diff --git a/docs/authentication/enterprise-connections/oidc/custom-provider.mdx b/docs/authentication/enterprise-connections/oidc/custom-provider.mdx
new file mode 100644
index 0000000000..3ae5b0ce3f
--- /dev/null
+++ b/docs/authentication/enterprise-connections/oidc/custom-provider.mdx
@@ -0,0 +1,88 @@
+---
+title: Add a custom OpenID Connect (OIDC) Provider as an enterprise connection
+description: Learn how to integrate a custom OIDC provider with Clerk for Enterprise SSO.
+---
+
+
+ - Add a custom OIDC provider to authenticate users with Enterprise SSO
+
+
+This guide explains how to use a custom [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works) provider to authenticate users via Enterprise SSO.
+
+To make the setup process easier, it's recommended to keep two browser tabs open: one for the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) and one for your Identity Provider (IdP).
+
+
+ ### Set up an enterprise connection in Clerk
+
+ 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
+ 1. Select **Add connection** and select **For specific domains**.
+ 1. Under **Third party**, select **OpenID Connect (OIDC)**.
+ 1. Add the **Name** of the connection.
+ 1. Add the **Key** of the provider. This is the provider's unique identifier (cannot be changed after creation).
+ 1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
+ 1. Select **Add connection**. You will be redirected to the connection's configuration page. Keep this page open.
+
+ ### Configure your IdP
+
+ 1. If necessary, create a new application in your IdP.
+ 1. In the connection's configuration page of the Clerk Dashboard, copy the **Authorized redirect URI**.
+ 1. Add the value to your IdP's whitelisted URLs.
+ 1. Find your application's **Discovery Endpoint**, **Client ID**, and **Client Secret** and copy them.
+
+ ### Set the Discovery Endpoint, Client ID, and Client Secret in Clerk
+
+ 1. In your IdP settings, copy your application's **Discovery Endpoint**, **Client ID**, and **Client Secret**.
+ 1. In the connection's configuration page in the Clerk Dashboard, paste these values in their respective fields.
+ 1. Under **Scopes**, add the minimum required scopes based on the IdP's documentation if needed. Common OIDC scopes include `openid`, `email`, and `profile`.
+ 1. Select **Save**.
+
+ > [!NOTE]
+ > Most IdPs provide a **Discovery Endpoint** to retrieve metadata about an OIDC provider. If your IdP doesn't offer this endpoint or if you need greater control over the setup process, in the connection's configuration page in the Clerk Dashboard, find the **Identity Provider Configuration** section and select **Use Manual Configuration** to manually configure the connection.
+
+ ### Configure attribute mapping (optional)
+
+ Clerk expects the claims returned by your IdP to follow the [OIDC Standard](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). If your provider returns claims in a non-standard format, use the **Attribute Mapping** section on the connection's configuration page to adjust the mapping of Clerk's user properties to match the IdP's claim attributes.
+
+ > [!WARNING]
+ > OIDC Enterprise connections require the [`email_verified`](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims:~:text=Section%C2%A05.7.-,email_verified,-boolean) claim to verify email ownership. However, some IdPs, such as Microsoft Azure Active Directory, might not return this claim or use a non-standard format.
+ >
+ > If the IdP doesn't return this claim, you can leave the **Email address verified** field blank and set the **Default value** to **True**. This should only be done if you fully trust the IdP, as it can expose your app to [OAuth attacks](https://www.descope.com/blog/post/noauth).
+
+ ### Allow additional identifiers (optional)
+
+ User profile information is sourced from the IdP. To allow users to add new identifiers (e.g., email address or phone number) to their profiles:
+
+ 1. In the connection's configuration page of the Clerk Dashboard, navigate to the **Advanced** tab.
+ 1. Enable **Allow additional identifiers**.
+ 1. Select **Save**.
+
+ ### Enable the connection for Clerk
+
+ To make the connection available for your users to authenticate with:
+
+ 1. Navigate back to the Clerk Dashboard where you should still have the connection's configuration page open. If not, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page and select the connection.
+ 1. At the top of the page, toggle on **Enable connection** and select **Save**.
+
+ ### Test your connection
+
+ The simplest way to test your enterprise connection is to visit your Clerk app's [Account Portal](/docs/customization/account-portal/overview), which is available for all Clerk apps out-of-the-box.
+
+ 1. In the Clerk Dashboard, navigate to the [**Account Portal**](https://dashboard.clerk.com/last-active?path=account-portal) page.
+ 1. Next to the **Sign-in** URL, select **Visit**. The URL should resemble:
+ - **For development** – `https://your-domain.accounts.dev/sign-in`
+ - **For production** – `https://accounts.your-domain.com/sign-in`
+ 1. Sign in with your IdP account.
