Configure custom SAML single sign-on

Security Assertion Markup Language (SAML) is a standard for communication between Identity Providers (IDP) and Service Providers (SP) like ClickUp.

You can create a custom single sign-on with any IDP that supports SAML 2.0.

We also have single sign-on integrations available for the following platforms:

What you'll need

Enable custom SAML

Configuring SAML requires the use of SSO. Each person in your Workspace must link their ClickUp account with their account in the IDP to log in using SSO. 

Step 1

Enabling SAML overwrites any previous SSO settings. 

To enable SAML:

  1. Click your Workspace avatar, Settings, then Security & Permissions.
  2. In the Single sign-on (SSO) section, select SAML.

Step 2

To configure your organization's solution, ask your IT team to refer to the IDP's documentation.

Assertion requirements

A unique NameID in any format is required in the assertion sent from your IDP to ClickUp. No other attributes are required.

We recommend that you do not use an email as a NameID. Email address changes require relinking users.

Configure your IDP solution

  1. From the Configure SAML Single Sign On section, give your IT team the following info:
    • Audience URI (SP Entity ID)
    • Single sign on URL (ACS URL)
    • The SP Certificate is only required when using the Windows Active Directory Federation Services (AD FS) on-premises certificate trust deployment model.

This information tells the IDP solution how to communicate securely with ClickUp.
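
As an added example (not ClickUp's code), the Python below checks one test assertion captured from your IDP against the requirements above: a NameID is present and is not an email address, and the Audience and Recipient match the Audience URI and ACS URL given to your IT team. The function name preflight, the example.test URLs and the sample assertion are constructed placeholders, and the check does not verify signatures.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (unsigned; every value is a placeholder).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">8f3c2a1e-emp-004217</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test/entity</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def preflight(assertion_xml, sp_entity_id, acs_url):
    """Return a list of findings for one captured test assertion."""
    root = ET.fromstring(assertion_xml)
    findings = []

    # Works for a bare Assertion or one nested inside a Response.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        findings.append("missing NameID")
    elif name_id.get("Format") == EMAIL_FORMAT or EMAIL_RE.match(value):
        # Email changes would force users to relink their accounts.
        findings.append("NameID is an email address")

    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        findings.append("Audience does not match SP Entity ID")

    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        findings.append("Recipient does not match ACS URL")
    return findings

if __name__ == "__main__":
    print(preflight(SAMPLE, "https://sp.example.test/entity", "https://sp.example.test/acs"))
```

Uniqueness of the NameID across users cannot be seen from a single assertion; confirm it in the IDP's attribute mapping.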

Next, you'll tell ClickUp how to communicate securely with your IDP solution.

Step 3

Once your IT team has configured the IDP, ask them for the following info:

  • Login URL (Single Sign On Service URL)
  • IDP Public Certificate

You can let your IT team know:

  • The Issuer URI (IDP Entity ID) is not required.
  • The certificate must be signed and encrypted.

  1. From the Configure SAML Single Sign On section, enter the following info:
    • Login URL (Single Sign On Service URL)
    • IDP Public Certificate
      You must copy the entire IDP Public Certificate. If your certificate has them, you don't need to include the BEGIN CERTIFICATE header and END CERTIFICATE footer.
      You can paste the certificate into a text editor. For example, Visual Studio Code or Text Edit.
  2. Click Save Metadata.

After saving, you're prompted to log in using the new SSO settings. 

The first-time login creates a link between this ClickUp account and the IDP user account that you log in with.

Next, you'll verify that your account was linked successfully.

Step 4

To verify your account is successfully linked:

  1. In the upper-right corner, click your account avatar. 
  2. Select My Settings.
  3. Scroll to the bottom of the page.
  4. If the link is successful, you'll see a Single Sign On section showing your provider and ClickUp Workspace. 

You can click the Re-link button to change which account from your IDP is associated with your ClickUp account.

There is also an Unlink button. If SAML is enabled, SSO is required in your Workspace. Only an owner or an admin with the Workspace Permissions custom role permission can unlink your account.

Download and use your IDP public certificate

To use your IDP public certificate:

  1. After generating a current certificate, download it.
  2. Open your Downloads folder and right-click on the file. 
  3. Select Open with.
  4. Click Other or Another app to select an app that's not listed.
  5. Find an app that will open the file as plain text. For example, Visual Studio Code or Text Edit.
  6. Follow the instructions in steps 3 and 4, above.

Update the ClickUp SP certificate

Before the certificate expires, Workspace owners receive an email letting them know to update the certificate.

To update your ClickUp SP certificate:

  1. In the upper-left corner, click your Workspace avatar.
  2. Select Settings, then Security & Permissions.
  3. In the Configure SAML Single Sign On section, click Regenerate.

Require SSO

Each person in your Workspace must link their ClickUp account with their account in the IDP to log in using SSO. Configuring SAML requires the use of SSO.

This requirement is enforced in the following way:

  • After SAML is enabled, the next time Workspace members and guests log in there is a link to sign in with SAML.
  • When someone is invited to join your Workspace, they will set a password for their ClickUp account before accepting the Workspace invitation. Once they complete the sign-in with SAML, their ClickUp account will be linked with their user account from your IDP.

SCIM and Custom SAML

  • Azure AD SSO, now known as Microsoft Entra ID, has limited automatic provisioning including user creation and removal. Roles, Custom Roles, and Teams cannot be assigned.
  • Okta SCIM SSO has full automatic provisioning.
  • To configure SCIM for a supported IDP, the SCIM Base URL and SCIM API Token will be presented after successfully integrating SSO with Custom SAML. The steps for inputting the Base URL and API Token into your IDP vary by provider.
