Veracross integration and SSO setup guide

Avatar
Misty Flowers

Finalsite's Veracross integration syncs constituent data (faculty, students, parents, alumni), relationships, academic class rosters, and athletics via hourly API updates. Single sign-on uses Veracross as the identity provider via OAuth/OpenID Connect. Setup requires configuring an OAuth app in Veracross Axiom and providing credentials to a Finalsite integration specialist.

đź’ˇQuick answers

  • What data does the Veracross integration sync to Finalsite? Constituent profiles (faculty, students, parents, alumni), student-parent relationships, academic class rosters (powering chat and email groups), and athletics teams, schedules, and results.
  • Is admissions data included in the Veracross integration? No; admissions data is not currently supported via this integration.
  • How does Veracross SSO work for end users? Users enter their username on the Finalsite staggered login page, are redirected to the Veracross login screen, and are returned to their Finalsite portal automatically after successfully authenticating.
  • What must be configured in Veracross Axiom before SSO can be set up? An OAuth application with the openid and sso scopes enabled, and the correct Redirect URI registered (your domain followed by /integration/veracrossauth.cfm).
  • Does the Veracross sync delete events when they are cancelled? No; the sync does not delete events. Mark the event as Cancelled in Veracross to reflect the status change in Finalsite.

Finalsite’s integration with Veracross is a powerful, one-way sync that transforms your SIS data into personalized website experiences. We offer an option that will allow your users to log into Finalsite via Veracross. This is a redirect authentication that will send users in roles set to use Veracross Authentication to Veracross to log in, and then redirect back to Finalsite.

This guide covers everything from initial data mapping to the 2026 security standards for single sign-on.

In this Article

Step 1: Understand what data can be synced

Before starting, it is important to know which "buckets" of data Finalsite pulls from Veracross. Our integration targets the Veracross REST API to facilitate hourly updates.

Product suite Article count Integrated GTM projects
Constituents Faculty, students, parents, alumni Basic profile info (name, email, etc.)
Relationships Student-to-parent links Respects the parent_portal_access flag
Academic data Classes and rosters Powers Finalsite chat and email groups
Athletics Teams, schedules, results Managed via Finalsite athletics manager

⚠️ Important Note

Admissions data is not currently supported via this specific integration.

Data mapping document

Download the document, "Veracross - Data Mapping Guide 2.0" to access the default mapping of the data from Veracross that is brought over into Finalsite. This is very flexible, so specific modifications can usually be handled during your implementation process.

Step 2: Configure athletics manager (optional)

If your school uses Athletics Manager, the sync handles the heavy lifting for your schedules.

Teams

  • Teams created in Veracross will be pulled into Finalsite as teams in Athletics Manager.
  • After the initial creation of the team in Finalsite, the team’s properties will not update.
  • Some data from Veracross does not correlate exactly with data in Athletics Manager, requiring independent edits in Finalsite.
  • Once a team’s information is created in the initial setup in Finalsite, any changes made there will stay and won’t be overwritten by future syncs.
  • Admins should ensure default seasons, levels, and sports are set appropriately for all teams to ensure smooth team creation.
  • The teams synchronization can optionally populate coaches in Finalsite if coaches are populated via a constituent feed.
  • The Description field is used to “match” teams, so it should remain consistent year-to-year.
  • Team rosters can be populated based on data from Veracross. In order for this feature to work, you MUST be using the Finalsite-Veracross constituent integration.

Events

  • By default, the sync will pull 6 months forward and 2 months back for athletics events. This can be adjusted to fit specific needs.
  • Events will be created and updated in Finalsite every hour to ensure prompt updates for cancellations and other status changes.
  • Events in Finalsite must be associated with a specific team. Events in Veracross not tied to a team will not be imported.
  • The sync will not delete events. Marking the event as “Cancelled” is recommended to reflect the status change in Finalsite. Ensure events are only published in Veracross after confirmation and finalization to minimize corrections. 
  • Veracross allows creation of single events spanning multiple days, but these are presented as unique events in the data. They will be created as individual instances in Finalsite. It is recommended to create multi-day events as unique individual events in Veracross for better results when synced to Finalsite.
  • For additional information on how this is handled in Athletics Manager, check out the article, "Managing Event Status in Athletics Manager", especially on the difference between Canceling and Deleting events.

⚠️ Important Note

Reach out to Finalsite support for help making any changes to your Veracross integration.

Step 3: Prepare for SSO (identity and access management)

Single sign-on (SSO) allows your users to log into Finalsite using their Veracross credentials. This utilizes Veracross as the identity provider (IdP).

To begin, a user with the OAuth_App_Admin role must configure the OAuth application within Axiom, which is the backend in Veracross where your school's data lives and is configured for use. 

Configure settings in Axiom 

⚠️ Important Note

If you are unable to edit the record or if the Client Secret is hidden, verify that your user account has been assigned the OAuth_App_Admin role in Veracross.

To begin, a user with the OAuth_App_Admin role must configure an OAuth application in Axiom:

  • Enable required scopes: Inside the OAuth Application record, locate the Scopes tab. You must enable the following to allow for mandatory OpenID Connect (OIDC) authentication:

    • openid: (Mandatory) Required for OpenID Connect 1.0 integrations. This is the modern standard for all new and existing clients.

