BusinessPlus Single Sign-On (SSO)
BusinessPlus 20.11.0 and later
BusinessPlus supports single sign-on (SSO) authentication for administrative users and Employee Online through third-party identity providers (IDPs), including Google and Microsoft.
Pre-requisites for SSO configuration
BusinessPlus SSO should first be configured in a Test or other non-live environment for acceptance testing and user training.
BusinessPlus requirements
BusinessPlus SSO is available for versions 20.11.0 and later.
SSO is only available for BusinessPlus Core and Employee Online.
PC Products (for example: Admin Console, Document Capture, Workflow Designer, CDD) do not support SSO. PC Products require BP User (NUUPUS) credentials at login.
Cognos is supported with SSO for versions 22.4.0 and later.
You must have System Administrator access to the BusinessPlus (BP) environment where you want to set up SSO.
Access to NUUPCD, NUUPSO, NUUPUS, NUUTZZ.
Access to restart IIS on all BP and Employee Online (EO) servers.
Access to restart Data Processing Service on all BP web servers.
District Global Identifier (MOTU ID): Contact PowerSchool Support to request the MOTU District Global Identifier.
There needs to be a 1:1 user mapping between the BP or EO user account and the IDP account. If two accounts are in use (for example: Core BP and EO), these accounts must be merged by deactivating one account and keeping only one user account per user.
Keep the existing BP account which has security and deactivate the EO account.
Moving forward, use accounts which are autogenerated by NUUTNU, and add BP security to those accounts.
Employee Online
Active Employees require a user account in the district IDP to authenticate.
Terminated Employees (employees with a termination date) are able to use the Former Employee login, using their NUUPUS user id and password. The Former Employee login does not use SSO.
It is assumed that the employee’s district user account is deactivated.
The employee must have a valid password set in NUUPUS.
Customer Identity Provider (IDP) requirements
Identity Providers
Microsoft Azure
Google
Supported Identity Standard: OIDC
Complete Client Application Configuration
Client / Application ID and Client Secret
Redirect URIs (these are case sensitive)
BusinessPlus Core
https://<BusinessPlus Farm URI>/BTMQ/signin-oidc
Employee Online
DMZ: https://<Employee Online URI>/BusinessPlus/signin-oidc
Internal Web Server: https://<BusinessPlus Farm URI>/BusinessPlus/signin-oidc
Cognos: Refer to the Cognos SSO configuration section of this page.
Claim Identifier
Claim Identifier for Microsoft is "OID"
Claim Identifier for Google is "EMAIL"
Tenant ID (Microsoft Only): Refer to How do I find the Tenant ID question on FAQ: Setting up SSO.
Authority URL
Microsoft Azure: https://login.microsoftonline.com/[TenantID]/v2.0
Google: https://accounts.google.com
Create BSI AD User Account for PowerSchool Support. This account will be used for PowerSchool to be able to authenticate
Use this chart used to gather the necessary information:
| Provided By | Value |
---|---|---|
PowerSchool District Application GUID (MOTU ID) | PowerSchool |
|
PowerSchool Support IDP User | Customer |
|
Identity Provider
| Customer |
|
Claim Identifier
| Customer |
|
Tenant ID (Microsoft Azure Only) | Customer |
|
Client ID / Application ID | Customer |
|
Client Secret | Customer |
|
Redirect URIs | PowerSchool | BusinessPlus Core: https://<BusinessPlus Farm URI>/BTMQ/signin-oidc |
Map users for SSO (bulk and individual)
This should be completed by the customer with PowerSchool Services support as needed.
SSO Mappings are stored in the sso_user_mapping table.
Individual user provisioning
Open Admin Console.
Launch Security Admin / Manage Users.
Search for the User ID.
Select the SSO Mapping tab.
Add the mapping value and save.
At minimum, a PowerSchool support account would be needed (for example, BSI) to complete the configuration.
Field Name | Mandatory | Value |
---|---|---|
Mapping Value | Y | oid / email, depending on the claim type |
Bulk user provisioning
BusinessPlus supports importing users into the SSO mapping table using a .csv or .txt file. BusinessPlus supports COMMA or TAB separated records.
Common code setup
Launch NUUPCD
Add a record with below values
| Mandatory | Value |
---|---|---|
Code Category | Yes | NURL |
Code Value | Yes | ROLLOVER |
Ledger | Yes | @@ |
Code 3 | Yes | COMMA or TAB (file delimiter for import file) |
Create import file
Create a .csv or .txt file as follows for each BusinessPlus User ID.
