To use single sign-on (SSO) with Azure AD/Office 365, you'll need to make sure you have:
- Active SIS sync with Clever
- Azure Active Directory Premium OR Azure Active Directory and PowerShell Proficiency
Not sure if you have Azure Active Directory? If you have a paid subscription to Office 365 for your organization, you have a free subscription to Azure Active Directory.
Preparing for Setup with Clever
If you haven't finished signing up for a Clever account yet, you can choose Google to start. Once you have access to the Clever district dashboard, take the following steps:
- From your Clever district dashboard menu, click Portal > SSO Settings.
- Choose 'Add Login Method'.
- Choose Active Directory Authentication
- Enter your metadata URL (you can find out how to obtain your metadata URL below)
- Check the box for 'Allow unencrypted SAML assertions'
- Click Save
- Add contact information for the person students and teachers should reach out to if they have trouble logging in to Clever. This should be someone who can help them reset their Azure credentials and/or make sure they are shared with the application they're trying to access through Clever.
- Next, navigate to Portal > Portal Settings and choose your district's portal URL. The URL will be www.clever.com/in/<shortname>. Pick something that your students and teachers will remember easily.
Setup In Azure AD
You'll need to configure Azure Active Directory to connect with Clever single sign-on (SSO). In order to do that, you'll need to:
- Add the Clever app to Azure Active Directory
- Set up SSO to the Clever App
- Set up Claims Rules to allow Clever to match Azure users to Clever records
- Assign users to the Clever App in Azure AD
Adding the Clever App to Azure AD
To add Clever from the gallery, perform the following steps:
In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
Navigate to Enterprise applications. Then go to All applications.
To add a new application, click the New application button at the top of the dialog.
In the search box, type Clever and then select Clever from the result panel. Next, click the Add button to add the application.
Setting up Azure SSO to Clever
For single sign-on to work, Azure AD needs to know which Clever user corresponds to each Azure AD user. In other words, a link relationship between an Azure AD user and the related user in Clever needs to be established.
In Clever, assign the value of the user name in Azure AD as the value of the Username to establish the link relationship.
Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Clever application.
To configure Azure AD single sign-on with Clever, perform the following steps:
In the Azure portal, on the Clever application integration page, click Single sign-on.
On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
On the Clever Domain and URLs section, perform the following steps:
a. In the Sign-on URL textbox, type a URL using the following pattern:
Note: This Sign-On URL value is not real. Update this value with your district-specific Sign-On URL, which can be found here: https://schools.clever.com/portal
b. In the Identifier textbox, type a URL using the following pattern: https://clever.com/oauth/saml/metadata.xml
On the SAML Signing Certificate section, click Metadata XML and then save the metadata file on your computer.
- Under User Attributes, enter the User Identifier that the district would like to be used in the SAML token and confirm that 'View and edit all other user attributes' is checked.
The Clever application expects the SAML assertions to be in a specific format, which requires you to add custom attribute mappings to your SAML Token Attributes configuration.
The following screenshot shows an example of this.
In the User Attributes section on the Single sign-on dialog, configure the SAML token attributes as shown in the image above and perform the following steps.
The first four rules in the example should be there by default and should not be changed. The last two are an example of what a claims rule should look like.
Claims rules are used to allow Clever to determine which student or teacher is logging in. To do this, we match Azure AD attributes to data in Clever. In order for users to be able to log in, there needs to be an attribute for each user type that exactly matches data in a field in Clever.
Once you have that, you can click the green 'Add User Attribute' button to add a new claims rule.
The 'Attribute Name' should be the name of the field in Clever. It always follows the format clever.<user type OR 'any'>.<field name>. You can see which fields are available for each user type by browsing your Clever data. If you click on a record, the detail view will show you the name of the fields. Some common Clever fields are:
- clever.any.email (will match against email addresses for students, teachers, and admins)
If you have any questions about claims rules, please feel free to reach out to our support team - we'd be happy to help you find the right rules!
To add attributes, complete the following steps:
a. Click Add attribute to open the Add Attribute dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. From the Value list, type the attribute value shown for that row.
d. Leave the Namespace textbox blank.
e. Click Ok.
Click the Save button.
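A quick way to check the claims rules after saving, added here as an example (not Clever's or Microsoft's code): it reads the AttributeStatement of a SAML assertion and reports which Clever attributes are usable. It assumes a non-blank Namespace shows up as a URI prefix on the attribute Name; the sample XML and the field name hypothetical_field are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Format from the article: clever.<user type OR 'any'>.<field name>
NAME_RE = re.compile(r"clever\.([a-z_]+)\.([a-z_]+)")

# Constructed sample, not captured from a real tenant.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <saml:AttributeValue>Jo</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="clever.any.email">
    <saml:AttributeValue>jo@district.example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.example/claims/clever.any.email">
    <saml:AttributeValue>jo@district.example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="clever.any.hypothetical_field">
    <saml:AttributeValue> </saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def check_clever_claims(xml_text):
    """Return (usable, problems) for the Clever claims in an AttributeStatement."""
    usable, problems = {}, []
    root = ET.fromstring(xml_text)
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        name = attr.get("Name", "")
        if "clever." not in name.lower():
            continue  # default claims: left alone, as the article says
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        match = NAME_RE.fullmatch(name)
        if match is None:
            problems.append((name, "name is not clever.<user type|any>.<field>; "
                                   "check that Namespace was left blank"))
        elif not any(values):
            problems.append((name, "no value emitted, so nothing can match a Clever record"))
        else:
            usable[name] = {"user_type": match.group(1), "field": match.group(2),
                            "value": next(v for v in values if v)}
    return usable, problems


if __name__ == "__main__":
    ok, bad = check_clever_claims(SAMPLE)
    print("usable:", ok)
    for name, why in bad:
        print("problem:", name, "->", why)
```
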
To generate the Metadata URL, perform the following steps:
a. Click App registrations.
b. Click Endpoints to open the Endpoints dialog box.
c. Click the copy button to copy the FEDERATION METADATA DOCUMENT URL and paste it into Notepad.
d. Now go to the property page of Clever, copy the Application Id using the Copy button, and paste it into Notepad.
e. Generate the Metadata URL using the following pattern:
<FEDERATION METADATA DOCUMENT url>?appid=<application id>
In a different web browser window, log in to your Clever district dashboard as an administrator.
From the left navigation, click Portal > SSO Settings.
On the SSO Settings page, perform the following steps:
a. Select Add Login Method.
b. Select Active Directory Authentication.
c. Enter the Metadata URL in the Metadata URL text box.
d. Click Save.
Grant users access to Clever
In this section, you will enable students and teachers to use Azure single sign-on by granting access to Clever.
To assign users to Clever, perform the following steps:
In the Azure portal, open the applications view, navigate to the directory view, go to Enterprise applications, and then click All applications.
In the applications list, select Clever.
In the menu on the left, click Users and groups.
Click the Add button. Then select Users and groups on the Add Assignment dialog.
On the Users and groups dialog, select the appropriate users from the Users list.
Click the Select button on the Users and groups dialog.
Click the Assign button on the Add Assignment dialog.