Wednesday, October 15, 2014

Parent Single Log-In with PowerSchool - Part I

Part I - Overview, Create or Update PowerSchool Parent accounts using PHP cURL

Earlier this year I had a chance to work on a project which is creating a Single Log-In system for Parents using the PowerSchool data. Unlike other kind of users in PowerSchool (Students, Teacher) Parents cannot be bind to an Active Directory server (Yes, my life would be easier if they support LDAP for Parent accounts!), they are stored in a separate place in the database.

After searching around for a while, I recognized that the only way for me to build a Single Log-In system for Parents is using the PowerSchool API and implement the SAML 2.0 protocol. The purpose of PowerSchool supporting this protocol is for developers to create a Single Sign-On layer for customized apps to use PowerSchool as an Identity Provider.

To learn the PowerSchool API and to implement the SAML protocol which I never heard before is not a big deal to me as a developer, but in the limited amount of time, I was not sure if I can catch up with the projection. Luckily, a PS Administrator from Hong Kong International School, Sheldon Wai, had found a hack-around way to build a Single Log-In system without touching the PowerSchool API or SAML protocol. He used the cURL  module of PHP to manipulate Parent accounts in PowerSchool. Explicitly, he accessed the admin page of his school's PowerSchool website using cURL to create or update Parent accounts. By this way, he controlled all the Parent accounts and easily sync those accounts to other web applications. Because this way of accounts synchronization is totally different than the definition of Single Sign-On, I call this kind of system Single Log-In.

Here is the work flow:


1. The cURL PHP script (or even fancier with a web application which will call that script) will play a role of Parent accounts creator / updater. There are something you should keep in mind:

* The account creating or updating process needs to be taken place here, and not via the PS web interface.

* The Parent account creating link of PowerSchool needs to be hidden (public page).

* Each student record needs to have a Family_Ident and father or mother email address in order for the script to create Parent account for that student.

* You need to set up a PS admin account.

* You need to pre-create the Parent accounts (username, email, initial password). You can store them somewhere or just use a csv file.

Using the following scripts, credited to Sheldon Wai at Hong Kong International School:

PSSSOSettings.php:


CreatePSParentAcc.php:


UpdatePSParentAcc.php:


(I made some changes to make the script work with https and my school specific needs)


2. After creating or updating Parent accounts into PowerSchool, I can create or update those accounts into a LDAP server.


3. Then all my customized web applications can authenticate parents against the LDAP server.


In the next blog post, I will introduce the Django application I'm using to manipulate this PHP cURL script.


Update July 31, 2015: the php script is still working perfectly in PowerSchool 9.x