Configure Clever SSO SAML Integration
Please first read how to Configure a Service Provider for SAML SSO to understand how to use these application-specific settings.
Setting | Value |
---|---|
Include SAML2 Attribute Statement | Checked |
SAML2 SSO Assertion Lifetime | 500000 ms (note: 500000 ms is about 8 minutes 20 seconds; a 5-minute lifetime would be 300000 ms) |
Sign SAML2 SSO Responses | Conditional |
Sign SAML2 SSO Assertions | Never |
Encrypt SAML2 SSO Assertions | Never |
Encrypt SAML2 SSO Name IDs | Never |
Signature Algorithm | SHA-256 |
Skip Endpoint Validation when Signed | Unchecked |
Enable ECP Settings | Unchecked |
Required Attribute
LDAP Attribute | SAML Name | Friendly Name | Name Format Friendly Name | Name Format Value |
---|---|---|---|---|
clever.any.email | clever.any.email | | URI Reference | |
Attribute Mappings
PERMIT Attributes
Name |
---|
clever.any.email |
DENY Attributes
Name |
---|
[INTERNAL] SAML Transient ID |
SAML for Clever
SAML for Clever is fairly straightforward from the Identity Automation Identity Provider.
Clever has posted an article outlining their requirements: https://support.clever.com/hc/s/articles/218050687?language=en_US
As always, the two sides must exchange metadata, including their signing certificates, so that each side can verify the other's signatures (and decrypt, where encryption is enabled). Remove the validUntil attribute from Clever's metadata if it is present before importing it.
Note
Clever requires a Single Logout URL in the IdP metadata and expects metadata to be supplied via a live URL. Since Identity Automation supports neither, Clever added the logout URL entry to the customer's metadata themselves and hosted that metadata on a separate site. Because Clever expects metadata to be refreshed from a live URL, their own metadata carries a validUntil attribute, which, as mentioned above, must be removed manually before the metadata is imported into RapidIdentity Federation.
Clever may accept a static copy of the metadata. If they will, a pair of SingleLogoutService entries, one per binding, can be added manually to the customer's IdP metadata before sending it to them. Those lines look like this:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://%ENTER_CUSTOMER_URL_HERE%/idp/logout"/>
and
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://%ENTER_CUSTOMER_URL_HERE%/idp/logout"/>
The actual location can be worked out with Clever.
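Added example, not Identity Automation or Clever code: a small Python script that performs both manual metadata edits described above, stripping the validUntil attribute from Clever's metadata before import and, when Clever accepts a static copy, inserting the two SingleLogoutService entries into the customer's IdP metadata at the position the metadata schema requires. The hostname idp.example.test, the placeholder certificate and the sample metadata are constructed for this example; the /idp/logout path and the two bindings are taken from the lines above.

```python
"""Prepare SAML metadata for the Clever exchange: strip the validUntil
attribute that live-URL metadata carries and, when Clever accepts a static
copy, add the two SingleLogoutService endpoints.  Added example; this is
not Identity Automation or Clever code."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Keep the conventional prefixes on output instead of ElementTree's ns0/ns1.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

SLO_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)
# Elements the SAML metadata schema places before (or among) SingleLogoutService
# in a role descriptor; new entries are inserted after the last of these.
PRECEDING_TAGS = {
    f"{{{DS_NS}}}Signature",
    f"{{{MD_NS}}}Extensions",
    f"{{{MD_NS}}}KeyDescriptor",
    f"{{{MD_NS}}}ArtifactResolutionService",
    f"{{{MD_NS}}}SingleLogoutService",
}

# Constructed sample IdP metadata (hostname and certificate are placeholders).
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idp" validUntil="2024-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_valid_until(root):
    """Delete every validUntil attribute (EntitiesDescriptor, EntityDescriptor
    and role descriptors may all carry one).  Returns the number removed."""
    removed = 0
    for element in root.iter():
        if "validUntil" in element.attrib:
            del element.attrib["validUntil"]
            removed += 1
    return removed


def add_single_logout(root, base_url):
    """Add HTTP-Redirect and HTTP-POST SingleLogoutService entries pointing at
    <base_url>/idp/logout to the IdP role descriptor, skipping any binding
    already present.  Returns the number of entries added."""
    role = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if role is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    present = {e.get("Binding") for e in role.findall(f"{{{MD_NS}}}SingleLogoutService")}
    insert_at = 0
    for index, child in enumerate(role):
        if child.tag in PRECEDING_TAGS:
            insert_at = index + 1
    # Reuse the neighbouring whitespace so no stray text is introduced.
    tail = role[insert_at - 1].tail if insert_at else role.text
    added = 0
    for binding in SLO_BINDINGS:
        if binding in present:
            continue
        slo = ET.Element(
            f"{{{MD_NS}}}SingleLogoutService",
            Binding=binding,
            Location=f"{base_url.rstrip('/')}/idp/logout",
        )
        slo.tail = tail
        role.insert(insert_at, slo)
        insert_at += 1
        added += 1
    return added


def prepare_metadata(xml_bytes, base_url=None):
    """Return (metadata bytes, validUntil attributes removed, SLO entries added).
    base_url is the customer IdP origin; pass None to only strip validUntil."""
    root = ET.fromstring(xml_bytes)
    removed = strip_valid_until(root)
    added = add_single_logout(root, base_url) if base_url else 0
    # Serialise without pretty-printing so nothing beyond the edits themselves
    # (no extra whitespace or characters) is introduced into the metadata.
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed, added


if __name__ == "__main__":
    metadata, removed, added = prepare_metadata(SAMPLE_METADATA, "https://idp.example.test")
    print(f"removed {removed} validUntil attribute(s), added {added} SingleLogoutService entries")
    print(metadata.decode())
```

Two caveats when using this on real files. If the metadata carries a ds:Signature, any edit, including deleting validUntil, invalidates that signature; verify it against the publisher's certificate before editing, or request an unsigned copy, rather than stripping the Signature element. ElementTree also re-serialises the document (namespace declarations move to the root element, attribute quoting is normalised), so the content is unchanged but the bytes are not; diff the before and after files to confirm only the intended attributes and elements differ before sending the result to Clever.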
Note
If the customer's IdP logout endpoint is used here, logging out of Clever will also end all of that user's other IdP-authenticated sessions.
Important
Please ensure not to add any extra characters, line spaces, or spaces at any point to the metadata.
Clever Metadata URL: https://clever.com/oauth/saml/metadata.xml