diff --git a/.holo/branches/emergence-site/_emergence-saml2.toml b/.holo/branches/emergence-site/_emergence-saml2.toml
index d19835d..230fc73 100644
--- a/.holo/branches/emergence-site/_emergence-saml2.toml
+++ b/.holo/branches/emergence-site/_emergence-saml2.toml
@@ -1,5 +1,2 @@
 [holomapping]
-files = [
-    "*/**",
-    "!php-config/Git.config.d/"
-]
+files = "**"
\ No newline at end of file
diff --git a/.holo/branches/emergence-site/_skeleton-v2.toml b/.holo/branches/emergence-site/_skeleton-v2.toml
index 8897372..ff2c9cd 100644
--- a/.holo/branches/emergence-site/_skeleton-v2.toml
+++ b/.holo/branches/emergence-site/_skeleton-v2.toml
@@ -1,6 +1,3 @@
 [holomapping]
-files = [
-    "**",
-    "!php-config/Git.config.d/*"
-]
+files = "**"
 before = "*"
diff --git a/.holo/sources/skeleton-v2.toml b/.holo/sources/skeleton-v2.toml
index e5bed2f..9a6d9d6 100644
--- a/.holo/sources/skeleton-v2.toml
+++ b/.holo/sources/skeleton-v2.toml
@@ -1,6 +1,6 @@
 [holosource]
 url = "https://github.com/JarvusInnovations/emergence-skeleton-v2"
-ref = "refs/tags/v2.4.2"
+ref = "refs/tags/v2.4.4"
 
 [holosource.project]
 holobranch = "emergence-skeleton"
diff --git a/event-handlers/Site/beforeScriptExecute/hub-token-session.php b/event-handlers/Site/beforeScriptExecute/hub-token-session.php
index fca8dcf..a95fa89 100644
--- a/event-handlers/Site/beforeScriptExecute/hub-token-session.php
+++ b/event-handlers/Site/beforeScriptExecute/hub-token-session.php
@@ -3,11 +3,11 @@
 use Firebase\JWT\JWT;
 
 use Slate\NetworkHub\School;
+use Slate\NetworkHub\SchoolUser;
 use Slate\NetworkHub\User;
 
-$hubToken = $_REQUEST['hub_token'];
-
-if (!empty($hubToken)) {
+if (!empty($_REQUEST['hub_token'])) {
+    $hubToken = $_REQUEST['hub_token'];
     list($header, $payload, $signature) = explode('.', $hubToken);
     $decodedPayload = json_decode(base64_decode($payload), true);
 
@@ -21,9 +21,16 @@
                 return RequestHandler::throwInvalidRequestError('hub_token is invalid. Please retry the request or contact an administrator if the issue persists.');
             }
 
-            $NetworkUser = User::getByUsername($decodedPayload['user']['PrimaryEmail']);
+            // error out if user can not be found with decoded email
+            if (!$NetworkUser = User::getByField('Email', $decodedPayload['user']['PrimaryEmail'])) {
+                return RequestHandler::throwInvalidRequestError('hub_token is invalid. Please retry the request or contact an administrator if the issue persists.');
+            }
 
-            if (!$NetworkUser || $NetworkUser->SchoolID !== $NetworkSchool->ID) {
+            // error out if user is not associated with network school
+            if (!$SchoolUser = SchoolUser::getByWhere([
+                'PersonID' => $NetworkUser->ID,
+                'SchoolID' => $NetworkSchool->ID
+            ])) {
                 return RequestHandler::throwInvalidRequestError('hub_token is invalid. Please retry the request or contact an administrator if the issue persists.');
             }
 
diff --git a/html-templates/connectors/network-hub/createJob.tpl b/html-templates/connectors/network-hub/createJob.tpl
index 169c286..03d223a 100644
--- a/html-templates/connectors/network-hub/createJob.tpl
+++ b/html-templates/connectors/network-hub/createJob.tpl
@@ -40,6 +40,19 @@
             </p>
         </fieldset>
 
+        <fieldset>
+            <legend>Network Schools</legend>
+            {foreach from=\Slate\NetworkHub\School::getAll() item=School}
+                <p>
+                    <label>
+                        {$School->Handle} ({$School->Domain})
+                        <input type="checkbox" name="schools[{$School->Handle}]" value="true" {refill field=schools[$School->Handle] checked="true" default="false"}>
+                    </label>
+                </p>
+            {/foreach}
+        </fieldset>
+
+
         <fieldset>
             <legend>User Accounts</legend>
             <p>
@@ -54,4 +67,4 @@
 
