How to Set Up SSO With Clema (SAML and OAuth)

The exact steps to configure SAML 2.0 or OAuth 2.0 SSO with your institution identity provider

CRT
Clema Research Team
July 7, 2026
5 mins read
Share:
Table of Contents

Introduction

SSO is the single most common week-two onboarding task for Clema. Most institutions run SAML 2.0 against an enterprise IdP (Microsoft Entra, Okta, Shibboleth, OneLogin) and are live in a day once the metadata is exchanged. This post walks through the exact steps so your IT or identity admin can do it without a back-and-forth.

Before You Start

  • A named admin in Clema with access to the admin panel.
  • Access to your identity provider with permission to create a new SAML or OAuth application.
  • The email domain your institution uses for logins (e.g. @institution.edu).
  • Your institution's BAA on file or in progress. SSO can be configured before the BAA is signed, but production logins require the BAA.

SAML 2.0 Setup

1

Create a new SAML application in your IdP

In Microsoft Entra, Okta, or Shibboleth, create a new SAML 2.0 application. The ACS URL and Entity ID come from the Clema admin panel under SSO configuration. Most IdPs autofill these when you upload the Clema SP metadata.

2

Exchange metadata

Upload the Clema SP metadata into your IdP and the IdP metadata back into the Clema admin panel. Clema supports both URL-based and XML metadata upload. If your IdP only publishes a metadata URL, paste that.

3

Map the nameID and attributes

Set the nameID to the user email and map firstName, lastName, and role attributes. Clema uses these for display and for default role assignment. See the attribute mapping section below for the expected names.

4

Enable MFA at the IdP

Clema defers MFA to your IdP. If your institution enforces MFA on SAML logins, it is enforced on Clema logins automatically. No Clema-side configuration is needed.

OAuth 2.0 / OIDC Setup

1

Create an OAuth or OIDC application

In your IdP, create a new OIDC or OAuth 2.0 application. Copy the client ID and client secret. The redirect URI comes from the Clema admin panel SSO section.

2

Enter credentials in Clema

In the Clema admin panel, paste the client ID, client secret, authorization endpoint, token endpoint, and userinfo endpoint. Clema supports standard OIDC discovery URLs if your IdP publishes them.

3

Map the claims

Map the email, name, and role claims. Clema uses the email claim for the user identity and the role claim for default role assignment. The first user to log in with the admin email becomes the institution admin.

Attribute Mapping

Clema fieldSAML attributeOIDC claimRequired
EmailemailemailYes
First namefirstNamegiven_nameYes
Last namelastNamefamily_nameYes
RoleroleroleNo (defaults to stakeholder)

The Test Login

The setup is done when a test user logs in through your IdP and lands in Clema without entering a Clema-native password. Open an incognito window, navigate to your Clema login URL, and route through your IdP. If MFA is enforced by your IdP it should prompt for the second factor. The user should land on the Clema dashboard with the correct name and role. Email [email protected] if the test login fails; most issues are an attribute name mismatch.

Need help with SSO?

Book a demo and our implementation lead will walk through SSO with your IT team, or start a free trial and configure it in week two.

Book a Demo

Frequently asked questions

Does Clema support SSO?

Yes. Clema supports SAML 2.0, OAuth 2.0, and OpenID Connect. Most institutions run SAML 2.0 against Microsoft Entra, Okta, Shibboleth, or OneLogin and are live in a day once metadata is exchanged. MFA is deferred to your IdP and enforced automatically.

How long does SSO setup take with Clema?

Most IT teams have SSO live in a day once the metadata is exchanged. The slow part is usually scheduling the IT admin and the Clema admin together; the configuration itself is metadata upload and attribute mapping. Plan for week 2 of onboarding.

Does Clema enforce MFA?

Clema defers MFA to your identity provider. If your institution enforces MFA on SAML or OIDC logins, it is enforced on Clema logins automatically. No Clema-side MFA configuration is needed.

Ready to get started?

Reclaim Your Team's Capacity

See how Clema can help your IR team handle routine requests automatically