This article contains the following:
1. Triaging Log in Issues
2. Logging in to IDP
3. Issues Logging in to Clever
4. Issues Logging in to Your Application
As mentioned in our article on Understanding Single sign-on, single sign-on (SSO) has a lot of moving parts, which means there are a lot of things that can cause logins to fail. This article will help you navigate these issues and get your users logged in quickly and efficiently!
Triaging Log in Issues
First, we’ll want to narrow down where the issue is.
What are the exact steps the user is taking to log in?
Are they logging in with single sign-on (SSO) or with app-specific credentials (or are they entering credentials for one method into the other’s login page)? This step lets us confirm that the user is attempting to use Clever correctly. The correct login flows are:
Clever Portal
- Go to the Clever Portal URL for your district (https://clever.com/in/<shortname>)
- Click the “Log in with <IDP>” button
- Enter their IDP credentials
- They’ll see a “Log in with Clever” screen, followed by the Clever Portal
Instant Login Links
- Click on the link provided by the district
- Click the “Log in with <IDP>” button
- Enter their IDP credentials
- They’ll see a “Log in with Clever” screen, followed by your application’s page
Log in with Clever Button
- Click on the LIWC Button
- Enter the name of your school in the search
- Click the “Log in with <IDP>” button
- Enter their IDP credentials
- They’ll see a “Log in with Clever” screen, followed by your application’s page
Are they seeing any error messages?
Error messages can help determine at which login stage the issue is occurring. Clever error messages look like this:
We’ll go into specific error messages below. As part of the troubleshooting process, we recommend providing screenshots as well!
Logging in to IDP
Generally speaking, if a user is having issues logging in to their identity provider, they should reach out to their district support contact. The contact information can be found on their portal login page (see above). You can also see that in their SSO Settings. To see their settings, click on the district in your App Dashboard. The single sign-on info for each district will be available in the Overview page. Here are some common issues in this category:
Incorrect Portal
Sometimes your Clever users, especially young students using Log in with Clever buttons, will end up at a different district's Portal. These users will not be able to log in to that portal. To make sure they’re using the correct Portal, have them check the name of the district at the top of the page. Does it match their district name? If not, you can provide them with their Portal URL or have them click the “Not your district” button to try their search again.
Invalid Single sign-on (SSO) link
Single sign-on links are great for embedding in district portals or distributing as bookmarks! However, sometimes these URLs are incorrectly added - the correct format is https://clever.com/oauth/instant-login?client_id=<your client id>&district_id=<district id>
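A link can be checked against this format before it is embedded or distributed. The following is an added example, not Clever's code; the function name, the sample identifiers and the specific checks (such as catching an HTML-escaped `&amp;`) are assumptions made for illustration:

```python
from urllib.parse import parse_qs, urlsplit

# Format given in the article:
# https://clever.com/oauth/instant-login?client_id=<your client id>&district_id=<district id>
EXPECTED_NETLOC = "clever.com"
EXPECTED_PATH = "/oauth/instant-login"
REQUIRED_PARAMS = ("client_id", "district_id")


def check_instant_login_link(url):
    """Return a list of problems; an empty list means the link matches the format."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme must be https")
    # Compare the whole authority so userinfo, ports and look-alike hosts are rejected.
    if parts.netloc.lower() != EXPECTED_NETLOC:
        problems.append("host must be exactly clever.com")
    if parts.path != EXPECTED_PATH:
        problems.append("path must be /oauth/instant-login")

    query = parts.query
    if "&amp;" in query:
        # Typical when a link is copied out of HTML source into a portal or bookmark.
        problems.append("query contains HTML-escaped '&amp;' instead of '&'")
        query = query.replace("&amp;", "&")

    params = parse_qs(query, keep_blank_values=True)
    for name in REQUIRED_PARAMS:
        values = params.get(name, [])
        if not values:
            problems.append(name + " is missing")
        elif len(values) > 1:
            problems.append(name + " appears more than once")
        elif not values[0].strip() or "<" in values[0] or ">" in values[0]:
            problems.append(name + " is empty or still a template placeholder")
    return problems


# Constructed sample links; the identifiers are made-up placeholders.
SAMPLES = [
    "https://clever.com/oauth/instant-login?client_id=EXAMPLE_CLIENT&district_id=EXAMPLE_DISTRICT",
    "https://clever.com/oauth/instant-login?client_id=<your client id>&district_id=EXAMPLE_DISTRICT",
    "https://clever.com/oauth/instant-login?client_id=EXAMPLE_CLIENT&amp;district_id=EXAMPLE_DISTRICT",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_instant_login_link(link) or "OK")
```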
“Not successfully authenticated by your identity provider”
This error message is shown when the IDP sends us a code that represents a login failure. This is relatively rare, but we have noticed that most cases are caused by saved/cached passwords in Google Chrome - clearing the browser history usually resolves this issue.
Incorrect Username / Password
If the user isn’t able to log in with their credentials, direct them to their district support contact! The contact should be able to help them get their correct credentials.
Please note: Clever cannot provide users with their credentials or reset passwords for users.
Issues Logging in to Clever
Once the user is logged in to their IDP, the IDP then attempts to send information to Clever and find a matching user. If we can find a match, we’ll log the user in! The two most common login issues are listed below - if you see something else, direct the user to their district support contact! The district support contact will work with Clever to resolve the issue.
Not Authorized
Some identity providers, like Google and Canvas, require the user to allow Clever to receive identifying information such as email addresses. If the user does not grant the access, we cannot log them in. The user will need to log in again, and authorize the data access.
Unable to find Matching User
The vast majority of issues users have with logging in to Clever stem from missing data in Clever - either the user is not yet synced with Clever or their Clever record is missing the identifying information needed to make a match with their IDP data.
This can also happen if the identity provider setup is misconfigured. We recommend directing the user to their district support contact for further investigation.
Issues Logging in to Your Application
If the user is able to log in to their IDP and Clever, but isn’t able to log in to your application, this usually suggests that something has interrupted the OAuth2 flow.
Clever has provided the ability to replicate the login flow from Clever to your application in the Clever Dashboard. To recreate the login error:
1. Select the district for the user
2. Search for the user reporting the error
3. Verify the user is shared by the district
4. Click on the name of the user to load their Detail View. Next to Debug Instant Login, select Log in as... to test the connection with your app.
If the login to your application fails, this suggests that something has interrupted the OAuth2 flow. Here are the most common issues.
App Icon Missing / “Ask your administrator to add this app to your Portal”
Users are only allowed to log in to applications if their data is shared with the application. If they aren’t shared, the app icon will not appear in the Portal and they will see the above error message if they attempt to use a single sign-on link or Log in with Clever button.
To resolve the issue, have the user reach out to their district support contact - their district administrators will need to share their data with your application.
Logging in to Incorrect Account
If districts have shared devices, users may find themselves logged in to the account of the user who was previously logged in. If you have a district experiencing this issue, let us know - we have a feature in beta that will ask users to confirm the account they’d like to log in to.
Unable to Log in to Application
If your users are seeing an error message after clicking on your application icon or single sign-on (SSO) link, we recommend the following steps:
- Confirm the user’s Clever ID is in your app’s database
- Make sure the record tied to the user’s Clever ID is not deactivated or otherwise prevented from logging in on the application side
- Please reach out to Clever Support with the Clever ID of the user and a screenshot of the error message! We’re happy to help investigate this login issue.