Merge branch 'main' into emmanouela/user-751-update-docs-about-export…

…-users
clerk · Oct 22, 2024 · 83671f6 · 83671f6
2 parents fbd9391 + 2b373d4
commit 83671f6
Show file tree

Hide file tree

Showing 67 changed files with 666 additions and 392 deletions.
diff --git a/docs/authentication/configuration/sign-up-sign-in-options.mdx b/docs/authentication/configuration/sign-up-sign-in-options.mdx
@@ -144,7 +144,7 @@ To configure verification methods:
 
 1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username) and select your application.
 1. In the navigation sidebar, select **User & Authentication > Email, Phone, Username**.
-1. Select the settings cog icon next to the identifier, such as **Email address** or **Phone number**, to open the configuration settings.
+1. Select the settings icon next to the identifier, such as **Email address** or **Phone number**, to open the configuration settings.
 1. Under the **Verification methods** section, toggle on the verification methods you would like to enable.
 1. Select **Continue** to save your changes.
 

diff --git a/docs/authentication/saml/account-linking.mdx b/docs/authentication/saml/account-linking.mdx
@@ -28,7 +28,7 @@ To allow unverified email addresses for your instance:
 
 1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username)
 1. In the navigation sidebar, select **Email, Phone, Username**.
-1. Next to **Email address**, select the settings cog icon and uncheck the **Verify at sign-up** toggle.
+1. Next to **Email address**, select the settings icon and uncheck the **Verify at sign-up** toggle.
 
 When a user signs into your app using a SAML provider, Clerk links the SAML account to the existing account by also verifying the existing email address and signs the user in. This even applies to password-protected accounts, as the SAML sign-in process automatically bypasses password verification.
 

diff --git a/docs/authentication/saml/authentication-flows.mdx b/docs/authentication/saml/authentication-flows.mdx
@@ -3,63 +3,61 @@ title: SAML SSO authentication flows
 description: Learn about the SAML SSO authentication flows.
 ---
 
-The SAML protocol supports two different methods in order to start an SSO flow: SP-initiated and IdP-initiated. This guide will explore the differences between the two.
+The SAML protocol supports two methods to start an SSO flow: Service Provider-initiated (SP-initiated) and Identity Provider-initiated (IdP-initiated).
 
-## SP-initiated flow (recommended)
+## Service Provider-initiated flow (recommended)
 
 In an SP-initiated flow:
 
-- The user starts the authentication flow from your application (SP), by providing the email address.
-- The user is redirected to the SAML provider (IdP) where they must authenticate themselves.
+- The user starts the authentication process from your application (Service Provider, or SP), by providing their email address.
+- The user is redirected to the SAML provider (Identity Provider, or IdP) where they must authenticate.
 - After successful authentication, the user is redirected back to your application, gaining access to their account.
 
-## IdP-initiated flow
+## Identity Provider-initiated flow
 
 In an IdP-initiated flow:
 
-- The user starts the authentication flow from the SAML provider (IdP), by selecting which application (SP) they would like to access.
+- The user starts the authentication flow from the SAML provider (IdP) by selecting which application (SP) they want to access.
 - The user is redirected to the application of their choice, gaining access to their account.
 
 > [!NOTE]
-> IdP-Initiated flow carries [a security risk](#risks-of-id-p-initiated-flow). We recommend using a SP-Initiated flow whenever possible.
+> IdP-Initiated flow carries a [security risk](#risks-of-id-p-initiated-flow). It is recommended to use an SP-Initiated flow whenever possible.
 
-To allow IdP-initiated flows for your SAML Connection:
+To allow IdP-initiated flows for your SAML connection:
 
-1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections).
-1. In the top navigation, select **Configure**. Then in the sidebar, select **SSO Connections**.
-1. Select the SAML connection you want to enable IdP-initiated flow for.
+1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
+1. Select **Add connection** and select **For specific domains**.
+1. Select your **Identity Provider**. Complete the fields and select **Add connection**. You'll be redirected to the SAML connection's configuration page.
 1. Select the **Advanced** tab.
-1. Toggle on **Allow IdP-Initiated flow**.
+1. In **Advanced Settings**, enable **Allow IdP-Initiated flow**. A modal will open. Select **Enable** to confirm.
+1. Select **Save**.
 
 ### Risks of IdP-initiated flow
 
-While IdP-initiated flows may offer a layer of convenience for your users, it is also potentially susceptible to MITM (meddler-in-the-middle) attacks in which a bad actor may be able to hijack the IdP response and uses it to gain access to a compromised account.
+While IdP-initiated flows might offer convenience, they are also susceptible to security risks, such as [meddler-in-the-middle (MITM) attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). A bad actor might hijack the IdP response to gain access to a compromised account.
 
