Single Sign-On

ClearXP currently supports two industry standard SSO protocols – SAML and OAuth. The different configuration options for these protocols are described below and a Clear customer representative will be able to enable these upon request.

Note that ClearXP supports mixed authentication methods and can be configured to present a selection dialog on-screen to prompt the learner to select their sign-in method prior to entering a username and password.

SAML

ClearXP supports SAML with a variety of nameID formats, although it is recommended that SSO is configured to use a persistent nameID format to ensure consistency in user data over subsequent sessions. Please see the below table for supported SAML configuration options:

Steps to enable SAML include the following:

  1. Configure your Identity Provider with a new SAML consumer and import the ClearXP SAML metadata from the following URL: https://clearlrs.com/services/saml

  2. Contact your Clear customer representative with a request to enable SAML and please supply the following information:

    • The metadata for your Identity Provider to be imported into ClearXP.

    • Whether you would like Just-in-Time Provisioning enabled or not.

    • The attribute mapping for any assertion fields you would like to attach to the user's profile upon successful sign-in.

ClearXP will automatically match SSO accounts with existing accounts in the system based on any unique identifiers found in the attribute mapping (i.e. email address, employee ID, etc.).

If no matching account is found and Just-In-Time Provisioning is enabled, then a new user account will be created in the system for the authenticated user. JIT Provisioning can be disabled to prevent access for users not imported via external means (CSV import or HR integration).

OAuth

ClearXP supports the OAuth 2.0 three-legged authentication flow whereby login requests will be redirected to an external Identity Provider for authentication before being directed back to ClearXP upon successful sign-in.

The following configuration options are available for OAuth:

Steps to enable OAuth include the following:

  1. Configure your Identity Provider with a new OAuth consumer for ClearXP.

  2. Contact your Clear customer representative with a request to enable OAuth and please supply all of the details listed in the table above.

Last updated