+
diff --git a/docs/authentication/enterprise-connections/overview.mdx b/docs/authentication/enterprise-connections/overview.mdx
index 6961a7c90f..5a8df7cb68 100644
--- a/docs/authentication/enterprise-connections/overview.mdx
+++ b/docs/authentication/enterprise-connections/overview.mdx
@@ -1,15 +1,15 @@
---
-title: Enterprise SSO
+title: Enterprise Single Sign-On (SSO)
description: Clerk provides Enterprise SSO to authenticate users via federated Identity Providers such such as Azure AD, Okta, Google Workspace and more.
---
-With Enterprise SSO, users can sign in seamlessly using their Identity Provider's (IdP) credentials and have their user data synchronized with Clerk. You can learn more about the process in the guides on [authentication flows](/docs/authentication/enterprise-connections/authentication-flows) and [account linking](/docs/authentication/enterprise-connections/account-linking).
+Enterprise Single Sign-On (SSO) allows users to sign in seamlessly using their Identity Provider (IdP) credentials (e.g.,Azure AD, Okta, or Google Workspace) and have their user data synchronized with Clerk. Clerk supports multiple protocols for implementing Enterprise SSO, including SAML and OIDC. Learn more about the process in the guides on [authentication flows](/docs/authentication/enterprise-connections/authentication-flows) and [account linking](/docs/authentication/enterprise-connections/account-linking).
## SAML
Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an IdP. The following IdPs are supported: [Microsoft Azure AD](/docs/authentication/enterprise-connections/saml/azure), [Google Workspace](/docs/authentication/enterprise-connections/saml/google), and [Okta Workforce](/docs/authentication/enterprise-connections/saml/okta). However, you can also [integrate with any other IdP](/docs/authentication/enterprise-connections/saml/custom-provider) that supports the SAML protocol.
-### Allow subdomains
+#### Allow subdomains
Authenticating via SAML SSO requires the user's email address domain to match the exact domain the SAML connection has been configured with. By default, subdomains are not supported. For example, a user with the email address `john@sales.example.com` wouldn't be able to use a SAML connection with the `example.com` domain to authenticate.
@@ -24,7 +24,11 @@ To configure subdomains for a SAML connection:
> [!NOTE]
> To enable the **Allow subdomains** option, your SAML connection domain must be an [eTLD+1](https://developer.mozilla.org/en-US/docs/Glossary/eTLD).
-## EASIE
+## OIDC
+
+Clerk supports Enterprise SSO via the OpenID Connect (OIDC) protocol, either through [EASIE](#easie) or by [integrating with any OIDC-compatible provider](/docs/authentication/enterprise-connections/oidc/custom-provider).
+
+### EASIE
[EASIE](https://easie.dev) SSO is a way for applications to provide enterprise-grade SSO through a multi-tenant OpenID provider. It is designed to be an easier alternative to SAML SSO.
@@ -33,7 +37,7 @@ The following IdPs are supported: Google Workspace and Microsoft Entra ID. For _
- [Google](/docs/authentication/social-connections/google)
- [Microsoft](/docs/authentication/social-connections/microsoft)
-### Automatic deprovisioning
+#### Automatic deprovisioning
Clerk prevents users linked to deprovisioned accounts in the OpenID provider from accessing the app.
@@ -41,7 +45,7 @@ Within 10 minutes of a user being removed from the OpenID provider (e.g. [suspen
It is ultimately the app's responsibility to handle this unauthenticated state and display something appropriate to the user. For example, Next.js apps using [`auth.protect()`](/docs/references/nextjs/auth#auth-protect) will automatically redirect the user to the sign-in page.
-## SAML vs. EASIE
+### SAML vs. EASIE
The primary security difference between EASIE SSO and SAML SSO is that EASIE depends on a multi-tenant identity provider, while SAML depends on a single-tenant identity provider. Relying on a multi-tenant provider **increases** the risk that a user from one tenant will mistakenly be granted access to the resources of another tenant. While Clerk implements [measures to address this risk](https://easie.dev/#mitigating-tenant-crossover-vulnerabilities), apps that require single-tenant IdPs should opt for SAML.
diff --git a/docs/manifest.json b/docs/manifest.json
index 1952a20efe..03b98411fd 100644
--- a/docs/manifest.json
+++ b/docs/manifest.json
@@ -579,6 +579,17 @@
}
]
]
+ },
+ {
+ "title": "OIDC",
+ "items": [
+ [
+ {
+ "title": "Custom provider",
+ "href": "/docs/authentication/enterprise-connections/oidc/custom-provider"
+ }
+ ]
+ ]
}
]
]