-By enabling an IdP-Initiated flow, it's possible for Clerk to receive unsolicited authentication requests and neither the Service Provider nor the Identity Provider will be able to verify that the flow was initiated by the specified user.
+When enabling an IdP-initiated flow, it is possible for Clerk to receive unsolicited authentication requests, which neither the SP nor IdP can verify were initiated by the specified user. Additionally, a bad actor could intercept the IdP response and replace it, performing a CSRF attack to sign in as the attacker.
 
-A bad actor could also can intercept the IdP response and replace it with another to make the target user sign in as the attacker, performing a Login CSRF attack.
+### Clerk's security measures
 
-To this end, Clerk recommends using the [SP-initiated flow](#sp-initiated-flow-recommended).
-
-That said, in order to protect and offer the best possible security for your application and users, Clerk mitigates these risks by implementing several security measures:
+To mitigate the risks associated with IdP-initiated flows, Clerk implements several security measures:
 
 #### Unsolicited `InResponseTo` attribute
 
-In accordance with the [SAML 2.0 profiles specification](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf), Clerk ensures that an unsolicited response does not contain an `InResponseTo` attribute.
-
-This prevents bad actors from stealing a response used in an SP-initiated flow and using it in an IdP-initiated flow.
+Clerk ensures that unsolicited responses don't contain an `InResponseTo` attribute, in accordance with the [SAML 2.0 profiles specification](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf). This prevents bad actors from stealing a response used in an SP-initiated flow and using it in an IdP-initiated flow.
 
 #### Replay detection
 
-Clerk prevents responses from being re-used by consuming them and remembering which have already been used.
-This prevents bad actors from stealing and reusing a response to gain access to a user's account.
+Clerk consumes and remembers each response to prevent re-use. This ensures that bad actors cannot steal and reuse a response to gain access to a user's account.
 
 #### Multi-factor authentication
 
-Multi-factor authentication (MFA) is a security mechanism that requires users to provide two or more forms of verification before gaining access to their account. By enforcing two different types of verifications, you can drastically improve your user's security.
-
-Clerk supports MFA for a SAML IdP-initiated flow.
+Clerk supports [multi-factor authentication (MFA)](/docs/authentication/configuration/sign-up-sign-in-options#multi-factor-authentication) for SAML IdP-initiated flows. MFA requires users to provide two or more forms of verification, which significantly enhances security by reducing the risk of unauthorized access.
 
 #### Use small validation periods
 
-Each SAML response defines when they were issued and when they will expire. As an IdP-initiated flow is expected to be completed within a time frame of seconds, you must ensure that these validation periods are as small as possible to prevent attacks. Common providers, such as Azure, Google, and Okta, handle this. However, if you are using a custom IdP, you must ensure that the validation periods are set correctly.
+Each SAML response contains a timestamp indicating when it was issued and when it will expire. Since IdP-initiated flows are expected to be completed within seconds, validation periods must be as small as possible to prevent attacks. Common IdP providers such as Azure, Google, and Okta handle this by default. However, if you are using a custom IdP, you must ensure that the validation periods are set correctly.
+
+### Conclusion
+
+For the best security practices, Clerk recommends using the SP-initiated flow wherever possible. If you decide to enable IdP-initiated flows, ensure that proper security measures—such as MFA, replay detection, and short validation periods—are in place to mitigate the associated risks.
diff --git a/docs/authentication/saml/custom-provider.mdx b/docs/authentication/saml/custom-provider.mdx
@@ -81,7 +81,7 @@ Clerk supports Enterprise SSO via the SAML protocol, enabling you to create auth
   1. In your IdP dashboard, paste the values in the appropriate fields.
 
   > [!TIP]
-  > If you closed your connection's configuration page in the Clerk Dashboard, you can find it by navigating to the [SSO Connections](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page and selecting the settings cog icon next to the connection you want to configure.
+  > If you closed your connection's configuration page in the Clerk Dashboard, you can find it by navigating to the [SSO Connections](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page and selecting the settings icon next to the connection you want to configure.
 
   ### Map your IdP's claims to Clerk fields
 

diff --git a/docs/authentication/saml/overview.mdx b/docs/authentication/saml/overview.mdx
@@ -40,7 +40,7 @@ The users will not be deleted, so your application will not break. However, they
 
 ### Does Clerk support IdP-initiated SSO?
 
-Yes, Clerk supports both SP-initiated and IdP-initiated SSO flows.
+Yes, Clerk supports both Service Provider-initiated (SP-initiated) and Identity Provider-initiated (IdP-initiated) SSO flows. [Learn more](/docs/authentication/saml/authentication-flows).
 
