1. What’s required for setup?
2. How does single sign-on (SSO) work with Active Directory?
3. Configuring Active Directory Federation Services
4. Configuring Clever for single sign-on (SSO) with ADFS

Clever’s single sign-on (SSO) allows students and teachers to safely access education applications with a single username and password. Single sign-on (SSO) supports common user management systems like Active Directory Federation Services (ADFS).

What’s required for setup?

In addition to the basic single sign-on (SSO) requirements, you’ll need the following:

• Active Directory Federation Services 2.x or 3.x
• Metadata file accessible over HTTPS with a certificate signed by a valid certificate authority
• Make sure the following IP addresses are whitelisted in your firewall:
• 54.241.134.131
• 50.18.217.135
• 54.241.154.41
• At least one real account to use to test the connection: In order to test the connection after set-up, you’ll need the credentials of a student or teacher. You won’t be able to test with other admin credentials; it needs to be someone whose information is also in Clever. If this is problematic, we recommend creating a test teacher or student in your SIS, syncing with Clever, and using that account instead of a real one to test the connection.

How does single sign-on (SSO) work with Active Directory?

1. When you set up Active Directory, you define usernames and passwords for your users.
2. When users access the Clever Portal or a single sign-on (SSO) link, they’ll be prompted to log in to Clever using these credentials through clicking 'Log in with Active Directory'
3. Once they click this button, they will be redirected to your Active Directory Federation Services (ADFS) login page.
4. After users successfully log in to your Active Directory server, your ADFS instance will use claims rules to tell us which user is logging in.

Please note: Because the credentials are entered only on the Active Directory login page, Clever will never know the usernames and passwords for your users.

Configuring Active Directory Federation Services

You'll need to configure Active Directory to connect with Clever single sign-on (SSO). You'll need to update two areas:

• Relying Party Trusts
• Claim Rules

Relying Party Trust

1. In ADFS Management, open Trust Relationships > Relying Party Trusts.
2. Click 'Add Relying Party Trusts' and input https://clever.com/oauth/saml/metadata.xml where it asks for Federation Metadata address
   
3. On the next page, you can leave the default display name (Clever.com) or change it to any display name you choose.
   
4. On the next page, select 'Permit all users to access this relying party'
   
5. Review your choices and Finish.

Clever should now be listed as a Relying Party Trust.

Claim Rules
Clever.com will now appear in the list of Relying Party Trusts. Right-click the display name and select 'Edit Claims Rules'. These rules will ensure that Clever matches students and teachers appropriately when they log in.

1. Select 'Add Rule' - the default on the first page should be 'Send LDAP Attributes as Claims'
   
   
2. On the next page, you can set the Claim Rule Name to anything you’d like.
3. Select Active Directory as the attributes store - there will be two adjacent drop-down menus.
4. For the first attribute, select 'SAM-Account-Name' for the left and 'Name ID' on the right.
   
   Two new drop-downs should appear
5. Use the new row of drop-downs to define a claims rule - a field in your Clever SIS sync that contains the same unique identifier as a field in Active Directory.

• The left drop-down will contain the attribute you’d like to send
• The right drop-down will contain the Clever field that we will match that data with. A list of supported entries for Outgoing Claim Type, as well as more information on Claims Rules can be found in our article: Understanding Claims Rules.

Here’s an example of fully set up claims rules:

In the above sample:

• SAM-Account-Name matches to sis_id for students in Clever
• E-Mail-Addresses matches to emails for teachers in Clever.

This is what our systems will use to authenticate the user logging in and give them access to the correct applications through Clever.

IMPORTANT! You will need to personalize the LDAP attribute and Outgoing Claim Type based on the data available in Active Directory and Clever for your district. 

Regardless of the personalized claims rules for your district, you must have the first claims rule pictured above (SAM-Account-Name -> Name ID).

6. Select 'Finish' to finalize setup in ADFS! 

Configuring Clever for single sign-on (SSO) with ADFS

1. Find your Metadata URL - in your ADFS Management Console, browse to Service > Endpoints > Metadata > Type: Federation Metadata. It should take the format: https://<ADFS server name>/federationmetadata/2007-06/FederationMetadata.xml
2. Make sure your certificates are set up correctly - to do so, put your Metadata URL into SSL Checker. This tool will let you know if there are any issues that might prevent us from accepting your Metadata URL.

Inputting your Metadata URL

Take the following steps in the Clever Admin Dashboard:

1. Under your Clever district dashboard > Portal > Portal Settings page, choose the shortname for your SSO portal URL. The URL will be www.clever.com/in/<shortname>. Remember to use something that your students and teachers will remember easily.
   
   
2. Under district dashboard > Portal > SSO Settings page, click 'Add Login Method' and select Active Directory Authentication. Input your metadata URL in the text box and select Save.
   
   
3. To finish the setup process, add the contact details for the person that students and teachers should reach out to if they have trouble with logging in to Clever; this should be someone who can help them reset their Active Directory credentials and/or make sure they are shared with the application they’re trying to access through Clever.
   
   

You should now be set up - try a few logins and see if you run into any issues! If you have questions about this process, please submit a request.