mobile apps require support for the Authorization Code flow with PKCE.
  • User accounts must be provisioned for the identity provider.
  • The SSO Identifier field in PowerSchool ERP must be set to the value of the unique identifier from the identity provider. 
  • A user account for support must exist in the identity provider.

Set up Single Sign-On

This procedure is an overview of the steps involved in setting up single sign-on.  

  1. Contact PowerSchool to start setting up SSO. 
  2. Map your user accounts to the global ID you are using from the identity provider using the SSO Identifier field. First, export a spreadsheet of user accounts by running Export Users for SSO. Update the spreadsheet to enter each user's unique identifier. Then use the Import Global Users utility to map the data file and upload the values to the GLOBAL_USER_SSO_MAPPING table, which assigns the SSO Identifier values to users.
  3. PowerSchool will provide the Redirect URI needed to add the application to the identity provider and the PowerSchool District Application GUID needed to set up the SSO within PowerSchool ERP.
  4. In the identity provider, add the application registration and configure the OIDC application.
  5. Record the following information as you register the application:
    • Issuer URL 
    • Client ID
    • Client Secret
    • Global Identifier Claim (“email” if using Google, “oid” if using Microsoft)
    • Scopes (“openid email profile” if using Google or Microsoft)
  6. Configure and enable SSO for PowerSchool ERP.
    • For districts that run eSchoolPlus on Cloud, contact PowerSchool to enable SSO. Send the information for the application to the PowerSchool Implementation or Support team member so they can configure and enable SSO. Do not include the client ID and client secret in the same email. Also, include the user ID for the support account in your identity provider.
    • For districts that run PowerSchool ERP on premise, use Environment Maintenance to define the AppSwitcher SSO Settings. Refer to the Single Sign-On help topic in the PowerSchool ERP System Administration help.
  7. The PowerSchool team member will send you the URL for SSO. Distribute the URL to users so they can start using SSO.
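
The following is an added example, not PowerSchool tooling: a pre-import check for the spreadsheet edited in step 2, verifying that every SSO Identifier is present, unique, and shaped like the Global Identifier Claim chosen in step 5 (an email address for Google, a GUID for the Microsoft "oid"). The column names user_id and sso_identifier are hypothetical, and comparing identifiers case-insensitively is an assumption.

```python
import csv
import io
import re
import uuid

# Global Identifier Claim per identity provider, as recorded in step 5.
CLAIM_BY_IDP = {"google": "email", "microsoft": "oid"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def valid_identifier(claim, value):
    """True when the value has the shape of the chosen claim."""
    if claim == "email":
        return bool(EMAIL_RE.match(value))
    try:  # the Microsoft "oid" claim is a GUID in canonical form
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def check_mapping(csv_text, idp, user_col="user_id", sso_col="sso_identifier"):
    """Return (row_number, user, problem) tuples; column names are hypothetical."""
    claim = CLAIM_BY_IDP[idp]
    seen = {}  # lower-cased identifier -> first user holding it
    problems = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        user = (row.get(user_col) or "").strip()
        value = (row.get(sso_col) or "").strip()
        key = value.lower()  # assumption: identifiers compare case-insensitively
        if not value:
            problems.append((n, user, "missing SSO Identifier"))
        elif not valid_identifier(claim, value):
            problems.append((n, user, f"not a valid {claim} value"))
        elif key in seen:
            # One identifier on two accounts makes the sign-in mapping ambiguous.
            problems.append((n, user, f"duplicate of {seen[key]}"))
        else:
            seen[key] = user
    return problems

# Constructed sample rows, not real accounts.
SAMPLE = """user_id,sso_identifier
jdoe,jdoe@district.example
asmith,
bkhan,JDoe@district.example
clee,3f2504e0-4f89-11d3-9a0c-0305e82c3301
"""

if __name__ == "__main__":
    for problem in check_mapping(SAMPLE, "google"):
        print(problem)
```

Run the check against the edited export before using Import Global Users, and resolve every reported row first.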

Frequently Asked Questions

When a user logs out, are they logged out of the identity provider?

Single sign-out is not supported at this time. Users are not signed out of the identity provider or other PowerSchool products when they sign out. Refer users to the appropriate location to sign out of the identity provider. 

