Introduction
SSO is the single most common week-two onboarding task for Clema. Most institutions run SAML 2.0 against an enterprise IdP (Microsoft Entra, Okta, Shibboleth, OneLogin) and are live in a day once the metadata is exchanged. This post walks through the exact steps so your IT or identity admin can do it without a back-and-forth.
Before You Start
- A named admin in Clema with access to the admin panel.
- Access to your identity provider with permission to create a new SAML or OAuth application.
- The email domain your institution uses for logins (e.g. @institution.edu).
- Your institution's BAA on file or in progress. SSO can be configured before the BAA is signed, but production logins require the BAA.
SAML 2.0 Setup
Create a new SAML application in your IdP
In Microsoft Entra, Okta, or Shibboleth, create a new SAML 2.0 application. The ACS URL and Entity ID come from the Clema admin panel under SSO configuration. Most IdPs autofill these when you upload the Clema SP metadata.
Exchange metadata
Upload the Clema SP metadata into your IdP and the IdP metadata back into the Clema admin panel. Clema supports both URL-based and XML metadata upload. If your IdP only publishes a metadata URL, paste that.
Map the nameID and attributes
Set the nameID to the user email and map firstName, lastName, and role attributes. Clema uses these for display and for default role assignment. See the attribute mapping section below for the expected names.
Enable MFA at the IdP
Clema defers MFA to your IdP. If your institution enforces MFA on SAML logins, it is enforced on Clema logins automatically. No Clema-side configuration is needed.
OAuth 2.0 / OIDC Setup
Create an OAuth or OIDC application
In your IdP, create a new OIDC or OAuth 2.0 application. Copy the client ID and client secret. The redirect URI comes from the Clema admin panel SSO section.
Enter credentials in Clema
In the Clema admin panel, paste the client ID, client secret, authorization endpoint, token endpoint, and userinfo endpoint. Clema supports standard OIDC discovery URLs if your IdP publishes them.
Map the claims
Map the email, name, and role claims. Clema uses the email claim for the user identity and the role claim for default role assignment. The first user to log in with the admin email becomes the institution admin.
Attribute Mapping
| Clema field | SAML attribute | OIDC claim | Required |
|---|---|---|---|
| Yes | |||
| First name | firstName | given_name | Yes |
| Last name | lastName | family_name | Yes |
| Role | role | role | No (defaults to stakeholder) |
The Test Login
The setup is done when a test user logs in through your IdP and lands in Clema without entering a Clema-native password. Open an incognito window, navigate to your Clema login URL, and route through your IdP. If MFA is enforced by your IdP it should prompt for the second factor. The user should land on the Clema dashboard with the correct name and role. Email [email protected] if the test login fails; most issues are an attribute name mismatch.
Need help with SSO?
Book a demo and our implementation lead will walk through SSO with your IT team, or start a free trial and configure it in week two.
Book a Demo