How Clearbit's SSO SAML authentication works

Clearbit supports Single-Sign On (SSO) through SAML 2.0 authentication, increasing security, simplifying the login process, and reducing the risk of lost or forgotten login information.

This article explains how SAML authentication works once the feature is enabled.

Review the articles below for instructions on how to set up SAML authentication with your identity provider.

SAML setup instructions by identity provider

• Okta SAML auth setup
• Google SSO SAML auth setup
• JumpCloud SAML auth setup
• Custom SAML auth setup

Don't see your provider? The SAML 2.0 integration is designed to be vendor agnostic, meaning it is compatible with any identity provider (IdP) that supports a standard SAML configuration. If you do not see your identity provider in the list above, use the general setup instructions or reach out to our team and we will help you assess whether or not the SAML 2.0 integration is compatible.

How SAML authentication works

Logging into Clearbit applications

Once SAML authentication is enabled, users can log into Clearbit in two ways:

• Through your SAML application - Users will be directed to Clearbit and automatically signed into our applications.

Through the Clearbit login flow - Users who attempt to use the standard login flow will be redirected to your SSO URL. If they are not currently logged into your IdP, they will be prompted to do so before being authenticated and logged in.

Enforcing SAML authentication (user-level enforcement based on designated email domain)

When SAML authentication is enabled, it is enforced for all applicable users.

Clearbit enforces SAML at the user-level based on the email domain provided during configuration. In other words, all users with the email domain that matches the pattern provided will be required to log in via your SAML application in order to access any and all Clearbit applications.

Users that do not share the designated email domain will not be asked to authenticate through your SAML application, meaning they will have to log in using their standard username and password.

To increase security for users outside of your organization, you can also choose to enable multi-factor authentication (MFA). When MFA is enabled, any users with SAML authentication enforced will bypass MFA.

Just-in-time (JIT) provisioning

The SAML integration provides just-in-time (JIT) provisioning by default.

Just in Time (JIT) Provisioning is a SAML protocol based method that is used to create users the first time they log in to an application via an identity provider. This eliminates the need to provision users within Clearbit manually.

This means that after you add a new user to your custom SAML application, Clearbit will automatically create that user in your account when they first attempt to log in.

Offboarding users

To edit permission sets or remove user access, a user with admin permissions should log into the Clearbit dashboard and navigate to Manage Team > Users and click Remove User.