Skip to content

Commit

Permalink
Merge branch 'main' into haris/metamask-wallet
Browse files Browse the repository at this point in the history
  • Loading branch information
victoriaxyz authored Dec 19, 2024
2 parents ceefb41 + d43786b commit c7e36b4
Show file tree
Hide file tree
Showing 23 changed files with 209 additions and 82 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Enterprise SSO authentication flows
description: Learn about the Enterprise SSO authentication flows.
---

There are two types of Enterprise SSO connections: [EASIE](#easie) and [SAML](#saml).
Clerk offers the following types of Enterprise SSO connections: [EASIE](#easie), [SAML](#saml), and [OIDC](#oidc).

## EASIE

Expand Down Expand Up @@ -36,7 +36,7 @@ In an IdP-initiated flow:
To allow IdP-initiated flows for your SAML connection:

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Select your **Identity Provider**. Complete the fields and select **Add connection**. You'll be redirected to the SAML connection's configuration page.
1. Select the **Advanced** tab.
1. In **Advanced Settings**, enable **Allow IdP-Initiated flow**. A modal will open. Select **Enable** to confirm.
Expand All @@ -56,3 +56,7 @@ To mitigate the risks associated with IdP-initiated flows, Clerk implements seve
- **Replay detection**: Clerk consumes and remembers each response to prevent re-use. This ensures that bad actors cannot steal and reuse a response to gain access to a user's account.
- **Multi-factor authentication**: Clerk supports [multi-factor authentication (MFA)](/docs/authentication/configuration/sign-up-sign-in-options#multi-factor-authentication) for SAML IdP-initiated flows. MFA requires users to provide two or more forms of verification, which significantly enhances security by reducing the risk of unauthorized access.
- **Use small validation periods**: Each SAML response contains a timestamp indicating when it was issued and when it will expire. Since IdP-initiated flows are expected to be completed within seconds, validation periods must be as small as possible to prevent attacks. Common IdP providers such as Azure, Google, and Okta handle this by default. However, if you're using a custom IdP, you must ensure that the validation periods are set correctly.

## OIDC

Clerk supports Enterprise SSO via the OpenID Connect (OIDC) protocol, either through [EASIE](#easie) or by [integrating with any OIDC-compatible provider](/docs/authentication/enterprise-connections/oidc/custom-provider).
21 changes: 10 additions & 11 deletions docs/authentication/enterprise-connections/easie/google.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -25,16 +25,16 @@ description: Learn how to allow users to sign up and sign in to your Clerk app w
- Use Google to authenticate users with EASIE SSO.
</TutorialHero>

Enabling EASIE SSO with Google allows your users to sign up and sign in to your Clerk application with their Google account.
Enabling [EASIE SSO](/docs/authentication/enterprise-connections/overview#easie) with Google allows your users to sign up and sign in to your Clerk application with their Google account.

## Configure for your development instance

For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed.

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Under **EASIE**, select **Google** as the identity provider.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **EASIE**, select **Google**.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Select **Add connection**.

## Configure for your production instance
Expand All @@ -50,21 +50,20 @@ To make the setup process easier, it's recommended to keep two browser tabs open
### Enable Google as an EASIE connection

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Below EASIE, select **Google** as the identity provider.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application.
1. Ensure that **Use custom credentials** is toggled on.
1. Save the **Redirect URI** somewhere secure. Keep this page open.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **EASIE**, select **Google**.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Save the **Redirect URI** somewhere secure. Keep this modal open to enter the OAuth credentials in the following steps.

### Create a Google Developer project

1. Navigate to the [Google Cloud Console](https://console.cloud.google.com/).
1. Select a project or [create a new one](https://console.cloud.google.com/projectcreate).
1. If the **APIs & Services** page isn't already open, open the menu on the left and select **APIs & Services**.
1. In the menu on the left, select **Credentials**.
1. In the left sidebar, select **Credentials**.
1. Select **Create Credentials**. Then, select **OAuth client ID.** You may need to [configure your OAuth consent screen](https://support.google.com/cloud/answer/6158849?hl=en#userconsent\&zippy=%2Cuser-consent).
1. Select the appropriate application type for your project. Most likely, you will choose **Web application**.
1. In the **Authorized redirect URIs** setting, paste the **Redirect URI** value you saved from the Clerk Dashboard.
1. In the **Authorized redirect URIs** section, select **Add URI** and paste the **Redirect URI** value you saved from the Clerk Dashboard.
1. Select **Create**.

