Instant Login with Active Directory Federation Services

1. What’s required for setup?
2. How does Instant Login Work with Active Directory?
3. Configuring Active Directory Federation Services
4. Configuring Clever for Instant Login with ADFS

Clever’s Instant Login allows students and teachers to safely access education apps with a single username and password. Instant Login supports common user management systems like Active Directory Federation Services.

What’s required for setup?

In addition to the basic Instant Login requirements, you’ll need the following:

• Active Directory Federation Services 2.x or 3.x
• Metadata file accessible over HTTPS with a certificate signed by a valid certificate authority
• Make sure the following IP addresses are whitelisted in your firewall:
• 54.241.134.131
• 50.18.217.135
• 54.241.154.41
• At least one real account to use to test the connection: In order to test the connection after set-up, you’ll need the credentials of a student or teacher. You won’t be able to test with other admin credentials; it needs to be someone whose information is also in Clever. If this is problematic, we recommend creating a test teacher or student in your SIS, syncing with Clever, and using that account instead of a real one to test the connection.

How does Instant Login Work with Active Directory?

1. When you set up Active Directory, you define usernames and passwords for your users.
2. When users access the Clever Portal or an Instant Login Link, they’ll be prompted to log in to Clever using these credentials through clicking "Log in with Active Directory.:
3. Once they click this button, they will be redirected to your Active Directory Federation Services login page.
4. After users successfully log in to your Active Directory server, your ADFS instance will use claims rules to tell us which user is logging in.

Please note: Because the credentials are entered only on the Active Directory login page, Clever will never know the usernames and passwords of your users.

Configuring Active Directory Federation Services

You'll need to configure Active Directory to connect with Clever Instant Login. You'll need to update two areas:

• Relying Party Trusts
• Claim Rules

Relying Party Trust

1. In ADFS Management, open Trust Relationships > Relying Party Trusts.
2. Click “Add Relying Party Trusts” and input: https://clever.com/oauth/saml/metadata.xml where it asks for Federation Metadata address
   
3. On the next page, you can leave the default display name (Clever.com) or change it to any display name you choose.
   
4. On the next page, select “Permit all users to access this relying party”
   
5. Review your choices and Finish.

Clever should now be listed as a Relying Party Trust.

Claim Rules
Clever.com will now appear in the list of Relying Party Trusts. Right-click the display name and select “Edit Claims Rules.” These rules will ensure that Clever matches students and teachers appropriately when they log in.

1. Select “Add Rule” - the default on the first page should be “Send LDAP Attributes as Claims.”
   
   
2. On the next page, you can set the Claim Rule Name to anything you’d like.
3. Select Active Directory as the attributes store - there will be two adjacent drop-down menus.
4. For the first, select “SAM-Account-Name” for the left and “Name ID” on the right.
   Two new drop-downs should appear
5. Use the new row of drop-downs to define a claims rule - a field in your Clever SIS sync that contains the same unique identifier as a field in Active Directory.
   The left drop-down will contain the attribute you’d like to send; the right will contain the Clever field that we will match that data with. For more information on claims rules, including the correct format for the Outgoing Claim Type, please see Understanding Claims Rules.

Here’s an example of fully set up claims rules:

In this case, SAM-Account-Name matches to sis_id for students in Clever, and EMail-Addresses matches to emails for teachers in Clever. This is what our systems will use to authenticate the user logging in and give them access to the correct applications through Clever.

Note: Regardless of the personalized claims rules for your district, you must have the first claims rule pictured above (SAM-Account-Name -> Name ID).

Hit “Finish” to finalize setup in ADFS!

Configuring Clever for Instant Login with ADFS

1. Find your Metadata URL - in your ADFS Management Console, browse to Service > Endpoints > Metadata > Type: Federation Metadata. It should take the format: https://<ADFS server name>/federationmetadata/2007-06/FederationMetadata.xml
2. Make sure your certificates are set up correctly - to do so, put your Metadata URL into SSL Checker. This tool will let you know if there are any issues that might prevent us from accepting your Metadata URL.

Inputting your Metadata URL
If you haven’t finished signing up for a Clever account yet, you can choose “Active Directory” from the options on the “Set up Accounts” page. It will prompt you to enter in your Metadata URL to continue.

Take the following steps in the Clever Admin Dashboard:

1. Under Instant Login in your Clever dashboard menu, click ‘Settings'
   
2. Choose the shortname for your Instant Login portal URL. The URL will be www.clever.com/in/<shortname>. Remember to use something that your students and teachers will remember easily.
3. Under Instant Login, click 'Setup.' Select “ADFS” from the Identity System options and put your metadata URL in the text box
4. Add the contact information for whom students and teachers should reach out to if they have trouble with logging in to Clever - this should be someone who can help them reset their Active Directory credentials and/or make sure they are shared with the application they’re trying to access through Clever.
5. Hit Save

You should now be set up - try a few logins and see if you run into any issues! If you have questions about this process, please submit a request.