Single Sign-On (SSO)

This page describes setups and functionality for using Single Sign-On (SSO) for PowerSchool ERP and related applications.

Hosted sites do not have access to the Environment Maintenance menu. PowerSchool maintains this information. Contact Support to provide the Client IDs, Client Secrets, Claim Identifier, and Identity Provider URLs to PowerSchool.

SSO Configuration

Follow the procedures below to complete the configuration for SSO. Also, complete steps to assign SSO Identifiers to users.

Add PowerSchool District GUID

Click the circle with your initials in the toolbar.
Select Environment Maintenance.

Only specific users will have permission for this menu.
Select the Business Entity that needs to be SSO enabled.
In the Additional Links panel, select AppSwitcher SSO Setup.
On the PowerSchool District GUID page, select Add to add a new GUID.
Complete the fields on the Single Sign-On Setup page and select Save.

Fields need to be completed for PowerSchool ERP and for each application that needs to be configured for SSO.

Fields

PowerSchool District GUID Configuration

PowerSchool District Application GUID	Character string is provided by PowerSchool.
Environment	Enter the Environment type: Test, Production, or other type used by the district

Single Sign-On Configuration

Identity Provider Name	Enter one of the following as used by the district: Microsoft Google Powerschool SIS
Claim Identifier	Enter the applicable identifiers for Single Sign-On services, matched to the Identity Provider Name: Microsoft: oid Google: email SIS IDP: account_identifier
Identity Provider URL	Enter one of the following URLs, matched to the Identity Provider Name: Microsoft - https://login.microsoftonline.com/<Tenant Profile ID>/v2.0 Google - https://accounts.google.com/ SIS URL
Identity Provider Scopes	This field automatically populates with openid, email, or profile. Do not edit.

PowerSchool ERP IDP Credentials

Client ID

Enter Client ID provided by the identity provider.

Client Secret

Enter the Client Secret provided by the identity provider.

Core Redirect URI

Enter one of the following URLs, matched to the Identity Provider Name:

Microsoft - https://<application server URI>//eFP19.4/PowerSchool ERP/SunGard.PowerSchool ERP.Web/<PS GUID>/signin-microsoft
Google - https://<application server URI>//eFP19.4/PowerSchool ERP/SunGard.PowerSchool ERP.Web/<PS GUID>/signin-google
SIS IDP - https://<application server URI>//eFP19.4/PowerSchool ERP/SunGard.PowerSchool ERP.Web/<PS GUID>/signin-sis

On the URLs above, enter your PowerSchool District Application GUID in the URL part labeled <PS GUID>.

Employee Access Center IDP Credentials

Client ID

Enter Client ID provided by the identity provider.

Client Secret

Enter the Client Secret provided by the identity provider.

EAC Redirect URI

Enter one of the following URLs, matched to the Identity Provider Name:

Microsoft - https://<workflow server URI>//eFP19.4/EmployeeAccessCenter/Web/<PS GUID>/signin-microsoft
Google - https://<workflow server URI>//eFP19.4/EmployeeAccessCenter/Web/<PS GUID>/signin-google
SIS IDP - https://<workflow server URI>//eFP19.4/EmployeeAccessCenter/Web/<PS GUID>/signin-sis

On the URLs above, enter your PowerSchool District Application GUID in the URL part labeled <PS GUID>.

Employee Timesheet IDP Credentials

Client ID

Enter Client ID provided by the identity provider.

Client Secret

Enter the Client Secret provided by the identity provider.

ETS Redirect URI

Enter one of the following URLs, matched to the Identity Provider Name:

Microsoft - https://<workflow server URI>//eFP19.4/EmployeeTimeSheet/Web/<PS GUID>/signin-microsoft
Google - https://<workflow server URI>//eFP19.4/EmployeeTimeSheet/Web/<PS GUID>/signin-google
SIS IDP - https://<workflow server URI>//eFP19.4/EmployeeTimeSheet/Web/<PS GUID>/signin-sis

On the URLs above, enter your PowerSchool District Application GUID in the URL part labeled <PS GUID>.

Cognos IDP Credentials

Client ID	Enter Client ID provided by the identity provider.
Client Secret	Enter the Client Secret provided by the identity provider.
ETS Redirect URI	Enter the URL provided by Cognos.

Vendor Punchout IDP Credentials

Client ID

Enter Client ID provided by the identity provider.

Client Secret

Enter the Client Secret provided by the identity provider.

VPO Redirect URI

Enter one of the following URLs, matched to the Identity Provider Name:

Microsoft - https://<workflow server URI>//eFP19.4/VendorPunchoutMS/Web/<PS GUID>/signin-microsoft
Google - https://<workflow server URI>//eFP19.4/VendorPunchoutgoogle/Web/<PS GUID>/signin-google
SIS IDP - https://<workflow server URI>//eFP19.4/VendorPunchoutsis/Web/<PS GUID>/signin-sis

On the URLs above, enter your PowerSchool District Application GUID in the URL part labeled <PS GUID>.

Enable Single Sign On for a Profile

Click the circle with your initials in the toolbar.
Select Environment Maintenance.
Select a Business Entity.
Select the profile that needs to be SSO enabled.
On the Profile Details page, select the Enable Single Sign-On checkbox for the applications for which you want to use SSO.

Cognos uses SSO if SSO is enabled for PowerSchool ERP.
Select the PowerSchool District Application GUID for the profile.
Select Save.