    • sso: Required for standard OAuth 2.0 protocol support.

  • Register the Redirect URI: In the same OAuth Application record, you must ensure the Redirect URI / Redirect URL list contains the following specific callback URL:
    • Redirect URI: Redirect URI should be the website's domain, followed by /integration/veracrossauth.cfm.
    • Why it matters: This exact URI is required for the OpenID "handshake" to securely return the user to your portal.
  • Finalize the app: Once the app is created and the scopes/URIs are saved, stay on this screen to collect the Client ID and Client Secret needed for Step 4.

Learn more in the article, "Creating an OAuth Application: School Workflow." 

Step 4: Provide information to Finalsite Integration specialist

Once your OAuth application is ready, you will provide your specialist with the credentials needed to finalize the OIDC (OpenID Connect) connection.

  1. Client ID: Found on your OAuth app record in Axiom.
  2. Client Secret: Found in Axiom (treat this like a password; do not share it publicly).
  3. School Route: Your unique Veracross identifier.

Configuration endpoints

Finalsite utilizes the OIDC discovery endpoint to verify users. This is the modern path forward for all integrations:

  • OIDC discovery: https://accounts.veracross.com/[SCHOOL_ROUTE]/.well-known/openid-configuration

  • Authorization URL: https://accounts.veracross.com/[SCHOOL_ROUTE]/oauth/authorize

Step 5: Understand the end-user experience

Finalsite utilizes staggered login for Veracross SSO.

  • The entry: A user goes to your Finalsite login page and enters their username.
  • The handshake: Finalsite recognizes the user belongs to a Veracross-authenticated role and redirects them to the branded Veracross login page.
  • The success: Once the user logs into Veracross, they are passed back to their Finalsite portal instantly.

Step 6: Maintenance and troubleshooting

  • Logs: If a user cannot log in, first check if their sub (internal account ID) in Veracross matches their record in Finalsite.
  • Access tokens: These tokens expire every 60 minutes. Finalsite handles the background "refresh" automatically, provided your client secret remains valid.

FAQs

Q: Is OpenID mandatory for my setup? 
A: Yes. OpenID Connect 1.0 is the industry-standard identity layer on top of the OAuth 2.0 protocol. Finalsite requires the openid scope to be enabled to facilitate secure, modern authentication for all clients.

Q: Why does Finalsite need my Client Secret? 
A: Veracross requires the Client Secret for "Server-to-Server" requests. This allows Finalsite to securely verify with Veracross that the user who just logged in is actually who they say they are.

Q: Do we need to configure a "Consent" screen? 
A: No. Because an OAuth_App_Admin at your school approves the scopes in Axiom ahead of time, your users will not be prompted with a separate "Allow access" screen.

Q: Why are we moving to the OAuth version of Veracross authentication? 
A: OAuth is a modern, high-security authentication protocol. It allows Finalsite to verify your identity through Veracross without ever seeing or storing your specific login credentials. This move aligns with current 2026 security standards and ensures a more stable, encrypted connection between the two platforms.

Q: What is the change in user experience after switching to OAuth? 
A: The main change is a "Redirect" workflow. Instead of typing your password directly into the Finalsite website, you will enter your username and be redirected to a secure, branded Veracross page to sign in. Once you successfully authenticate there, Veracross passes you back to your Finalsite portal automatically.

Q: How does the "Staggered Login" work? 
A: Staggered Login simplifies the initial login screen by displaying only the Username field. The system then "checks" that username: 

  • If the user belongs to a role set to use Veracross authentication, they are immediately redirected to the Veracross login page.
  • If the user is a local Finalsite admin, the password field will appear on the next screen instead of redirecting them.

Q: What happens to legacy Single Sign-On (SSO) links after the switch? 
A: Legacy SSO links are not compatible with the OAuth protocol and will no longer be functional. However, because users are now logging in directly via the Veracross Identity Provider, they can typically access protected pages within Veracross more easily, as they already have an active session in that system.

Q: Can we test and configure OAuth without disrupting our users? 
A: Yes. We can set up the OAuth application in the background and perform "handshake" tests between Axiom and Finalsite. This allows your team to verify that the data mapping and authentication are working perfectly before we "flip the switch" and enable the Staggered Login for your entire community.

Q: What if our users currently use Google to sign into Veracross? 
A: You have two paths. We recommend the Veracross Redirect method; this sends the user to the Veracross login page where they can click "Log in with Google." This ensures the user is authenticated in both Finalsite and Veracross at the same time. While a direct Google-to-Finalsite login is possible, it would not automatically sign the user into Veracross.

Q: Who do I contact if a user is unable to log in via OAuth? 
A: First, verify that the user's Internal Account ID (sub) in Veracross matches their record in Finalsite. If the records match but the login fails, please contact Finalsite Support.

Was this article helpful?
3 out of 8 found this helpful

Comments

0 comments

Please Sign in to leave a comment if you don't see the comment box below.