Providing student access to EdPotential
In this article, we'll cover how can provide student access to EdPotential.
The steps below need to be completed by the Google Workspace or Microsoft Azure Global Administrator.
Step 1
You first need to confirm students use the same Single Sign-On (SSO) system as school staff. This is essential to providing student access.
Step 2
If you do not have Teacher as a role in your EdPotential application in your Google Workspace or Microsoft Entra ID you will need to create this role.
In Google Workspace:
- Click the SAML attribute mapping section in the EdPotential app settings
- Under Group membership (optional), select the group(s) you would like to have access to EdPotential.
- Set the App attribute value to mlepRole
- Click Save.
In MicrosoftEntra ID:
- Click on ‘...’ on the Attributes and Claims page
- Click on Transformation to create an additional claims transformation (role).
- Set the claim: “http://schemas.microsoft.com/…/claims/role” to Teacher, and optionally, Senior Leadership.
We will then check that teachers can still log in by using the test account provided during onboarding. If this account is no longer active we will ask the Deputy Principal (DP) to log in.
Step 3: Add a Student role to the EdPotential application.
Our next step is to differentiate between teachers and students in your SSO setup so that we can assign different permissions to the two groups.
Repeat Step 2, this time adding a role Student.
- This group must only contain the students who are to have access. For example, if you are only wanting to provide access to Year 12 and Year 13 students, only these students (and a test student account, as explained in Step 4 below) should be in the Students group.
- You will need to add Student ID as an attribute. To do so, set the claim "http://schemas.xmlsoap.org/claims/commonName", or another comparable attribute, to the student ID.
Step 4: Add a test student account
As the next step of testing we need a test student account which has an account in KAMAR. This will enable us to check that a student only sees their own report when they log in.
One possibility is to share with us the account of a student who has left (with a new password), if that student still has an active account in KAMAR.
The test account will need to have the Student ID attribute set.
Please provide the full email address of the test account, as sometimes students are on a different domain.
We will test that this login gives access to only this student's report on EdPotential.
Step 5: Final testing (to be completed by the DP)
While we have tested access with a test student account, it's advisable we have one further check. We suggest the DP runs through this process with one student while they oversee so they can confirm everything works as expected.
To do so they will need to direct a student to log in at their EdPotential sign-in page. The student should only see their own report.