         <input type="submit" value="Synchronize">
     </form>
-{/block}
\ No newline at end of file
+{/block}
diff --git a/html-templates/login/login.tpl b/html-templates/login/login.tpl
index daa19bd..83681ee 100644
--- a/html-templates/login/login.tpl
+++ b/html-templates/login/login.tpl
@@ -1,7 +1,7 @@
 {extends "designs/site.tpl"}
 
 {block "content"}
-    <h2>Log in to {Slate::$schoolName}</h2>
+    <h2>Log in to {$.Site.title|escape}</h2>
     {if $authException}
         <div class="notify error">
             <strong>Sorry!</strong> {$authException->getMessage()}
@@ -18,7 +18,7 @@
     {if $localLoginFlow}
         {$formAttribs = ''}
     {else}
-        {$formAttribs = cat('action="/connectors/network-hub/login"', $returnUrl)}
+        {$formAttribs = 'action="/connectors/network-hub/login"'}
     {/if}
 
     <form method="POST" class="login-form" {$formAttribs}>
@@ -39,7 +39,23 @@
                 {loginField}
                 {passwordField}
             {else}
-                {field inputName=email label="Email Address" required=true attribs='autofocus autocapitalize="none" autocorrect="off" spellcheck="false"' hint='Log in with your SLATE email address.'}
+                {field
+                    inputName=email
+                    label="Email Address"
+                    required=true
+                    attribs='autofocus autocapitalize="none" autocorrect="off" spellcheck="false"'
+                    hint='Log in with your SLATE email address.'
+                    default=$.request.email
+                }
+
+                {if !empty($Schools)}
+                    <select name="SchoolHandle">
+                        <option value="">Select One</option>
+                        {foreach from=$Schools item=School}
+                            <option value="{$School->Handle}">{$School->Domain}</option>
+                        {/foreach}
+                    </select>
+                {/if}
             {/if}
 
             <div class="submit-area">
diff --git a/php-classes/Slate/NetworkHub/Connector.php b/php-classes/Slate/NetworkHub/Connector.php
index 17cc473..b431fc1 100644
--- a/php-classes/Slate/NetworkHub/Connector.php
+++ b/php-classes/Slate/NetworkHub/Connector.php
@@ -10,20 +10,20 @@
 use Emergence\Connectors\Exceptions\SyncException;
 use Emergence\Connectors\SyncResult;
 use Emergence\KeyedDiff;
-use Emergence\People\ContactPoint\Email;
-use Emergence\Util\Data as DataUtil;
-
-use Firebase\JWT\JWT;
+use Emergence\People\IUser;
+use Emergence\Util\Url as UrlUtil;
 
 use Psr\Log\LoggerInterface;
 
-use Slate\NetworkHub\User as NetworkUser;
-
 class Connector extends AbstractConnector implements ISynchronize
 {
     public static $title = 'Slate Network Hub';
     public static $connectorId = 'network-hub';
 
+    public static $apiEndpoints = [
+        'users' => '/network-api/users'
+    ];
+
     public static function handleRequest($action = null)
     {
         switch ($action ? $action : $action = static::shiftPath()) {
@@ -31,69 +31,124 @@ public static function handleRequest($action = null)
                 return static::handleNetworkLoginRequest();
 
             default:
-                return static::handleRequest($action);
+                return parent::handleRequest($action);
         }
     }
 