 ### How much does it cost?
 

diff --git a/docs/authentication/social-connections/account-linking.mdx b/docs/authentication/social-connections/account-linking.mdx
@@ -25,7 +25,7 @@ In this scenario, when a user with a verified email address at Clerk signs in us
 
 For instances that allow account creation without email verification at sign-up, there is a possibility that an account may be created using an unverified email address, either through OAuth or other methods like username/password.
 
-To allow unverified email addresses for your instance, navigate to the [Email, Phone, Username](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username) page in the Clerk Dashboard. Click on the settings cog icon next to "Email address" and uncheck the "Verify at sign-up" toggle.
+To allow unverified email addresses for your instance, navigate to the [Email, Phone, Username](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username) page in the Clerk Dashboard. Click on the settings icon next to "Email address" and uncheck the "Verify at sign-up" toggle.
 
 ![Verify at sign-up toggle in the Clerk Dashboard](/docs/images/authentication/account-linking-verify-at-sign-up.webp)
 

diff --git a/docs/authentication/social-connections/atlassian.mdx b/docs/authentication/social-connections/atlassian.mdx
@@ -7,7 +7,7 @@ How to set up social connection with Atlassian
 
 ## Overview
 
-Adding social connection with Atlassian to your app with Clerk is done in a few steps - you will need to populate the **Client ID**, **Client Secret** and **Authorized redirect URI** in your instance settings.
+Adding social connection with Atlassian to your app with Clerk is done in a few steps - you will need to populate the **Client ID**, **Client Secret** and **Redirect URI** in your instance settings.
 
 To make the development flow as smooth as possible, Clerk uses  preconfigured shared OAuth credentials and redirect URIs for development instances - no other configuration is needed.
 
@@ -49,7 +49,7 @@ This is done by navigating to the Authorization section and clicking on Add.
 
 ![Atlassian OAuth 2.0 Authorization page](/docs/images/authentication-providers/atlassian/3d60a54bb48c03257afbf769f1f50cf45f18871c-3456x1730.png)
 
-In this section, you will need to paste the Authorized redirect URI that Clerk has provided for you.
+In this section, you will need to paste the Redirect URI that Clerk has provided for you.
 
 ![Atlassian OAuth 2.0 App callback URL settings](/docs/images/authentication-providers/atlassian/a6dc9bd0902359cad9c94de1bdcbd4c9112bff1d-3456x1730.png)
 

diff --git a/docs/authentication/social-connections/bitbucket.mdx b/docs/authentication/social-connections/bitbucket.mdx
@@ -7,7 +7,7 @@ How to set up social connection with Bitbucket
 
 ## Overview
 
-Adding social connection with Bitbucket to your app with Clerk is done in a few steps - you will need to populate the **Client ID**, **Client Secret** and **Authorized redirect URI** in your instance settings.
+Adding social connection with Bitbucket to your app with Clerk is done in a few steps - you will need to populate the **Client ID**, **Client Secret** and **Redirect URI** in your instance settings.
 
 To make the development flow as smooth as possible, Clerk uses  preconfigured shared OAuth credentials and redirect URIs for development instances - no other configuration is needed.
 
@@ -37,7 +37,7 @@ From there, click on the desired existing workspace or create a new one, then na
 
 You will need to create a consumer if you don't have one already.
 
-The first important setting for the connection to work is the **Callback URL**. Paste the **Authorized redirect URI** from your Clerk Bitbucket settings in this field:
+The first important setting for the connection to work is the **Callback URL**. Paste the **Redirect URI** from your Clerk Bitbucket settings in this field:
 
 ![OAuth consumer creation](/docs/images/authentication-providers/bitbucket/3c3f5f49188f740839a9e0f348ffe4d34a5300c3-3360x1782.png)
 

diff --git a/docs/authentication/social-connections/box.mdx b/docs/authentication/social-connections/box.mdx
@@ -7,7 +7,7 @@ How to set up social connection with Box
 
 ## Overview
 
-Adding social connection with Box to your app with Clerk is done in a few steps - you only need to set the **Client ID**, **Client Secret** and **Authorized redirect URI** in your instance settings.
+Adding social connection with Box to your app with Clerk is done in a few steps - you only need to set the **Client ID**, **Client Secret** and **Redirect URI** in your instance settings.
 
 To make the development flow as smooth as possible, Clerk uses preconfigured shared OAuth credentials and redirect URIs for development instances - no other configuration is needed.
 

diff --git a/docs/authentication/social-connections/coinbase.mdx b/docs/authentication/social-connections/coinbase.mdx
@@ -7,7 +7,7 @@ How to set up social connection with Coinbase
 
 ## Overview
 
-Adding social connection with Coinbase to your app with Clerk is done in a few steps - you only need to set the **Client ID**, **Client Secret** and **Authorized redirect URI** in your instance settings.
+Adding social connection with Coinbase to your app with Clerk is done in a few steps - you only need to set the **Client ID**, **Client Secret** and **Redirect URI** in your instance settings.
 
