Single sign-on (SSO) allows students and teachers to log in to your application through Clever. This means you support every Identity Provider (IdP) that Clever supports!
How it Works
While users may see logging in to your application through Clever as one quick step, behind the scenes, single sign-on (SSO) is actually three logins:
- Log in to the IdP
- Log in to Clever
- Log in to your application
Logging in to the IdP
When users access the Clever Portal or an Instant Login Link, they’ll be taken to their district’s login page. When they click on one of the “Log in with <IdP>” buttons, they’ll be redirected to their identity provider to log in.
What if users are already logged in to their IdP?
For most IdPs, users will not need to log in again - they’ll skip right to the “Logging into Clever” step.
Cases where users will need to log in again:
- If a user is authenticated to Active Directory locally, and their district’s identity provider is LDAPS, they will need to enter their Active Directory credentials to log in to Clever. This is a limitation of the LDAP protocol.
For districts with shared devices, we have a feature in beta that will ask users to confirm whether they are logged in as the correct user. If you have a district that would benefit from this feature, let us know!
Can users skip the 'Log in with IdP' page?
Users can skip this page by appending ‘?skip’ to the end of the Clever Portal or Instant Login Link URL (ex. https://clever.com/in/<shortname>?skip).
Please note: the above is for districts with a single IdP. If a district has multiple IdPs, they should contact Clever Support.
Logging into Clever
Once the user is logged in to their IdP, the IdP securely sends a piece of identifying information to Clever and tells us what that data should match in our records. This is generally non-PII information such as student number, SIS ID, or email. More information on this can be found in our article on Claims Rules.
Please note: The identifying information that we receive is never the users' IdP credentials.
Logging into Your App
The user can then log in to your application by clicking on the icon in their Clever Portal (or if they’re using Instant Login links, they’ll automatically start the login process).
Instant Login uses OAuth2, an open standard for securely accessing information. Here’s how it works:
- Clever redirects the user to a special URL for your application, along with a code.
- Your application automatically uses the code to ask Clever for a token that grants additional access to our API.
- Clever checks the code and the application credentials to make sure they are valid before returning an API token.
- Your application uses the API token to get basic information about the user - at the very least, it will get the district id, user Clever id, and user type.
- Depending on your implementation, your app may then search for the user in your existing database and/or provision an account for the user.
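The five steps above, sketched as a server-side redirect handler. This is an added example, not Clever's own code: the endpoint URLs, the response field names and the fake_send stand-in are placeholders constructed for illustration, so take the real values from Clever's API reference.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Placeholder endpoints and response field names: assumptions, not Clever's documented values.
TOKEN_URL = "https://sso.example/oauth/tokens"
ME_URL = "https://api.sso.example/me"


def handle_redirect(query, creds, send, accounts):
    """Steps 1-5 for one redirect; send(method, url, headers, body) -> (status, text)."""
    codes = parse_qs(query).get("code", [])
    if len(codes) != 1:  # a missing or repeated code is never a valid login
        raise ValueError("expected exactly one code")
    client_id, client_secret, redirect_uri = creds
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"code": codes[0], "grant_type": "authorization_code",
                      "redirect_uri": redirect_uri})
    # The exchange is server to server: the client secret never reaches the browser.
    status, text = send("POST", TOKEN_URL, {"Authorization": f"Basic {basic}"}, body)
    if status != 200:
        raise PermissionError("code or application credentials rejected")
    token = json.loads(text)["access_token"]
    status, text = send("GET", ME_URL, {"Authorization": f"Bearer {token}"}, None)
    if status != 200:
        raise PermissionError("API token rejected")
    me = json.loads(text)
    # Key accounts on district id + Clever id rather than on a mutable field such as email.
    key = (me["district"], me["id"])
    created = key not in accounts
    account = accounts.setdefault(key, {"type": me["type"]})
    if account["type"] != me["type"]:  # a student login must not open a teacher account
        raise PermissionError("user type does not match the stored account")
    return key, created


def fake_send(method, url, headers, body):
    """Constructed stand-in for the remote service, so the example runs offline."""
    expected = "Basic " + base64.b64encode(b"app-id:app-secret").decode()
    if url == TOKEN_URL:
        ok = headers.get("Authorization") == expected and parse_qs(body)["code"] == ["good-code"]
        return (200, json.dumps({"access_token": "tok-1"})) if ok else (401, "{}")
    if url == ME_URL and headers.get("Authorization") == "Bearer tok-1":
        return 200, json.dumps({"district": "d-100", "id": "u-42", "type": "student"})
    return 401, "{}"


CREDS = ("app-id", "app-secret", "https://app.example/oauth/callback")
```

In production, pass a real HTTPS client as send and a database-backed store as accounts; the handler itself does not change.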
While it looks simple to the end user, there are definitely a lot of moving parts! For help with login issues, check out our Troubleshooting Resources.