How to set up Single Sign-on / Google

Modified on Tue, Jan 2 at 11:56 AM

The end user experience

  1. The user will enter their username.  They do not need to enter a password.
  2. After clicking the logon button, they will be redirected to Google to perform the authentication.
  3. When the user successfully completes the authentication in Google, Google will redirect the user back to SchoolFi or the Employee Portal.

Buzz words

  • Google Workspace for Education is the product that this integrates with.
  • OIDC – OpenID Connect. This is the protocol / standard that SchoolFi uses to communicate with Google to hand off the authentication process. OIDC is an extension to the OAuth 2 protocol that defines the mechanisms for authentication. https://openid.net/connect/
  • OAuth 2.0 – OAuth 2.0 is the industry-standard protocol for authorization.  https://oauth.net/2/

Setup performed in the Google Workspace for Education Dashboard

Step 1

Log into Google Cloud (https://console.cloud.google.com)

Go to APIs & Services

Step 2

Create a Project for SchoolFi SSO

Go to "OAuth consent screen"

Choose Internal

Click Create

SchoolFi SSO

Support Email: some@yourdistrict.com

Application home page:  https://staff.schoolfi.net/mydistrict/    (Use your district's URL here)

Authorized Domain: schoolfi.net (if hosted on Genesis Cloud) or your school's domain.

Leave the privacy policy and terms of service links empty


Authorized Domain: mydistrict.com 


Developer Contact Info:

someone@yourdistrict.com


Scopes:

openid

Step 3

Go to Credentials:

Click +Create Credentials

Choose "OAuth client ID"

Application Type: Web Application

Name: SchoolFi SSO

Authorized JavaScript Origin: https://staff.schoolfi.net 

Authorized redirect URIs (you need 2):

https://staff.schoolfi.net/mydistrict/auth/v1/code

and

https://portal.schoolfi.net/mydistrict/auth/v1/code


A popup will show the following data. Copy it and store it somewhere secure:

(It will look something like this:)

Client Id: 01234567890A-qnv94jff8iludi4i2k5rpucl7e1tgend.apps.googleusercontent.com

Client Secret: ABCDEF-ZfhknbXK75_LaYW1UoGbMMOLKpmA



Setup performed in SchoolFi

Go to System.Security.Single Sign on / MFA

Click Add Provider

Code: GOOGLE

Provider: Google Workspace for Education

Type: Single Sign-on

Client Id and Secret: Copy from Google Workspace


Go to the modify screen of the Google Provider.

In the Utilities notecard, click the "Auth Discovery Document Test" button.

A dialog box with a ton of JavaScript should appear.  Close it.

If any error appears, most likely the Firewall at your district is blocking the request to "https://accounts.google.com/.well-known/openid-configuration"


Click the "Lookup OAuth fields from Discovery" button.

The OAuth Token and Authorize URLs should populate.


Click the Refresh Public Key button.

The Key Id, Modulus and Exponent fields should be populated.


Check the Enabled Employee Portal and SchoolFi checkboxes and save.


Google SSO should now be ready for use.
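To see what the discovery test, the OAuth field lookup and the public key refresh steps above read from Google, the following added example (not SchoolFi's own code) parses an OIDC discovery document and a JWKS key set. The function names, the 2048-bit minimum and the sample documents are assumptions made for illustration; the sample input is constructed and abbreviated.

```python
import base64
from urllib.parse import urlsplit

def b64url_to_int(value):
    """Decode an unpadded base64url JWK field (n or e) into an integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def lookup_oauth_fields(discovery, expected_issuer="https://accounts.google.com"):
    """Return the endpoints from a discovery document; reject a wrong issuer or non-https URL."""
    if discovery.get("issuer") != expected_issuer:
        raise ValueError(f"unexpected issuer: {discovery.get('issuer')!r}")
    fields = {}
    for name in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = discovery.get(name, "")
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{name} is missing or not https")
        fields[name] = url
    return fields

def refresh_public_keys(jwks, min_bits=2048):
    """Return {key id: (modulus, exponent)} for the RSA signing keys in a JWKS document."""
    keys = {}
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
            continue  # skip non-RSA and encryption-only keys
        n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
        if n.bit_length() < min_bits:  # min_bits is an assumed policy, not a SchoolFi setting
            raise ValueError(f"key {jwk.get('kid')} is only {n.bit_length()} bits")
        keys[jwk["kid"]] = (n, e)
    return keys

# Constructed sample input (abbreviated; not a capture of Google's live documents).
SAMPLE_DISCOVERY = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
}
_FAKE_MODULUS = bytes([0xC3]) + bytes(254) + b"\x01"  # 2048-bit placeholder, not a real key
SAMPLE_JWKS = {"keys": [{
    "kty": "RSA", "use": "sig", "alg": "RS256", "kid": "constructed-key-1", "e": "AQAB",
    "n": base64.urlsafe_b64encode(_FAKE_MODULUS).rstrip(b"=").decode(),
}]}

if __name__ == "__main__":
    for name, url in lookup_oauth_fields(SAMPLE_DISCOVERY).items():
        print(f"{name}: {url}")
    for kid, (n, e) in refresh_public_keys(SAMPLE_JWKS).items():
        print(f"key id {kid}: {n.bit_length()}-bit modulus, exponent {e}")
```

The `kid` in an ID token's header selects which of these keys verifies the token's signature.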


Configuring SchoolFi Users to use Google SSO

Choose a user to test the Google SSO from the System -> Security -> Users screen.

Do not choose the user you are currently logged in as; you do not want to accidentally lock yourself out of the system if the feature is not set up correctly.


Change the Authentication Type drop-down to the Single Sign-On option and click save. Afterward, an SSO Provider field will appear; select Google SSO and click save.

The Single Sign-on Id field should now display a warning if there is no value. This must match the username or one of its aliases as it appears in Google.

Using a different browser (or after logging out of your current session), attempt to log in as this user.


Configuring Employee Portal Users to use Google SSO

Choose an employee portal user to test the Google SSO from the Setup-> Employee Portal -> Users screen.

Do not choose the user you are currently logged in as; you do not want to accidentally lock yourself out of the system if the feature is not set up correctly.

Change the Authentication Type drop-down to the Single Sign-On option and click save. Afterward, an SSO Provider field will appear; select Google SSO and click save.





