🔑Security Settings

Enforce Sign In Methods and configure SAML SSO

Security settings in ClearFeed allow admins to enforce a sign-in method and configure SAML SSO.

These are available at an account level on this page -> https://web.clearfeed.app/settings/security.

Note: All settings related to security and authentication can be modified by an Admin only. Learn more about user roles in ClearFeed here.

Enforcing Sign In Options

Users from an organization can log in to ClearFeed via multiple methods: Google Sign-in, Microsoft Sign-in, or a login link (magic link).

By default, users are allowed to sign in via all options. Enforcing sign-in allows admins to limit the sign-in option to only Google or Microsoft login.

You can configure the sign-in settings by following the steps below:

  1. Toggle on Google Authentication or Microsoft Authentication

  2. This will log out all users who did not log in via the selected authentication method.

  3. These users would then need to log in again using the enforced sign-in option.

SAML Authentication

ClearFeed provides the option to integrate Single Sign-On (SSO) using the Security Assertion Markup Language (SAML) protocol, allowing users to authenticate with their identity providers (IdPs) to access ClearFeed.

Note: This feature is currently enabled for users via ClearFeed. If you'd like to enable SAML authentication, please reach out to us at support@clearfeed.ai or via Slack.



Before configuring SAML SSO in ClearFeed, ensure the following:

  • Login and create an account in ClearFeed using any of the existing Authentication Methods (Google/Microsoft/Magic Link)

  • Contact ClearFeed support via Slack or email at support@clearfeed.ai to enable the SAML SSO feature for your ClearFeed account. This feature is not automatically available and requires activation by the support team.

  • Ensure you have administrative access to both ClearFeed and your identity provider.

  • If you are using multiple accounts in ClearFeed, ensure you are logged in to the Parent Account.

  • You have the SAML identity provider setup screen and documentation open.

SAML can be configured by visiting this link and clicking on the configure button.

Create SAML Configuration

Identity Provider Entity ID

Obtain the Entity ID from your identity provider.

  • This is a unique identifier that the SAML protocol uses to exchange data between the identity provider and ClearFeed.


Provide the SAML SSO URL from your identity provider.

  • This URL is where SAML authentication requests are sent and must be a valid URL.

X.509 Certificates

Supply one or more X.509 certificates provided by your identity provider.

  • These certificates must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers and are used for validating SAML responses.

Company ID

Unique identifier for your company within ClearFeed.

  • It is necessary for users to log in via SAML SSO.

  • Note: This ID cannot be changed once set up.

Additional Information Required by your IdP

  • Audience/Service Provider Entity ID: This is a predefined value shown on the screen, which must be entered on your identity provider's configuration page.

  • Callback URL: The Assertion Consumer Service (ACS) URL is also predefined, and provided in the SAML configuration modal. This URL is where the SAML response is sent after authentication. You'll need to register this URL with the SAML identity provider.

SAML Assertion

The SAML Assertion from your identity provider must include the following for successful authentication:

<saml:Subject> and <saml:NameID> elements must be present, and the<NameID> element must contain the user's email in the following format:

  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">

SAML authentication will not function without the presence of the above elements in the SAML Assertion.

User Attributes

ClearFeed also searches for the following attributes in the SAML assertion payload to enhance the user experience within the ClearFeed Web App. While these attributes are not mandatory for authentication, having them present can improve usability:

  • fullName, name, displayName for the user's name.

  • photoURL, avatar, picture for the user's avatar.

User Login Flow

Currently, we don't support the Identity Provider initiated flow, which means that every time the user wants to log in to ClearFeed via SAML SSO, the user will have to first navigate to https://web.clearfeed.app/login and click on Continue with SAML SSO

Once SAML SSO is enforced, alternative authentication methods (such as Google, Microsoft, or Magic Link) cannot be used to log in to ClearFeed. Administrators of the parent account can still log in using the alternative authentication methods. This ensures they do not get locked out in the event of any issues with the SAML configuration.

Note: It is essential to consult your identity provider's documentation to obtain the correct values for the entity ID, SSO URL, and X.509 certificates. Additionally, regularly check for any updates or rotation of certificates to maintain SAML SSO functionality.


1. If I have multiple ClearFeed accounts, does enforcing sign-in work for all accounts?

Ans: No, enforcing sign-in is an individual account-level setting. If you have multiple accounts, users can still log in to other accounts using any of the login methods.

2. What happens if a user tries to log in via a method other than the enforced one?

Ans: Users are shown an error message if they try to log in via another method. E.g. If an account has Google Sign-in enforced - and if a user tries to log in via the magic link. Upon clicking on the generated sign-in link in their email - they would see an error as shown below:

Last updated