Single Sign-On
ClearXP currently supports two industry standard SSO protocols – SAML and OAuth. The different configuration options for these protocols are described below and a Clear customer representative will be able to enable these upon request.
Note that ClearXP supports mixed authentication methods and can be configured to present a selection dialog on-screen to prompt the learner to select their sign-in method prior to entering a username and password.
SAML
ClearXP supports SAML with a variety of nameID formats, although it is recommended that SSO is configured to use a persistent nameID format to ensure consistency in user data over subsequent sessions. Please see the below table for supported SAML configuration options:
Configuration Option | Supported Values |
Version | 2.0 |
SAML Binding | POST |
NameID Formats | Persistent, Transient, Email, Unspecified |
Encrypted Assertions | Supported |
Just-in-Time Provisioning | Supported |
Steps to enable SAML include the following:
Configure your Identity Provider with a new SAML consumer and import the ClearXP SAML metadata from the following URL: https://clearlrs.com/services/saml
Contact your Clear customer representative with a request to enable SAML and please supply the following information:
The metadata for your Identity Provider to be imported into ClearXP.
Whether you would like Just-in-Time Provisioning enabled or not.
The attribute mapping for any assertion fields you would like to attach to the user's profile upon successful sign-in.
ClearXP will automatically match SSO accounts with existing accounts in the system based on any unique identifiers found in the attribute mapping (i.e. email address, employee ID, etc.).
If no matching account is found and Just-In-Time Provisioning is enabled, then a new user account will be created in the system for the authenticated user. JIT Provisioning can be disabled to prevent access for users not imported via external means (CSV import or HR integration).
OAuth
ClearXP supports the OAuth 2.0 three-legged authentication flow whereby login requests will be redirected to an external Identity Provider for authentication before being directed back to ClearXP upon successful sign-in.
The following configuration options are available for OAuth:
Option | Description | Required |
Authorize URL | The destination URL to redirect the user when attempting to login. | Yes |
Token URL | API endpoint for retrieving an access token for authenticated user. | Yes |
User Info URL | An optional endpoint for retrieving user information about the authenticated user upon successful sign-in. | No |
Logout URL | The destination URL to redirect the user when attempting to logout. | Yes |
Client ID | Client ID configured for ClearXP | Yes |
Client Secret | Client Secret configured for ClearXP | Yes |
Scope | Scope to be specified when requesting authentication on behalf of the user. | No |
Attribute Mapping | Optional mapping of fields from the User Info endpoint that will be attached to the user's profile upon successful sign-in. | No |
Steps to enable OAuth include the following:
Configure your Identity Provider with a new OAuth consumer for ClearXP.
Contact your Clear customer representative with a request to enable OAuth and please supply all of the details listed in the table above.
Last updated