Headers are required in the import file.
Header | Mandatory | Value |
---|---|---|
user_id | Yes | BusinessPlus User ID |
mapping_id | Yes | Microsoft = OID Google = EMAIL |
Example Import File using Microsoft OID:
user_id,mapping_id
BSI,fe45a351bde745c38e902cd25b25f95a
SBI,648458afe7424a2d9abaf6d1c22b6e99
RBI,b494b939b88748c0a1efc4763aee5e47
Bulk import
Launch NUUTZZ
Click Location or Other and select the .csv or .txt import file.
Select Trial Mode as No. Select Yes to verify the import file first, if desired.
Click Submit.
Verify the job has completed and review the report file to confirm user mappings were added successfully.
Generate encryption key
An Encryption Key should be generated only once per environment. If you are unsure if an Encryption Key already exists, try to save the NUUPSO configuration first. Replacing the existing key or re-generating a new encryption key will invalidate existing encrypted data. To change the key, all encrypted data must be decrypted with the old key and re-encrypted with a new key manually, and then save that data into tables.
Additional Steps can be referenced at Step 9 of the OAUTH2 Email Configuration. Refer to BusinessPlus OAUTH2 Email Configuration documentation.
Open Admin Console.
Launch Configure Local Server plug-in.
In the Tools area, double-click the Generate Key tool. This will only need to be executed once per BP environment.
Enable App Switcher (Motu ID configuration)
App Switcher should only be enabled for Production/Live environments. App Switcher cannot be configured for both Production and Test environment links. This will allow clients to switch between PowerSchool products. If other PowerSchool products are not in use, then the App Switcher will allow users to switch between BP and EO more easily, but is not required if they only have BP.
Pre-requisites
SSO with an external identity provider must be enabled for all PowerSchool applications you intend to include in the Applications list.
A single identity provider must be used for administrator and staff users across all applications you intend to include.
Your district must have two or more PowerSchool applications where AppSwitcher is available.
Unified Classroom must not be enabled.
AppSwitcher has been requested and your district applications have been set up for AppSwitcher.
Enable Applications icon
Contact PowerSchool Support to request to have the Global Identifier (MOTU) updated with the App Switcher District Settings.
In BusinessPlus, launch NUUPCD.
Add a Record with the below values:
Code Category - MOTU
Code Value - MOTUID
Ledger - @@
Long Description - District Global Identifier (MOTU GUID)
Restart IIS after setting up the common code.
NUUPSO configuration
Launch NUUPSO
Add a record with below values:
Client ID
Client Secret
Authority URL
Microsoft Azure: https://login.microsoftonline.com/[TenantID]/v2.0
Google: https://accounts.google.com
Claim Type
Google, select Email
Microsoft, select OID
Vendor Name: Google or Microsoft
SSO Enabled: Selected
Press Enter to save settings.
Restart IIS on all BP and EO servers.
Open Administrator Command Prompt
Type IISReset into the command prompt, and press Enter. This will disconnect users.
If LDAP is also enabled at the district, it must be disabled in the BP Connection Properties. After disabling LDAP, a Restart of the Data Processing Services on all BP servers is required.
Cognos SSO configuration
22.4.0 or later
Pre-requisites
Complete SSO configuration for BusinessPlus.
Ensure Cognos server configuration has been completed by the Cognos team.
Identify the IDP URL (URL for Identity Provider - Microsoft or Google)
Microsoft Example:
Google Example:
Provide the Client ID and Client Secret from Identity Provider to Professional Services if they are assisting with setup.
Redirect URL has been created in the Identity Provider (by Cloud or TSG)
Cognos: https://<application server URI>//ibmcognos/redirect.asp
Provide the Claim Identifier to Professional Services if they are assisting with setup.
PowerSchool recommends OID as the Microsoft Claim Identifier. If you use a different identifier for your existing SSO, we can leverage your current Claim Identifier.
The Claim identifier for Google is Email.
Note: All configurations must be setup by a user with System Administrator privileges.
Provision Cognos for users
Login into Web Server where Admin Console is installed.
Select Manager Users.
Search for the User ID.
On the Main tab, select Cognos User.
Enable Cognos SSO
Open NUUPCO in BusinessPlus.
Select Cognos Enabled.
