# Single Sign-On

**ClearXP** currently supports two industry-standard SSO protocols: **SAML** and **OAuth**. The configuration options for each protocol are described below. A Clear customer representative can enable either protocol upon request.

Note that **ClearXP** supports mixed authentication methods and can be configured to present a selection dialog on-screen to prompt the learner to select their sign-in method prior to entering a username and password.

## SAML

**ClearXP** supports **SAML** with a variety of *nameID* formats. A persistent nameID format is recommended so that user data stays consistent across subsequent sessions. The table below lists the supported SAML configuration options:

| Configuration Option          | Supported Values                          |
| ----------------------------- | ----------------------------------------- |
| **Version**                   | 2.0                                       |
| **SAML Binding**              | POST                                      |
| **NameID Formats**            | Persistent, Transient, Email, Unspecified |
| **Encrypted Assertions**      | Supported                                 |
| **Just-in-Time Provisioning** | Supported                                 |

Steps to enable **SAML** include the following:

1. Configure your **Identity Provider** with a new SAML consumer and import the **ClearXP** SAML metadata from the following URL: `https://org.clearlrs.com/services/saml` (where `org` is your organisation slug).
2. Contact your Clear customer representative with a request to enable SAML and please supply the following information:
   * The metadata for your **Identity Provider** to be imported into **ClearXP**.
   * Whether you would like **Just-in-Time Provisioning** enabled or not.
   * The *attribute mapping* for any assertion fields you would like to attach to the user's profile upon successful sign-in.

{% hint style="info" %}
**ClearXP** will automatically match SSO accounts with existing accounts in the system based on any unique identifiers found in the attribute mapping (e.g. email address or employee ID).

If no matching account is found and **Just-in-Time Provisioning** is enabled, then a new user account will be created in the system for the authenticated user. **JIT Provisioning** can be disabled to prevent access for users not imported via external means (CSV import or HR integration).
{% endhint %}
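
Before sending your **Identity Provider** metadata in step 2, you can check it against the table above. The script below is an added example, not ClearXP code: it checks only SAML 2.0 protocol support, the declared NameID formats and the presence of a signing certificate. The function name `check_idp_metadata` and the sample metadata are constructed for illustration, and the script is meant for metadata exported from your own IdP.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Standard URNs for the four NameID formats listed in the table above.
SUPPORTED_NAMEID = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "Persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "Transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "Email",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "Unspecified",
}

def check_idp_metadata(xml_text):
    """Return a list of findings; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)
    idp = root.find(f".//{MD}IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor: this is not IdP metadata"]
    findings = []
    protocols = idp.get("protocolSupportEnumeration", "").split()
    if SAML2_PROTOCOL not in protocols:
        findings.append("IdP does not declare SAML 2.0 protocol support")
    declared = [(e.text or "").strip() for e in idp.findall(f"{MD}NameIDFormat")]
    usable = [SUPPORTED_NAMEID[f] for f in declared if f in SUPPORTED_NAMEID]
    if not declared:
        findings.append("no NameIDFormat declared; confirm the format with your IdP admin")
    elif not usable:
        findings.append("none of the declared NameID formats is supported")
    elif "Persistent" not in usable:
        findings.append("persistent NameID (recommended) not offered; only " + ", ".join(usable))
    # A KeyDescriptor without a "use" attribute serves both signing and encryption.
    signing = [k for k in idp.findall(f"{MD}KeyDescriptor")
               if k.get("use") in (None, "signing")
               and k.find(f".//{DS}X509Certificate") is not None]
    if not signing:
        findings.append("no signing certificate published in the metadata")
    return findings

# Constructed sample metadata (not from a real IdP).
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print("\n".join(check_idp_metadata(SAMPLE)))
```

For the constructed sample, the script reports that a persistent NameID is not offered and that no signing certificate is published.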

## OAuth

**ClearXP** supports the **OAuth 2.0** three-legged authentication flow whereby login requests will be redirected to an external **Identity Provider** for authentication before being directed back to **ClearXP** upon successful sign-in.

The following configuration options are available for OAuth:

| Option                | Description                                                                                                                 | Required |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------- | -------- |
| **Authorize URL**     | The destination URL to redirect the user when attempting to login.                                                          | Yes      |
| **Token URL**         | API endpoint for retrieving an access token for the authenticated user.                                                     | Yes      |
| **User Info URL**     | An optional endpoint for retrieving user information about the authenticated user upon successful sign-in.                  | No       |
| **Logout URL**        | The destination URL to redirect the user when attempting to logout.                                                         | Yes      |
| **Client ID**         | Client ID configured for ClearXP                                                                                            | Yes      |
| **Client Secret**     | Client Secret configured for ClearXP                                                                                        | Yes      |
| **Scope**             | Scope to be specified when requesting authentication on behalf of the user.                                                 | No       |
| **Attribute Mapping** | Optional mapping of fields from the User Info endpoint that will be attached to the user's profile upon successful sign-in. | No       |

Steps to enable **OAuth** include the following:

1. Configure your **Identity Provider** with a new OAuth consumer for ClearXP.
2. Contact your Clear customer representative with a request to enable OAuth and please supply all of the details listed in the table above.

