Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            How to set up Single Sign-on / Google

            Modified on Tue, Jan 2 at 11:56 AM

            The end user experience

            1. The user will enter their username.  They do not need to enter a password.
            2. After clicking the logon button, they will be redirected to Google to perform the authentication.
            3. When the user successfully completes the authentication in Google, Google will redirect the user back to SchoolFi or the Employee Portal.

            Buzz words

            • Google Workspace for Education is the product that this integrates with.
            • OIDC – OpenID Connect.  This is the protocol / standard that is used by SchoolFi to communicate with Google to hand off the Authentication process.   OIDC is an extension to the OAuth 2 protocol that defines the mechanisms for Authentication. 
            • https://openid.net/connect/
            • OAuth 2.0 – OAuth 2.0 is the industry-standard protocol for authorization.  https://oauth.net/2/

            Setup performed in the Google Workspace for Education Dashboard

            Step 1

            Log into Google Cloud (https://console.cloud.google.com)

            Go to API & Services

            Step 2

            Create a Project for SchoolFi SSO

            Go to "Oath consent screen"

            Choose Internal

            Click Create

            SchoolFi SSO

            Support Email: some@yourdistrict.com

            Application home page:  https://staff.schoolfi.net/mydistrict/    (Use your district's URL here)

            Authorized Domain: schoolfi.net (If hosted on Genesis Cloud) or your schools domain.

            Leave Policy and Servers link empty


            Authorized Domain: mydistrict.com 


            Developer Contact Info:

            someone@yourdistrict.com


            Scopes:

            openid

            Step 3

            Go to Credentials:

            Click +Create Credentials

            Choose "Oauth Client Id"

            Application Type: Web Application

            Name: SchoolFi SSO

            Authorized JavaScript Origin: https://staff.schoolfi.net 

            Authorized redirect URI: (you need 2):

            https://staff.schoolfi.net/mydistrict/auth/v1/code

            and

            https://portal.schoolfi.net/mydistrict/auth/v1/code


            A Popup will show this data, copy and place it somewhere secure:

            (It will look something like this:)

            Client Id: 01234567890A-qnv94jff8iludi4i2k5rpucl7e1tgend.apps.googleusercontent.com

            Client Secret: ABCDEF-ZfhknbXK75_LaYW1UoGbMMOLKpmA



            Setup performed in SchoolFi

            Go to System.Security.Single Sign on / MFA

            Click Add Provider

            Code: GOOGLE

            Provider: Google Workspace for Education

            Type: Single Sign-on

            Client Id and Secret: Copy from Google Workspace


            Go to the modify screen of the Google Provider.

            In the Utiltiies notecard, click the "Auth Discovery Document Test" button.

            A dialog box with a ton of JavaScript should appear.  Close it.

            If any error appears, most likely the Firewall at your district is blocking the request to "https://accounts.google.com/.well-known/openid-configuration"


            Click the "Lookup OAuth fields from Discovery Button"

            The OAuth Token and Authorize URLs should populate.


            Click the Refresh Publick Key button.

            The Key Id, Modulus and Exponent fields should be populated.


            Check the Enabled Employee Portal and SChoolFi Checkboxes and save.


            Google SSO should now be ready for use.


            Configuring SchoolFi Users to use Google SSO

            Choose a user to test the Google SSO from the System -> Security -> Users screen.

            Do not choose the user you are currently logged in as, you do not want to accidentally lock yourself out of the system if the feature is not setup correct.


            Change the Authentication Type drop-down to the Single Sign-On option and click save. After an SSO Provider field will appear and select Google SSO and click save.

            The Single Sign-on Id field should now display a warning if there is no value.  This must match the username or one if it’s aliases as it appears in Google.

            Using a different browser (or log out of your current session); attempt to login as this user.


            Configuring Employee Portal Users to use Google SSO

            Choose an employee portal user to test the Google SSO from the Setup-> Employee Portal -> Users screen.

            Do not choose the user you are currently logged in as, you do not want to accidentally lock yourself out of the system if the feature is not setup correct.

            Change the Authentication Type drop-down to the Single Sign-On option and click save. After an SSO Provider field will appear and select Google SSO and click save.






            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0