Clever SSO Overview
This page outlines the basic concepts of implementing Single-SIgn-On (SSO) with Clever, including a description of the high-level workflows and the different SSO offerings at Clever.
What is Clever SSO?
Already familiar with SSO?
Please don't skip this section if you are just getting started with Clever SSO! You will need to familiarize yourself with how Clever end-users use SSO and the different types of SSO integrations you can build.
Clever can serve as an identity provider for your application, allowing teachers, students, staff, and district admins to seamlessly log in to your application without needing to manage additional credentials. With Clever SSO, end-users need only log in to Clever in order to access a plethora of learning and education resources.
How does Clever SSO work for end-users?
Clever SSO works through three main workflows. Listed below are high-level descriptions. You can find more detailed implementation notes in later sections.
- SSO through the Clever Portal
The Clever Portal serves as a launchpad for Clever users where they can quickly access their learning/education resources through a collection of icons. If you choose to build an SSO integration, your application would be represented as an icon on the Clever Portal once a connection has been established with a district or user. To learn more about the Clever Portal, check out this Help Center article.
- SSO through an Authorization Link
An Authorization Link can be tied to a "Log in with Clever" (LIWC) button on your application's login page. If users are accustomed to navigating directly to your site to log in, it is helpful to offer a LIWC button the same way you might provide authentication options for Google or other 3rd party social authentication offerings. An example authorization link is:
<https://clever.com/oauth/authorize?response_type=code&redirect_uri=&client_id=>
- SSO through an Instant Login Link
Some districts prefer not to use the Clever Portal, but still want to use SSO to access their applications. To support this, Clever built Instant Login links which are links that can be embedded anywhere and are used to log a district's users in to a specific application through Instant Login. An example Instant Login link is:
<https://clever.com/oauth/instant-login?client_id=&district_id=>
Library and Instant Login Links
Instant Login Links do not work for the Library integration type.
What kind of SSO integrations does Clever offer?
Clever offers two different access tiers for SSO integrations:
District SSO
- This integration is authorized at the district level by district administrators.
- User data includes district ID, user ID, first name, last name, and email address.
- No access to school or section (enrollments) data.
Library SSO
- This integration is authorized at the classroom level by teachers.
- Teacher data includes district ID, user ID, first name, last name, email address, and associated sections
- Student data includes district ID, user ID, first name, last initial, and the enrolled section that was authorized by their teacher.
Field Access by Access Tier
Be sure to check out https://clever.com/schema to see field-level access for each integration type.
What kind of SSO technologies does Clever support?
- OAuth 2.0
- OpenID Connect (OIDC)
- SAML
Both District SSO and Library use OAuth 2.0 authorization code grant flow and/or OIDC to provide user-level data. If you are unfamiliar with these, see OAuth and OIDC Overview before proceeding.
While SAML is not recommended due to more lift for district administrators to set up, it is an alternative approach that can be handy in a pinch. You can learn more about implementing a SAML connection with Clever by reading SAML Overview.
SAML is not supported for Library
Because Clever SAML connections require district-level configuration, the teacher-facing nature of Clever's Library integration is incompatible.
OIDC partially supported for Library
At this time, OIDC is only partially supported for the Library integration. You will need to use the /userinfo endpoint as opposed to the ID token. please reach out to our support team in our Help Center chat for more information.
Updated 2 months ago