...

...

...

...

...

...

...

...

...

...

...

Overview

Welcome! This page is to help district implement Google Single Sign-on (SSO) into the PowerSchool login process. PowerSchool’s official documentation is available here: PowerSchool's instructions.

If you are a NBEC/NWOCA member district, feel free to reach out to our IT Services team with any questions.

Step 1: Enable PowerSchool SIS as OIDC Service Provider

...

1. In your new tab, go here https://console.developers.google.com/.

2. Select Create Project
   

   

3. Give your project any name you want.

4. Make sure that the org and location fields are set to your Google domain and then click on "Create."
   

   Image RemovedImage Added

5. Please wait while your project is created. A notification will appear confirming its creation. Once the notification is displayed, you can click on Select Project.
   

   

6. You should be taken to the dashboard for your project. Click on the navigation menu.

   

7. Select APSs & Services then OAuth consent screen.
   

   

8. For "User Type" select "External" and then "Create"
   

   

9. Name your app, specify a support email address in the User Support Email field, and optionally add a logo.
   

   Image RemovedImage Added

10. For the App Domain section, put your PowerSchool website address in the first field. Leave the next two fields blank.
    

    

11. For "Authorized Domains" click on "Add Domain" and enter the name of your Google domain (hilltopcadets.org, fayettesch.org, etc.) and nwoca.org.
    

    

12. Enter an email address for the Developer Contact Information, then click Save and Continue.

13. Click Save and Continue for step 2 Scopes and step 3 Test users, then select Back to Dashboard at the bottom of the summary page.
    

    

    

14. On the left of the screen, click on Credentials.
    

    

15. After the Credentials page loads, click on +Create Credentials, then select OAuth Client ID.
    

    

16. For application type select Web Application and give it a name.

17. Under Authorized Redirect URIs, click on Add URI

18. Enter your PowerSchool address followed by /oidc/openid_connect_login

    

19. Next, click on Create.

20. A pop-up window will appear with the Client ID and Client Secret. Copy and paste these into a text document as they will be needed later. You can close Google Cloud and return to PowerSchool for Step 3.
    

    

...

1. On the start page within the PowerSchool SIS Admin portal, choose System Management in the left-hand menu.

2. System Management will open, and select Security.

3. Click OIDC Authentication.
   

   

4. Select Add.

5. In the user dropdown select the user type you want.Note: If all three options are needed repeat steps 5 - 10 for each user dropdown.
   

   

6. Enter https://accounts.google.com for the IDP URL.

7. Enter the client ID and client secret that was received from Google Cloud during Part 2: Configure the Google Web App.

8. Enter openid email for the Scopes field.

9. For Authentication ID / Identifying Claim, enter email.

10. Check the Enable OIDC Authentication for the personas you need.

    1. Note: Users will be signed out of PowerSchool once these are checked, you can wait to enable this once you have finished the rest of the setup.

11. Click Submit.
    

    Image RemovedImage Added

Step 4: Map Users from Google to PowerSchool

...

1. On the start page within the PowerSchool SIS Admin portal, choose Data and Reporting in the left-hand menu.

2. Data and Reporting will open, then select Export.

3. Under Export click Data Export Manager. 
   

   

4. In the Select Columns to Export section:

   1. Choose PowerSchool Data Sets as the Category.

   2. Choose one of the following from Export From. Note - : You will need to run this multiple times if you need to export all users.
      **Warning: To get all of your Staff and Teachers you need to export both the Staff Mapping and Teacher Mapping**

      1. SSO Staff Mapping

      2. SSO Teacher Mapping

      3. SSO Parent Mapping

      4. SSO Student Mapping

5. Select the columns to export, it is helpful to also include email or first and last name so it is easier to identify the user in the CSV file.

   1. For Staff and Teacher, User DCID, SSO User Type, Global Identifier are required.

   2. For Parent, Person ID, SSO User Type, Global Identifier are required.

   3. For Student, Student DCID, SSO User Type, Global Identifier are required.

   4. Click Next.

      

6. In the Select/Edit Records section, you can use the Built In Filters to narrow the list of records to export, then click Next.

7. In the Export Summary and Output Options section:

   1. Change the Export File Name extension from .txt to .csv.

   2. Choose Comma as the Field Delimiter.

   3. Choose UTF-8 as the Character Set.
      

      

8. Click Export.

...

1. Open the CSV file you exported.

2. In the export, you will need to add the email address to the corresponding User. This is where exporting the email address or name is helpful.

   Image RemovedImage Added

3. Once the Global Identifier field has been updated you can delete the additional columns you exported.

   Image RemovedImage Added

Part C: Import Merdged Data to PowerSchool

...

Step 6: Test SSO for Users

Note: If you did not check the Enable OIDC Authentication in Step 3, #10 you will need to do that before attempting to test SSO.

After mapping the users from the Google to PowerSchool SIS, test the SSO connection. Be sure to test each persona in another browser or using an incognito window before ending your current session.

...