Click this link to go to PowerSchool's instructions.
Step 1: Enable PowerSchool SIS as OIDC Service Provider
The first step in setting up PowerSchool SIS as OIDC Service Provider is to enable the plugin.
On the start page within the PowerSchool SIS Admin portal, choose System Management in the left-hand menu.
System Management will open, then select Server.
Under Server Setup click Plugin Configuration.
On the Plugin Configuration Page scroll down to PowerSchool SIS as OIDC Service Provider, then select Enable/Disable so the box is checked.
After you select the checkbox, a screen appears. Click Enable. You can return to the main PowerSchool page and open a new tab in your web browser.
Step 2: Configure the Google Web App
In your new tab, go to https://console.developers.google.com/.
Select Create Project
Give your project any name you want.
Make sure that the org and location fields are set to your Google domain and then click on "Create."
Please wait while your project is created. A notification will appear confirming its creation. Once the notification is displayed, you can click on Select Project.
You should be taken to the dashboard for your project. Click on the navigation menu.
Select APIs & Services, then OAuth consent screen.
For "User Type" select "External" and then "Create."
Name your app, specify a support email address in the User Support Email field, and optionally add a logo.
For the App Domain section, put your PowerSchool website address in the first field. Leave the next two fields blank.
For "Authorized Domains" click on "Add Domain" and enter the name of your Google domain (hilltopcadets.org, fayettesch.org, etc.) and nwoca.org.
Enter an email address for the Developer Contact Information, then click Save and Continue.
Click Save and Continue for step 2 Scopes and step 3 Test users, then select Back to Dashboard at the bottom of the summary page.
On the left of the screen, click on Credentials.
After the Credentials page loads, click on +Create Credentials, then select OAuth Client ID.
For application type select Web Application and give it a name.
Under Authorized Redirect URIs, click on Add URI
Enter your PowerSchool address followed by /oidc/openid_connect_login
Next, click on Create.
A pop-up window will appear with the Client ID and Client Secret. Copy and paste these into a text document as they will be needed later. You can close Google Cloud and return to PowerSchool for Step 3.
Step 3: Link Google to PowerSchool
On the start page within the PowerSchool SIS Admin portal, choose System Management in the left-hand menu.
System Management will open, then select Security.
Click OIDC Authentication.
Select Add.
In the user dropdown, select the user type you want. If all three options are needed, repeat steps 5 - 10 for each user dropdown.
Enter https://accounts.google.com for the IDP URL.
Enter the client ID and client secret that were received from Google Cloud during Step 2: Configure the Google Web App.
Enter openid email for the Scopes field.
For Authentication ID / Identifying Claim, enter email.
Check Enable OIDC Authentication for the personas you need.
Click Submit.
Step 4: Map Users from Google to PowerSchool
Part A: Export PowerSchool SIS Users
The first step in mapping users from Google to PowerSchool SIS is to export users from PowerSchool SIS. All active users must be set up for SSO before exporting. The Global Identifier for the User Type of Staff is used to sign in to the PowerSchool Admin portal, and the Global Identifier for the User Type of Teacher is used to sign in to the PowerSchool SIS Teacher portal. A user can have access to both portals, in which case the import file should contain two rows for the user: one with the User Type of Staff and another with the User Type of Teacher.
On the start page within the PowerSchool SIS Admin portal, choose Data and Reporting in the left-hand menu.
Data and Reporting will open, then select Export.
Under Export click Data Export Manager.
In the Select Columns to Export section:
Choose PowerSchool Data Sets as the Category.
Choose one of the following from Export From. **Note - You will need to run this multiple times if you need to export all users.**
SSO Staff Mapping
SSO Teacher Mapping
SSO Parent Mapping
SSO Student Mapping
Select the columns to export:
For Staff and Teacher, User DCID, SSO User Type, and Global Identifier are required.
For Parent, Person ID, SSO User Type, and Global Identifier are required.
For Student, Student DCID, SSO User Type, and Global Identifier are required.
Click Next.
In the Select/Edit Records section, you can use the Built In Filters to narrow the list of records to export, then click Next.
In the Export Summary and Output Options section:
Change the Export File Name extension from .txt to .csv.
Choose Comma as the Field Delimiter.
Choose UTF-8 as the Character Set.
Click Export.
Part B: Merge Export with Google Data
Optional: Export users from Google Admin Console to use with the PowerSchool Export
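The merged file can be checked before it is imported in Part C. The Python script below is an added example, not part of PowerSchool's instructions. It assumes the CSV header row uses the column labels listed in Part A and that Global Identifier holds each user's Google email address (the identifying claim entered in Step 3); the sample rows and the district.example domain are constructed.

```python
import csv
import io

# Record-ID column per mapping export, using the column labels from Part A.
# Assumption: the CSV header row uses these labels verbatim.
ID_COLUMNS = ("User DCID", "Person ID", "Student DCID")

# Constructed sample of a merged file; district.example is a placeholder domain.
SAMPLE = """User DCID,SSO User Type,Global Identifier
101,Staff,jdoe@district.example
101,Teacher,jdoe@district.example
102,Teacher,
103,Teacher,asmith@gmail.example
104,Teacher,JDoe@district.example
105,Staff, bking@district.example
"""


def check_mapping(csv_text, allowed_domains):
    """Return (line_number, problem) tuples for a merged SSO mapping file."""
    reader = csv.DictReader(io.StringIO(csv_text))
    id_col = next((c for c in ID_COLUMNS if c in (reader.fieldnames or [])), None)
    if id_col is None:
        return [(1, "no record ID column found")]
    problems, owners = [], {}  # owners: (user type, email) -> first record ID
    for row in reader:
        line = reader.line_num
        record_id = (row.get(id_col) or "").strip()
        user_type = (row.get("SSO User Type") or "").strip()
        raw = row.get("Global Identifier") or ""
        email = raw.strip().lower()  # Google addresses are case-insensitive
        if not email:
            # Users without a Global Identifier cannot sign in once OIDC is on.
            problems.append((line, "missing Global Identifier"))
            continue
        if raw != raw.strip():
            problems.append((line, "whitespace around Global Identifier"))
        local, _, domain = email.rpartition("@")
        if not local or domain not in allowed_domains:
            problems.append((line, "Global Identifier outside district domain"))
        # One Google identity must not resolve to two records of the same type.
        first = owners.setdefault((user_type, email), record_id)
        if first != record_id:
            problems.append((line, f"already mapped to {id_col} {first}"))
    return problems


if __name__ == "__main__":
    for line, problem in check_mapping(SAMPLE, {"district.example"}):
        print(f"line {line}: {problem}")
```

A user with both Staff and Teacher access passes the check with the same Global Identifier on two rows, because the duplicate test is applied per SSO User Type.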
Part C: Import Merged Data to PowerSchool
Import File
In PowerSchool SIS for Administrators, navigate to the Data Import Manager page.
Select the source and target:
Choose the file you want to import.
Choose SSO User Mapping as the Import Into.
Choose Comma as the Field Delimiter.
Choose Unicode as the Character Set.
Click Next.
Click Next.
Click Import.
Verify Imported Merged Files
Once the PowerSchool SIS user export files and the identity provider user export file are merged into one file and imported back into the PowerSchool SIS, you will want to verify that your identity provider's global identifier appears in the PowerSchool SIS. Re-run the exports to ensure that Global ID column data appears as expected.
Step 6: Test SSO for Personas
After mapping the users from the identity provider to the PowerSchool SIS, test the SSO connection between your identity provider and the PowerSchool SIS as the service provider. To test a persona, enable OIDC authentication and then verify that you can sign in to the respective portal. Be sure to test each persona in another browser or using an incognito window before ending your current session.
Enabling OIDC authentication for users without also defining Global Identifiers for users will prevent users from being able to sign in.
In PowerSchool SIS for Administrators, navigate to the OIDC Authentication page.
Select Enable OIDC Authentication for the persona you want to test. It is recommended that you first test teachers, then parents, then students, and finally staff.
Click OK.
Click Submit, but do not close the window.
Based on your Step 3 selection, choose the user you want to test.
Open a new private browser window.
Based on your Step 3 selection, enter the URL of your district's PowerSchool SIS Teacher, Student and Parent, or Admin portal and press ENTER or RETURN. The PowerSchool SIS portal should redirect to the IdP's sign-in page.
Sign in with the user's credentials. For teacher, parent, and student, if the PowerSchool SIS portal launches, the setup has been configured properly. For staff, if the PowerSchool SIS Admin portal launches and you are expelled from your first session, as you are only allowed one session at a time, the setup has been configured properly.
For parent and student, open the PowerSchool Mobile app. Sign in with the user's credentials.
Step 7: Enable OIDC Authentication
The final step of setting up the PowerSchool SIS as OIDC Service Provider is to enable OIDC authentication.
In PowerSchool SIS for Administrators, navigate to the OIDC Authentication page.
Select Enable OIDC Authentication for the user you want to enable.
Click OK.
Click Submit.