     public static function handleNetworkLoginRequest($returnUrl = false)
     {
 
-        // redirect to original route
-        if ($jwtPayload = $_SESSION['hub_token_payload'] && $_SESSION['network_login_return']) {
-            Site::redirect($_SESSION['network_login_return']);
-        }
-
         // redirect to school login
         if (!empty($_REQUEST['email'])) {
-            // try to redirect user network school's login
-            $EmailContactPoint = Email::getByWhere([
-                'Data' => $_REQUEST['email']
-            ]);
-
-            $NetworkUser = NetworkUser::getByID($EmailContactPoint->PersonID);
-
+            // try to redirect user to network school's login
+            $NetworkUser = User::getByField('Email', $_REQUEST['email']);
+            $NetworkSchools = [];
+
+            if ($NetworkUser) {
+                $NetworkSchools = School::getAllByWhere([
+                    'ID' => [
+                        'operator' => 'IN',
+                        'values' => [
+                            array_keys(SchoolUser::getAllByWhere([
+                                'PersonID' => $NetworkUser->ID
+                            ], [
+                                'indexField' => 'SchoolID'
+                            ]))
+                        ]
+                    ]
+                ],[
+                    'indexField' => 'Handle'
+                ]);
+            }
+            // error out if...
             if (
-                !$EmailContactPoint ||
-                !$NetworkUser ||
-                !$NetworkUser->School
+                !$NetworkUser || // ...user not found
+                ( // ...user is not associated with any schools and is NOT an Admin
+                    empty($NetworkSchools) &&
+                    $NetworkUser->hasAccountLevel('Administrator')
+                ) ||
+                ( // ...selected school handle can not be found for some reason
+                    !empty($_REQUEST['SchoolHandle']) &&
+                    !array_key_exists($_REQUEST['SchoolHandle'], $NetworkSchools)
+                )
             ) {
                 return static::throwInvalidRequestError('Unable to find the user within the network. Please contact an admininstrator for support.');
+            } elseif (count($NetworkSchools) > 1) {
+
+                if (empty($_REQUEST['SchoolHandle'])) {
+                    return static::respond('login/login', [
+                        '_LOGIN' => [
+                            'return' => $returnUrl,
+                            'username' => $_REQUEST['email']
+                        ],
+                        'Schools' => $NetworkSchools
+                    ]);
+                }
+
+                $NetworkSchool = $NetworkSchools[$_REQUEST['SchoolHandle']];
+            } elseif (count($NetworkSchools) === 1) {
+                $NetworkSchool = reset($NetworkSchools);
             }
 
-            $hostname = 'vm.nafis.me:88'; // Site::getConfig('primary_hostname');
             $queryParameters = http_build_query([
-                'username' => $EmailContactPoint->toString(),
-                // TODO: replace with generated URL
-                'redirectUrl' => 'http://' . $hostname . $_REQUEST['_LOGIN']['return']
+                'username' => $NetworkUser->Email,
+                'redirectUrl' => UrlUtil::buildAbsolute($_REQUEST['_LOGIN']['return'])
             ]);
 
-            $networkSiteLoginUrl = 'http://' . $NetworkUser->School->Domain.'/network-api/login?'.$queryParameters;
+            $networkSiteLoginUrl = $NetworkSchool->Protocol . $NetworkSchool->Domain . '/network-api/login?' . $queryParameters;
 
-            header('Location: '.$networkSiteLoginUrl);
+            header('Location: ' . $networkSiteLoginUrl);
         }
 
         // show network login screen
-        return static::respond('connectors/network-hub/network-login', [
+        return static::respond('login/login', [
             '_LOGIN' => [
                 'return' => $returnUrl
             ]
         ]);
     }
 
+
+    // workflow implementations
+    protected static function _getJobConfig(array $requestData)
+    {
+        $config = parent::_getJobConfig($requestData);
+
+        $config['pullUsers'] = !empty($requestData['pullUsers']);
+        $config['schools'] = !empty($requestData['schools']) ? $requestData['schools'] : [];
+
+        return $config;
+    }
+
+
     public static function synchronize(IJob $Job, $pretend = true)
     {
         $results = [
             'created' => [
                 'total' => 0
-            ]
+            ],
+            'skipped' => [
+                'total' => 0
+            ],
+            'updated' => [
+                'total' => 0
+            ],
+            'verified' => [
+                'total' => 0
+            ],
         ];
 
-        $NetworkHubSchools = School::getAll();
+        foreach (School::getAll() as $networkSchool) {
+            if (array_key_exists($networkSchool->Handle, $Job->Config['schools'])) {
+                $NetworkHubSchools[] = $networkSchool;
+            }
+        }
+
         if (empty($NetworkHubSchools)) {
             $Job->error(
-                'No network schools found. Please ensure they have been added.',
+                'No network schools selected. Please ensure at least one school is selected.',
                 [
-                    'query_results' => $NetworkHubSchools
+                    'query_results' => $Job->Config['schools']
                 ]
             );
             return false;
@@ -111,6 +166,9 @@ public static function synchronize(IJob $Job, $pretend = true)
 