### Set the Client ID and Client Secret in the Clerk Dashboard
Expand Down
36 changes: 17 additions & 19 deletions docs/authentication/enterprise-connections/easie/microsoft.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -25,16 +25,16 @@ description: Learn how to allow users to sign up and sign in to your Clerk app w
- Use Microsoft to authenticate users with EASIE SSO.
</TutorialHero>

Enabling EASIE SSO with Microsoft (formerly [Active Directory](https://learn.microsoft.com/en-us/entra/fundamentals/new-name)) allows your users to sign up and sign in to your Clerk application with their Microsoft account.
Enabling [EASIE SSO](/docs/authentication/enterprise-connections/overview#easie) with Microsoft (formerly [Active Directory](https://learn.microsoft.com/en-us/entra/fundamentals/new-name)) allows your users to sign up and sign in to your Clerk application with their Microsoft account.

## Configure for your development instance

For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed.

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select the **Add connection** button, and select **For specific domains**.
1. Under **EASIE**, select **Microsoft** as the identity provider.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **EASIE**, select **Microsoft**.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Select **Add connection**.

## Configure for your production instance
Expand All @@ -50,23 +50,22 @@ To make the setup process easier, it's recommended to keep two browser tabs open
### Enable Microsoft as an EASIE connection

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Under **EASIE**, select **Microsoft** as the identity provider.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
1. Ensure that **Use custom credentials** is toggled on.
1. Save the **Redirect URI** somewhere secure. Keep this page open.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **EASIE**, select **Microsoft**.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Save the **Redirect URI** somewhere secure. Keep this modal open to enter the OAuth credentials in the following steps.

### Create a Microsoft Entra ID app

> [!TIP]
> If you already have a Microsoft Entra ID app you'd like to connect to Clerk, select your app from the [Microsoft Azure portal](https://portal.azure.com/#home) and skip to [the next step in this tutorial](#get-your-client-id-and-client-secret).
1. On the homepage of the [Microsoft Azure portal](https://portal.azure.com/#home), in the **Azure services** section, select **[Microsoft Entra ID](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview)**.
1. In the sidebar, open the **Manage** dropdown and select **[App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)**.
1. In the left sidebar, in the **Manage** dropdown, select **[App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)**.
1. Select **New Registration**. You'll be redirected to the **Register an application** page.
1. Complete the form as follows:
1. Under **Name**, enter your app name.
1. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**.
1. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**.
1. Under **Redirect URI (Optional)**, select **Web**.
1. Select **Register** to submit the form.

Expand All @@ -79,24 +78,23 @@ To make the setup process easier, it's recommended to keep two browser tabs open
This claim is mandatory for applications backing EASIE connections. To enable it, you must:

1. In the Microsoft Azure portal, navigate to your app.
1. In the sidebar, select **Token configuration**.
1. In the left sidebar, in the **Manage** dropdown, select **Token configuration**.
1. Select **Add optional claim**.
1. For the **Token type**, select **ID**. Then, in the table that opens, enable the `email` and `xms_pdl` claims.
1. At the bottom of the modal, select **Add**. A new modal will prompt you to turn on the Microsoft Graph email permission. Enable it, then select **Add** to complete the form.
1. Repeat the previous steps for **Token type**, but select **Access** instead of **ID**. The **Optional claims** list should now show two claims for `email` and two for `xms_pdl`: one each for **ID** and **Access**.
1. In the sidebar, go to **Manifest**.
1. Repeat the previous steps but for **Token type**, select **Access** instead of **ID**. The **Optional claims** list should now show two claims for `email` and two for `xms_pdl`: one each for **ID** and **Access**.
1. In the left sidebar, in the **Manage** dropdown, select **Manifest**.
1. In the text editor, search for `"acceptMappedClaims"` and set its value from `null` to `true`.
1. Search for `"optionalClaims"`, where you'll find the `idToken` and `accessToken` arrays. Each array has an object with the name `xms_pdl`. Change the name to `xms_edov`.
1. At the top of the page, select **Save**.
1. In the sidebar, navigate back to **Token configuration** and confirm that the **Optional claims** list includes two claims for `email` and two for `xms_edov`: one each for **ID** and **Access**.
1. In the left sidebar, in the **Manage** dropdown, select **Token configuration** to confirm that the **Optional claims** list includes two claims for `email` and two for `xms_edov`: one each for **ID** and **Access**.

With these steps complete, Microsoft will send the `xms_edov` claim in the token, which Clerk will use to determine whether the email is verified, even when used with Microsoft Entra ID.

### Get your client ID and client secret

Once your Microsoft Entra ID app is created, or once you select your app from the Microsoft Azure portal, you'll be redirected to its **Overview**.

