The end user experience
- The user will enter their username. They do not need to enter a password.
- After clicking the logon button, they will be redirected to Google to perform the authentication.
- When the user successfully completes the authentication in Google, Google will redirect the user back to SchoolFi or the Employee Portal.
Buzz words
- Google Workspace for Education is the product that this integrates with.
- OIDC – OpenID Connect. This is the protocol / standard that is used by SchoolFi to communicate with Google to hand off the Authentication process. OIDC is an extension to the OAuth 2 protocol that defines the mechanisms for Authentication.
- https://openid.net/connect/
- OAuth 2.0 – OAuth 2.0 is the industry-standard protocol for authorization. https://oauth.net/2/
Setup performed in the Google Workspace for Education Dashboard
Step 1
Log into Google Cloud (https://console.cloud.google.com)
Go to API & Services
Step 2
Create a Project for SchoolFi SSO
Go to "Oath consent screen"
Choose Internal
Click Create
SchoolFi SSO
Support Email: some@yourdistrict.com
Application home page: https://staff.schoolfi.net/mydistrict/ (Use your district's URL here)
Authorized Domain: schoolfi.net (If hosted on Genesis Cloud) or your schools domain.
Leave Policy and Servers link empty
Authorized Domain: mydistrict.com
Developer Contact Info:
someone@yourdistrict.com
Scopes:
openid
Step 3
Go to Credentials:
Click +Create Credentials
Choose "Oauth Client Id"
Application Type: Web Application
Name: SchoolFi SSO
Authorized JavaScript Origin: https://staff.schoolfi.net
Authorized redirect URI: (you need 2):
https://staff.schoolfi.net/mydistrict/auth/v1/code
and
https://portal.schoolfi.net/mydistrict/auth/v1/code
A Popup will show this data, copy and place it somewhere secure:
(It will look something like this:)
Client Id: 01234567890A-qnv94jff8iludi4i2k5rpucl7e1tgend.apps.googleusercontent.com
Client Secret: ABCDEF-ZfhknbXK75_LaYW1UoGbMMOLKpmA
Setup performed in SchoolFi
Go to System.Security.Single Sign on / MFA
Click Add Provider
Code: GOOGLE
Provider: Google Workspace for Education
Type: Single Sign-on
Client Id and Secret: Copy from Google Workspace
Go to the modify screen of the Google Provider.
In the Utiltiies notecard, click the "Auth Discovery Document Test" button.
A dialog box with a ton of JavaScript should appear. Close it.
If any error appears, most likely the Firewall at your district is blocking the request to "https://accounts.google.com/.well-known/openid-configuration"
Click the "Lookup OAuth fields from Discovery Button"
The OAuth Token and Authorize URLs should populate.
Click the Refresh Publick Key button.
The Key Id, Modulus and Exponent fields should be populated.
Check the Enabled Employee Portal and SChoolFi Checkboxes and save.
Google SSO should now be ready for use.
Configuring SchoolFi Users to use Google SSO
Choose a user to test the Google SSO from the System -> Security -> Users screen.
Do not choose the user you are currently logged in as, you do not want to accidentally lock yourself out of the system if the feature is not setup correct.
Change the Authentication Type drop-down to the Single Sign-On option and click save. After an SSO Provider field will appear and select Google SSO and click save.
The Single Sign-on Id field should now display a warning if there is no value. This must match the username or one if it’s aliases as it appears in Google.
Using a different browser (or log out of your current session); attempt to login as this user.
Configuring Employee Portal Users to use Google SSO
Choose an employee portal user to test the Google SSO from the Setup-> Employee Portal -> Users screen.
Do not choose the user you are currently logged in as, you do not want to accidentally lock yourself out of the system if the feature is not setup correct.
Change the Authentication Type drop-down to the Single Sign-On option and click save. After an SSO Provider field will appear and select Google SSO and click save.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article