Registering Your SP
Sign in to the SP Portal
Go to portal.clickid.eu and click Sign in. If you do not have an account, click Register on the sign-in page. You will need to verify your email address before you can register SPs.
If running locally, the SP Portal is at http://localhost:3000. Use the admin credentials printed by ./scripts/setup-sp-portal-admin.sh.
Register a new SP
- From the dashboard, click Register SP in the top-right corner.
- Fill in the registration form:
Display name
A human-readable name for your service (e.g. "Acme HR Portal"). This is shown in the ClickID admin interface — it does not appear to end users.
Entity ID
Your SP's SAML entity ID. This is typically a URI; it does not need to be reachable. Examples:
https://yourapp.example.com/saml/metadata
urn:yourorg:yourapp:saml
The entity ID must be unique across all SPs registered with ClickID.
SAML metadata
Provide your SP's SAML metadata using one of two methods:
XML tab (recommended for local development)
Paste the full SAML metadata XML generated by your SP library. It should look like this:
```xml
<?xml version="1.0"?>
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://yourapp.example.com/saml/metadata">
  <md:SPSSODescriptor
      AuthnRequestsSigned="false"
      WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://yourapp.example.com/saml/acs"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```
URL tab (requires a publicly reachable endpoint)
If your SP's metadata URL is publicly reachable, paste the URL here and ClickID will fetch and parse it. Metadata URLs must return application/samlmetadata+xml or application/xml.
During local development your SP is typically at localhost and not reachable from the ClickID servers. Use the XML tab and paste the metadata directly. In production, the URL tab is more convenient because it allows automatic key rollover.
What ClickID configures automatically
When you register an SP, the portal automatically configures the following in Keycloak:
| Setting | Value | Notes |
|---|---|---|
| NameID format | persistent | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |
| NameID mapper | Sector-ID Mapper SPI | Derives pseudonymous 24-char ID |
| Response signing | RSA-SHA256 | Keycloak signs the Response element |
| Assertion signing | Off | Response-level signing is sufficient |
| Assertion encryption | Off | Encrypt transport layer (TLS) instead |
| ACS binding | HTTP-POST | |
| AuthnRequest binding | HTTP-Redirect | |
| Allowed clock skew | 30 seconds | |
You do not need to configure any of this yourself.
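A pre-submission check of your SP metadata against the settings in the table above, as an added example (not ClickID's own code). The function name `check_sp_metadata`, the rule that ACS URLs must be https outside localhost, and the sample metadata are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
LOCAL_HOSTS = {"localhost", "127.0.0.1"}  # plain http tolerated only here (assumption)

# Constructed sample with three deliberate mismatches; not real ClickID data.
SAMPLE_BAD = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="urn:yourorg:yourapp:saml">'
    '<md:SPSSODescriptor WantAssertionsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:AssertionConsumerService '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="http://yourapp.example.com/saml/acs" index="1"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)

def check_sp_metadata(xml_text):
    """Return (entity_id, problems) for metadata your own SP library generated."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        return None, ["root element is not md:EntityDescriptor"]
    entity_id = root.get("entityID")
    problems = [] if entity_id else ["entityID attribute is missing"]
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        return entity_id, problems + ["no md:SPSSODescriptor element"]
    # The table lists assertion signing as Off: an SP that insists on signed
    # assertions does not match what the IdP will send.
    if sp.get("WantAssertionsSigned", "false").lower() == "true":
        problems.append("WantAssertionsSigned=true, but only the Response is signed")
    acs_list = sp.findall(MD + "AssertionConsumerService")
    # The table lists HTTP-POST as the ACS binding.
    if not any(acs.get("Binding") == HTTP_POST for acs in acs_list):
        problems.append("no AssertionConsumerService with the HTTP-POST binding")
    for acs in acs_list:
        url = urlparse(acs.get("Location", ""))
        # With assertion encryption Off, TLS is what protects the POSTed Response.
        if url.scheme != "https" and url.hostname not in LOCAL_HOSTS:
            problems.append(f"ACS Location {acs.get('Location')!r} is not https")
    return entity_id, problems

if __name__ == "__main__":
    entity_id, problems = check_sp_metadata(SAMPLE_BAD)
    print(entity_id)
    for p in problems:
        print(" -", p)
```

Because assertions are unsigned, your SP library must verify the Response signature and accept only assertions contained in that signed Response.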
After registration
Once registration succeeds, you will see your SP listed under Sandbox SPs with the status Active. The panel shows:
- Sandbox IdP metadata URL — use this URL in your SP configuration for testing:
  https://auth.clickid.eu/realms/clickid-sandbox/protocol/saml/descriptor
- Entity ID — confirms the entity ID Keycloak has registered
- Go live button — available once you have tested the sandbox integration
Update your SP to use the sandbox IdP metadata URL and test the login flow. See Demo Flow Walkthrough for a step-by-step test guide.
Updating your SP registration
If your SP metadata changes (e.g. you rotate your SP signing certificate or change your ACS URL), return to the SP Portal, find your SP in the dashboard, and click Update Metadata. Paste or re-fetch the updated metadata XML.
If you change your ACS URL, your users' sessions will be invalidated at the IdP side on next login (the browser will be redirected to the new ACS URL). Plan ACS URL changes carefully in production.