
SSO Identity Provider (IDP) Switching Guide

This guide outlines the steps to switch your Single Sign-On (SSO) Identity Provider (IDP) from Microsoft to Google within PowerSchool ERP. It includes instructions for both Live and Test/Train environments.

 IDP Configuration (Configured by Customer)

Google IDP Configuration

  1. Go to https://console.developers.google.com

  2. From the Select a project list, choose a project.

  3. On the left, click Credentials.

  4. Under OAuth 2.0 Client IDs, select the client if client credentials are already available; otherwise, select the "+CREATE CREDENTIALS" link to create new client credentials.

  5. Add the URL to the list located under Authorized redirect URIs.

  6. Select Create/Save.

Microsoft Azure IDP Configuration

  1. Go to https://portal.azure.com

  2. Log in as an admin of the IdP service.

  3. Near the top of the page or on the left (via switcher menu) select Azure Active Directory.

  4. On the left, under Manage, select App Registrations.

  5. Find and select the application you want to configure. After you select the app, you see the application's overview or main registration page.

  6. Near the top right of the main page, select Redirect URIs.

  7. Select the type (most likely Web), then enter the Redirect URI.

  8. Select Save.

Part 1: Exporting Data from Microsoft IDP (Live Profile)

Steps to Export Data

  1. Log in to the Live profile in PowerSchool ERP.

  2. Navigate to: System Administration → Administration → Security → SSO Export

  3. Select Export Option: Choose to export both in CSV format.

  4. Update SSO Identifiers: Open the CSV file and replace old IDP emails with new ones.
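
For step 4, editing identifiers by hand makes it easy to leave an old address behind or to point two users at the same new address. The script below is an added example, not PowerSchool code: it rewrites the old domain to the new one and reports rows that need manual review. The column header `SSO Identifier`, the domains, and the sample rows are assumptions, since the export's layout is not shown on this page.

```python
import csv
import io

SSO_COLUMN = "SSO Identifier"  # hypothetical header; use the one in your export

# Constructed sample export; the real file's columns are not shown on this page.
SAMPLE_EXPORT = (
    "User ID,Name,SSO Identifier\n"
    "1001,A. Rivera,arivera@olddistrict.example\n"
    "1002,B. Chen,BChen@OldDistrict.example\n"
    "1003,C. Okafor,bchen@newdistrict.example\n"
    "1004,D. Smith,\n"
)

def rewrite_sso_identifiers(csv_text, old_domain, new_domain, column=SSO_COLUMN):
    """Return (rewritten_csv, report); report lists rows needing manual review."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in export")
    report = {"changed": 0, "unchanged": [], "invalid": [], "duplicates": []}
    rows, seen = [], {}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        value = (row[column] or "").strip()
        local, at, domain = value.rpartition("@")
        if not (local and at and domain):
            report["invalid"].append(line_no)      # blank or not an e-mail
        elif domain.lower() == old_domain.lower():
            value = f"{local}@{new_domain}"
            report["changed"] += 1
        else:
            report["unchanged"].append(line_no)    # not on the old IdP domain
        key = value.lower()  # assumes the IdP treats addresses case-insensitively
        if key and key in seen:
            # Two ERP users would map to the same IdP identity after import.
            report["duplicates"].append((seen[key], line_no))
        elif key:
            seen[key] = line_no
        row[column] = value
        rows.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), report

if __name__ == "__main__":
    new_csv, report = rewrite_sso_identifiers(
        SAMPLE_EXPORT, "olddistrict.example", "newdistrict.example")
    print(new_csv, report, sep="\n")
```

Resolve every row listed under `duplicates`, `invalid`, and `unchanged` before importing the file.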

Part 2: Importing Data to Google IDP (Test/Train Profile)

Prerequisites

  • Each district has a unique GUID for SSO with AppSwitcher.

  • For testing, generate a new GUID using an online tool:

  • GUID Generator: https://guidgenerator.com/

GUIDs generated externally are not supported by PowerSchool’s AppSwitcher but can be used for SSO flow testing.

 

 

AppSwitcher SSO Setup

Configuration Path: Environment Maintenance → Business Entity → AppSwitcher SSO Setup

Brief about SSO IDP Setup

Single Sign-On Configuration

In this section, we must provide the IDP details:

  • Identity Provider Name

  • Claim Identifier

    • For Microsoft – “oid” or “preferred_username”

    • For Google – “email”

  • Identity Provider URL

    • For Microsoft – https://login.microsoftonline.com/[TenantID]/v2.0

    • For Google – https://accounts.google.com

  • Identity Provider Scopes – openid, email, profile

 

IDP Credentials

In this section, we must define the Redirect URI for supported applications.

  • Client ID – Should be taken from the IDP

  • Client Secret – Should be taken from the IDP

  • Redirect URI

    • PowerSchool ERP

      • For Microsoft – https://<app server URI>/erp/pserp/pserp.web/<PowerSchool District GUID>/signin-microsoft

      • For Google – https://<app server URI>/erp/pserp/pserp.web/<PowerSchool District GUID>/signin-google

    • Employee Access Center

      • For Microsoft – https://<eac server URI>/erp/EmployeeAccessCenter/Web/<PowerSchool District GUID>/signin-microsoft

      • For Google – https://<eac server URI>/erp/EmployeeAccessCenter/Web/<PowerSchool District GUID>/signin-google

    • Employee TimeSheet

      • For Microsoft – https://<ets server URI>/erp/EmployeeTimeSheet/Web/<PowerSchool District GUID>/signin-microsoft

      • For Google – https://<ets server URI>/erp/EmployeeTimeSheet/Web/<PowerSchool District GUID>/signin-google

    • Vendor Punchout

      • For Microsoft – https://<vpo server URI>/erp/VendorPunchout/Web/<PowerSchool District GUID>/signin-microsoft

      • For Google – https://<vpo server URI>/erp/VendorPunchout/Web/<PowerSchool District GUID>/signin-google

The admin must add the redirect URIs of the applications listed above as part of the Google IDP Configuration or Microsoft IDP Configuration.
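
The URIs registered at the IdP must match what each application sends, so a wrong GUID, an `http` scheme, or a leftover `signin-microsoft` entry is worth catching before users test sign-in. The following added example (not PowerSchool code) builds the expected URIs from the path templates above and diffs them against a list copied from the IdP console. The host names, the GUID, the registered list, and the assumption that the district GUID uses the standard 8-4-4-4-12 form are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Application paths copied from the Redirect URI list above.
APP_PATHS = {
    "PowerSchool ERP": "/erp/pserp/pserp.web",
    "Employee Access Center": "/erp/EmployeeAccessCenter/Web",
    "Employee TimeSheet": "/erp/EmployeeTimeSheet/Web",
    "Vendor Punchout": "/erp/VendorPunchout/Web",
}
# Assumption: the district GUID uses the standard 8-4-4-4-12 hex text form.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def expected_redirect_uris(hosts, district_guid, provider):
    """hosts maps an application name to its server host name."""
    if provider not in ("microsoft", "google"):
        raise ValueError("provider must be 'microsoft' or 'google'")
    if not GUID_RE.fullmatch(district_guid):
        raise ValueError("district GUID is not in 8-4-4-4-12 hex form")
    return {app: f"https://{host}{APP_PATHS[app]}/{district_guid}/signin-{provider}"
            for app, host in hosts.items()}

def audit_registered(expected, registered):
    """Diff the URIs registered at the IdP against the expected set."""
    wanted, have = set(expected.values()), set(registered)
    return {
        "missing": sorted(wanted - have),       # not yet registered at the IdP
        "unexpected": sorted(have - wanted),    # stale, mistyped or old-IdP entries
        "insecure": sorted(u for u in have if urlsplit(u).scheme != "https"),
    }

# Constructed sample values (placeholder hosts and GUID).
GUID = "11111111-2222-3333-4444-555555555555"
HOSTS = {"PowerSchool ERP": "erp.district.example",
         "Employee Access Center": "eac.district.example"}
EAC = f"https://eac.district.example/erp/EmployeeAccessCenter/Web/{GUID}"
REGISTERED = [
    f"https://erp.district.example/erp/pserp/pserp.web/{GUID}/signin-google",
    f"{EAC}/signin-microsoft",                 # left over from the old IdP
    f"http://eac.district.example/erp/EmployeeAccessCenter/Web/{GUID}/signin-google",
]

if __name__ == "__main__":
    print(audit_registered(expected_redirect_uris(HOSTS, GUID, "google"), REGISTERED))
```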

Select configured GUID

Configuration Path: Environment Maintenance → Business Entity → Profile

Steps to Import Data

  1. Switch Profile: Log in to the Test/Train profile.

  2. (Optional but Recommended) Clear existing SSO Identifiers:

    • System Administration → Administration → Security → Clear SSO Identifier

  3. Navigate to Import Menu:

    • System Administration → Administration → Security → Import Global Users

  4. Upload CSV File: Select Upload, browse for your file, and select Load.

  5. Configure Import:

    • Select Set Column Titles after records load.

    • Select all or specific rows.

    • Map columns accordingly.

  6. Complete Import: Click Do not save mapping and finish the process.

  7. Verify: Check the Users screen to confirm new IDP emails are correctly mapped.

Result: New IDP is now active in your Live profile. This process should be performed by a system administrator.

After completing this process, an IIS restart is required. Not every server needs a restart: check which server each component is installed on, and restart IIS on that server.

  • eFP SSO – App server

  • EAC SSO – EAC Server / Edge Server / Workflow Server

  • ETS SSO – EAC Server / Edge Server / Workflow Server

  • VPO SSO – EAC Server / Edge Server / Workflow Server


Switching IDP Within the Same Profile (Live)

Note: GUID creation is not required, because PowerSchool provides one GUID for setting up SSO with AppSwitcher in the LIVE profile. The new IDP can be configured for that GUID.

Steps to Export Data

  1. Log in to the Live profile in PowerSchool ERP.

Configuration Path: Environment Maintenance → Business Entity → AppSwitcher SSO Setup

Brief about SSO IDP Setup

Single Sign-On Configuration

In this section, we must provide the IDP details:

  • Identity Provider Name

  • Claim Identifier

    • For Microsoft – “oid” or “preferred_username”

    • For Google – “email”

  • Identity Provider URL

    • For Microsoft – https://login.microsoftonline.com/[TenantID]/v2.0

    • For Google – https://accounts.google.com

  • Identity Provider Scopes – openid, email, profile

 

 

IDP Credentials

In this section, we must define the Redirect URI for supported applications.

  • Client ID – Should be taken from the IDP

  • Client Secret – Should be taken from the IDP

  • Redirect URI

    • PowerSchool ERP

      • For Microsoft – https://<app server URI>/erp/pserp/pserp.web/<PowerSchool District GUID>/signin-microsoft

      • For Google – https://<app server URI>/erp/pserp/pserp.web/<PowerSchool District GUID>/signin-google

    • Employee Access Center

      • For Microsoft – https://<eac server URI>/erp/EmployeeAccessCenter/Web/<PowerSchool District GUID>/signin-microsoft

      • For Google – https://<eac server URI>/erp/EmployeeAccessCenter/Web/<PowerSchool District GUID>/signin-google

    • Employee TimeSheet

      • For Microsoft – https://<ets server URI>/erp/EmployeeTimeSheet/Web/<PowerSchool District GUID>/signin-microsoft

      • For Google – https://<ets server URI>/erp/EmployeeTimeSheet/Web/<PowerSchool District GUID>/signin-google

    • Vendor Punchout

      • For Microsoft – https://<vpo server URI>/erp/VendorPunchout/Web/<PowerSchool District GUID>/signin-microsoft

      • For Google – https://<vpo server URI>/erp/VendorPunchout/Web/<PowerSchool District GUID>/signin-google

  2. Select configured GUID

Configuration Path: Environment Maintenance → Business Entity → Profile

  3. Navigate to: System Administration → Administration → Security → SSO Export

  4. Select Export Option: Choose to export Users, Employees, or Both in CSV format.

  5. Update SSO Identifiers: Open the CSV file and replace old IDP emails with new ones.

Example: xyz@microsoft.com (old IDP email) → xyz@google.com (new IDP email)

  6. (Optional but Recommended) Clear existing SSO Identifiers:

    • System Administration → Administration → Security → Clear SSO Identifier

  7. Navigate to Import Menu:

    • System Administration → Administration → Security → Import Global Users

  8. Upload CSV File: Click Upload, browse for your file, and click Load.

  9. Configure Import:

    • Click Set Column Titles after records load.

    • Select all or specific rows.

    • Map columns accordingly.

  10. Complete Import: Click Do not save mapping and finish the process.

  11. Verify: Check the Users screen to confirm new IDP emails are correctly mapped.

Result: New IDP is now active in your Live profile.
Note: This process should be performed by a system administrator.

After completing this process, an IIS restart is required. Not every server needs a restart: check which server each component is installed on, and restart IIS on that server.

  • eFP SSO – App server

  • EAC SSO – EAC Server / Edge Server / Workflow Server

  • ETS SSO – EAC Server / Edge Server / Workflow Server

  • VPO SSO – EAC Server / Edge Server / Workflow Server
