Single Sign-On

ClearXP currently supports two industry standard SSO protocols – SAML and OAuth. The different configuration options for these protocols are described below and a Clear customer representative will be able to enable these upon request.

Note that ClearXP supports mixed authentication methods and can be configured to present a selection dialog on-screen to prompt the learner to select their sign-in method prior to entering a username and password.

SAML

ClearXP supports SAML with a variety of nameID formats, although it is recommended that SSO is configured to use a persistent nameID format to ensure consistency in user data over subsequent sessions. Please see the below table for supported SAML configuration options:

Configuration Option

Supported Values

Version

2.0

SAML Binding

POST

NameID Formats

Persistent, Transient, Email, Unspecified

Encrypted Assertions

Supported

Just-in-Time Provisioning

Supported

Steps to enable SAML include the following:

  1. Configure your Identity Provider with a new SAML consumer and import the ClearXP SAML metadata from the following URL: https://org.clearlrs.com/services/saml (where org is your organisation slug)

  2. Contact your Clear customer representative with a request to enable SAML and please supply the following information:

    • The metadata for your Identity Provider to be imported into ClearXP.

    • Whether you would like Just-in-Time Provisioning enabled or not.

    • The attribute mapping for any assertion fields you would like to attach to the user's profile upon successful sign-in.

ClearXP will automatically match SSO accounts with existing accounts in the system based on any unique identifiers found in the attribute mapping (i.e. email address, employee ID, etc.).

If no matching account is found and Just-In-Time Provisioning is enabled, then a new user account will be created in the system for the authenticated user. JIT Provisioning can be disabled to prevent access for users not imported via external means (CSV import or HR integration).

OAuth

ClearXP supports the OAuth 2.0 three-legged authentication flow whereby login requests will be redirected to an external Identity Provider for authentication before being directed back to ClearXP upon successful sign-in.

The following configuration options are available for OAuth:

Option

Description

Required

Authorize URL

The destination URL to redirect the user when attempting to login.

Yes

Token URL

API endpoint for retrieving an access token for authenticated user.

Yes

User Info URL

An optional endpoint for retrieving user information about the authenticated user upon successful sign-in.

No

Logout URL

The destination URL to redirect the user when attempting to logout.

Yes

Client ID

Client ID configured for ClearXP

Yes

Client Secret

Client Secret configured for ClearXP

Yes

Scope

Scope to be specified when requesting authentication on behalf of the user.

No

Attribute Mapping

Optional mapping of fields from the User Info endpoint that will be attached to the user's profile upon successful sign-in.

No

Steps to enable OAuth include the following:

  1. Configure your Identity Provider with a new OAuth consumer for ClearXP.

  2. Contact your Clear customer representative with a request to enable OAuth and please supply all of the details listed in the table above.

Last updated