Frequently Asked SSO Questions
Why can't I see the SSO configuration page in Claras?
SSO is enabled as part of our Enterprise Add-on feature, which is additional to our standard plans. Please contact us at support@claras.ai for details.
Do I need to create the user in Claras first?
No. If there's no profile in Claras, we'll create a profile for them the first time they sign in.
Are users notified when they're assigned or provisioned?
No. Users will only be sent an invite email if they are create from the team page.
How can users login?
When SSO is enabled, users can login:
From the normal login page at https://claras.ai/login . After entering their email they'll be directed to your SSO provider, then sent back to Claras once logged in.
By visiting the User access URL generated by your provider. For Microsoft Entra, this is the link on the Office 365 application launcher.
Is MFA still required in Claras if using SSO?
Yes. While your provider will likely already require MFA to login, having an seperate additional authentication factor for Claras provides even stronger security.
What happens if I have existing users in my account?
If assignment is not required, or they have been assigned / provisioned, existing users will be linked to the new SSO authentication method the next time they login. We will match them up using their email. Their existing profile, MFA methods, role, and data will remain the same.
If assignment is required and they haven't been assigned yet, the user will no longer be able to log in to Claras. Their profile will remain untouched.
What happens if a user has signed up and created their own practice?
The next time that user logs in, they will go through the SSO flow and have a separate profile created for your account. This will mean they effectively become locked out of their original account. To have the data from their original account moved across to your account, please reach out to our support team.
If assignment is required in your provider and they haven't been assigned yet, the user will not be able to log in to Claras at all.
How do I add someone with a different role?
Unless you have setup Role Mapping via SCIM group assignments, all new users will automatically be assigned the Adviser role by default. This will be reflected in their permission levels and your billing. There are two ways to manually add users with different roles:
Add them to Claras via the Team page with the desired role first. This is the recommended approach. Then when they are provisioned or login for the first time, we will link them up to that profile and the role will remain unchanged.
Update their role after they've been created, either from signing in for the first time or via provisioning. This will result in a small window of time where they have different permissions and will be billed for the adviser role. Your billing will be pro-rated as soon as the new role is applied. For example, if you change a user's role from Adviser to Assistant 1 hour after they are created, you will only be billed for 1 hour's time on the adviser role, and (1 month - 1 hour) time for the Assistant role.
What happens when a user is removed in my provider?
If you have enabled SCIM, the user will immediately be archived in Claras and their access revoked. Your billing will also be updated immediately (or when the next provisioning cycle runs).
If you don't have SCIM enabled, the user won't be archived in Claras automatically. They may continue to have access until they need to login again - at which point your identity provider will prevent the SSO flow. You will need to manually archive their account in Claras to update your billing.
What happens if I accidentally deprovision a user?
The user will be archived in Claras, but nothing will be deleted. Simply re-assign them to the application and their profile in Claras will become active again when the next provisioning cycle runs.
What SCIM actions are supported?
User is assigned
Users first or last name is updated
Users email is updated
User is unassigned (soft delete)
User is deleted
Group is assigned
Group is unassigned
Group name is updated
Group members are changed
SSO is enabled as part of our Enterprise Add-on feature, which is additional to our standard plans. Please contact us at support@claras.ai for details.
Do I need to create the user in Claras first?
No. If there's no profile in Claras, we'll create a profile for them the first time they sign in.
Are users notified when they're assigned or provisioned?
No. Users will only be sent an invite email if they are create from the team page.
How can users login?
When SSO is enabled, users can login:
From the normal login page at https://claras.ai/login . After entering their email they'll be directed to your SSO provider, then sent back to Claras once logged in.
By visiting the User access URL generated by your provider. For Microsoft Entra, this is the link on the Office 365 application launcher.
Is MFA still required in Claras if using SSO?
Yes. While your provider will likely already require MFA to login, having an seperate additional authentication factor for Claras provides even stronger security.
What happens if I have existing users in my account?
If assignment is not required, or they have been assigned / provisioned, existing users will be linked to the new SSO authentication method the next time they login. We will match them up using their email. Their existing profile, MFA methods, role, and data will remain the same.
If assignment is required and they haven't been assigned yet, the user will no longer be able to log in to Claras. Their profile will remain untouched.
What happens if a user has signed up and created their own practice?
The next time that user logs in, they will go through the SSO flow and have a separate profile created for your account. This will mean they effectively become locked out of their original account. To have the data from their original account moved across to your account, please reach out to our support team.
If assignment is required in your provider and they haven't been assigned yet, the user will not be able to log in to Claras at all.
How do I add someone with a different role?
Unless you have setup Role Mapping via SCIM group assignments, all new users will automatically be assigned the Adviser role by default. This will be reflected in their permission levels and your billing. There are two ways to manually add users with different roles:
Add them to Claras via the Team page with the desired role first. This is the recommended approach. Then when they are provisioned or login for the first time, we will link them up to that profile and the role will remain unchanged.
Update their role after they've been created, either from signing in for the first time or via provisioning. This will result in a small window of time where they have different permissions and will be billed for the adviser role. Your billing will be pro-rated as soon as the new role is applied. For example, if you change a user's role from Adviser to Assistant 1 hour after they are created, you will only be billed for 1 hour's time on the adviser role, and (1 month - 1 hour) time for the Assistant role.
What happens when a user is removed in my provider?
If you have enabled SCIM, the user will immediately be archived in Claras and their access revoked. Your billing will also be updated immediately (or when the next provisioning cycle runs).
If you don't have SCIM enabled, the user won't be archived in Claras automatically. They may continue to have access until they need to login again - at which point your identity provider will prevent the SSO flow. You will need to manually archive their account in Claras to update your billing.
What happens if I accidentally deprovision a user?
The user will be archived in Claras, but nothing will be deleted. Simply re-assign them to the application and their profile in Claras will become active again when the next provisioning cycle runs.
What SCIM actions are supported?
User is assigned
Users first or last name is updated
Users email is updated
User is unassigned (soft delete)
User is deleted
Group is assigned
Group is unassigned
Group name is updated
Group members are changed
Updated on: 13/05/2025
Thank you!