Complete the following data fields. Values provided are examples only.
Cognos URL: http://bp-cognos11.corp.powerschool.int:9300/bi/v1/disp
Root URL: https://bp-cognos11.bp.powerschool.com/ibmcognos/bi/v1/disp
Select SSO Enabled.
Enter your Client ID and Client Secret. The Client secret will be encoded to Base64 format after saving the record.
Enter the Authority URL.
Claim Type: OID or Email
Vendor: Microsoft or Google
Click Generate Secret to populate Private Key and Public Key. Private Key is encrypted when you save the record.
Issuer: powerschool
Audience: ibmcognos
Timeout: Enter number of minutes.
Save changes.
Reload CAP Properties
When changes are made in the Manage Cognos Configuration (NUUPCO) page, the following steps must be completed to update the Cognos properties.
Navigate to the following URL in the web browser: https://<application server URL>:9300/bi/?CAMNamespace=businessPlus&capReloadPropertiesFile=true
Reload of properties is successful when the message appears: Motio Custom Security: The custom authentication provider properties file was reloaded. Do not click the Sign In button.
Log out of the BusinessPlus application.
Restart IIS.
Disable SSO configuration from NUUPSO
Launch BusinessPlus application as a user with System Administrator privileges (for example: BSI).
Navigate to NUUPSO.
Clear the SSO Enabled checkbox.
Press Enter to Save.
Logout of BusinessPlus.
Restart IIS on all Web Servers and EO Servers. If LDAP was previously enabled, enable LDAP in the Connection Properties and restart Data Processing Service on all Web Servers.
Disable App Switcher from NUUPCD
App Switcher can also be disabled in BusinessPlus Test environment so it does not link to any other Production/Live PowerSchool products.
Launch BusinessPlus application as a user with System Administrator privileges (for example: BSI).
Launch NUUPCD.
Search for and select the MOTU record with below criteria:
Code Category - MOTU
Code Value - MOTUID
Delete MOTU ID from Long Description field.
Save the Record.
Log out and then log back in to BusinessPlus.
Disable SSO configuration from database
If the IDP cannot be reached for authentication or if errors exist with the SSO configuration, it may be necessary to disable SSO via SQL update statement.
Launch Admin Console as a user who has access to the SQL Query screen.
Open Database Admin / Utilities / SQL Query.
Run the following SQL Update Statement: update sso_client_config set sso_enabled = N
Close Admin Console.
Restart IIS on all Web Servers and EO Servers. If LDAP was previously enabled, enable LDAP in the Connection Properties and restart Data Processing Service on all Web Servers.
Test SSO
Access BusinessPlus
Access the BP Farm URL.
When you load the BP Farm URL, it navigates to the loading page when the user tries to login immediately after IIS reset. After some time, a message instructs you to retry using Reload Page.
Click Reload Page and the system redirects to the Microsoft or Google authentication page.
Enter valid district credentials.
After you are authenticated by the IDP, your BusinessPlus personal dashboard loads.
The App Switcher waffle icon should display.
Verify that Change Password is not displayed in the user name menu.
Click Sign Out. You will be signed out from BusinessPlus but not from the identity provider.
Click Return to BusinessPlus. Your dashboard should load without having to re-authenticate.
Access Employee Online
Employee Online should be tested using both EO on the dedicated EO (DMZ Hosted) server and the internal BP Farm servers. Repeat the steps for each URL.
Access the EO URL.
The Account Login page should appear, directing the user to select their authentication method.
Active Employees: Click here to log in with single sign-on (SSO)
Former Employees: Click here to log in
Active Employees
Click Active Employees: Click here to log in with single sign-on (SSO).
The user should be redirected to their IDP (Google or Microsoft) for authentication.
Enter valid district credentials. After authenticated by the IDP, the user should see the Employee Online home page.
The App Switcher waffle icon should display.
Former Employees
To test, use an employee who has a termination date in the Term Date field on their Employee Master record (HREMEN). Verify the termination date aligns with the EO Global Settings for allowing terminated users access to Employee Online.
Click on Former Employees: Click here to log in.
The user should be redirected to the legacy Employee Online login page.
Login using a terminated employee NUUPUS user account. After authenticated, the user should see the Employee Online home page.
Terminate Employee
Disable the SSO or LDAP/AD account. This is done by IT.
HREMEN: Mark the employee as terminated using the Term Date on the Term Info tab. The EO application will refer to the Term Date to allow the traditional login.
