Single sign-on (SSO) allows students and teachers to log in to your application through Clever. This means that as an application partner, you support every Identity Provider (IdP) that Clever supports!
How does single sign-on (SSO) work?
While users may see logging in to your application through Clever as one quick step, behind the scenes, single sign-on (SSO) actually consists of three separate logins:
- A user logs in to the IdP
- Through the IdP, a user is authenticated into Clever
- A user clicks on your application and is automatically logged in!
How do users log into the IdP?
When users access the Clever Portal or an Instant Login Link, they’ll be taken to their district’s login page. When they click on one of the “Log in with <IdP>” buttons, they’ll be redirected to their identity provider to log in.
If users are already logged into their IdP, they will not need to log in again - they’ll skip right to the “Logging in with Clever” step.
Cases where users will need to log in again:
- If a user is authenticated to Active Directory locally, and their district’s identity provider is LDAPS, they will need to enter in their Active Directory credentials to log in to Clever. This is a limitation of the LDAP protocol.
Can users skip the 'Log in with IdP' page?
Users can skip this page by appending ?skip to the end of the Clever Portal or Instant Login Link URL (ex. https://clever.com/in/<shortname>?skip).
Logging in to Clever
Once the user is logged into their IdP, the IdP securely sends a piece of identifying information to Clever and tells us what that data should match in our records. This is generally non-PII information such as student number, SIS ID, or email. More information on this can be found in our article on Claims Rules.
Logging in to your App
The user can then log in to your application by clicking on the icon in their Clever Portal (or if they’re using Instant Login links, they’ll automatically start the login process).
Instant Login uses OAuth2, an open standard for securely accessing information. Here’s how it works:
- Clever redirects the user to a special URL for your application, along with a code.
- Your application automatically uses the code to ask Clever for a token that grants additional access to our API.
- Clever checks the code and the application credentials to make sure they are valid before returning an API token.
- Your application uses the API token to get basic information about the user - at the very least, it will get the district id, user Clever id, and user type.
- Depending on your implementation, your app may then search for the user in your existing database and/or provision an account for the user.
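The application side of the steps above, as an added example (not Clever's own code): the endpoint URLs are placeholders, the identity field names are assumptions, and the HTTP calls are injected so the flow can be exercised offline.

```python
import base64

# Placeholders (assumptions): take the real endpoints from Clever's API docs.
TOKEN_URL = "https://oauth.example.invalid/tokens"
ME_URL = "https://api.example.invalid/me"

class LoginError(Exception):
    """Raised when any step of the code-for-token exchange fails."""

def handle_redirect(params, creds, http_post, http_get, accounts):
    """Turn one redirect into a local account, or raise LoginError.

    params    -- query parameters from the redirect; only `code` is read
    creds     -- (client_id, client_secret, redirect_uri) for this application
    http_post, http_get -- injected callables returning (status, json_dict)
    accounts  -- dict keyed by (district_id, user_id); stands in for the app database
    """
    code = params.get("code")
    if not code:
        raise LoginError("redirect carried no code")
    client_id, client_secret, redirect_uri = creds
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # Exchange the code server-side, so the secret never reaches the browser.
    status, body = http_post(
        TOKEN_URL,
        headers={"Authorization": f"Basic {basic}"},
        data={"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri},
    )
    token = body.get("access_token") if status == 200 else None
    if not token:
        raise LoginError("code rejected by token endpoint")
    # Identity comes from the API response, never from redirect parameters.
    status, me = http_get(ME_URL, headers={"Authorization": f"Bearer {token}"})
    if status != 200:
        raise LoginError("token rejected by API")
    # Field names below are assumed for this example.
    try:
        key = (me["district_id"], me["user_id"])
        user_type = me["user_type"]
    except KeyError as missing:
        raise LoginError(f"identity response missing {missing}") from None
    # Match on the (district, user) pair, provisioning on first login.
    return accounts.setdefault(key, {"user_type": user_type})
```

Keying local accounts on the district and user ID pair returned by the API, rather than on anything in the redirect URL, keeps a tampered link from selecting a different account.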
While it looks simple to the end user, there are definitely a lot of moving parts! For help with login issues, check out our Troubleshooting Resources.