                 $results['updated'][$NetworkHubSchool->Domain] = $syncResults['updated'];
                 $results['updated']['total'] += $syncResults['updated'];
+
+                $results['verified'][$NetworkHubSchool->Domain] = $syncResults['verified'];
+                $results['verified']['total'] += $syncResults['verified'];
             } catch (SyncException $e) {
                 $Job->logException($e);
             }
@@ -137,7 +195,7 @@ public static function pullNetworkUsers(IJob $Job, School $NetworkSchool, $prete
             'skippedUsers' => []
         ];
         try {
-            $networkUsers = $NetworkSchool->getNetworkUsers();
+            $networkUsers = $NetworkSchool->fetchNetworkUsers();
             foreach ($networkUsers as $networkUser) {
                 try {
                     $syncResults = static::syncNetworkUser($NetworkSchool, $networkUser, $Job, $pretend);
@@ -167,6 +225,7 @@ public static function syncNetworkUser(School $NetworkSchool, array $networkUser
     {
         $logger = static::getLogger($logger);
 
+        // skip slate users
         if (empty($networkUserRecord['PrimaryEmail']['Data'])) {
             return new SyncResult(
                 SyncResult::STATUS_SKIPPED,
@@ -176,34 +235,58 @@ public static function syncNetworkUser(School $NetworkSchool, array $networkUser
                     'slateDomain' => $NetworkSchool->Domain
                 ]
             );
+        } elseif (empty($networkUserRecord['Username'])) {
+            return new SyncResult(
+                SyncResult::STATUS_SKIPPED,
+                'Skipped {slateUsername} @ {slateDomain} due to missing Slate username',
+                [
+                    'slateUsername' => $networkUserRecord['PrimaryEmail']['Data'],
+                    'slateDomain' => $NetworkSchool->Domain
+                ]
+            );
+        } elseif (empty($networkUserRecord['AccountLevel']) || $networkUserRecord['AccountLevel'] === 'Disabled') {
+            return new SyncResult(
+                SyncResult::STATUS_SKIPPED,
+                'Skipped {slateUsername} @ {slateDomain} due to AccountLevel = Disabled',
+                [
+                    'slateUsername' => $networkUserRecord['PrimaryEmail']['Data'],
+                    'slateDomain' => $NetworkSchool->Domain
+                ]
+            );
         }
 
         $networkUserConditions = [
-            'SchoolID' => $NetworkSchool->ID,
-            'SchoolUsername' => $networkUserRecord['Username']
+            'Email' => $networkUserRecord['PrimaryEmail']['Data']
         ];
 
+        $NetworkUser = Person::getByWhere($networkUserConditions);
+
+        // skip disabled hub users
+        if ($NetworkUser->AccountLevel === 'Disabled') {
+            return new SyncResult(
+                SyncResult::STATUS_SKIPPED,
+                'Skipped updating {slateUsername} @ {slateDomain} due to AccountLevel = Disabled',
+                [
+                    'slateUsername' => $networkUserRecord['PrimaryEmail']['Data'],
+                    'slateDomain' => $NetworkSchool->Domain
+                ]
+            );
+        }
+
         // create a new network user if it does not exist
-        if (!$NetworkUser = NetworkUser::getByWhere($networkUserConditions)) {
-            $NetworkUser = NetworkUser::create([
+        if (!$NetworkUser) {
+            $NetworkUser = User::create([
                 'FirstName' => $networkUserRecord['FirstName'],
                 'LastName' => $networkUserRecord['LastName'],
-                'UserClass' => $networkUserRecord['Class'],
-                'AccountLevel' => $networkUserRecord['AccountLevel'],
+                'Email' => $networkUserRecord['PrimaryEmail']['Data'],
                 'StudentNumber' => $networkUserRecord['StudentNumber'],
-                'SchoolUsername' => $networkUserRecord['Username'],
-                'SchoolID' => $NetworkSchool->ID
             ]);
 
-            $NetworkUser->PrimaryEmail = $NetworkUserPrimaryEmail = Email::fromString(
-                $networkUserRecord['PrimaryEmail']['Data'],
-                $NetworkUser
-            );
-
             if (!$NetworkUser->validate(true)) {
                 $logger->error(
-                    'Unable to create network user -- invalid record {validationErrors}',
+                    'Unable to create network user {slatePrimaryEmail} -- invalid record {validationErrors}',
                     [
+                        'slatePrimaryEmail' => $NetworkUser->Email,
                         'networkUserRecord' => $networkUserRecord,
                         'validationErrors' => $NetworkUser->getValidationErrors()
                     ]
@@ -227,10 +310,15 @@ public static function syncNetworkUser(School $NetworkSchool, array $networkUser
             $logger->notice(
                 'Created network user for {slatePrimaryEmail}',
                 [
-                    'slatePrimaryEmail' => $NetworkUserPrimaryEmail->Data
+                    'slatePrimaryEmail' => $NetworkUser->Email
+                    // UPDATED because we no longer extend SLATE
+                    // $NetworkUserPrimaryEmail->Data
                 ]
             );
 