 To make the development flow as smooth as possible, Clerk uses preconfigured shared OAuth credentials and redirect URIs for development instances - no other configuration is needed.
 
@@ -29,7 +29,7 @@ You need to set all the required fields and the corresponding **Permitted Redire
 
 ![Creating application](/docs/images/authentication-providers/coinbase/creating-application.jpg)
 
-Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections). In the top navigation, select **Configure**. Then in the sidebar, select **SSO Connections**. Select the **Add connection** button, and select **For all users**. In the **Choose provider** dropdown, select **Coinbase**. Toggle on **Use custom credentials** and copy **Authorized redirect URI**. Make sure the value matches the **Redirect URIs**, as shown below.
+Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections). In the top navigation, select **Configure**. Then in the sidebar, select **SSO Connections**. Select the **Add connection** button, and select **For all users**. In the **Choose provider** dropdown, select **Coinbase**. Toggle on **Use custom credentials** and copy **Redirect URI**. Make sure the value matches the **Redirect URIs**, as shown below.
 
 ![Copying the Client ID and Client Secret from the Box dashboard](/docs/images/authentication-providers/coinbase/copying-values-from-box-dashboard.jpg)
 

diff --git a/docs/authentication/social-connections/discord.mdx b/docs/authentication/social-connections/discord.mdx
@@ -44,15 +44,15 @@ To make the setup process easier, it's recommended to keep two browser tabs open
   1. Select **Add connection** and select **For all users**.
   1. In the **Choose provider** dropdown, select **Discord**.
   1. Ensure that both **Enable for sign-up and sign-in** and **Use custom credentials** are toggled on.
-  1. Save the **Authorized redirect URI** somewhere secure. Keep the modal and page open.
+  1. Save the **Redirect URI** somewhere secure. Keep the modal and page open.
 
   ### Create a Discord Developer app
 
   1. On a separate page, go to the [Discord Developers Portal](https://discord.com/developers/applications) and sign in.
   1. In the top-right, select **New Application**.
   1. Complete the required fields and select **Create**. You'll be redirected to the **General Information** page.
   1. In the sidebar, select **OAuth2**.
-  1. Under **Redirects**, select **Add Redirect**. Paste the **Authorized Redirect URI** you saved from the Clerk Dashboard.
+  1. Under **Redirects**, select **Add Redirect**. Paste the **Redirect URI** you saved from the Clerk Dashboard.
   1. Select **Save Changes**. You may need to tap anywhere on the screen for the button to show. Keep this page open.
 
   ### Set the Client ID and Client Secret in your Clerk Dashboard

diff --git a/docs/authentication/social-connections/dropbox.mdx b/docs/authentication/social-connections/dropbox.mdx
@@ -7,7 +7,7 @@ How to set up social connection with Dropbox
 
 ## Overview
 
-Adding social connection with Dropbox to your app with Clerk is done in a few steps - you only need to set the **Client ID**, **Client Secret** and **Authorized redirect URI** in your instance settings.
+Adding social connection with Dropbox to your app with Clerk is done in a few steps - you only need to set the **Client ID**, **Client Secret** and **Redirect URI** in your instance settings.
 
 To make the development flow as smooth as possible, Clerk uses preconfigured shared OAuth credentials and redirect URIs for development instances - no other configuration is needed.
 
@@ -29,7 +29,7 @@ First, you need to register a new OAuth Dropbox app at the [Dropbox App Console]
 
 First you need to choose the API type, the App's type of access and to set a name for your new application. You also need to add the **OAuth Redirect URLs.**
 
-Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections). In the top navigation, select **Configure**. Then in the sidebar, select **SSO Connections**. Select the **Add connection** button, and select **For all users**. In the **Choose provider** dropdown, select **Dropbox**. Toggle on **Use custom credentials** and copy **Authorized redirect URI**. Paste the value into the **OAuth Redirect URIs** input and click create.
+Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections). In the top navigation, select **Configure**. Then in the sidebar, select **SSO Connections**. Select the **Add connection** button, and select **For all users**. In the **Choose provider** dropdown, select **Dropbox**. Toggle on **Use custom credentials** and copy **Redirect URI**. Paste the value into the **OAuth Redirect URIs** input and click create.
 
 Once all the above are complete, copy the **Client ID** and **Client Secret.** Go back to the Clerk Dashboard and paste them into the respective fields.