Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions docs/single-sign-on.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,18 @@ The typical setup process:

**Note:** The email domain used for SSO authentication is configured on Clay's side. If you receive an error during the WorkOS setup stating that your domain is not recognized or not allowed, contact Clay support — only the support team can update the allowed domain setting.

### SAML configuration details (Entity ID and ACS URL)

Clay's SAML Entity ID and ACS URL are **unique per organization** — there are no universal, shared values across all Clay customers. These org-specific details are generated by WorkOS for your workspace and are available inside the WorkOS setup portal from the configuration link Clay support sends in step 2.

In the WorkOS setup portal, look for the **Service Provider Details** section, which displays:

- **ACS URL** (Assertion Consumer Service URL) — the endpoint where your identity provider sends SAML responses to Clay
- **SP Entity ID** — the unique identifier for your Clay organization in SAML communications
- **SP Metadata URL** — an optional metadata file URL for automated IdP configuration

**Required SAML attribute:** The user's email address is the only required attribute. The optional attributes are `firstName` and `lastName` — these are not required for authentication to work.

## What happens when SSO is enabled

- All users whose email address is on your verified domain are redirected to sign in through SSO when they type their email on the Clay login page. **Note:** This redirect is handled in the browser — users who have an existing email + password Clay account can still log in using their password directly, which bypasses the SSO redirect. Clay does not block password-based login at the backend for SSO-configured domains.
Expand Down