# Setting up SSO

{% hint style="info" %}
By default, Cleric uses Third Party Sign In with Google. If your organization uses Google Workspace, no additional configuration is needed.
{% endhint %}

Cleric supports Single Sign-On via SAML or OIDC with most major Identity Providers, including:

* Okta
* Entra ID (formerly Azure AD)
* Google Workspace
* OneLogin
* JumpCloud
* PingOne / PingFederate

## Setup Process

1. We'll provide you with the **ACS URL** and **Entity ID** values for your organization.
2. Create a new SAML or OIDC application in your IdP's admin dashboard using the values we provided.
3. [Configure attribute mapping](#configure-attribute-mapping) in your IdP.
4. [Assign users and groups](#role-assignment) to the application in your IdP.
5. Share the **metadata** object (or metadata URL) from your IdP configuration back to us.
6. Once we receive your metadata, we'll finalize the SSO setup and confirm when it's ready.

Don't see your Identity Provider listed? Cleric supports [many additional integrations](https://workos.com/docs/integrations).

## Configure Attribute Mapping

Your Identity Provider must send the following four attributes in the SAML assertion. All four are required for Cleric to authenticate and identify users.

| Attribute Name | Required | Description                                   |
| -------------- | -------- | --------------------------------------------- |
| `email`        | Yes      | The user's email address                      |
| `firstName`    | Yes      | The user's first name                         |
| `lastName`     | Yes      | The user's last name                          |
| `idpId`        | Yes      | A unique, stable user identifier from the IdP |

How you configure these depends on your Identity Provider:

{% tabs %}
{% tab title="Okta" %}
In the **Attribute Statements** section of your SAML application:

1. Add each attribute name exactly as shown in the table above (e.g., `email`, `firstName`).
2. Set the corresponding value to the appropriate Okta user profile field (e.g., `user.email`, `user.firstName`, `user.lastName`).
3. For `idpId`, map it to a stable unique identifier such as `user.id`.
4. Preview the SAML Assertion to confirm all four attributes are present before saving.
{% endtab %}

{% tab title="Entra ID" %}
In your Enterprise Application's **Single sign-on** settings, under **Attributes & Claims**:

1. Edit the existing claims or add new ones so that each of the four attribute names above is present.
2. Map each claim to the corresponding Entra ID user attribute (e.g., `user.mail`, `user.givenname`, `user.surname`).
3. For `idpId`, map it to a stable unique identifier such as `user.objectid`.
4. If your IdP requires a namespace, ensure the claim name still resolves to the attribute names listed above.
{% endtab %}

{% tab title="Google Workspace" %}
In the **Attribute Mapping** section of your SAML app configuration:

1. Add each attribute name exactly as shown in the table above.
2. Map them to the corresponding Google directory attributes (e.g., `Primary email`, `First name`, `Last name`).
3. For `idpId`, map it to a stable unique identifier. Note that Google SAML does not provide a built-in option to map a user's `id` attribute claim. Contact us if you need guidance on choosing the right value.
{% endtab %}

{% tab title="Other IdPs" %}
Refer to your IdP's documentation for configuring SAML attribute statements. Ensure the four attribute names above are included in the assertion with the correct user profile mappings.
{% endtab %}
{% endtabs %}
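The "preview the SAML assertion" step can be turned into a repeatable check. The following is an added example, not Cleric's or any IdP's code: it parses a constructed assertion (placeholder values, no signature) and reports which of the four required attributes are missing, empty or multi-valued. It also strips a claim-URI prefix, as a namespaced claim name of the kind the Entra ID tab mentions would otherwise not resolve to the plain attribute name; the URI used here is constructed for the sample.

```python
"""Check that a SAML assertion carries the four attributes Cleric requires
(email, firstName, lastName, idpId). Added example, not Cleric's own code."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName", "idpId")

# Constructed sample assertion: placeholder issuer and values, no signature.
# The email attribute uses a namespaced claim URI (constructed) to exercise
# the prefix stripping described in the Entra ID tab.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.example.test/claims/email">
      <saml:AttributeValue>jane@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="idpId"><saml:AttributeValue>00u1example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str) -> dict[str, list[str]]:
    """Map each attribute name (claim-URI prefix stripped) to its values."""
    root = ET.fromstring(assertion_xml)
    found: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        # Keep only the last path segment so "…/claims/email" resolves to "email".
        name = attr.get("Name", "").rsplit("/", 1)[-1]
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found.setdefault(name, []).extend(values)
    return found


def check_required_attributes(assertion_xml: str) -> list[str]:
    """Return a list of problems; an empty list means all four attributes are usable."""
    found = attribute_values(assertion_xml)
    problems = []
    for name in REQUIRED:
        values = [v for v in found.get(name, []) if v]
        if not values:
            problems.append(f"missing or empty attribute: {name}")
        elif len(values) > 1:
            problems.append(f"multiple values for {name}: {values}")
    return problems


if __name__ == "__main__":
    print(check_required_attributes(SAMPLE_ASSERTION) or "all four required attributes present")
```

Paste the assertion preview from your IdP in place of the sample to check a real application before saving it.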

## Role Assignment

Assign users and groups in your Identity Provider so that the right people can access Cleric. At minimum, ensure that the engineering teams using Cleric are assigned to the application.

{% tabs %}
{% tab title="Okta" %}

1. In your SAML application, go to the **Assignments** tab.
2. Select **Assign to People** or **Assign to Groups**.
3. Find the relevant engineering teams or individual users and click **Assign** next to each.
4. Click **Done** when finished.
{% endtab %}

{% tab title="Entra ID" %}

1. In your Enterprise Application, go to **Users and groups**.
2. Click **Add user/group**.
3. Select the engineering teams or security groups that should have access to Cleric.
4. Click **Assign** to confirm.
{% endtab %}

{% tab title="Google Workspace" %}

1. In your SAML app settings, go to **User access**.
2. Enable the service for the relevant organizational units (OUs) that include your engineering teams.
3. Click **Save**.
{% endtab %}

{% tab title="Other IdPs" %}
Refer to your IdP's documentation for assigning users or groups to a SAML application. Ensure the teams that will use Cleric are included.
{% endtab %}
{% endtabs %}
---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.cleric.ai/setup/setting-up-sso.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
