SSO setup
Configure single sign-on so your district's teachers and students land in Red Stet through your existing identity system. Auth layer: Clerk. Google Workspace and Microsoft 365 ship today as direct OAuth; Clever and ClassLink are scaffolded for K-12 rostering.
Why SSO for Red Stet
Password sign-in works for an individual teacher. A district needs more: IT owns identity for thousands of accounts, compliance needs an answer for FERPA and CIPA, principals want students landing in Red Stet from the same place they land everywhere else.
SSO solves three problems. Security — one source of credentials, central revoke, no student or teacher password in our database. Compliance — your DPA covers the identity layer because the IdP is yours. Rostering — pair SSO with an LMS launch and the roster comes with it.
LMS integration covers a related path: direct LTI 1.3 launch from Canvas, Schoology, or Brightspace. SSO sits one layer below — even an LTI launch resolves "this user in the LMS" to "this account in Red Stet," and SSO makes that resolution durable.
Sign in to Red Stet
Continue with your school account.
Clerk as the identity provider auth.config.ts
Red Stet uses Clerk for every account — student, teacher, admin, verifier. Convex trusts Clerk-issued JWTs and looks up the user via the token's tokenIdentifier claim.
Configuring SSO connects your IdP (Google or Microsoft) to our Clerk tenant — not directly to Red Stet. Clerk handles OIDC, JWKS rotation, and the session cookie. Convex sees a verified identity and binds it to a users row on first sign-in.
You won't log into the Clerk dashboard — we do that during onboarding. Matters for troubleshooting: every failure below traces to "Clerk says X" or "Convex says Y."
- User clicks "Continue with Google"Browser redirects to your IdP's login screen.
- IdP authenticates & redirects to ClerkClerk verifies the OIDC response and mints a JWT.
- Clerk hands the JWT to Red StetThe browser stores a short-lived session cookie.
- Convex verifies the JWTLooks up
tokenIdentifierinusers; creates the row if absent.
Google Workspace setup
The most common K-12 IdP in the US and the simplest configuration. No Google-side provisioning — Clerk has Google as a pre-built OAuth client.
What we need from you
- Your school's primary email domain(s). Usually one (
centralhs.edu); sometimes multiple (a district runningdistrict.k12.usfor staff andstudents.district.k12.usfor students). - One administrator email for the rollout.
What happens next
"Continue with Google" accepts your users immediately — no Google Workspace admin action needed for the basic flow.
For tighter control, your Google admin restricts OAuth consent via Apps > Google Workspace Marketplace > Apps list — the right move for districts that don't want students approving third-party apps on their own.
- Email your IT contactSend the list of domains to your Red Stet rep.
- Test with one teacherSign in via "Continue with Google" to confirm the flow.
- (Optional) Lock MarketplaceApprove Red Stet in Google Workspace Marketplace for SSO-only signup.
Microsoft 365 / Entra ID setup
The common IdP in higher ed and Windows-first K-12 districts. Same shape as Google — Clerk-mediated OAuth — with more knobs on the tenant side.
Multi-tenant vs single-tenant
Clerk's Microsoft connection is multi-tenant by default — any Microsoft account from any tenant can complete the OAuth flow.
If your tenant requires third-party apps to be registered in Entra ID > Enterprise applications before consent, your admin adds Red Stet (the Clerk OAuth app) once. We provide the redirect URIs.
Group claims and roles
Microsoft tokens can carry group memberships and role assignments. Red Stet consumes these for auto-verify (see Provider configuration & auto-verify) — when a user's group claim matches an org's autoVerifyGroups entry, teacherStatus flips to verified.
Provisioning & de-provisioning
Every IT director asks: what happens when a student transfers, a teacher leaves, or an account is disabled in our IdP?
Provisioning
Just-in-time: a user row is created on first sign-in. Until then, the user doesn't exist in our system.
De-provisioning
Disabling a user in your IdP — graduation, transfer, termination — immediately blocks sign-in. The IdP refuses the OAuth flow; Clerk can't mint a token; Convex never sees them.
The Red Stet account row stays. It anchors past submissions, grades, recordings, and the provenance chain on work the student did before leaving.
Deletion on request
FERPA, COPPA, GDPR deletion rights run as a separate operation. See the privacy notice for the retention schedule.
SSO and teacher verification teacherStatus
SSO answers "who is this user." It doesn't answer "is this user a teacher?" — and the teacher / student distinction is load-bearing because teachers create assignments and see other people's writing.
Self-serve teacher signup
A new account from any IdP starts as a student. To become a teacher, they apply via the in-app signup — a school ID photo or credential upload, reviewed within 1–2 business days.
Org admins skip this for known-good groups: see Provider configuration & auto-verify for group-claim and OU-claim auto-verification, and school-account for domain-based auto-verify.
| Account state | Set by |
|---|---|
| Student Default | Just-in-time on first SSO sign-in |
| Teacher Pending | User applied via in-app form |
| Teacher Verified | Admin review |
| Admin Verified | Set manually by us during onboarding |
Troubleshooting sign-in failures
"I can't sign in" is almost always one of three patterns. Walk through them in order before escalating.
1. Wrong account linked
Common with shared family devices — a parent's Google account is the browser default. Symptom: wrong name after sign-in. Fix: sign out of Red Stet, sign out of Google/Microsoft, retry. The IdP's account chooser appears.
2. Pending teacher status
Teacher signed in but lands in student view. Symptom: student view despite a teacher application filed. Fix: verification queue, not sign-in. Check teacherApplications and approve or reject.
3. Stale Clerk session
Infinite redirect loop or "session expired" right after sign-in. Symptom: after a browser update or long idle. Fix: clear cookies for the Red Stet domain, retry. If it persists across browsers, escalate — token-rotation issue on our side.
Provider configuration & auto-verify
The SSO tab on the Organization panel lists connected providers and lets admins connect a new one. Four providers: Google Workspace, Microsoft Entra, Clever, ClassLink. The first two are direct SSO; the latter two are K-12 rostering platforms that also carry identity. The connect form takes an optional domain — when set, both an orgPreApprovedDomains row and the provider's allowedDomains list update so sign-up is locked to that domain.
For Google Workspace and Microsoft Entra, admins configure auto-verify by group claim or OU claim. When a user signs in and their OIDC group claim matches an autoVerifyGroups entry — or their ou claim matches autoVerifyOUs — teacherStatus flips to verified and a row lands in the provisioning log with action='teacher.auto-verified'. No ID upload.
Clever and ClassLink save with the same shape; roster-sync runs daily. Until partnership credentials are provisioned, sync throws CLEVER_NOT_PROVISIONED / CLASSLINK_NOT_PROVISIONED; the daily cron logs the configured-but-pending pair so the operator sees the backlog. See docs/PHASE_9_GO_LIVE.md for env-vars and activation.
Status: provider connect & domain lock are live. Auto-verify on sign-in is live for claim-matching. Roster pull from Clever / ClassLink is scaffold pending credentials. Direct Google Workspace and Entra SSO is configured through Clerk's dashboard; the per-org auto-verify config layered on top is what's managed here.