Articles in this section

See more

Single Sign-On (SSO): Active Directory Claims Rules

Avatar
Joi Duncan
Updated
Follow

This article contains the following:
1.  Overview
2. How do I use claims rules?
3. Defining the Field in Clever
4. Applying the claims rules to single sign-on (SSO)

Overview

When users sign in to their Identity Provider to use single sign-on (SSO), the identity provider sends us a piece of data and tells us which field in Clever contains matching data. Using this, we can identify the user and give them access to their applications. 

Claims rules define which attributes are sent to Clever from the identity provider and which fields Clever should use to perform the match. You will need to find a claims rule for each user type (e.g. students, teachers, staff, etc.) that you want to use single sign-on (SSO).

Please note: Claims rules are only necessary for Active Directory, Lenovo Stoneware / webNetwork, LDAPS, and Office 365 / Azure Active Directory.

How do I use claims rules?

Picking the right identity provider attribute

First, look at the data in your Clever account - you can click on a record in the data browser to view all the information that’s currently synced in Clever.

Next, compare the data in Clever to the data attributed to users in your identity provider (IDP). Are there matches? In order for users to be able to log in, the data in the IDP attribute and the data in the field in Clever must match exactly.

Additionally, make sure you’re picking something that’s unique across all users. If a claims rule matches multiple users, Clever won't know which user to match it against and the login attempt will fail.

If you can find a match, great! That’s the attribute you should use for that user type. If not, you’ll want to sync additional data from your SIS in order to be able to create a match.

Defining the Field in Clever

Once you’ve found a match, you’ll want to take note of the field in Clever it matches to. What’s the name of the field in the left column of the user's Detail view? Make a note of it!

The field in Clever is expressed in the claims rule “clever.<user type or any>.<field name>” Here are a few commonly used fields:

Students
  • clever.student.email
  • clever.student.sis_id
  • clever.student.student_number
  • clever.student.credentials.district_username

Teachers
  • clever.teacher.email
  • clever.teacher.sis_id
  • clever.teacher.teacher_number
  • clever.teacher.credentials.district_username

Staff
(Previously: School Admins)
  • clever.staff.email
  • clever.staff.staff_id
  • clever.staff.credentials.district_username
  • clever.school_admin.email (outdated)
  • clever.school_admin.staff_id (outdated)
  • clever.school_admin.credentials.district_username (outdated)

District Clever Admins
  • clever.district_admin.email

 

You’ll notice that users share multiple fields - to match on the same field for multiple user types, you can use ‘any’ in place of the user type to try matching against all user types:

  • clever.any.email
  • clever.any.sis_id
  • clever.any.credentials.district_username

Applying the claims rules to single sign-on (SSO)

Click the link below to jump to Instant Login setup for your identity provider!

Related articles