Skip to content

Commit

Permalink
Update attribute mapping section
Browse files Browse the repository at this point in the history
  • Loading branch information
Nikpolik committed Dec 10, 2024
1 parent aa8da0c commit 8eb549a
Showing 1 changed file with 3 additions and 16 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -54,23 +54,12 @@ To make the setup process easier, it's recommended to keep two browser tabs open

### Configure attribute mapping (optional)

Attribute mapping allows you to map the IdP's claims with Clerk's user properties such as the `email_verified`. OIDC Enterprise connections require the [`email_verified` claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims:~:text=Section%C2%A05.7.-,email_verified,-boolean) to verify email ownership. However, some IdPs, such as Microsoft Azure Active Directory, might not return this claim or use a non-standard format.

To enable attribute mapping:

1. In the Clerk Dashboard, navigate to the **Connection** tab of the connection's settings page.
1. In the **Attribute Mapping** section, under the **Email address verified** field:

- If the IdPs that provide the value, enter `email_verified`.
- For IdPs that do not provide the value, enter `xms_edov`.

1. Set **Default value** to **True**.
1. Select **Save**.
Clerk expects the claims returned to follow the [OIDC Standard](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). If your provider returns claims in a non-standard format, use the **Attribute Mapping** section on the connection's configuration page to adjust the mapping of Clerk's user properties to match the IdP's claim attributes.

> [!WARNING]
> If the IdP doesn't return this claim, you can either leave the **Email address verified** field blank or set the **Default value** to `True`. This should only be done if you fully trust the IdP, as it can expose your app to [OAuth attacks](https://www.descope.com/blog/post/noauth).
> OIDC Enterprise connections require the [`email_verified`](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims:~:text=Section%C2%A05.7.-,email_verified,-boolean) claim to verify email ownership. However, some IdPs, such as Microsoft Azure Active Directory, might not return this claim or use a non-standard format.
>
> For Microsoft Azure Active Directory connections: Use the [`xms_edov`](https://learn.microsoft.com/en-us/entra/identity-platform/migrate-off-email-claim-authorization#using-the-xms_edov-optional-claim-to-determine-email-verification-status-and-migrate-users) claim to verify email ownership, as Microsoft might not return the standard `email_verified` claim.
> If the IdP doesn't return this claim, you can leave the **Email address verified** field blank and set the **Default value** to `True`. This should only be done if you fully trust the IdP, as it can expose your app to [OAuth attacks](https://www.descope.com/blog/post/noauth).
### Allow additional identifiers (optional)

Expand All @@ -84,8 +73,6 @@ To make the setup process easier, it's recommended to keep two browser tabs open

To make the connection available for your users to authenticate with:

To make the connection available for your users to authenticate with:

1. Navigate back to the Clerk Dashboard where you should still have the connection's configuration page open. If not, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page and select the connection.
1. At the top of the page, toggle on **Enable connection** and select **Save**.

Expand Down

0 comments on commit 8eb549a

Please sign in to comment.