Tenant Information Window
There are two tenant types that can be defined.
- SSO / App Switcher - You can add multiple tenants of this type to specify the SSO and AppSwitcher settings.
- PowerSchool Services - This tenant is used to connect to PowerSchool services such as the Data Exchange Cloud.
Different fields display based on the tenant type you are viewing.
SSO / App Switcher Tenants
On this window, define the tenant for the district, the identity provider, and/or the App Switcher ID. You must enter a Name and the Tenant ID. Then, you can enter SSO or App Switcher ID values. It is valid to use SSO without App Switcher, and vice versa.
An identity provider is a trusted provider that manages user credentials so you can use single sign-on (SSO) to access eSchoolPlus applications.
Note that tenant information is stored in the Task database. When you make changes to a Tenant record or to the Tenant selected for an application, you must open the configuration file on other servers so you can keep settings in sync. Refer to Define Tenants for Applications.
General
Field | Description |
---|---|
Name | Enter a name that uniquely identifies the tenant for the school district. This value is used to select the tenant for an application on the District Information window and is included in the entry page URL for single sign-on. Include text that identifies the school district. Avoid spaces and characters that would be encoded inside a URL. Required. If this value is changed after the tenant is associated with an application, a warning displays telling you that the tenant name will be modified for all district/applications where it is used. The entry page URL used for the district and application will also change, as the name is part of the URL. |
Identity Provider | Select the identity provider. Other fields on this window will be populated with default values based on the selected identity provider. The valid options are: None, Google, Microsoft Azure, Microsoft AD FS, or Other. |
Mobile "Sign in with" Friendly Name | To display a friendly name for the options users should use to sign in, enter the text to display. Otherwise, the value selected in the Identity Provider field displays. |
Tenant ID | Unique identifier for the tenant. Required. If you are configuring SSO with Microsoft, set this value to the GUID that can be found on the App Registration page on the Azure Active Directory portal. Otherwise, it is recommended that you use a utility like https://www.guidgenerator.com/ to create a new tenant ID. This value must be unique across all tenants. |
IDP URL | The URL to the identity provider. This URL is generated when configuring the identity provider. It must be a valid URL and must use HTTPS. To validate the URL, a call is made to the following endpoint of the entered URL to verify the identity provider can be reached: .well-known/openid-configuration |
Global ID Claim | Enter the claim name that identifies the user within the identity provider. After a user is signed in with the identity provider and is authorized to access the application, the identity provider will provide a list of claims that contain data associated with the user (for example, first name, last name, email). One of the claims identifies the user within the identity provider. In eSchoolPlus, this is referred to as the user's Global ID. |
Scopes | Enter the list of scopes required when redirecting a user to an identity provider for authorization. Separate the list of scopes with a single space. This list of scopes must include, at a minimum, the following items: openid, profile, and email. |
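A pre-flight check of the General fields described above, as an added example rather than eSchoolPlus code. The dict keys, function names and sample values are hypothetical and constructed, and the discovery-document checks (issuer match, HTTPS endpoints) follow the OpenID Connect Discovery specification, not documented product behavior.

```python
import uuid
from urllib.parse import quote, urlsplit

REQUIRED_SCOPES = {"openid", "profile", "email"}  # minimum list given on this page

def is_https(url):
    parts = urlsplit(url or "")
    return parts.scheme == "https" and bool(parts.hostname)

def discovery_url(idp_url):
    return idp_url.rstrip("/") + "/.well-known/openid-configuration"  # path named on this page

def check_tenant(t, other_tenant_ids=()):
    """Check the General fields; `t` is a dict with hypothetical key names."""
    problems = []
    name = t.get("name", "")
    if not name or quote(name, safe="") != name:
        problems.append("name: required, no spaces or URL-encoded characters")
    try:
        tid = uuid.UUID(t.get("tenant_id", ""))
        if tid in {uuid.UUID(o) for o in other_tenant_ids}:
            problems.append("tenant_id: already used by another tenant")
    except ValueError:
        problems.append("tenant_id: not a GUID")
    if t.get("identity_provider", "None") == "None":
        return problems  # App Switcher without SSO is valid; skip the SSO fields
    if not is_https(t.get("idp_url")):
        problems.append("idp_url: must be a valid HTTPS URL")
    scopes = t.get("scopes", "").split(" ")
    if "" in scopes:
        problems.append("scopes: separate with a single space")
    missing = REQUIRED_SCOPES - set(scopes)
    if missing:
        problems.append("scopes: missing " + ", ".join(sorted(missing)))
    return problems

def check_discovery(idp_url, doc):
    """Check a discovery document (parsed JSON) fetched from discovery_url()."""
    problems = []
    if doc.get("issuer", "").rstrip("/") != idp_url.rstrip("/"):
        problems.append("issuer does not match the IDP URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not is_https(doc.get(key)):
            problems.append(key + ": missing or not HTTPS")
    return problems

# Constructed sample tenant, not real district data.
SAMPLE_TENANT = {"name": "Springfield-SD", "identity_provider": "Other",
                 "tenant_id": "3f2b8c1e-5d4a-4e6f-9a7b-1c2d3e4f5a6b",
                 "idp_url": "https://idp.example.test", "scopes": "openid profile email"}
```

Run `check_tenant` before saving a tenant, then fetch `discovery_url(idp_url)` with your HTTP client of choice and pass the parsed JSON to `check_discovery`.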
Web Application
If you entered identity provider values in the fields above, you must enter a Client ID and Client Secret for Web Application.
Field | Description |
---|---|
Client ID | Enter the Client ID or Application ID generated by your identity provider for the application. To allow users to log in using an identity provider, you have to register the application. The process to register the application varies based on the identity provider. During the process, the identity provider will generate a unique identifier, usually called Client ID or an Application ID. |
Client Secret | Enter the Client Secret generated by your identity provider. This value is required to complete the process for authorizing access to applications. |
Native Applications
The fields in this sub-section only need to be completed if the district uses one of the eSchoolPlus mobile apps or the Master Schedule Whiteboard. For these applications, you need to register a "public" application with the identity provider. "Public" applications are required because these applications cannot effectively secure a client secret.
Field | Description |
---|---|
Client ID | Enter the Client ID generated by your identity provider for the public application. |
Client Secret | Enter the Client Secret generated by your identity provider for the public application. If Microsoft is the identity provider, leave this field blank as Microsoft does not provide a client secret when registering for a public application. |
Redirect URI | Enter the URI that the identity provider's authorization endpoint redirects to once authorization is completed. When a Client ID is entered, the Redirect URI defaults based on the format for the selected identity provider. This field is not applicable to the Whiteboard. |
Whiteboard Port Range | The port range to use when Whiteboard authenticates a user with the identity provider. |
App Switcher
In this section, enter the Client GUID generated for the district in PowerSchool's District Client Setup for the administrator and teacher personas. For district administrators who manage the District Configuration Utility, this information must be provided by PowerSchool.
You can configure either one client or use two separate clients (one for administrators and another for teachers). Enter the appropriate Client GUID in the App Switcher ID field for the persona.
PowerSchool Services Tenant
The PowerSchool Services tenant is currently used to set up a connection to the Data Exchange Cloud, which is only supported for Delaware.
For the PowerSchool Services tenant, the values in the General section are pre-populated and should not be changed.