Developer Portal

 Home Getting Started Integration Options Overview Create Cart Collect Payment Reconciliation FAQs Overview Send Fees Collect Payment Overview Create Invoice Update Invoice AutoPay Subscriptions Invoice by Email Collect Payment Pay Express Payment Testing Certify Your Integration Overview Retrieve Payments Reconciliation District SSO PowerSchool

Developer Portal

Contact Us

Have a question or need help? We’re here to support you!

For technical questions, integration support, feedback or feature requests, please contact us at  hss-partnersupport@e-hps.com

 Sign In

Developer Sign In
Sign in with MSB user

District Single Sign-On (SSO)

Single Sign-On (SSO) enables district staff to securely access MySchoolBucks (MSB) using their existing district credentials. With SSO enabled, users authenticate through the district’s Identity Provider (IdP) and are redirected into MySchoolBucks.

MySchoolBucks primarily supports SAML 2.0–based integrations and leverages a secure middleware layer for validating authentication tokens and mapping user attributes.

MySchoolBucks also supports OpenID Connect (OIDC) integrations. While most enterprise identity providers use SAML as the primary protocol for SSO, OIDC may be supported depending on district configuration.

This page focuses on district-level SSO for staff and administrative users.

How It Works

Authentication Flow

  1. The user loads the MSB provided custom link from their browser. Often, districts will add this to a district portal or dashboard interface. This link will be formatted with a district specific IdP Hint and formatted as follows:
    2. https://www.myschoolbucks.com/ver2/keysso?kc_idp_hint=YourIdPHint
  2. User authenticates with the district Identity Provider.
  3. District Identity Provider returns a signed authentication token.
  4. MySchoolBucks validates the token and maps attributes to a new or existing MSB user.
  5. User is logged into MSB with permissions defined by the district.

MySchoolBucks SSO Business Rules

  • An MSB user account is created automatically at first successful SSO login.
  • No MSB-specific password is generated or required for SSO authentication.
  • If role mapping is configured, MSB user role and access scope are determined by attributes passed from the district Identity Provider.
  • If role mapping is not configured, the user account will be created with default access and may require manual role assignment within MSB.
  • Removing a user from the district Identity Provider does not automatically remove or deactivate the MSB user account. MSB does not receive asynchronous updates from the IdP. If the user attempts to log in after being removed from the IdP, authentication will fail and access will be denied.
  • MySchoolBucks does not support multiple roles for a single SSO user. Therefore, district staff must maintain a separate parent account within MSB (using a personal email address). SSO login attempts will fail for a district user with an existing MSB parent account using their district email address.

Supported User Attribute Mappings

  • Email Address (set as MSB Username) *
  • First Name *
  • Last Name *
  • MSB Role (MSB roles may require additional attributes, see Role Mapping documentation)
  • MSB Store (for scoped user access)
  • MSB School
  • MSB Department
    • *Indicates required attributes

Implementation Process

MySchoolBucks follows a structured onboarding approach.

1. Discovery & Planning

  • Confirm Identity Provider type.
  • Review timeline and access requirements.
  • Identify attribute mapping needs.

2. Sandbox Configuration

  • MSB provides a sandbox environment URL.
  • MSB provides the Assertion Consumer Service (ACS) URL and Entity ID for SAML response routing and validation.
  • District provides metadata URL to MSB team after configuring their Identity Provider.

3. Working Session(s)

  • Initial authentication connection is tested.
  • Required attributes (email, first name, last name) and authentication flow are validated.
  • Confirm role mapping configuration (if applicable).
  • Validate store, school, or department scoping (if required).

4. Production Deployment

  • Determine handling of existing MSB accounts prior to go-live and acceptable user login access.
  • Activate production SSO configuration and confirm login with a district user.
  • Optionally, district can download and customize documentation for their SSO implementation (see below in Resources).

Contact Us

If your district is interested in implementing Single Sign-On with MySchoolBucks, please contact our Partner Integrations team at hss-partnersupport@e-hps.com

To streamline onboarding, please include:

  • Target implementation timeline
  • Primary technical contact name & email address
  • Identity Provider type
  • Desired attribute mappings and IdP source fields (example: MSB role, MSB school store)