MFA/Single Sign-on with PowerSchool and Google Education/Workspace

Most school districts are probably in the process of implementing MFA (multi-factor authentication), as most insurance providers are making MFA a requirement for coverage (not to mention it’s just a good idea). Many districts we work with are using third-party solutions like Duo, SAASPASS, or similar. While these services work great, they can be expensive, and you can enable MFA on PowerSchool for free without them.

In this guide we will walk you through setting up MFA for PowerSchool admin users using Google Workspace as the identity provider (IdP). PowerSchool hands the login off to Google, so the second factor is enforced by Google. For this to work, MFA must be enabled on your admin users’ Google accounts.

Warning: There are steps in this process where you can lock your users out of the admin side of PowerSchool, so please be careful. Make sure you have another admin logged in before you enable SSO with MFA, and take a snapshot if you are running PowerSchool on a VM. If you have the luxury of testing this on a sandbox instance of PowerSchool or a training system, that would be a good idea.

Let’s get started.

PowerSchool

Log into PowerSchool as an administrative user and navigate to:

  • System
  • System Settings
  • Plugin Management Configuration
  • Enable the plugin titled PowerSchool SIS as OIDC Service Provider

Now that the plugin is enabled, let’s head over and configure OpenID in your Google Workspace.

Google Workspace

Let’s switch gears, head over to our Google Workspace, and set up OpenID. You can do this by navigating to https://console.developers.google.com/

First, we need to create an OAuth consent screen by clicking the link titled OAuth consent screen in the left-hand menu. Create a new consent screen; it collects general information about your organization and asks for some URLs and other details such as your privacy policy. Make sure you configure the consent screen for Internal users only, so that only accounts in your own Workspace organization can sign in through it. Enter the required information and continue to create the consent screen.

Next we need to set up the credentials, which is done by clicking on the Credentials link on the left-hand panel.

  • Click on Create Credentials
  • Select OAuth Client ID
  • For application type, select Web Application
  • Give it a meaningful name like PowerSchool
  • In the Authorized JavaScript Origins enter the root domain of your PowerSchool server like “https://ps.yourdistrict.net”
  • In the Authorized Redirect URIs enter “https://[yourpsdomainname]/oidc/openid_connect_login”
  • Click Save. Make sure you record your client_id and client_secret, and download the JSON file provided.
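A redirect URI that does not match exactly (wrong scheme, trailing slash, different host) is a common reason the Google login fails after the steps above. The check below is an added example, not part of the original guide or of PowerSchool: it reads the downloaded client JSON and compares it with the values entered above. The function name and sample values are assumptions; the host ps.yourdistrict.net is the guide's placeholder.

```python
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/oidc/openid_connect_login"  # path given in the guide

def check_client_json(raw, ps_host):
    """Return a list of problems in a downloaded OAuth client JSON file."""
    web = json.loads(raw).get("web")
    if web is None:
        return ["no 'web' section: client was not created as a Web application"]
    problems = [f"missing {k}" for k in ("client_id", "client_secret") if not web.get(k)]
    want_redirect = f"https://{ps_host}{CALLBACK_PATH}"
    redirects = web.get("redirect_uris", [])
    if want_redirect not in redirects:
        problems.append(f"redirect URI not registered exactly: {want_redirect}")
    for uri in redirects:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            problems.append(f"redirect URI is not https: {uri}")
        if parts.netloc.lower() != ps_host.lower():
            problems.append(f"redirect URI points at another host: {uri}")
    origins = web.get("javascript_origins", [])
    if f"https://{ps_host}" not in origins:
        problems.append(f"origin not registered: https://{ps_host}")
    for origin in origins:
        parts = urlsplit(origin)
        if parts.path or parts.query or parts.fragment:
            problems.append(f"origin must be scheme and host only: {origin}")
    return problems

# Constructed samples in the layout of Google's downloaded client file; values are placeholders.
GOOD = json.dumps({"web": {
    "client_id": "000000000000-placeholder.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "redirect_uris": ["https://ps.yourdistrict.net/oidc/openid_connect_login"],
    "javascript_origins": ["https://ps.yourdistrict.net"]}})
BAD = json.dumps({"web": {
    "client_id": "000000000000-placeholder.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "redirect_uris": ["http://ps.yourdistrict.net/oidc/openid_connect_login/"],
    "javascript_origins": ["https://ps.yourdistrict.net/"]}})

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_client_json(sample, "ps.yourdistrict.net") or "ok")
```

The downloaded file contains the client secret, so store it with the same care as a password and keep it out of shared drives and source control.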

Back to PowerSchool

Warning: In this step you could potentially lock your admins out if you enable OIDC for your users prematurely.

In the admin side of PowerSchool, navigate to:

  • System
  • Security
  • OIDC Authentication Setup

In the OIDC Authentication Setup Screen

  • Enable OIDC Authentication by clicking on the checkbox
  • For the IDP URL enter https://accounts.google.com
  • Enter your client ID and client secret from Google
  • In the scopes box enter openid email
  • In the Authentication ID/Identifying Claim enter email
  • Danger Zone: Do not check any of the Enable OIDC Authentication for XXXXX Users boxes yet; once you do, those users are locked into using only OIDC.

Let’s take a step back and look at what we just set up here. We have configured PowerSchool to use Google Workspace as an OIDC authentication source. We also told PowerSchool that we will be using the user’s email as the Authentication ID/Identifying Claim, which is important because that is how we will map a user from Google to an admin user in PowerSchool. This means we need to make sure that this email address is present in the user’s Identity Provider Global ID field. So let’s set that up on a test admin and give this a try.

Navigate to:

  • PowerSchool admin home screen
  • Locate an admin user
  • Edit the user and go to their Security Settings page
  • On the Admin Access and Roles page, enter the user’s email as it is in Google Workspace in the field titled Identity Provider Global ID
  • Click Submit

Moment of Truth

Warning: Here is where you can lock yourself out of the system if you are not careful, so find an admin friend in PowerSchool and have them log in before you enable OIDC. This way they can change the setting back if things don’t work.

Here we go, let’s enable OIDC for admin users by:

  • In PowerSchool navigate to System
  • Security
  • OIDC Authentication Setup
  • Check the box titled Enable OIDC Authentication for Staff Users
  • Click Submit

Now leave that window alone, stay logged in, open a new private browser tab, and attempt to log in to PowerSchool admin. You should be redirected to Google to enter your username, password, and MFA, and then redirected back to PowerSchool as your admin user if all goes well.

If that worked, you now just need to populate all admin users’ email addresses in the Identity Provider Global ID field, and you have PowerSchool working with MFA.
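Because every staff user is locked into OIDC once the box is checked, it helps to find the accounts that would fail before rolling this out to all admins. The pre-flight check below is an added example, not part of the original guide or of PowerSchool; the CSV layouts, column names and sample rows are constructed for illustration, and case differences are flagged conservatively because the guide says to enter the email as it is in Google Workspace.

```python
import csv
import io

# Constructed sample exports; the column names are hypothetical, not a PowerSchool or Google format.
PS_ADMINS_CSV = """username,global_id
jsmith,jsmith@yourdistrict.net
mlee,MLee@yourdistrict.net
tnguyen,
kpatel,kpatel@gmail.com
rdiaz,rdiaz@yourdistrict.net
"""
WORKSPACE_CSV = """email,mfa_enrolled
jsmith@yourdistrict.net,true
mlee@yourdistrict.net,true
tnguyen@yourdistrict.net,true
rdiaz@yourdistrict.net,false
"""

def preflight(ps_csv, ws_csv):
    """Map each admin username to the reason Google sign-in would fail or lack MFA."""
    workspace = {row["email"].strip(): row["mfa_enrolled"].strip().lower() == "true"
                 for row in csv.DictReader(io.StringIO(ws_csv))}
    by_lower = {email.lower(): email for email in workspace}
    findings, seen = {}, {}
    for row in csv.DictReader(io.StringIO(ps_csv)):
        user, gid = row["username"].strip(), (row["global_id"] or "").strip()
        if not gid:
            findings[user] = "Identity Provider Global ID is empty"
        elif gid.lower() in seen:
            findings[user] = f"Global ID already used by {seen[gid.lower()]}"
        elif gid not in workspace:
            if gid.lower() in by_lower:
                findings[user] = f"differs only by case from {by_lower[gid.lower()]}"
            else:
                findings[user] = "no matching Workspace account"
        elif not workspace[gid]:
            findings[user] = "Workspace account has no MFA enrolled"
        if gid:
            seen.setdefault(gid.lower(), user)
    return findings

if __name__ == "__main__":
    for user, reason in preflight(PS_ADMINS_CSV, WORKSPACE_CSV).items():
        print(f"{user}: {reason}")
```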

And Finally…

Just in case you weren’t aware, we make a pretty neat Parent-Teacher Conference solution that integrates with PowerSchool via single sign-on too. It will also work with the setup you’ve just configured above. If you would like to consider using PowerPTC, we offer a free 30-day trial. If you’d like to test our product out, head on over to the registration page.

In addition, we have a free data-mover called Report Out for all the self-hosted districts out there, which helps you move data between your information silos. Again, it’s completely free and you can check that out here: Report Out.
