Admin SSO - draft spec and request for feedback


Nick Grandy

Mar 24, 2015, 4:32:11 PM
to clever-de...@googlegroups.com


Hi Clever Developers,


We've heard clear feedback that developers and districts would like Clever to support administrator single sign-on, and we’re now working on this. We would love your feedback on this draft spec. You can also reach out to me directly at nick....@clever.com. Thanks!

Nick



Clever Admin SSO - Developer Overview - DRAFT


Today, Clever supports account provisioning & single sign-on for two user types: teachers and students. Most applications have additional user types - with the most common types being “school administrator” and “district administrator.” Supporting administrator roles entails:

  1. Admin Provisioning: Clever will provide a method for schools to create “school administrator” and “district administrator” accounts, and a method for applications to query these accounts.

  2. Admin SSO: “School administrators” and “district administrators” should be able to log into apps using their Clever identities.


This is how we’re thinking of supporting admin logins.


  1. Admin Provisioning


Clever will create a new user role, “admin”.  These will initially be defined within the Clever admin interface, and subsequently by a bulk upload. Admins will be identified as a district or school admin, and may be associated with one or more schools.


Field        Format    Validation           Values
-----------  --------  -------------------  ------
id           ObjectId  required and unique  Clever ID of the user
admin_scope  String    required             “district”, “school”
first_name   String    required
last_name    String    required
email        String    required and unique
title        String    optional
schools      Array     optional             Array of Clever school ids, applying to school admin type only.


Question: Is it useful for school admins to be associated with multiple schools, or is just one sufficient?


Clever will make admin users available in the Clever API in the following ways.  Using its district token, an application can access the admins for a district:

  • /admins

    • all district admins in the district

    • all school admins who are visible to the app.  An app can see school admins for any schools shared with the app

  • /admins/[id]

    • profile of a specified admin

Sample response for a district admin:


{
  "id": "abc123",
  "first_name": "John",
  "last_name": "Smith",
  "admin_scope": "district",
  "email": "john.smith@xyzdistrict.edu",
  "title": "ICT Coordinator",
  "schools": []
}


Sample response for a school admin:

{
  "id": "abc123",
  "first_name": "John",
  "last_name": "Smith",
  "admin_scope": "school",
  "email": "john.smith@xyzdistrict.edu",
  "title": "ICT Coordinator",
  "schools": ["abc123", "abc234"]
}


  2. Admin SSO


Clever currently supports teacher and student SSO, and admin SSO will work similarly.  The token for an admin user will return basic identifying fields from the /me endpoint:


{
  "id": "abc123",
  "type": "admin",
  "district_id": "abc123"
}


In addition, an admin user’s token can access

  • /admins/[id] - the profile of the admin user


Matching

When matching an admin user with existing records, we suggest matching fields in the following order:

  • id - the Clever ID of the user

  • email


If no fields match, a new user account should be created for the admin.  If the user matches on the ID or email field, then the user should be logged in as the matching user in the application.


Questions for Developers

  • Is the division of admin roles into school admins and district admins sufficient for your app?  What other level of permissions is important?

  • School admins may be associated with multiple schools. Is that useful, or is an association with a single school sufficient?

  • Are there other fields that should be part of the admins resource?
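
The matching order suggested in the draft above (Clever id first, then email), together with a check of the profile against the draft field table, as an added example that is not part of the original post or Clever's own code. The local `accounts` store, the function names and the case-insensitive email comparison are assumptions, and the sample data is constructed.

```python
VALID_SCOPES = {"district", "school"}
REQUIRED = ("id", "admin_scope", "first_name", "last_name", "email")


def validate_admin(profile):
    """Return problems found when checking a profile against the draft field table."""
    problems = [f"missing {f}" for f in REQUIRED if not profile.get(f)]
    scope = profile.get("admin_scope")
    if scope and scope not in VALID_SCOPES:
        problems.append(f"bad admin_scope {scope!r}")
    # The draft says the schools array applies to the school admin type only.
    if scope == "district" and profile.get("schools"):
        problems.append("schools set on district admin")
    return problems


def match_admin(profile, accounts):
    """Match by Clever id, then by email; create an account if neither matches.

    `accounts` is a hypothetical local user store (list of dicts with
    'clever_id' and 'email'). Returns (account, how), how in id/email/created.
    """
    problems = validate_admin(profile)
    if problems:
        raise ValueError("; ".join(problems))
    for acct in accounts:
        if acct.get("clever_id") == profile["id"]:
            return acct, "id"
    # Assumption: emails are compared case-insensitively.
    email = profile["email"].strip().lower()
    for acct in accounts:
        if (acct.get("email") or "").strip().lower() == email:
            return acct, "email"
    acct = {"clever_id": profile["id"], "email": profile["email"],
            "admin_scope": profile["admin_scope"],
            "schools": list(profile.get("schools") or [])}
    accounts.append(acct)
    return acct, "created"


# Constructed sample data, modelled on the sample responses in the draft.
ACCOUNTS = [{"clever_id": None, "email": "John.Smith@xyzdistrict.edu"},
            {"clever_id": "abc999", "email": "jane.doe@xyzdistrict.edu"}]
PROFILE = {"id": "abc123", "first_name": "John", "last_name": "Smith",
           "admin_scope": "school", "email": "john.smith@xyzdistrict.edu",
           "title": "ICT Coordinator", "schools": ["abc123", "abc234"]}
```

Because the id pass runs over every account before any email comparison, a record that already carries the Clever id wins over a different record that only shares the email address.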


sail...@gmail.com

Mar 24, 2015, 4:45:27 PM
to clever-de...@googlegroups.com
I think this is a very sound idea. I wonder about the following though:
  • Could an administrator of 'school' scope be allowed to administer more than one school or must he/she be a "district" scope?
  • For "school" scoped admins, who administers which schools that school admin can administer?
  • Is a "District" scoped administrator given access to all schools? If not, how are the schools distributed in large districts that often have administrators moving between a subset of the schools in the district?
  • For a "District" scoped admin, does an empty array of schools indicate all schools in the district or none?
  • It would be interesting to be able to wildcard the school names or by school type (primary, elementary, etc.)
  • Any thoughts on allowing administration per grade level?
  • Is there a super admin scope? 