Articles in this section

See more

Single sign-on (SSO): Custom SAML connections

Avatar
Kristina Cruz
Updated
Follow

This article contains the following:
1. Overview
2. Requirements
3. Next Steps

Overview

If you're interested in using an identity provider or login method with Clever that we don't currently have an official connection with, we may be able to set up a custom SAML connection to your identity provider.

Requirements

Here's what your Identity Provider (IDP) must have: 

  1. Support for SP-initiated sign on using a Redirect Binding
  2. Response must be sent to a specified POST Binding (https://clever.com/oauth/saml/assert)
  3. Response must contain an assertion encrypted using Clever's public key (found in the metadata file)
  4. The assertion must be signed with a private key owned by the IDP
  5. The assertion must contain an AuthnStatement with a SessionIndex
  6. The assertion must contain at least one attribute which can uniquely identify a Clever user
  7. Multiple attributes are allowed and only one needs to match a user, but only one user must be matched.
  8. Attributes should be in the form clever.[user type].[field] and contain the field they wish to match on.
    • For example, an attribute with the name clever.student.sis_id with a value of 12345 will attempt to find a student with the SIS ID of 12345. A user type of 'any' may be used to match both students and teachers with the same field. 
  9. A LogoutRequest must be accepted at a Redirect Binding. The LogoutResponse should be sent to to the specified HTTP-Redirect Binding (https://clever.com/oauth/saml/assert)
  10. There cannot be trailing whitespace or a newline at the start and end of the certificate.

Next Steps

If your IDP supports all of the above, they will need to provide us with a Metadata URL. Please find an example SAML metadata file that we support attached at the bottom of this article.

Once you have verified the above requirements, and have either the URL or .xml file, you can navigate to the SSO Settings page in your district dashboard. Click 'Add Login Method' in the top right corner, then select choose the Active Directory Authentication. This will allow for a SAML connection to Clever, even if you are not using Active Directory.

 
 

Related articles