diff --git a/docs/authentication/enterprise-connections/oidc/custom-provider.mdx b/docs/authentication/enterprise-connections/oidc/custom-provider.mdx index 6047a93772..fbbdaa9838 100644 --- a/docs/authentication/enterprise-connections/oidc/custom-provider.mdx +++ b/docs/authentication/enterprise-connections/oidc/custom-provider.mdx 
@@ -54,23 +54,12 @@ To make the setup process easier, it's recommended to keep two browser tabs open ### Configure attribute mapping (optional) - Attribute mapping allows you to map the IdP's claims with Clerk's user properties such as the `email_verified`. OIDC Enterprise connections require the [`email_verified` claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims:~:text=Section%C2%A05.7.-,email_verified,-boolean) to verify email ownership. However, some IdPs, such as Microsoft Azure Active Directory, might not return this claim or use a non-standard format. - - To enable attribute mapping: - - 1. In the Clerk Dashboard, navigate to the **Connection** tab of the connection's settings page. - 1. In the **Attribute Mapping** section, under the **Email address verified** field: - - - If the IdPs that provide the value, enter `email_verified`. - - For IdPs that do not provide the value, enter `xms_edov`. - - 1. Set **Default value** to **True**. - 1. Select **Save**. + Clerk expects the claims returned to follow the [OIDC Standard](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). If your provider returns claims in a non-standard format, use the **Attribute Mapping** section on the connection's configuration page to adjust the mapping of Clerk's user properties to match the IdP's claim attributes. > [!WARNING] - > If the IdP doesn't return this claim, you can either leave the **Email address verified** field blank or set the **Default value** to `True`. This should only be done if you fully trust the IdP, as it can expose your app to [OAuth attacks](https://www.descope.com/blog/post/noauth). + > OIDC Enterprise connections require the [`email_verified`](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims:~:text=Section%C2%A05.7.-,email_verified,-boolean) claim to verify email ownership. However, some IdPs, such as Microsoft Azure Active Directory, might not return this claim or use a non-standard format. 
> - > For Microsoft Azure Active Directory connections: Use the [`xms_edov`](https://learn.microsoft.com/en-us/entra/identity-platform/migrate-off-email-claim-authorization#using-the-xms_edov-optional-claim-to-determine-email-verification-status-and-migrate-users) claim to verify email ownership, as Microsoft might not return the standard `email_verified` claim. + > If the IdP doesn't return this claim, you can leave the **Email address verified** field blank and set the **Default value** to *True*. This should only be done if you fully trust the IdP, as it can expose your app to [OAuth attacks](https://www.descope.com/blog/post/noauth). ### Allow additional identifiers (optional) @@ -84,8 +73,6 @@ To make the setup process easier, it's recommended to keep two browser tabs open To make the connection available for your users to authenticate with: - To make the connection available for your users to authenticate with: - 1. Navigate back to the Clerk Dashboard where you should still have the connection's configuration page open. If not, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page and select the connection. 1. At the top of the page, toggle on **Enable connection** and select **Save**.
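Review bot: In the first hunk (`@@ -54,23 +54,12 @@`), removing the `xms_edov` guidance creates a security gap in the rewritten warning. The deleted lines told readers with IdPs that do not return `email_verified` (Microsoft Azure Active Directory in particular) to map the `xms_edov` claim in the **Email address verified** field, with a link to the Microsoft documentation; the new warning still states that Azure AD "might not return this claim or use a non-standard format" but the only remaining remedy it documents is to leave the field blank and set **Default value** to *True*, which the same paragraph says can expose the app to the linked OAuth attacks. Suggest keeping the safer option in the warning, for example restoring `> For Microsoft Azure Active Directory connections: Use the [`xms_edov`](https://learn.microsoft.com/en-us/entra/identity-platform/migrate-off-email-claim-authorization#using-the-xms_edov-optional-claim-to-determine-email-verification-status-and-migrate-users) claim to verify email ownership` ahead of the default-value fallback, so that trusting the IdP unconditionally reads as the last resort rather than the only documented path. One more wording check on the same hunk: the old text said "either leave the **Email address verified** field blank or set the **Default value** to `True`" and the new text says "leave the field blank and set the **Default value** to *True*"; if a blank mapping by itself does not cause the default to apply, the new "and" is the accurate instruction and the change is an improvement, but please confirm that is the actual behaviour being described.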