To use Single sign-on (SSO) with Azure AD/Office 365, you'll need to make sure you have:
- Active SIS sync with Clever
- Azure Active Directory Premium, OR Azure Active Directory plus proficiency with PowerShell
Not sure if you have Azure Active Directory? If you have a paid subscription to Office 365 for your organization, you have a free subscription to Azure Active Directory.
Preparing for Setup with Clever
If you haven't finished signing up for a Clever account yet, you can choose Google to start. Once you have access to the Clever Admin Dashboard, take the following steps:
- Under Portal in your Clever dashboard menu, click Portal > Login Settings.
- Choose "Add Login Method".
- Choose Active Directory Authentication
- Enter your metadata URL (you can find out how to obtain your metadata URL below)
- Check the box for "Allow unencrypted SAML assertions"
- Click Save
- Add the contact information for the person students and teachers should reach out to if they have trouble logging in to Clever. This should be someone who can help them reset their Azure credentials and/or make sure the application they're trying to access through Clever is shared with them.
- Next, navigate to Portal > Portal Settings and choose your district's portal URL. The URL will be www.clever.com/in/<shortname>. Remember to use something that your students and teachers will remember easily.
Setup In Azure AD
You'll need to configure Azure Active Directory to connect with Clever single sign-on (SSO). In order to do that, you'll need to:
- Add the Clever app to Azure Active Directory
- Set up SSO to the Clever App
- Set up Claims Rules to allow Clever to match Azure users to Clever records
- Assign users to the Clever App in Azure AD
Adding the Clever App to Azure AD
To add Clever from the gallery, perform the following steps:
In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
Navigate to Enterprise applications. Then go to All applications.
To add a new application, click the New application button at the top of the dialog.
In the search box, type Clever, select Clever from the result panel, then click the Add button to add the application.
Setting up Azure SSO to Clever
For single sign-on to work, Azure AD needs to know what the counterpart user in Clever is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Clever needs to be established.
In Clever, assign the value of the user name in Azure AD as the value of the Username to establish the link relationship.
Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Clever application.
To configure Azure AD single sign-on with Clever, perform the following steps:
In the Azure portal, on the Clever application integration page, click Single sign-on.
On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
On the Clever Domain and URLs section, perform the following steps:
a. In the Sign-on URL textbox, type a URL using the following pattern:
b. In the Identifier textbox, type a URL using the following pattern: https://clever.com/oauth/saml/metadata.xml
Note: This Sign-On URL value is not real. Update this value with your district's actual Sign-On URL, which can be found here: https://schools.clever.com/portal
On the SAML Signing Certificate section, click Metadata XML and then save the metadata file on your computer.
Under User Attributes, enter the User Identifier that the district would like to be used in the SAML token and confirm that "View and edit all other user attributes" is checked.
The Clever application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML Token Attributes configuration.
The following screenshot shows an example of this.
In the User Attributes section on the Single sign-on dialog, configure SAML token attribute as shown in the image above and perform the following steps.
The first four rules in the example should be there by default and should not be changed. The last two are an example of what a claims rule should look like.
Claims rules are used to allow Clever to determine which student or teacher is logging in. To do this, we match Azure AD attributes to data in Clever. In order for users to be able to log in, there needs to be an attribute for each user type that exactly matches data in a field in Clever.
Once you have that, you can click the green "Add User Attribute" button to add a new claims rule.
The "Attribute Name" should be the name of the field in Clever. It always follows the format clever.<user type OR 'any'>.<field name>. You can see which fields are available for each user type by browsing your Clever data. If you click on a record, the detail view will show you the names of the fields. Some common Clever fields are:
- clever.any.email (will match against email addresses for students, teachers, and admins)
If you have any questions about claims rules, please feel free to reach out to our support team - we'd be happy to help you find the right rules!
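As an added illustration of the matching described above (this is example code written for this page, not Clever's own implementation), the script below pulls the clever.* attributes out of a constructed SAML assertion and resolves them against a constructed roster. It fails closed in the two cases that matter most: a blank attribute never matches a blank roster field, and a set of claims that points at more than one record is rejected as ambiguous rather than picking the first hit. The field names other than email (sis_id) and the set of accepted user types (student, teacher, any) are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names Clever matches on: clever.<user type OR 'any'>.<field name>.
# The accepted user types and the field-name charset are assumptions for this example.
CLAIM_NAME = re.compile(r"^clever\.(student|teacher|any)\.([a-z_]+)$")

# Constructed roster standing in for the records the Clever dashboard shows.
ROSTER = [
    {"type": "student", "sis_id": "S1001", "email": "ana@example-district.org"},
    {"type": "student", "sis_id": "S1002", "email": ""},  # no email on file
    {"type": "teacher", "sis_id": "T2001", "email": "rivera@example-district.org"},
]

# Constructed SAML assertion fragment: one default Azure AD claim plus two clever.* claims.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="clever.any.email">
      <saml:AttributeValue>ana@example-district.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="clever.student.sis_id">
      <saml:AttributeValue>S1001</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def clever_claims(assertion_xml):
    """Return {claim name: value} for every clever.* attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.attrib.get("Name", "")
        if CLAIM_NAME.match(name):
            value = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS)
            claims[name] = value.strip()
    return claims


def match_user(claims, roster=ROSTER):
    """Resolve the logging-in user from clever.* claims by exact, byte-for-byte match.

    Returns ("ok", record), ("no_match", None) or ("ambiguous", None).
    """
    candidates = []
    for name, value in claims.items():
        user_type, field = CLAIM_NAME.match(name).groups()
        if not value:
            continue  # a blank claim must never match a blank roster field
        for rec in roster:
            if user_type != "any" and rec["type"] != user_type:
                continue
            if rec.get(field) == value and rec not in candidates:
                candidates.append(rec)
    if len(candidates) == 1:
        return ("ok", candidates[0])
    if not candidates:
        return ("no_match", None)
    return ("ambiguous", None)  # two different people matched: refuse rather than guess


if __name__ == "__main__":
    print(match_user(clever_claims(SAMPLE_ASSERTION)))
```

Run it on a real assertion captured from your own test login (the SAML response is base64 in the browser's POST to Clever) to see which of your attribute values actually reach Clever before asking users to log in.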
To add attributes, complete the following steps:
a. Click Add attribute to open the Add Attribute dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. From the Value list, select the attribute value shown for that row.
d. Leave the Namespace textbox blank.
e. Click Ok.
Click the Save button.
To generate the Metadata url, perform the following steps:
a. Click App registrations.
b. Click Endpoints to open Endpoints dialog box.
c. Click the copy button to copy the FEDERATION METADATA DOCUMENT URL and paste it into Notepad.
d. Now go to the property page of Clever, copy the Application Id using the Copy button and paste it into Notepad.
e. Generate the Metadata URL using the following pattern:
<FEDERATION METADATA DOCUMENT url>?appid=<application id>
In a different web browser window, log in to your Clever dashboard as an administrator.
From the left navigation, click Portal > SSO Settings.
On the SSO Settings page, perform the following steps:
a. Select Add Login Method.
b. Select Active Directory Authentication.
c. Enter the Metadata URL in the Metadata URL text box.
d. Click Save.
Assign the Azure AD test user
In this section, you enable students and teachers to use Azure single sign-on by granting access to Clever.
To assign users to Clever, perform the following steps:
In the Azure portal, open the applications view, navigate to the directory view, go to Enterprise applications and then click All applications.
In the applications list, select Clever.
In the menu on the left, click Users and groups.
Click the Add button. Then select Users and groups on the Add Assignment dialog.
On the Users and groups dialog, select the appropriate users from the Users list.
Click the Select button on the Users and groups dialog.
Click the Assign button on the Add Assignment dialog.