Hello!
I posted here, but I lost access. Can anybody help with this?
Thanks!
Jim
Hi @mcginnj3,
Someone will be reaching out about your access as a Partner.
Your original post is below.
Empty openid_identifier during SSO.
I am running into an issue where the openid_identifier argument during SSO authentication with a plugin is not passing the username, just an empty string. This is happening for a Microsoft OIDC enabled environment. It happens for new users added after the change to use Microsoft OIDC. These new users are given usernames that begin with ##, and I believe that may be causing the issue. For example:
For user "joe", the working URL query would look like: openid_identifier=https://[school].powerschool.com/oid/admin/joe
For user "##asdf", it would look like: openid_identifier=https://[school].powerschool.com/oid/admin/
Notice there is nothing that comes over for the ##asdf account. Because of this, we cannot authenticate the user.
Is this a known issue? Is there a way to change the ## format to something that might come over in the SSO authentication with the plugin (assuming that's the issue)? I have seen many environments where there is ~~ instead of ##, and these work just fine.
Hi @mcginnj3,
It has been seen in some instances that, if the email is used as the global identifier and it does not match exactly between the two systems (for example, case differences), it will not authenticate. For example, Joe@powerschool.com will not authenticate with Joe@PowerSchool.com.
The ## is expected behavior to show that the two systems do not match for authentication. The ## is not an issue.
You can review the OIDC Troubleshooting Errors list to see if your error is listed to assist with the reason for the issue and to help you track down the culprit.
If you are still having the authentication issue, would you please share a few items:
Thanks very much for the help, Cindy. I looked through your ideas, but I don't think this solves my issue (but perhaps you are directing me on the right path and I haven't figured that out yet...).
The screen shot would literally be C# code, as that's where the problem is evident. When a user clicks on the application link (in the application pop-up window), for instance, PowerSchool redirects to the link provided in the plugin xml file, under the openid element. During this call, the user is authenticated. The username is passed to our server via PowerSchool, and this is by way of the returnurl argument. It is in this argument value that anybody with ## in their user name is not passed in; it's empty. But only these users.
This is why I suspect the # as the issue, as PowerSchool does not allow these (or a list of other special characters) to be input in most places on the site, probably for these kinds of reasons.
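The mechanism Jim suspects above can be reproduced independently of PowerSchool. In a URL, an unencoded `#` begins the fragment, so a username of `##asdf` appended directly to the path leaves the path ending in `/oid/admin/` (exactly the shape seen in the empty-identifier example) and the rest of the name ends up in the fragment, which is never sent to a server. A `~` is an unreserved character, so `~~asdf` survives. The example below is added here for illustration; it is not code from the thread, from the plugin, or from PowerSchool, and the host name is a constructed placeholder. It shows the naive concatenation beside the defensive form (percent-encoding the username as a single path segment, and a check that flags usernames containing URL delimiters before they are ever placed in a URL):

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed placeholder base URL (the real tenant host is not known here).
BASE = "https://school.example.powerschool.com/oid/admin/"

# RFC 3986 gen-delims / sub-delims that change a URL's meaning when left raw.
URL_DELIMITERS = set(':/?#[]@!$&\'()*+,;=')


def build_identifier_naive(username: str) -> str:
    """Append the username to the base by plain concatenation.

    A '#' in the username is not escaped, so everything from it onward
    becomes the URL fragment instead of part of the path.
    """
    return BASE + username


def build_identifier_encoded(username: str) -> str:
    """Percent-encode the username as one path segment (safe="" escapes '/').

    '#' becomes %23, '?' becomes %3F, so the name stays inside the path.
    """
    return BASE + quote(username, safe="")


def extract_username(identifier: str) -> str:
    """Parse the identifier the way a receiving server would.

    Only scheme, host, path and query ever reach the server; the fragment
    is dropped. The username is the last path segment, percent-decoded.
    """
    parts = urlsplit(identifier)
    last_segment = parts.path.rsplit("/", 1)[-1]
    return unquote(last_segment)


def fragment_of(identifier: str) -> str:
    """Return the fragment part, i.e. what a client would never transmit."""
    return urlsplit(identifier).fragment


def has_url_delimiters(username: str) -> bool:
    """Flag usernames that contain characters needing escaping in a URL path.

    Useful as an input-validation check at account creation, so that
    identifiers built from the name cannot be silently truncated.
    """
    return any(ch in URL_DELIMITERS for ch in username)


if __name__ == "__main__":
    for name in ("joe", "##asdf", "~~asdf"):
        naive = build_identifier_naive(name)
        encoded = build_identifier_encoded(name)
        print(f"{name!r}: naive -> {extract_username(naive)!r} "
              f"(fragment {fragment_of(naive)!r}); "
              f"encoded -> {extract_username(encoded)!r}; "
              f"needs escaping: {has_url_delimiters(name)}")
```

Running it shows `joe` and `~~asdf` surviving both forms, while `##asdf` comes back empty from the naive URL (with `#asdf` stranded in the fragment) and intact from the encoded one. If the plugin side cannot be changed, the same reasoning argues for keeping URL delimiters out of usernames at creation time.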
Hi @mcginnj3,
Apologies for the tardy response. Were you able to resolve this issue? If you are still facing this issue, then we recommend reaching out to the PowerSchool Support team, who can look into this code for you, take a closer look at your setup while accessing your site, and help you troubleshoot this issue further.
ParitoshT
Community Moderator