+            // add user to school if they do not exist yet
+            static::addUserToSchool($NetworkUser, $NetworkSchool, $networkUserRecord);
+
             return new SyncResult(
                 SyncResult::STATUS_CREATED,
                 'Created new network user for {FirstName} {LastName} ({slatePrimaryEmail} @ {slateDomain})',
@@ -238,14 +326,13 @@ public static function syncNetworkUser(School $NetworkSchool, array $networkUser
                     'FirstName' => $NetworkUser->FirstName,
                     'LastName' => $NetworkUser->LastName,
                     'Username' => $NetworkUser->Username,
-                    'slatePrimaryEmail' => $NetworkUserPrimaryEmail->Data,
+                    'slatePrimaryEmail' => $NetworkUser->Email,
                     'slateDomain' => $NetworkSchool->Domain
                 ]
             );
 
         } else {
             $userChanges = new KeyedDiff();
-            $emailChanges = new KeyedDiff();
 
             if ($NetworkUser->FirstName != $networkUserRecord['FirstName']) {
                 $userChanges->addChange('FirstName', $networkUserRecord['FirstName'], $NetworkUser->FirstName);
@@ -255,40 +342,31 @@ public static function syncNetworkUser(School $NetworkSchool, array $networkUser
                 $userChanges->addChange('LastName', $networkUserRecord['LastName'], $NetworkUser->LastName);
             }
 
-            if ($NetworkUser->PrimaryEmail->toString() != $networkUserRecord['PrimaryEmail']['Data']) {
-                $emailChanges->addChange('Data', $networkUserRecord['PrimaryEmail']['Data'], $NetworkUser->PrimaryEmail->toString());
+            if ($NetworkUser->StudentNumber != $networkUserRecord['StudentNumber']) {
+                $userChanges->addChange('StudentNumber', $networkUserRecord['StudentNumber'], $NetworkUser->StudentNumber);
             }
 
+            // todo: remove because we are using email as primary key
+            // if ($NetworkUser->Email != $networkUserRecord['PrimaryEmail']['Data']) {
+            //     $userChanges->addChange('Email', $networkUserRecord['PrimaryEmail']['Data'], $NetworkUser->Email);
+            // }
+
             if (
-                $userChanges->hasChanges() ||
-                $emailChanges->hasChanges()
+                $userChanges->hasChanges()
             ) {
 
                 if ($userChanges->hasChanges()) {
                     $NetworkUser->setFields($userChanges->getNewValues());
                     $logger->debug(
-                        'Updating Network User {schoolUsername} @ {schoolDomain}',
+                        'Updating Network User {schoolEmail}',
                         [
-                            'schoolUsername' => $NetworkUser->SchoolUsername,
-                            'schoolDomain' => $NetworkUser->School->Domain,
+                            'schoolEmail' => $NetworkUser->Email,
                             'changes' => $userChanges
                         ]
                     );
                 }
 
-                if ($emailChanges->hasChanges()) {
-                    $NetworkUser->PrimaryEmail->setFields($emailChanges->getNewValues());
-
-                    $logger->debug(
-                        'Updating Network User {schoolUsername} @ {schoolDomain} primary email: {slatePrimaryEmail}',
-                        [
-                            'schoolUsername' => $NetworkUser->SchoolUsername,
-                            'schoolDomain' => $NetworkUser->School->Domain,
-                            'slatePrimaryEmail' => $NetworkUser->PrimaryEmail->toString(),
-                            'changes' => $emailChanges
-                        ]
-                    );
-                }
+                static::addUserToSchool($NetworkUser, $NetworkSchool, $networkUserRecord);
 
