PowerSchool SSO Transition FAQ

Up until recently, PowerSchool sign-in for all users was handled through a username and password system. After configuration and testing we have been turning on PowerSchool SSO (single sign-on), which is integrated with each district’s existing Google accounts.

The way this works is through a plugin enabled in the PowerSchool Admin interface. Once properly configured in both PowerSchool and the Google backend, we are able to redirect the sign-in buttons in PowerSchool to a Google sign-in page that employs a user’s existing district email credentials.

This can be turned on separately for different user categories as follows:

Student users
Teacher users
Staff users
Parents and guardians

Each of these account types is tied to a different side of PowerSchool: PowerTeacher, PowerSchool Admin, the student interface, and the parent access interface.

Since many teachers and staff interact with both PowerTeacher and PowerSchool admin, until both sides are enabled the old passwords are not entirely useless- don’t throw them away!

A common security concern with this new system is that a student can simply click the login button on your PowerSchool if you are away from the computer and it will sign in without issue. This is a valid concern, but there is an easy fix- if you step away from your computer or leave the room, even momentarily, lock your screen by pressing 'Windows Key + L'. This will ensure there is no unauthorized access to your accounts provided your students do not know your login password.

Here’s how it all works on an individual level…

The most important part of configuring a user’s access in the new SSO system is called the ‘global identifier’. This is a field within PowerSchool that signals to the new sign in system which email account is tied to them. Whatever email address is in the ‘global identifier’ field is what is used to check access when they attempt to log in.

When setting up the new system, we added global identifiers for users by pulling a list of all email addresses by user category, picking through it to fix any obvious errors, then ‘importing’ the emails as the global identifier field.

Here is an example of troubleshooting a teacher’s login on the new system:

A teacher at Ironwood is trying to sign in to their PowerTeacher. When they go to the PowerTeacher sign in page, they get an error message saying their account is not mapped to an existing account.
They call SupportNet and someone on the helpdesk opens their ‘Account Access and Affiliations’ page in PowerSchool Admin. They see that the ‘global identifier’ field is empty.
The helpdesk tech enters the teacher’s @ironwoodschools.org email into the global identifier field and submits the changes, and tells the teacher to try again.
The teacher is able to successfully enter PowerTeacher while signed in to their Ironwood email.

Common Problems Explained

There are three common causes for error in the new sign-in system. I will list them and provide the common solutions, some of which can be done by district admin staff, while others must be corrected by REMC staff.

Problem 1
- Student/teacher/staff has the incorrect global identifier
- This can be anything. An old email, a personal email, something missed in a name change. Whatever is entered in the global identifier field MUST match their district email address.
- District staff with admin access (secretaries, etc.) can fix this quite easily by opening the user’s ‘Account Access and Affiliations’ page and correcting their global identifier. Note that the ‘Admin Access’ page and the ‘Account Access’ page are separate and, if the user in question is using both PowerTeacher and PowerSchool Admin, they will both need to be updated.

Path to the ‘Account Access’ options

Identity Provider Global ID - this must be set to district email!

Problem 2
- User is signed in with a different email account.
- This is one of the most common issues, PowerSchool will complain about access denied or that there is no existing user account mapped.
- When clicking the sign-in button, it will pull whatever account you are currently signed in to on Google: if this is a personal email or an external district email, it will not match the global identifier, and you will get rejected.
  - On Google Chrome, by default opening a new tab brings you to a generic Google search page. In the top right you can see the profile picture of whatever account your are currently signed in as. If there is a sign-in button there, you are not signed in at all.
  - Multiple accounts can be signed in at once. PowerSchool usually gives an option to choose when signing in for the first time.
- The fix is to simply sign in to your district email address or whatever address is mapped to your account in the global identifier- if you are not sure, you can ask your admin staff or call the helpdesk.
Problem 3
- User email or global identifier is linked to an external domain (different school, university, company, entity)
  - These are special cases and are most commonly seen by the ISDs. They include external users at places like the CTE, traveling teachers from KBOCC, Gogebic, etc. This can also include users who are external to their school but still under REMC, such as a Hancock teacher with PowerSchool access to Dollar Bay.
    - In short, this is what this means. Our example school is Dollar Bay:
      - teacher@dbschools.us = Internal
      - student@student.dbschools.us = Internal
      - staff@dollarbay.k12.mi.us = Internal
      - ted@remc1.org = External!
      - teacher@hancock.k12.mi.us = External!
      - vendor@vendorcompany.com = External!
      - teacher@gogebic.edu = External!
    - All emails marked as external will NOT function unless explicitly added in the backend API for the sign-on system. This is something that must be fixed by REMC staff. If the user has an appropriate internal email and for some reason their global identifier is tied to an external one, change it (or call the helpdesk)!
    - By default we have added the following domains to each school:
      - @remc1.net, @remc1.org - ALL SCHOOLS
      - @copperisd.org - All CCISD districts
      - @goisd.org - All GOISD districts
  - External domains are not difficult or time consuming to add but we would like to avoid it when possible. If there are teachers who are consistently working in your PowerSchool, it is probably best to get them an appropriate email address.
  - We can add any needed domain as long as their mail accounts are through Google. Outlook is a bit more complicated and beyond the scope of this guide. If you have external users from Gogebic Community College or the KBOCC, you will need to consider making them a district email.

Above are the most common issues, though occasionally others can pop up, usually dealing with our back-end configuration.

If you have any questions or concerns, do not hesitate to contact the helpdesk. Many things can be cleared up just through a quick explanation and/or demonstration.