...
Overview
Welcome! This page is to help districts implement Google Single Sign-on (SSO) into the PowerSchool login process. PowerSchool’s official documentation is available here: PowerSchool's instructions.
Below are instructions given to NWOCA by West Unity:
...
If you are a NBEC/NWOCA member district, feel free to reach out to our IT Services team with any questions.
Step 1: Enable PowerSchool SIS as OIDC Service Provider
The first step in setting up PowerSchool SIS as OIDC Service Provider is to enable the plugin.
On the start page within the PowerSchool SIS Admin portal, choose System Management in the main left-hand menu.
Click System Settings.
Click Plugin Management. System Management will open, then select Server.
Under Server Setup click Plugin Configuration.
On the Plugin Configuration page, scroll down to PowerSchool SIS as OIDC Service Provider, then select Enable/Disable so the box is checked.
After you select the checkbox, you will be presented with a new screen. Click Enable.
Part 2: Set up the Google OAuth
You can return to the main PowerSchool page and open a new tab in your web browser.
Step 2: Configure the Google Web App
In your new tab, go to https://console.developers.google.com/. On the top left, next to "Google Cloud Platform," select "New Project", or click the down arrow and, in the box that opens up, click on "New Project."
Select Create Project
Give your project any name you want.
Make sure that the org and location fields are set to your Google domain and then click on "Create."
It will take a second but there should be a notifications box that pops up on the next screen that says something about creating your project. Once it's done, open your project.
On the left side, click on "Credentials."
Then click on "Configure Consent Screen."
Please wait while your project is created. A notification will appear confirming its creation. Once the notification is displayed, you can click on Select Project.
You should be taken to the dashboard for your project. Click on the navigation menu.
Select APIs & Services, then OAuth consent screen.
For "User Type" select "External" and then "Create"
Name your app (something like powerschool), specify a support email address in the User Support Email field, and optionally add a logo.
For the App Domain section, put your PowerSchool website address in the first field. Leave the next two fields blank.
For "Authorized Domains" click on "Add Domain" and enter the name of your Google domain (hilltopcadets.org, fayettesch.org, etc.) and nwoca.org. If you have an ITC partner, add their domain name as well.
Enter an email address for the Developer Contact Information, then click Save and Continue.
The next page is just to let your users know what information Google will be looking at. You don't have to put anything here at all. Click Save and Continue for step 2 Scopes and step 3 Test users, then select Back to Dashboard at the bottom of the summary page.
On the left of the screen, click back on "Credentials."
After the Credentials page loads, click on "+Create Credentials" at the top, then select OAuth Client ID.
For "Application Type" select Web Application and give it a name.
Under Authorized Redirect URIs, click on "Add URI."
In that box, enter your PowerSchool address (ours is https://louisvillepublicschools.powerschool.com) followed by /oidc/openid_connect_login
I don't know what your PS address is, but it would look something like this when it's done: https://elginacademy.powerschool.com/oidc/openid_connect_login
Next, click on Create.
A pop-up window will appear with the Client ID and Client Secret. Copy and paste these into a text document as they will be needed later. Treat the Client Secret like a password. You can close Google Cloud and return to PowerSchool for Step 3.
Step 3: Link Google to PowerSchool
On the start page within the PowerSchool SIS Admin portal, choose System Management in the main left-hand menu.
System Management will open, then select Security.
Click OIDC Authentication Setup.
Select Enable OIDC Authentication, then select Add.
In the user dropdown select the user type you want. Note: If all three options are needed, repeat steps 5 - 10 for each user dropdown.
Enter https://accounts.google.com for the IDP URL.
Enter the client ID and client secret provided by the IdP (these were received from Google Cloud during Part 2: Configure the Google Web App).
Enter openid email for the Scopes field. Separate multiple entries using spaces.
For Authentication ID / Identifying Claim, enter the IdP claim that will be used to match SIS users.
For Google, it is suggested to use the email claim.
Check the personas you need under Enable OIDC Authentication for Users.
Note: Users will be signed out of PowerSchool once these are checked. You can wait to enable this until you have finished the rest of the setup.
Click Submit.
...
Step 4:
...
Repeat Step 3.
Use the global configuration settings to enable SSO for the PowerSchool Mobile app:
Part 5: Link Faculty Accounts to Google Accounts
Log in to PowerSchool Administrator and make sure you're at the District level. If you're not, you should be able to click that little down arrow and switch over. And if you can't, just pick a school and go that route.
On the left hand side of the screen, scroll down to "System Management" and click on "Security."
On the next screen, scroll down to "Security" and select "OIDC Authentication Setup." (You've already been here before)
If the box next to "Enabled..." isn't blue, go ahead and enable it.
Let's start with the Teacher users. Click on the box next to "Enable OIDC Authentication for Teachers." You're turning on Google auth for ONLY teachers right now since you don't have that many.
Scroll down that page and click on "Submit."
Then click on PowerSchool SIS up at the very top to go back to the start page.
Change the search drop down to "Staff."
Select "Teachers."
That will bring up a list of all of your teachers. Click on the first one listed.
On the left side of the screen, select "Security Settings." This is where you change passwords and stuff.
Now, instead of the password field that you used to see, you'll see "Identity Provider Global ID."
This is where you match up the user and their Google email address and the reason we had to do that step in Google Cloud. For an ITC partner, you would put their domain email too, matching the email domain you added in Google Cloud.
Once you enter the email address click on Submit and go to the next teacher by clicking the right arrow on the top left corner of the screen.
Repeat the process for each person. Assuming you have a teacher account AND a PS admin account, you can safely change this for yourself without affecting your ability to sign in. It's also one of the reasons that I didn't enable Google SSO for my staff section. That allows me to enforce some different password rules for that group. You can test if it works by going to the teacher login page for your PS instance and it should be a Google login now.....hopefully. Sign in with your Google stuff and make sure you see your name. That should be it.
...
As shared by: (8/2021)
Nate Simons
Director of Technology
Esports Coach
Louisville Public Schools
Edits made by Alex Cummins
Millcreek-West Unity Schools
...
Map Users from Google to PowerSchool
Part A: Export PowerSchool SIS Users
The first step in mapping users from Google to PowerSchool SIS is to export users from PowerSchool SIS. All active users must be set up for SSO before exporting. The Global Identifier for the User Type of Staff is used to sign in to the PowerSchool Admin portal, and the Global Identifier for the User Type of Teacher is used to sign in to the PowerSchool SIS Teacher portal. A user can have access to both portals, in which case the import file should contain two rows for the user: one with the User Type of Staff and another with the User Type of Teacher.
On the start page within the PowerSchool SIS Admin portal, choose Data and Reporting in the left-hand menu.
Data and Reporting will open, then select Export.
Under Export click Data Export Manager.
In the Select Columns to Export section:
Choose PowerSchool Data Sets as the Category.
Choose one of the following from Export From. Note: You will need to run this multiple times if you need to export all users.
Warning: To get all of your Staff and Teachers you need to export both the Staff Mapping and Teacher Mapping.
SSO Staff Mapping
SSO Teacher Mapping
SSO Parent Mapping
SSO Student Mapping
Select the columns to export. It is helpful to also include email or first and last name so it is easier to identify the user in the CSV file.
For Staff and Teacher, User DCID, SSO User Type, Global Identifier are required.
For Parent, Person ID, SSO User Type, Global Identifier are required.
For Student, Student DCID, SSO User Type, Global Identifier are required.
Click Next.
In the Select/Edit Records section, you can use the Built In Filters to narrow the list of records to export, then click Next.
In the Export Summary and Output Options section:
Change the Export File Name extension from .txt to .csv.
Choose Comma as the Field Delimiter.
Choose UTF-8 as the Character Set.
Click Export.
Part B: Merge Export with Google Data
Optional: Export users from Google Admin Console to use with the PowerSchool Export
Open the CSV file you exported.
In the export, you will need to add the email address to the corresponding User. This is where exporting the email address or name is helpful.
Once the Global Identifier field has been updated you can delete the additional columns you exported.
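One way to script the merge described in Part B, as an added example that is not part of the original instructions or of PowerSchool's tooling. The header names ("Email" in the PowerSchool export, "Email Address [Required]" in the Google export) and the sample rows are assumptions; adjust them to match your own files.

```python
import csv
import io

# Header names are assumptions: the PowerSchool ones follow the column list in
# Part A, the Google one follows a Google Admin console user download.
REQUIRED = ["User DCID", "SSO User Type", "Global Identifier"]
PS_EMAIL = "Email"  # extra column exported only to help matching
GOOGLE_EMAIL = "Email Address [Required]"

def merge_mapping(ps_csv, google_csv):
    """Return (import_rows, unmatched_rows); a row is never matched by guess."""
    google = {}
    for row in csv.DictReader(io.StringIO(google_csv)):
        addr = row[GOOGLE_EMAIL].strip()
        if addr:
            google[addr.lower()] = addr  # keep the address as Google lists it
    merged, unmatched = [], []
    for row in csv.DictReader(io.StringIO(ps_csv)):
        key = (row.get(PS_EMAIL) or "").strip().lower()
        if key in google:
            row["Global Identifier"] = google[key]
            merged.append({col: row[col] for col in REQUIRED})  # drop helper columns
        else:
            unmatched.append(row)  # resolve by hand before importing
    return merged, unmatched

def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=REQUIRED, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

# Constructed sample data (not real accounts or domains).
PS_EXPORT = """User DCID,SSO User Type,Global Identifier,Email
101,Staff,,Jdoe@district.example
101,Teacher,,jdoe@district.example
102,Teacher,,asmith@district.example
103,Teacher,,former.sub@mail.example
"""
GOOGLE_EXPORT = """First Name [Required],Last Name [Required],Email Address [Required]
Jane,Doe,jdoe@district.example
Al,Smith,asmith@district.example
"""

if __name__ == "__main__":
    rows, unmatched = merge_mapping(PS_EXPORT, GOOGLE_EXPORT)
    print(to_csv(rows), end="")
    print("UNMATCHED:", [(r["User DCID"], r[PS_EMAIL]) for r in unmatched])
```

Rows with no matching Google account are reported rather than filled in, so nobody is mapped to an identity that was only guessed at.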
Part C: Import Merged Data to PowerSchool
Import File
In PowerSchool SIS for Administrators, navigate to the Data Import Manager page.
Select the source and target:
Choose the file you want to import.
Choose SSO User Mapping as the Import Into.
Choose Comma as the Field Delimiter.
Choose Unicode as the Character Set.
Click Next.
Click Next.
Click Import.
Verify Imported Merged Files
Once the PowerSchool SIS user export files and the identity provider user export file are merged into one file and imported back into the PowerSchool SIS, you will want to verify that your identity provider's global identifier appears in the PowerSchool SIS. Re-run the exports to ensure that Global ID column data appears as expected.
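A sketch of how the re-run export could be checked automatically, as an added example that is not part of the original instructions. The header names, the district.example domain and the sample rows are assumptions. Because sign-in is matched on the email claim, the check flags blank identifiers, one identifier shared by two users of the same type, and Staff or Teacher rows that point outside the district's Google domain.

```python
import csv
import io
from collections import defaultdict

# Header names are assumptions taken from the column list in Part A.
ID_COL, TYPE_COL, GID_COL = "User DCID", "SSO User Type", "Global Identifier"
DISTRICT_DOMAINS = {"district.example"}  # placeholder: your Google domain(s)
INTERNAL_TYPES = {"Staff", "Teacher"}    # personas expected to use district accounts

def audit_mapping(export_csv):
    """Return a list of (issue, user id, user type, global identifier)."""
    findings, seen = [], defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_csv)):
        uid, utype, gid = row[ID_COL], row[TYPE_COL], row[GID_COL].strip()
        if not gid:
            findings.append(("missing", uid, utype, gid))
            continue
        seen[(utype, gid.lower())].add(uid)
        domain = gid.rpartition("@")[2].lower()
        if utype in INTERNAL_TYPES and domain not in DISTRICT_DOMAINS:
            findings.append(("off-domain", uid, utype, gid))
    # One identifier on two users of the same type means one Google login
    # could resolve to either of them.
    for (utype, gid), uids in sorted(seen.items()):
        if len(uids) > 1:
            findings.extend(("shared-identifier", uid, utype, gid) for uid in sorted(uids))
    return findings

# Constructed sample re-export (not real accounts or domains).
REEXPORT = """User DCID,SSO User Type,Global Identifier
101,Staff,jdoe@district.example
101,Teacher,jdoe@district.example
102,Teacher,asmith@district.example
104,Teacher,ASmith@district.example
105,Staff,
106,Staff,helper@mail.example
"""

if __name__ == "__main__":
    for finding in audit_mapping(REEXPORT):
        print(*finding)
```

User 101 appears once as Staff and once as Teacher with the same identifier and is not flagged, which matches the two-row layout described in Part A.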
Step 6: Test SSO for Users
Note: If you did not check the Enable OIDC Authentication in Step 3, #10, you will need to do that before attempting to test SSO.
After mapping the users from Google to PowerSchool SIS, test the SSO connection. Be sure to test each persona in another browser or using an incognito window before ending your current session.
Enter the URL of your district's PowerSchool SIS Teacher, Student and Parent, or Admin portal and press ENTER or RETURN. The PowerSchool SIS portal should redirect to Google’s sign-in page.
With SSO enabled the URLs will no longer need pw.html. If you have links shared with your users that include pw.html you should update them. Ex: https://district.ps.nwoca.org/teachers/
Sign in with the user's credentials. For teacher, parent, and student, if the PowerSchool SIS portal launches, the setup has been configured properly. For staff, if the PowerSchool SIS Admin portal launches and you are expelled from your first session, as you are only allowed one session at a time, the setup has been configured properly.
For parent and student, open the PowerSchool Mobile app. Sign in with the user's credentials.