Special Programs Single Sign-On
Single sign-on authentication for users is supported for Special Programs using an external identity provider, such as Google or Microsoft.
The following scopes are requested during this authentication: openid (indicates that the application is using OIDC), profile (the user's profile information), and email (the user's email address).
Prerequisites
- The identity provider must be supported. The certified identity providers are Microsoft and Google.
- The identity provider must support the OIDC standard. Mobile apps require support for the Authorization Code flow with PKCE.
- User accounts must be provisioned for the identity provider.
- The selected identity provider determines the claim that is used. If you use Google, the claim is email. If you use Microsoft, the recommended claim is oid, but any of the supported claims may be used.
- The User SSO ID (IdPUserID) field in the user's profile in Special Programs must match the selected claim from the identity provider. The User SSO ID field is displayed from the Manage User SSO ID option.
Set up Single Sign-On
This procedure is an overview of the steps involved in setting up single sign-on.
- Contact PowerSchool to start setting up SSO.
- Map your user accounts to the global ID you are using from the identity provider. Use the Special Programs Data Connectivity Tool for bulk processing of user accounts.
  - Use the Special Programs Data Connectivity Tool to export the staff information, including the ID and name.
  - Export users from the identity provider.
  - Merge data from the export files from Special Programs and the identity provider.
  - Use the Special Programs Data Connectivity Tool to import the identity provider's claim value to the IdPUserID field for staff.
- PowerSchool will provide the Redirect URI for the application.
- In the identity provider, add the application registration and configure the OIDC application.
- Record the following information as you register the application:
  - Client ID
  - Client Secret
- Send the information for the application to the PowerSchool Implementation or Support team member so they can configure and enable SSO. Do not include the client ID and client secret in the same email.
Set up Single Sign-On after Special Programs 20.11 Release
The Special Programs 20.11 release includes the self-service ability to set up SSO.
- Map your user accounts to the global ID you are using from the identity provider. Use the Special Programs Data Connectivity Tool for bulk processing of user accounts.
  - Use the Special Programs Data Connectivity Tool to export the staff information, including the ID and name.
  - Export users from the identity provider.
  - Merge data from the export files from Special Programs and the identity provider.
  - Use the Special Programs Data Connectivity Tool to import the identity provider's claim value to the IdPUserID field for staff.
- PowerSchool will provide the Redirect URI for the application.
- In the identity provider, add the application registration and configure the OIDC application.
- Record the following information as you register the application:
  - Client ID
  - Client Secret
  - For Microsoft Azure, also record the Tenant ID for the Azure AD Tenant.
- Log in to Special Programs as a system administrator, and then select Administration > Configuration.
- Click the Integration tab, and then click Single Sign-On.
- Click Add Mapping.
- Select the external identity provider and enter the required information.
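The account-mapping step in both procedures above (export staff, export identity provider users, merge, import the claim value into IdPUserID) is illustrated by the following added example; it is not PowerSchool's code or the Data Connectivity Tool's format. It assumes both exports are CSV, joins them on e-mail address, and picks the claim the page names for each provider (email for Google, oid for Microsoft); the column names and sample rows are constructed for the illustration. Staff with no provider account, or whose e-mail appears more than once in the provider export, are reported rather than guessed, since a wrong IdPUserID would let one person sign in as another.

```python
import csv
import io

# Claim whose value goes into IdPUserID, per provider, as the page states:
# Google uses email; for Microsoft the recommended claim is oid.
CLAIM_FOR_PROVIDER = {"google": "email", "microsoft": "oid"}

# Constructed sample exports. Column names are assumptions for this
# illustration, not the Data Connectivity Tool's or the providers' schemas.
STAFF_EXPORT = """StaffID,Name,Email
1001,Ada Lovelace,ada@example.org
1002,Alan Turing,alan@example.org
1003,Grace Hopper,grace@example.org
"""
IDP_EXPORT = """email,oid
Ada@Example.org,6f1c2a3b-0000-4000-8000-000000000001
alan@example.org,6f1c2a3b-0000-4000-8000-000000000002
"""

def _norm(email):
    return email.strip().lower()

def merge_for_idp_user_id(staff_csv, idp_csv, provider):
    """Join the staff export with the provider export on e-mail and return
    (rows, unmatched, ambiguous): rows are {StaffID, IdPUserID} ready for
    import; unmatched lists staff that got no row (no provider account, or
    an ambiguous e-mail); ambiguous lists e-mails that occur more than once
    in the provider export, which are skipped rather than guessed."""
    claim = CLAIM_FOR_PROVIDER[provider]
    claim_by_email, ambiguous = {}, set()
    for row in csv.DictReader(io.StringIO(idp_csv)):
        key = _norm(row["email"])
        if key in claim_by_email:
            ambiguous.add(key)
        claim_by_email[key] = row[claim].strip()
    rows, unmatched = [], []
    for row in csv.DictReader(io.StringIO(staff_csv)):
        key = _norm(row["Email"])
        if key in claim_by_email and key not in ambiguous and claim_by_email[key]:
            rows.append({"StaffID": row["StaffID"], "IdPUserID": claim_by_email[key]})
        else:
            unmatched.append(row["StaffID"])
    return rows, unmatched, sorted(ambiguous)

def to_import_csv(rows):
    """Serialise the merged rows as CSV text for the import step."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["StaffID", "IdPUserID"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    rows, unmatched, ambiguous = merge_for_idp_user_id(STAFF_EXPORT, IDP_EXPORT, "microsoft")
    print(to_import_csv(rows))
    print("unmatched staff:", unmatched, "ambiguous e-mails:", ambiguous)
```

Review the unmatched and ambiguous lists by hand before importing; every staff member left without an IdPUserID will be unable to sign in through SSO until the field is filled.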
Frequently Asked Questions
When a user signs out, are they signed out of the identity provider?
Single sign-out is not supported at this time. Users are not signed out of the identity provider or other PowerSchool products when they sign out. Refer users to the appropriate location to sign out of the identity provider.
Which SSO field is used in Staff Security Settings?
The Staff Security Settings page (Administration > Security > Staff Security Groups tab > Security Settings option) has two fields to configure the SSO field to use for staff IDs.
- The OpenID Connect SSO Staff ID Field specifies the field to use for single sign-on with an external third-party identity provider, such as Google, Microsoft, or eSchoolPLUS, using the OpenID Connect protocol.
- The External SSO Staff ID field is used if your district uses another form of SSO, such as relying on PowerSchool SIS or on an external identity provider that uses the SAML protocol.