PowerSchool SIS OIDC Single Sign-On with External IdP
Single sign-on authentication for users is supported for PowerSchool SIS using the OIDC standard with an external identity provider, such as Google or Microsoft.
The following scopes are requested during this authentication: openid (indicates that the application is using OIDC), profile (the user's profile information), and email (the user's email address).
Prerequisites
- Minimum PowerSchool SIS 20.11.0.0.
- The identity provider must be supported. The certified identity providers are Microsoft and Google.
- Only one identity provider may be used at a given time.
- The identity provider must support the OIDC standard. Mobile apps additionally require support for the Authorization Code flow with PKCE.
- User accounts must be provisioned for the identity provider.
- The Global Identifier field in PowerSchool SIS must match the selected Claim from the identity provider.
To enable Application Switching from PowerSchool SIS, the PowerSchool new experience must be enabled.
Before proceeding, ensure that the following are not enabled:
Set up Single Sign-On
This procedure is an overview of the steps involved in setting up single sign-on.
- Enable the PowerSchool SIS as OIDC Service Provider plugin from System > Server > System Settings > Plugin Management Configuration.
- Register the SIS application with the identity provider. If you are enabling SSO for students and parents using Microsoft and your district uses the PowerSchool Mobile app, you must also create an application for the PowerSchool Mobile app.
- Record the following information as you register the application:
  - Client ID
  - Client Secret
  - Claim used as the user's unique ID at the identity provider
- In PowerSchool SIS, use District > System > Security > OIDC Authentication Setup to enable OIDC authentication and set up the identity provider values. Do not turn on OIDC authentication for users at this time.
- If you are enabling SSO for students and parents and your district uses the PowerSchool Mobile app, you must also set up OIDC authentication for the PowerSchool Mobile app.
- Map your user accounts to the global ID you are using from the identity provider:
  - Use the PowerSchool SIS Data Export Manager to export the staff information.
  - Export users from the identity provider.
  - Merge data from the export files from the SIS and the identity provider.
  - Use the PowerSchool SIS Data Import Manager to load the staff information.
- In PowerSchool SIS, use the OIDC Authentication Setup to enable OIDC authentication for the users. To limit disruption, it is recommended that you enable OIDC authentication after hours, and that you enable it for a persona other than staff first to confirm that SSO works; this reduces the risk that you are unable to sign in after enabling it.
- Test that the setup was successful by attempting to sign in as a teacher and a staff user.
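The merge step above is where most SSO mapping problems originate: a Global Identifier that does not exactly match the claim value, or a user present in one export but not the other. The following script is an added example, not PowerSchool's own tooling, that joins a constructed SIS staff export to a constructed identity provider export on email (case-insensitively), fills the Global Identifier with the IdP's unique-ID claim, refuses duplicate claim values, and reports SIS users with no IdP match. The column names (Teacher_Number, Email_Addr, Global_Identifier, email, object_id) are assumptions; use the fields you chose in the Data Export Manager and in your IdP's export.

```python
import csv
import io

# Constructed sample exports (not real district data). Column names are assumptions.
SIS_STAFF_EXPORT = """\
Teacher_Number,Email_Addr,Global_Identifier
1001,jsmith@district.example,
1002,amartinez@district.example,
1003,bwong@district.example,
"""

IDP_USER_EXPORT = """\
email,object_id
jsmith@district.example,8f6c2c1e-1111-4c2a-9d2a-aaaaaaaaaaaa
AMartinez@District.Example,9b7d3d2f-2222-4d3b-8e3b-bbbbbbbbbbbb
cnew@district.example,0c8e4e30-3333-4e4c-9f4c-cccccccccccc
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def merge_global_ids(sis_rows, idp_rows, sis_email="Email_Addr",
                     idp_email="email", claim="object_id"):
    """Join SIS staff rows to IdP users on email and copy the IdP claim into the
    Global Identifier. Returns (import_rows, unmatched_teacher_numbers)."""
    by_email, seen_claims = {}, set()
    for r in idp_rows:
        key = r[idp_email].strip().lower()
        value = r[claim].strip()
        if not value or key in by_email or value in seen_claims:
            # An empty or duplicated unique ID would map two accounts to one identity.
            raise ValueError(f"bad or duplicate IdP record for {key!r}")
        by_email[key] = value
        seen_claims.add(value)
    import_rows, unmatched = [], []
    for r in sis_rows:
        gid = by_email.get(r[sis_email].strip().lower())
        if gid:
            import_rows.append({"Teacher_Number": r["Teacher_Number"],
                                "Global_Identifier": gid})
        else:
            unmatched.append(r["Teacher_Number"])  # review by hand before enabling SSO
    return import_rows, unmatched


def build_import_file(sis_csv=SIS_STAFF_EXPORT, idp_csv=IDP_USER_EXPORT):
    """Produce the CSV text to load with the Data Import Manager."""
    rows, unmatched = merge_global_ids(parse_csv(sis_csv), parse_csv(idp_csv))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["Teacher_Number", "Global_Identifier"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), unmatched
```

Resolve every unmatched user before turning on OIDC authentication for that persona; an account with an empty or wrong Global Identifier will not be able to sign in once SSO is enforced.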
Frequently Asked Questions
When a user signs out, are they signed out of the identity provider?
Single sign-out is not supported at this time. Users are not signed out of the identity provider or other PowerSchool products when they sign out. Refer users to the appropriate location to sign out of the identity provider.