NUUPUS or Admin Console, Manage Users
Employee ID to have no access:
Remove all security roles
Set status to I (inactive)
Click the No Password, LDAP/SSO checkbox
Remove SSO Mapping
Rebuild the user
Employee ID to have EO access:
Clear the No Password, LDAP/SSO checkbox
Make sure EMPLOYEE association is set
Set status to P if you want to force a password change.
There is no defined process of sharing ID and initial password as part of SSO.
FAQs and troubleshooting
If the traditional BP Login page is displayed:
Clear local browser cache and attempt to login again.
Refresh the browser window until user is redirected to the IDP login screen.
Make sure the redirect URLs are configured in IDP.
Google Application redirect URIs may be case sensitive.
Review against Redirect URIs saved in BusinessPlus web.config on all BP Servers (internal and external).
Verify the X:\inetpub\wwwroot\BusinessPlus\web.config accurately reflects the server URL.
On the BP Servers, the URL should reflect the BP Farm.
On the EO Server, the URL should reflect the EO URL.
<add key="ida:PostLogoutRedirectUri" value="https://<application server URI>/BusinessPlus/account/SignIn" />
<add key="ida:RedirectUri" value="https://<application server URI>/businessplus/signin-oidc"/>
<add key="NewRelic.AgentEnabled" value="true" />
<add key="NewRelic.AppName" value="EmployeeOnline" />
These settings are updated by using the BP Config utility and should be reviewed after running the BP Configuration utility. Make sure on item number 4, that the URL value uses the correct BP farm URLS and not http://localhost.
Verify LDAP is not enabled. LDAP and SSO cannot be both enabled. Disable LDAP via Connection Properties in Admin Console.
Restart BP Data Processing Services and Reset IIS on all BP Web Servers. Reset IIS on EO Servers.
When a user logs out, are they logged out of the identity provider?
Single sign-out is not supported at this time. Users are not signed out of the identity provider or other PowerSchool products when they sign out. Refer users to the appropriate location to sign out of the identity provider.
As a best practice for optimal security and privacy, when multiple employees access Employee Online using the same device, consider implementing the following recommendations:
a. Avoid using non-individual accounts : To prevent accessing information of any other employee avoid using non-individual accounts. This applies to the operating level ( Windows, iOS) and the BusinessPlus (application level)
b. Use Incognito Browser Window: To logout after each session from the BusinessPlus application and Identity provider. Quit the browser completely after each active session.
Does the HREMEN, Termination tab, Term Date need to be equal to today or in the past?
The Term Date needs to be in the past.
What happens if there is no SSO Mapping value and no Term Date?
The employee cannot log in to the application.
A Welcome to BusinessPlus page appears and includes the following messages and buttons:
Your account was signed into BusinessPlus Application using your district’s identity provider. The identity provider’s session has not been signed out.
Authentication failed. Click below to retry
If the problem persists, contact your administrator.
Button: Click here to log in with SSO - Current Employee
Button: Click here to log in - Former Employee
What happens if employee’s Term Date is blank, today or in the future and has a valid SSO Mapping ID?
Only SSO Login is allowed, and employee can login.
What happens if employee’s Term Date is blank, today or in the future and has an invalid SSO Mapping ID?
Only SSO Login is allowed, and user does not have valid mapping, so user cannot login.
A Welcome to BusinessPlus page appears and includes the following messages and buttons:
Your account was signed into BusinessPlus Application using your district’s identity provider. The identity provider’s session has not been signed out.
Authentication failed. Click below to retry
If the problem persists, contact your administrator
Button: Click here to log in with SSO - Current Employee
Button: Click here to log in - Former Employee
What happens if employee’s Term Date is in the past and has an invalid SSO Mapping ID?
Employee cannot log in with SSO but can log in with Former Employee login option.
What happens if employee’s Term Date is in the past and has a valid SSO Mapping ID?
Employee can login with SSO and Former Employee login option.
What happens if employee’s Term Date is in the past and has no SSO Mapping ID?
Employee cannot login with SSO but can log in with Former Employee login option.
What happens to the Change Password Option in the EO application when SSO is enabled?
For Current Employee, the Change Password option is not available in the EO application.
For Former Employee, the Change Password option is displayed in the EO application, by selecting the circle with the user’s login initials in it.
There is no defined process of sharing ID and initial password as part of SSO.