1. From your app's overview, save the **Application (client) ID** somewhere secure. You'll need it to connect your Microsoft Entra ID app to your Clerk app.
1. In the left sidebar, select **Overview**.
1. Save the **Application (client) ID** somewhere secure. You'll need it to connect your Microsoft Entra ID app to your Clerk app.
1. Under **Client credentials**, select **Add a certificate or secret** to generate a **Client Secret**. You'll be redirected to the **Certificate & secrets** page.
1. Select **New client secret**. In the modal that opens, enter a description and set an expiration time for your secret.
> [!IMPORTANT]
Expand All @@ -112,7 +110,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open
To connect your Clerk app to your Microsoft app, set the **Redirect URI** in your Microsoft Azure portal.

1. Navigate back to the Microsoft Azure portal.
1. In the sidebar, open the **Manage** dropdown and select **Authentication**.
1. In the left sidebar, in the **Manage** dropdown, select **Authentication**.
1. Select **Add a platform**.
1. Select **Web**.
1. In the **Redirect URIs** field and the **Front-channel logout URL** field, paste the **Redirect URI** you copied from the Clerk Dashboard.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,11 +28,11 @@ To make the setup process easier, it's recommended to keep two browser tabs open
## Set up an enterprise connection in Clerk

1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Under **Third party**, select **OpenID Connect (OIDC)**.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **OpenID Connect (OIDC)**, select **Custom OIDC Provider**.
1. Add the **Name** of the connection.
1. Add the **Key** of the provider. This is the provider's unique identifier (cannot be changed after creation).
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Select **Add connection**. You will be redirected to the connection's configuration page. Keep this page open.

## Configure your IdP
Expand Down
12 changes: 6 additions & 6 deletions docs/authentication/enterprise-connections/saml/azure.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -30,13 +30,13 @@ To make the setup process easier, it's recommended to keep two browser tabs open
To create a SAML connection in Clerk:

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Under **SAML**, select **Microsoft Entra ID (Formerly AD)** as the identity provider.
1. Add the **Name** of the connection. This is the name that will be displayed on the sign-in form.
1. Enter the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **SAML**, select **Microsoft Entra ID (Formerly AD)**.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Enter the **Name**. This will be displayed on the sign-in form.
1. Select **Add connection**. You'll be redirected to the connection's configuration page.
1. Find the **Service Provider Configuration** section.
1. Save the **Identifier (Entity ID)** and **Reply URL (Assertion Consumer Service URL)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. Leave this page open.
1. In the **Service Provider Configuration** section, save the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step.
1. Keep this page open.

## Create a new enterprise app in Microsoft

Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
title: Add a custom Identity Provider as a SAML connection
description: Learn how to integrate an Identity Provider with Clerk using SAML SSO.
title: Add a custom Identity Provider (IdP) as a SAML connection
description: Learn how to integrate an Identity Provider (IdP) with Clerk using SAML SSO.
---

<TutorialHero
Expand All @@ -20,19 +20,21 @@ description: Learn how to integrate an Identity Provider with Clerk using SAML S
- Use a custom IdP to enable single sign-on (SSO) via SAML for your Clerk application.
</TutorialHero>

Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an Identity Provider (IdP). Currently, Clerk offers direct integrations with [Microsoft Azure AD](/docs/authentication/enterprise-connections/saml/azure), [Google Workspace](/docs/authentication/enterprise-connections/saml/google), and [Okta Workforce](/docs/authentication/enterprise-connections/saml/okta) as IdPs. However, you can also integrate with any other IdP that supports the SAML protocol. This guide will show you how to set up a SAML connection with a custom IdP in Clerk.
Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an Identity Provider (IdP). Currently, Clerk offers direct integrations with the following IdPs: [Microsoft Azure AD](/docs/authentication/enterprise-connections/saml/azure), [Google Workspace](/docs/authentication/enterprise-connections/saml/google), and [Okta Workforce](/docs/authentication/enterprise-connections/saml/okta). However, you can also integrate with any other IdPs that supports the SAML protocol.

This guide shows you how to set up a SAML connection with a custom IdP in Clerk.

<Steps>
## Set up an enterprise connection in Clerk

To create a SAML connection in Clerk:

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **SAML**, select **Custom SAML Provider**.
1. Add the **Name** of the connection. This is the name that will be displayed in the sign-in form.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application.
1. Select **Add connection**. You will be redirected to the connection's configuration page.
1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**.
1. Enter the **Name**. This will be displayed on the sign-in form.
1. Select **Add connection**. You'll be redirected to the connection's configuration page.

## Create a new enterprise application in your IdP

Expand Down
Loading

0 comments on commit c7e36b4

Please sign in to comment.