Building a SAML App

❗️ Clever Complete Agreement Required

This feature is included with a Clever Complete subscription. Sign up here or email your Application Success Manager to learn more.

📘 Before you get started

Familiarize yourself with SAML terminology:

  • Identity Provider: In this case, Clever. This entity provides authentication; in other words, it confirms the identity of a user.
  • Service Provider: In this case, your application. This entity requests authentication and is where the user will end up after being authenticated.
  • Assertions/Claims: The attributes that are used to verify the identity of the user. If the assertions match the values that belong to the user, the user will be authenticated.


Table of Contents

SAML Integrations Overview
Setting Up Your Account
Getting Access
Configuration and Testing
Launching Your Connection


SAML Integrations Overview

Clever offers the ability to connect with your application as a SAML identity provider. This connection type requires more configuration steps for districts but can be quick to set up within Clever!

As SAML does not offer authorization and scoping, we consider it to be less secure. In general, we recommend that you build out an OAuth or OIDC integration (see 1. OAuth and OIDC Overview). However, if you need a quick way to get a connection established and help teachers and students start logging in as soon as possible, then a SAML connector can be a useful tool.

Once your SAML connector is set up with Clever, you can choose to make it publicly available in the Clever application search. For the most part, you will manage this SAML Connector through a Clever dashboard just as you would manage any other integration type with Clever. The one difference will be the need to manage customer-specific configuration values.

🚧 SAML Support

While Clever does support SAML connections, it does not work out-of-the-box like other parts of the Clever product, so there are some configuration steps that will require working with our Partner Engineering team. Please reach out to [email protected] if you are interested in creating a SAML connector.

❗️ Working with districts

It's worth mentioning again that relying on a SAML connection can require more work from district administrators during setup than an OAuth integration would. Please be sure to consider this before proceeding.

📘 Want Clever Secure Sync or Clever Single Sign-On as well?

If you think you will want rostering data, or if you expect to upgrade to use OAuth with a Clever Single Sign-On integration in the future, please be aware that those scopes cannot be added to a SAML app. You will instead be provided with a separate app that supports those scopes.


Setting Up Your Account

To get started with a SAML connector, please reach out to [email protected] so that we can issue you an account to access your SAML connector dashboard.

Please have the following information ready:

  • Your name
  • Your email address
  • The name of your application
  • A 200x200 png file for your application's icon
  • If all of your customers will use the same ACS URL, Entity ID, Login URL, or Name ID Format, please provide those values. When these values are consistent across customers, we can hardcode them and remove the corresponding configuration steps on the district side.
  • If possible, please provide a metadata file

By default, we will assume the following. If any of these will not be true for your SAML connection, please notify the Partner Engineering team in your email.

  • Assertions will not be encrypted
  • The hash algorithm used will be SHA-1
  • Assertions will be signed
  • Responses will not be signed
  • A signing certificate will not be included in a response
  • You will use a unique Entity ID

Finally, please let us know how you are planning to map the attributes for your SAML assertions.


Getting Access

Given this information, Clever Partner Engineering will get the following set up for you:

  • A developer dashboard
    • You'll be able to access all relevant SAML IdP information from this dashboard.
  • A sandbox demo district with test users
  • An established connection between your developer dashboard and the sandbox district, with SAML configurations according to your specifications


Configuration and Testing

If all the information you provided was correct and the configuration steps have been completed on the Service Provider's end, you can already begin testing! You will want to ensure that your Service Provider app has provisioned accounts that can be accessed using claims on attributes belonging to your sandbox district users.

For example, if your SAML connection will be making assertions on email address, please ensure that there is a user account in your app that has the same email address as a user in your sandbox district.
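The following is an added example, not Clever's code and not part of this page, of how a Service Provider can enforce the defaults listed under Setting Up Your Account (assertion signed, Response unsigned, SHA-1 signature method, no certificate embedded in the Response, a unique Entity ID as the Audience) and then map the asserted email to a provisioned account as described above. It assumes the XML signature itself has already been cryptographically verified by an XML-DSig library such as xmlsec against the IdP certificate taken from metadata; the `SpPolicy` class, the `check_response` function, the sample Response, and the issuer, URLs and account values are all constructed placeholders.

```python
"""SP-side policy checks on a SAML Response (added example, not Clever's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # expat skips external entities; prefer defusedxml in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"   # the page's default algorithm
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

@dataclass
class SpPolicy:
    entity_id: str                  # our unique Entity ID (expected Audience)
    acs_url: str                    # expected Recipient of the bearer assertion
    email_attribute: str = "email"  # attribute name agreed for account mapping
    expect_assertion_signed: bool = True
    expect_response_signed: bool = False
    expect_cert_in_response: bool = False
    allowed_sig_algs: frozenset = frozenset({RSA_SHA1, RSA_SHA256})
    clock_skew: timedelta = timedelta(minutes=2)

def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 ending in 'Z' (fractional seconds omitted here)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, policy, users, now):
    """Return (problems, local_account); allow the login only when problems is empty.
    Assumes the XML-DSig signature was already verified by a real library (e.g. xmlsec)
    against the IdP certificate from metadata. users maps lower-cased email -> account."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"], None
    # Page default: only the Assertion is signed, the Response itself is not.
    if (root.find("ds:Signature", NS) is not None) != policy.expect_response_signed:
        problems.append("Response signature presence does not match configuration")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion, found %d" % len(assertions)], None
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)
    if (sig is not None) != policy.expect_assertion_signed:
        problems.append("Assertion signature presence does not match configuration")
    if sig is not None:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg not in policy.allowed_sig_algs:
            problems.append("signature algorithm %r is not allowed" % alg)
    # A certificate carried inside the message is never the trust anchor; when none is expected its presence is a finding.
    if root.findall(".//ds:X509Certificate", NS) and not policy.expect_cert_in_response:
        problems.append("unexpected X509Certificate embedded in Response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["Assertion has no Conditions"], None
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + policy.clock_skew < parse_saml_time(nb):
        problems.append("assertion not yet valid")
    if na and now - policy.clock_skew >= parse_saml_time(na):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if policy.entity_id not in audiences:
        problems.append("Audience does not include our Entity ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != policy.acs_url:
        problems.append("SubjectConfirmationData Recipient is not our ACS URL")
    # Attribute mapping: the agreed email claim must match a provisioned account.
    email = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == policy.email_attribute:
            val = attr.find("saml:AttributeValue", NS)
            email = (val.text or "").strip().lower() if val is not None else None
    if not email:
        return problems + ["no %r attribute in assertion" % policy.email_attribute], None
    account = users.get(email)
    if account is None:
        problems.append("no provisioned account for %r" % email)
    return problems, account

# Constructed sample shaped like this page's defaults; issuer, URLs, IDs and SignatureValue are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-03-01T12:00:00Z">
 <saml:Issuer>https://idp.example.invalid</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:SignatureMethod
   Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>teacher@district.example</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    Recipient="https://sp.example.invalid/saml/acs" NotOnOrAfter="2024-03-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T11:59:00Z" NotOnOrAfter="2024-03-01T12:05:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email">
   <saml:AttributeValue>Teacher@District.example</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_POLICY = SpPolicy(entity_id="https://sp.example.invalid/saml/metadata", acs_url="https://sp.example.invalid/saml/acs")
SAMPLE_USERS = {"teacher@district.example": "acct-42"}  # provisioned local accounts, keyed by lower-cased email
SAMPLE_NOW = datetime(2024, 3, 1, 12, 1, tzinfo=timezone.utc)
```

The email comparison is case-insensitive because the sandbox user's address and the provisioned account's address must match even when one side differs in capitalization. The allowed algorithm set contains RSA-SHA1 only because it is the default this page describes; if the Partner Engineering team configures the connector for SHA-256, the policy should be narrowed to that single value rather than left accepting both.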

You can test the connection from your Service Provider dashboard if you have one. Otherwise, please refer to Testing Logins for more information on testing.


Launching Your Connection

Once testing is complete, our Partner Engineering team will work with you to move your SAML connector to the production environment in Clever so that you can get started connecting with districts and end users!

🚧 OAuth Integrations and SAML

If you are building an OAuth integration, you cannot use the same developer dashboard to manage your SAML connector. Be sure to ask for an additional developer account if you plan on starting an OAuth integration.