Custom SAML - Single Sign-On

Security Assertion Markup Language (SAML) is a standard of communication between Identity Providers (IDP) and Service Providers (SP) like ClickUp.

ClickUp allows you to use Single Sign-On with any IDP that supports SAML 2.0.

We also have dedicated Single Sign-On integrations available for the following platforms:

Custom SAML is exclusive to the Enterprise Plan. To learn about our different plans, click here.

Enabling Custom SAML

To set up Single Sign-On with a SAML 2.0 Identity Provider (IDP) of your choosing, you must have an Owner or Admin enter the appropriate configuration in your Workspace's Security & Permissions settings.

Step 1

In your Workspace's Security & Permissions page, select SAML in the Single Sign-On options to begin the setup process.

Note: Any SSO settings that you had previously configured will be overwritten.

Image of the security and permissions page indicating the SAML option

Step 2

Ask your IT team to set up your organization's IDP solution. The exact steps will vary depending on which identity provider solution your organization uses.

Assertion requirements

A unique NameID of any format is required in the assertion sent from your IDP to ClickUp. No other attributes are required.

We recommend that you do not use email as a NameID format, as email address changes will require you to re-link users (see Step 4 below).
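Before going live, your IT team can check sample assertions from the IDP against these requirements. The following is an added example, not ClickUp code: it assumes one decrypted sample assertion per test user and flags a missing NameID, an email-style NameID, and NameID values shared between users. The sample assertions and the helper names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def sample_assertion(name_id_xml):
    """Build a constructed, unsigned assertion trimmed to Issuer and Subject."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>"
        f"<saml:Subject>{name_id_xml}</saml:Subject></saml:Assertion>"
    )

def name_id(assertion_xml):
    """Return (value, format) of the Subject NameID, or (None, None)."""
    # Inspect only samples exported from your own IDP. This does not verify
    # signatures and cannot see inside an EncryptedAssertion.
    node = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        return None, None
    return node.text.strip(), node.get("Format", "")

def audit(assertions):
    """Check one sample assertion per user and return a list of findings."""
    findings, seen = [], Counter()
    for i, xml in enumerate(assertions):
        value, fmt = name_id(xml)
        if value is None:
            findings.append(f"sample {i}: error: no NameID in Subject")
            continue
        seen[value] += 1
        if fmt == EMAIL_FORMAT or EMAIL_RE.fullmatch(value):
            findings.append(f"sample {i}: warning: NameID is an email address")
    findings += [f"error: NameID {v!r} shared by {n} samples" for v, n in seen.items() if n > 1]
    return findings

SAMPLES = [  # constructed values, not real IDP output
    sample_assertion(f'<saml:NameID Format="{PERSISTENT_FORMAT}">u-7f3a91c2</saml:NameID>'),
    sample_assertion(f'<saml:NameID Format="{EMAIL_FORMAT}">pat@example.test</saml:NameID>'),
    sample_assertion(f'<saml:NameID Format="{PERSISTENT_FORMAT}">u-7f3a91c2</saml:NameID>'),
    sample_assertion(""),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLES)))
```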

Configure your IDP solution

Provide your IT team with the following information from your ClickUp Workspace:

  • Audience URI (SP Entity ID)

  • Single Sign On URL (ACS URL)

  • SP Certificate

    • You must copy the entire SP Certificate. Any additions or deletions to what is in the text box in your ClickUp Security & Permissions page will cause the configuration to fail.

This information tells the IDP solution how to communicate securely with ClickUp.

Next, we need to tell ClickUp how to communicate securely with your IDP solution.

Step 3

Once your IT team has configured the IDP, ask them to provide you with the following information:

  • Issuer URI (IDP Entity ID)

  • Login URL (Single Sign On Service URL)

  • IDP Public Certificate

Note: You do not need to include the certificate header/footers. ClickUp supports signed and encrypted assertions; however, you must use the same certificate key pair for both methods.
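Because both the SP Certificate and the IDP Public Certificate are passed around by copy and paste, a local check can catch a damaged copy before it is saved. The following is an added example, not ClickUp code: it assumes the certificate is a base64-encoded X.509 certificate with or without its header/footer lines, checks only that the decoded size matches what the outer DER header declares, and returns a SHA-256 fingerprint that both teams can compare. The sample data is a constructed stand-in, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

ARMOR = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")

def der_from_pasted(text):
    """Decode a pasted certificate, with or without PEM header/footer lines."""
    body = "".join(ARMOR.sub("", text).split())
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not clean base64: {exc}") from None

def declared_length(der):
    """Total size the outer DER SEQUENCE header says the certificate has."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE")
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length header")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def fingerprint(text):
    """Return the SHA-256 fingerprint, or raise if the paste is incomplete."""
    der = der_from_pasted(text)
    want = declared_length(der)
    if want != len(der):
        raise ValueError(f"header declares {want} bytes, paste decodes to {len(der)}")
    return hashlib.sha256(der).hexdigest()

# Constructed stand-in: a DER SEQUENCE header over filler bytes, not a real certificate.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
B64 = base64.b64encode(SAMPLE_DER).decode()
WITH_ARMOR = ("-----BEGIN CERTIFICATE-----\n" + B64[:64] + "\n" + B64[64:]
              + "\n-----END CERTIFICATE-----\n")
BARE = B64              # same certificate pasted without header/footer
TRUNCATED = B64[:-8]    # last characters lost while copying
```

A changed character that leaves the length intact is not caught by the size check, which is why the fingerprint should be compared with the one your IT team computes from their copy.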

Enter the above listed information into ClickUp:

  1. Browse to the Security & Permissions page in your Workspace settings

  2. Enter the information in the appropriate fields

  3. Click on Save Metadata

Upon saving these fields, you'll be prompted to log in immediately using the new SSO settings. The first-time login process makes sure everything is working!

Important! The first-time login also creates a link between the ClickUp account you are using to set up SSO for your Workspace and the IDP user account that you are logging in with.

Next, we'll verify that your account was linked successfully.

Step 4

Click on My Settings under your user profile settings and scroll all the way to the bottom of the page.

If the first-time login process was successful, you should see that your ClickUp user profile is now linked to your IDP.

You can use the Unlink and Re-link buttons to change which account from your IDP is associated with your ClickUp account.

Set your Login Policy

Each individual user must link their ClickUp account with their account in the IDP in order to log in using SSO.

Browse to the Security & Permissions tab and you'll see the Login Policy section.

You have three options to choose from:

  • Require SSO for all users

  • Require SSO for all users except Guests

  • Using SSO is optional

Require SSO

You can enable your Workspace to enforce SSO when users log into their ClickUp account.

When this option is enabled, each user will be prompted to link their IDP account with on-screen instructions.

You can choose to require SSO for all users except guests by selecting the second option shown above: All users except guests must use SAML auth

The next time users log in, or when newly invited users accept an invitation to join your Workspace, they will see the following screen:

Screenshot showing the 'Sign in with SAML' popup.

  • Azure AD SSO, now known as Microsoft Entra ID, has limited automatic provisioning including user creation and removal. Roles, Custom Roles, and Teams cannot be assigned.
  • Okta SCIM SSO has full automatic provisioning.
  • For all other custom SSOs using SAML:
    • If a newly invited user is creating a brand new ClickUp account, they will set a password for their ClickUp account before accepting the Workspace invitation and setting up SSO using SAML.

    • Once the user completes the sign-in with SAML, their ClickUp account will be linked with their user account from your IDP.

Manual Link

If you do not require SSO to log in to your organization's Workspace, select the third option: Using SAML auth is optional

Each user will have the option to manually link their account in order to use SSO to log in.

Instructions for users:

  1. Click your account avatar.

  2. Click My Settings.

  3. Scroll to the bottom of the My Settings page.

  4. Click Link next to the SAML provider listed under Single Sign On.

  5. Sign in to your IDP user account as prompted.

You can now use SSO to sign into ClickUp! Your Workspace and users can now use SSO with your IDP solution.
