Single sign-on authentication for users is supported for Unified Talent SmartFind Express using an external identity provider, such as Google or Microsoft.
- The identity provider must be supported. The certified identity providers are Microsoft and Google.
- The identity provider must support the OIDC standard. Mobile apps require Authorization Code flow with PKCE support.
- User accounts must be provisioned for the identity provider.
- AD FS 4.0 or greater.
- The Global User ID field in SmartFind Express must match the selected Claim from the identity provider. The selected identity provider determines the claim that is used. If you use Google, the claim is email. If you use Microsoft, the claim is oid.
Set up Single Sign-On
This procedure is an overview of the steps involved in setting up single sign-on.
- Contact PowerSchool to start setting up SSO.
- In the identity provider, add the application registration and configure the OIDC application.
- Record the following information as you register the application:
  - Client ID
  - Client Secret
- Send the information for the application to the PowerSchool Implementation or Support team member so they can configure and enable SSO. Do not include the client ID and client secret in the same email.
- After PowerSchool configures SSO for SmartFind Express, we will provide the application's Redirect URI for the identity provider.
- Update the SmartFind Express application in the identity provider to specify the Redirect URI.
- Map your user accounts to the global ID you are using from the identity provider.
- Contact PowerSchool to indicate that SSO can be enabled. The application server will need to be restarted after SSO is enabled.
Register the Application with the Identity Provider
Add SmartFind Express to Google
There may be additional settings that you can configure for the applications or Google may have updated the interface. Refer to Google documentation on Setting up OAuth 2.0.
- Open https://console.developers.google.com as an administrator.
- If needed, create a new project and define the OAuth consent information.
- In Credentials, create credentials for an OAuth Client ID.
- Set up a web application with the PowerSchool application name.
- If you have the application's Redirect URI, add it in the Authorized redirect URIs section. Otherwise, edit the application later to add the Redirect URI.
- Copy and save the Client ID and Client Secret values that display after the app is created. These values need to be added in the PowerSchool application.
To add the redirect URI after the app is created, select Credentials and edit the app.
Add SmartFind Express to Microsoft
The instructions provided are intended to guide administrators to set up PowerSchool applications that use OIDC. There may be additional settings that you can configure for the applications or Microsoft may have updated the interface. Refer to Microsoft documentation on registering an application with the Microsoft identity platform.
- Go to https://portal.azure.com as an admin of the IdP service. Then, search for and select Azure Active Directory.
- In App registrations, add a new registration to set up the application. Enter an application name and select the supported account types.
- In Authentication, add a platform configuration. Select Web and then enter the Redirect URI for the application.
- In Certificates & secrets, add a new client secret and copy both the secret's Value and Secret ID. These values need to be added in the PowerSchool application.
- Add a claim to your token (optional):
  - Select Token Configuration > Add Optional Claim.
  - Select ID or Access as the Token Type, as appropriate.
  - Select the claims you want to add.
  - Click Add.
Map Users for SSO
An operator can import a batch of users with their SSO credentials (global identifiers).
- Create a bulk import file based on the format specified.
- Choose System Operations > Import/Export > On-Demand Import.
- Browse and select your bulk import file. The Delimited option must be selected with Delimiter set as | (single pipe).
- Click Run Now.
Bulk Import File Format
Each record is pipe-delimited. Fields, in order, with their descriptions (the only maximum field length stated is for Global User ID):
Action: "A" (Add), "C" (Change), "D" (Delete)
"2": always, for all files
Identity Provider ID: system-generated ID of the identity provider
Access ID: the access ID of the employee
Global User ID: the global user ID for the profile for the identity provider; text field with no maximum length configured
To find the system-generated ID of the identity provider, choose Startup > Authentication > SSO: Manage Identity Providers > Identity Providers List. The ID column displays the system-generated ID for each identity provider.
Add: W|A|2|Identity Provider Id|Access Id|Global user Id|
Change: W|C|2|Identity Provider Id|Access Id|Global user Id|
For Add (A): Identity Provider Id, Access Id and Global user Id are all mandatory.
For Change (C): Identity Provider Id, Access Id and Global user Id are all mandatory.
The Lenient Import processing parameter can be set to ON or OFF. This system-level parameter gives districts control over how strictly import records are processed. The setting is stored with the other background parameters established during system setup.
If set to OFF: when a record is imported to Add data but the system finds the record's key fields already in the system, the record fails with an error message. When a record is imported to Change data but the system does not find the key fields to change, the record fails with an error message.
If set to ON: when a record is imported to Add data but the system finds the record's key fields already in the system, it is processed as a Change record. When a record is imported to Change data but the system does not find the record's key fields, it is processed as an Add record.
Remove Previously-Imported Global Identifiers
For Delete (D): only the Identity Provider ID is mandatory. Different field combinations achieve different tasks.
- If only Identity Provider ID is provided, all mappings/relations for the given IdP are deleted: W|D|2|Identity Provider Id| | |
- If Identity Provider ID is provided with Access ID, any row matching both is deleted: W|D|2|Identity Provider Id|Access Id| |
- If Identity Provider ID is provided with Global User ID, any row matching both is deleted: W|D|2|Identity Provider Id| |Global User ID|
- If Identity Provider ID is provided with both Global User ID and Access ID, a row is deleted only if it matches all three fields: W|D|2|Identity Provider Id|Access Id|Global user Id|
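The following is an added example, not PowerSchool's code, that validates bulk-import records in the format above and applies them to an in-memory mapping table, covering the mandatory-field rules, the Lenient Import ON/OFF behaviour and the Delete field combinations. It assumes the key fields for Add/Change are the pair (Identity Provider ID, Access ID); the sample records are constructed.

```python
"""Added example (not PowerSchool's code): validate and apply SmartFind Express
SSO bulk-import records (W|action|2|IdP ID|Access ID|Global User ID|).
Assumption: the key fields for Add/Change are (IdP ID, Access ID)."""

def parse_record(line):
    """Split one pipe-delimited record and enforce the mandatory-field rules."""
    fields = [f.strip() for f in line.rstrip("\r\n").split("|")]
    if len(fields) < 6 or fields[0] != "W" or fields[2] != "2":
        raise ValueError(f"malformed record: {line!r}")
    action, idp, access, guid = fields[1], fields[3], fields[4], fields[5]
    if action not in ("A", "C", "D"):
        raise ValueError(f"unknown action {action!r}")
    if not idp:
        raise ValueError("Identity Provider Id is mandatory for every action")
    if action in ("A", "C") and not (access and guid):
        raise ValueError(f"Access Id and Global user Id are mandatory for {action}")
    return action, idp, access, guid

def apply_record(mappings, line, lenient=False):
    """mappings: dict (idp, access_id) -> global_user_id, mutated in place.
    Returns a short outcome string for the record."""
    action, idp, access, guid = parse_record(line)
    if action == "D":
        # Delete matches on every field that was supplied; blank fields are wildcards
        doomed = [k for k, g in mappings.items()
                  if k[0] == idp and (not access or k[1] == access)
                  and (not guid or g == guid)]
        for k in doomed:
            del mappings[k]
        return f"deleted {len(doomed)}"
    key, exists = (idp, access), (idp, access) in mappings
    if action == "A" and exists:
        if not lenient:
            return "failed: key already exists"
        action = "C"  # Lenient ON: Add of an existing key is processed as Change
    if action == "C" and not exists:
        if not lenient:
            return "failed: key not found"
        action = "A"  # Lenient ON: Change of a missing key is processed as Add
    mappings[key] = guid
    return "added" if action == "A" else "changed"

def run_import(lines, lenient=False):
    """Process a whole import file; returns (mappings, per-record outcomes)."""
    mappings, outcomes = {}, []
    for line in lines:
        if line.strip():
            outcomes.append(apply_record(mappings, line, lenient))
    return mappings, outcomes

# Constructed sample file: IdP 7 is a placeholder system-generated IdP ID
SAMPLE_FILE = ["W|A|2|7|E1001|alice@example.org|",
               "W|A|2|7|E1001|alice@example.org|",   # duplicate Add
               "W|C|2|7|E2002|bob@example.org|"]     # Change of unknown key
```

Running `run_import(SAMPLE_FILE)` with Lenient OFF fails the last two records, while Lenient ON turns them into a Change and an Add respectively.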
Individual User Mapping
A SmartFind Express user can link their own credentials to SSO.
- The SmartFind Express user logs in to the web application using the traditional login method.
- They choose Profile > Identity Provider Mapping.
- The user sees the identity provider's logo and an option to link their credentials for SSO.
- The user is asked to authenticate with the identity provider. Upon successful login, the user's credentials are linked and mapped to use the district's SSO feature for that identity provider.
Frequently Asked Questions
When a user signs out, are they signed out of the identity provider?
Yes, when the user signs out of SmartFind Express, they will be redirected to the sign out URL for the identity provider.