Single Sign On
ClearXP currently supports two industry-standard SSO protocols – SAML and OAuth. The configuration options for each protocol are described below, and a Clear customer representative will be able to enable them upon request.
Note that ClearXP supports mixed authentication methods and can be configured to present a selection dialog on-screen to prompt the learner to select their sign-in method prior to entering a username and password.
ClearXP supports SAML with a variety of nameID formats, although it is recommended that SSO is configured to use a persistent nameID format to ensure consistency in user data over subsequent sessions. The table below lists the supported SAML configuration options:
| Configuration Option | Supported Values |
|---|---|
| Version | 2.0 |
| SAML Binding | POST |
| NameID Formats | Persistent, Transient, Email, Unspecified |
| Encrypted Assertions | Supported |
| Just-in-Time Provisioning | Supported |
Steps to enable SAML include the following:
- Configure your Identity Provider with a new SAML consumer and import the ClearXP SAML metadata from the following URL:
  https://org.clearlrs.com/services/saml (where org is your organisation slug)
- Contact your Clear customer representative with a request to enable SAML and please supply the following information:
  - The metadata for your Identity Provider to be imported into ClearXP.
  - Whether you would like Just-in-Time Provisioning enabled or not.
  - The attribute mapping for any assertion fields you would like to attach to the user’s profile upon successful sign-in.
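A pre-flight check you can run on your Identity Provider's metadata before supplying it, as an added example that is not ClearXP code: it compares the metadata against the table above (SAML 2.0, the supported NameID formats, persistent recommended). The function name, the sample metadata and the signing-key check are assumptions of this example.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Standard SAML URNs for the four NameID formats named in the table above.
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUPPORTED_NAMEID = {
    PERSISTENT,
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

def check_idp_metadata(xml_text):
    """Return a list of findings; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)
    idp = next(root.iter(f"{MD}IDPSSODescriptor"), None)
    if idp is None:
        return ["no IDPSSODescriptor: this is not IdP metadata"]
    findings = []
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        findings.append("IdP does not advertise SAML 2.0")
    advertised = {(e.text or "").strip() for e in idp.findall(f"{MD}NameIDFormat")}
    if advertised and not advertised & SUPPORTED_NAMEID:
        findings.append("no advertised NameID format is in the supported list")
    if PERSISTENT not in advertised:
        findings.append("persistent NameID (recommended) is not advertised")
    # General SAML practice, not a requirement stated on this page: the
    # service provider verifies IdP signatures with a key from the metadata.
    keys = idp.findall(f"{MD}KeyDescriptor")
    if not any(k.get("use") in (None, "signing") for k in keys):
        findings.append("no signing key published in metadata")
    return findings

# Constructed sample metadata (idp.example.com is a placeholder).
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for finding in check_idp_metadata(SAMPLE):
        print("FINDING:", finding)
```

Only run this on metadata exported from your own Identity Provider; it is a configuration check, not a validator for untrusted XML.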
ClearXP supports the OAuth 2.0 three-legged authentication flow whereby login requests will be redirected to an external Identity Provider for authentication before being directed back to ClearXP upon successful sign-in.
The following configuration options are available for OAuth:
| Option | Description | Required |
|---|---|---|
| Authorize URL | The destination URL to redirect the user to when attempting to log in. | Yes |
| Token URL | API endpoint for retrieving an access token for the authenticated user. | Yes |
| User Info URL | An optional endpoint for retrieving user information about the authenticated user upon successful sign-in. | No |
| Logout URL | The destination URL to redirect the user to when attempting to log out. | Yes |
| Client ID | Client ID configured for ClearXP. | Yes |
| Client Secret | Client Secret configured for ClearXP. | Yes |
| Scope | Scope to be specified when requesting authentication on behalf of the user. | No |
| Attribute Mapping | Optional mapping of fields from the User Info endpoint that will be attached to the user’s profile upon successful sign-in. | No |
Steps to enable OAuth include the following:
- Configure your Identity Provider with a new OAuth consumer for ClearXP.
- Contact your Clear customer representative with a request to enable OAuth and please supply all of the details listed in the table above.