Single Sign-On
ClearXP currently supports two industry-standard SSO protocols: SAML and OAuth. The configuration options for each protocol are described below, and a Clear customer representative can enable them upon request.
Note that ClearXP supports mixed authentication methods and can be configured to present a selection dialog on-screen to prompt the learner to select their sign-in method prior to entering a username and password.

SAML

ClearXP supports SAML with a variety of nameID formats, although it is recommended that SSO is configured to use a persistent nameID format to ensure consistency in user data over subsequent sessions. The table below lists the supported SAML configuration options:
| Configuration Option | Supported Values |
| --- | --- |
| Version | 2.0 |
| SAML Binding | POST |
| NameID Formats | Persistent, Transient, Email, Unspecified |
| Encrypted Assertions | Supported |
| Just-in-Time Provisioning | Supported |

Steps to enable SAML include the following:
  1. Configure your Identity Provider with a new SAML consumer and import the ClearXP SAML metadata from the following URL: https://clearlrs.com/services/saml
  2. Contact your Clear customer representative with a request to enable SAML and please supply the following information:
    • The metadata for your Identity Provider to be imported into ClearXP.
    • Whether you would like Just-in-Time Provisioning enabled or not.
    • The attribute mapping for any assertion fields you would like to attach to the user's profile upon successful sign-in.

ClearXP will automatically match SSO accounts with existing accounts in the system based on any unique identifiers found in the attribute mapping (e.g. email address or employee ID).
If no matching account is found and Just-in-Time Provisioning is enabled, then a new user account will be created in the system for the authenticated user. JIT Provisioning can be disabled to prevent access for users not imported via external means (CSV import or HR integration).

OAuth

ClearXP supports the OAuth 2.0 three-legged authentication flow whereby login requests will be redirected to an external Identity Provider for authentication before being directed back to ClearXP upon successful sign-in.
The following configuration options are available for OAuth:

| Option | Description | Required |
| --- | --- | --- |
| Authorize URL | The destination URL to redirect the user to when attempting to log in. | Yes |
| Token URL | API endpoint for retrieving an access token for the authenticated user. | Yes |
| User Info URL | An optional endpoint for retrieving user information about the authenticated user upon successful sign-in. | No |
| Logout URL | The destination URL to redirect the user to when attempting to log out. | Yes |
| Client ID | Client ID configured for ClearXP | Yes |
| Client Secret | Client Secret configured for ClearXP | Yes |
| Scope | Scope to be specified when requesting authentication on behalf of the user. | No |
| Attribute Mapping | Optional mapping of fields from the User Info endpoint that will be attached to the user's profile upon successful sign-in. | No |

Steps to enable OAuth include the following:
  1. Configure your Identity Provider with a new OAuth consumer for ClearXP.
  2. Contact your Clear customer representative with a request to enable OAuth and please supply all of the details listed in the table above.
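
The three-legged flow described above, sketched as an added example (not ClearXP code), assuming it corresponds to the standard OAuth 2.0 authorization code grant from RFC 6749. It shows where the Authorize URL, Token URL, Client ID, Client Secret and Scope options are used and why the callback is tied to a per-login `state` value; all URLs, credentials, the redirect URI and the function names are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; none of these are real ClearXP or IdP settings.
CONFIG = {
    "authorize_url": "https://idp.example.com/oauth/authorize",
    "token_url": "https://idp.example.com/oauth/token",
    "client_id": "client-id-placeholder",
    "client_secret": "client-secret-placeholder",
    "scope": "openid profile email",  # optional per the table above
}
REDIRECT_URI = "https://sp.example.com/oauth/callback"  # hypothetical callback


def build_authorize_redirect(cfg, redirect_uri):
    """Leg 1: send the browser to the Authorize URL with a fresh state value."""
    state = secrets.token_urlsafe(32)  # caller stores this in the user's session
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": redirect_uri, "state": state}
    if cfg.get("scope"):  # Scope is not a required option
        params["scope"] = cfg["scope"]
    return cfg["authorize_url"] + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Leg 2: the IdP redirects back; reject callbacks not bound to this login."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("IdP returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Constant-time comparison against the value stored in leg 1.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(cfg, code, redirect_uri):
    """Leg 3: server-to-server POST to the Token URL; the secret stays off the browser."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": cfg["client_id"],
            "client_secret": cfg["client_secret"]}
    return cfg["token_url"], urlencode(body)
```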