                 if (!$pretend) {
                     $NetworkUser->save(true);
@@ -298,7 +376,7 @@ public static function syncNetworkUser(School $NetworkSchool, array $networkUser
                     SyncResult::STATUS_UPDATED,
                     'Updated network user {slatePrimaryEmail} @ {slateDomain}',
                     [
-                        'slatePrimaryEmail' => $NetworkUser->PrimaryEmail->toString(),
+                        'slatePrimaryEmail' => $NetworkUser->Email,
                         'slateDomain' => $NetworkSchool->Domain
                     ]
                 );
@@ -309,9 +387,41 @@ public static function syncNetworkUser(School $NetworkSchool, array $networkUser
             SyncResult::STATUS_VERIFIED,
             'Network user {slatePrimaryEmail} @ {slateDomain} found and verified',
             [
-                'slatePrimaryEmail' => $NetworkUser->PrimaryEmail->toString(),
+                'slatePrimaryEmail' => $NetworkUser->Email,
                 'slateDomain' => $NetworkSchool->Domain
             ]
         );
     }
+
+    protected static function addUserToSchool(IUser $User, School $School, array $networkUserData = [])
+    {
+        $conditions = [
+            'SchoolID' => $School->ID,
+            'PersonID' => $User->ID,
+        ];
+
+        // set account type
+        if (!empty($networkUserData)) {
+            $accountTypeValues = SchoolUser::getFieldOptions('AccountType')['values'];
+
+            if ($networkUserData['Class'] === 'Slate\\People\\Student') {
+                $accountType = 'Student';
+            } elseif (in_array($networkUserData['AccountLevel'], $accountTypeValues)) {
+                $accountType = $networkUserData['AccountLevel'];
+            }
+        }
+
+        $SchoolUser = SchoolUser::getByWhere($conditions);
+        if (!$SchoolUser) {
+            // create school-user
+            $SchoolUser = SchoolUser::create($conditions);
+        }
+
+        $SchoolUser->setFields([
+            'AccountType' => $accountType,
+            'Username' => $networkUserData['Username']
+        ]);
+
+        $SchoolUser->save(true);
+    }
 }
diff --git a/php-classes/Slate/NetworkHub/School.php b/php-classes/Slate/NetworkHub/School.php
index c2dbfea..06d852a 100644
--- a/php-classes/Slate/NetworkHub/School.php
+++ b/php-classes/Slate/NetworkHub/School.php
@@ -4,21 +4,32 @@
 
 use ActiveRecord;
 use Emergence\Logger;
+use Emergence\People\Person;
 
 class School extends ActiveRecord
 {
     public static $tableName = 'slate_network_schools';
-    public static $networkApiEndpoints = [
-        'users' => '/network-api/users'
-    ];
 
     public static $fields = [
+        'Protocol' => [
+            'default' => 'http://'
+        ],
         'Domain',
         'APIKey',
         'Handle'
     ];
 
-    public function getNetworkUsers()
+    public static $relationships = [
+        'Users' => [
+            'type' => 'many-many',
+            'class' => Person::class,
+            'linkClass' => UserSchool::class,
+            'linkLocal' => 'SchoolID',
+            'linkForeign' => 'PersonID'
+        ]
+    ];
+
+    public function fetchNetworkUsers($params = [])
     {
         if (!$this->Domain) {
             throw new \Exception('Domain must be configured to retrieve network users.');
@@ -28,14 +39,14 @@ public function getNetworkUsers()
             throw new \Exception('APIKey must be configured to retrieve network users.');
         }
 
-        $queryParameters = http_build_query([
+        $queryParameters = http_build_query(array_merge([
             'apiKey' => $this->APIKey,
             'limit' => 0,
-            'include' => 'Mapping,PrimaryEmail',
+            'include' => 'PrimaryEmail',
             'format' => 'json'
-        ]);
+        ], $params));
 
-        $curlUrl = $this->Domain . static::$networkApiEndpoints['users'] . '?' . $queryParameters;
+        $curlUrl = $this->Protocol . $this->Domain . Connector::$apiEndpoints['users'] . '?' . $queryParameters;
         $ch = curl_init($curlUrl);
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 
@@ -54,4 +65,4 @@ public function getNetworkUsers()
             throw new \Exception("Error reading ($curlUrl) response: [$httpStatus] $response");
         }
     }
-}
\ No newline at end of file
+}
diff --git a/php-classes/Slate/NetworkHub/SchoolUser.php b/php-classes/Slate/NetworkHub/SchoolUser.php
new file mode 100644
index 0000000..00430e0
--- /dev/null
+++ b/php-classes/Slate/NetworkHub/SchoolUser.php
@@ -0,0 +1,96 @@
+<?php
+
+namespace Slate\NetworkHub;
+
+use ActiveRecord;
+use Emergence\People\Person;
+
+class SchoolUser extends ActiveRecord
+{
+    public static $tableName = 'slate_network_school_users';
+
+    public static $fields = [
+        'PersonID' => [
+            'type' => 'integer',
+            'unsigned' => true,
+            'index' => true
+        ],
+        'SchoolID' => [
+            'type' => 'integer',
+            'unsigned' => true,
+            'index' => true
+        ],
+        'Username',
+        'AccountType' => [
+            'type' => 'enum',
+            'notnull' => true,
+            'values' => [
+                'Student',
+                'Staff',
+                'Teacher',
+                'Administrator',
+                'Developer'
+            ]
+        ]
+    ];
+
+    public static $validators = [
+        'SchoolID' => [
+            'validator' => 'require-relationship'
+        ],
+        'PersonID' => [
+            'validator' => 'require-relationship'
+        ]
+    ];
+
+    public static $indexes = [
+        'SchoolUser' => [
+            'fields' => ['SchoolID', 'PersonID'],
+            'unique' => true
+        ]
+    ];
+
+    public static $relationships = [
+        'Person' => [
+            'type' => 'one-one',
+            'class' => Person::class
+        ],
+        'School' => [
+            'type' => 'one-one',
+            'class' => School::class
+        ]
+    ];
+
+    public function validate($deep = true)
+    {
+        // call parent
+        parent::validate($deep);
+
+        // disallow 'system' username
+        if ($this->isFieldDirty('Username') && strtolower($this->Username) === 'system') {
+            $this->_validator->addError('Username', "Username 'system' is forbidden");
+        }
+
+        // check username uniqueness
+        if ($this->isDirty && !$this->_validator->hasErrors('Username') && $this->Username) {
+            $ExistingUser = static::getByWhere([
+                'Username' => $this->Username,
+                'SchoolID' => $this->SchoolID
+            ]);
+
+            if ($ExistingUser && ($ExistingUser->ID != $this->ID)) {
+                $this->_validator->addError('Username', 'Username already registered for school.');
+            }
+        }
+
+        $this->_validator->validate(array(
+            'field' => 'AccountType',
+            'validator' => 'selection',
+            'choices' => self::$fields['AccountType']['values'],
+            'required' => true
+        ));
+
+        // save results
+        return $this->finishValidation();
+    }
+}
diff --git a/php-classes/Slate/NetworkHub/User.php b/php-classes/Slate/NetworkHub/User.php
index 9e63f61..ea91e94 100644
--- a/php-classes/Slate/NetworkHub/User.php
+++ b/php-classes/Slate/NetworkHub/User.php
@@ -2,33 +2,19 @@
 
 namespace Slate\NetworkHub;
 
-use ActiveRecord;
-
-use Emergence\Connectors\Mapping;
-
 class User extends \Emergence\People\User
 {
     public static $fields = [
-        'SchoolID' => 'uint',
-        'SchoolUsername',
-        'UserClass'
+        'SchoolNumber'
     ];
 
     public static $relationships = [
-        'School' => [
+        'Schools' => [
             'class' => School::class,
-            'type' => 'one-one'
-        ]
-    ];
-
-    public static $validators = [
-        'Username' => null,
-        'StudentNumber' => null,
-        'School' => 'require-relationship',
-        'SchoolUsername' => [
-            'validator' => 'handle',
-            'required' => true,
-            'errorMessage' => 'SchoolUsername can only contain letters, numbers, hyphens, and underscores.'
+            'type' => 'one-many',
+            'linkClass' => SchoolUser::class,
+            'linkLocal' => 'PersonID',
+            'linkForeign' => 'SchoolID'
         ]
     ];
-}
\ No newline at end of file
+}
diff --git a/php-migrations/20200421_network-user-fields.php b/php-migrations/20200421_network-user-fields.php
index fbda7d8..56f90bd 100644
--- a/php-migrations/20200421_network-user-fields.php
+++ b/php-migrations/20200421_network-user-fields.php
@@ -8,9 +8,7 @@
 $tableName = User::$tableName;
 $historyTableName = User::getHistoryTableName();
 $columnNames = [
-    'SchoolID',
-    'SchoolUsername',
-    'UserClass'
+    'SchoolNumber',
 ];
 
 if (!static::tableExists($tableName)) {