From ccd3f7566eae1428adeb9b9f87ce953e2d203399 Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Fri, 29 Nov 2024 18:34:27 -0300 Subject: [PATCH 01/23] Add draft for upcoming changes --- .../enterprise-connections/saml/okta.mdx | 4 ++-- docs/manifest.json | 4 ++++ docs/organizations/manage-sso.mdx | 17 +++++++++++++++++ docs/organizations/verified-domains.mdx | 3 +++ 4 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 docs/organizations/manage-sso.mdx diff --git a/docs/authentication/enterprise-connections/saml/okta.mdx b/docs/authentication/enterprise-connections/saml/okta.mdx index e442e44eda..c0b8639273 100644 --- a/docs/authentication/enterprise-connections/saml/okta.mdx +++ b/docs/authentication/enterprise-connections/saml/okta.mdx 
@@ -28,10 +28,10 @@ description: Learn how to integrate Okta Workforce with Clerk using SAML SSO. To create a SAML connection in Clerk: 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. - 1. Select **Add connection** and select **For specific domains**. + 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **SAML**, select **Okta Workforce** as the identity provider. 1. Add the **Name** of the connection. This is the name that will be displayed in the sign-in form. - 1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application. + 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. 1. Select **Add connection**. You will be redirected to the connection's configuration page. 1. Find the **Service Provider Configuration** section. 1. Save the **Single sign-on URL** and the **Audience URI (SP Entity ID)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. diff --git a/docs/manifest.json b/docs/manifest.json index 89b2f99a8c..cab45f4f82 100644 --- a/docs/manifest.json +++ b/docs/manifest.json @@ -661,6 +661,10 @@ "title": "Verified domains", "href": "/docs/organizations/verified-domains" }, + { + "title": "Manage SSO", + "href": "/docs/organizations/manage-sso" + }, { "title": "Guides", "items": [ diff --git a/docs/organizations/manage-sso.mdx b/docs/organizations/manage-sso.mdx new file mode 100644 index 0000000000..6df18320ca --- /dev/null +++ b/docs/organizations/manage-sso.mdx 
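Review bot: the rewritten domain step in the okta.mdx hunk adds "Optionally, select an **Organization**." without saying what selecting one changes, while the preceding sentence does explain what the domain controls ("the domain of the users you wish to allow to sign in"). Give the organization the same one-line treatment, or link the step to `/docs/organizations/manage-sso` (the page this patch adds to manifest.json), so a reader knows that choosing an organization scopes the connection to it rather than being a cosmetic label.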
@@ -0,0 +1,17 @@ +--- +title: Organization-level SSO +--- + +TODO: +- Explain how to add organization-level enterprise connections on the Dashboard +- Include onboarding flows, such as: + - **Organization created first from Clerk Dashboard**: + - App owner creates an organization for their customer via Dashboard + - App owner syncs with their customer’s IT admin to get the necessary info to set up the SSO connection via Dashboard + - App owner invites their customer's users to that organization, which can then perform SSO + - **User Signs Up First with Organization, and SSO connection gets created later**: + 1. End user signs up to try out a Clerk customer’s product for their company. They start with a individual account only. + 2. They decide to go with the product and create an organization for their company. + 3. App owner goes to Clerk Dashboard and configures SSO for that organization + 4. Users can now perform enterprise SSO +- Clarify that SSO is enforced by domain. For instance, you can create a SSO connection for one domain within an organization while adding a verified domain to invite external contributors, such as contractors. diff --git a/docs/organizations/verified-domains.mdx b/docs/organizations/verified-domains.mdx index 1e9813cde2..e4467dd6f6 100644 --- a/docs/organizations/verified-domains.mdx +++ b/docs/organizations/verified-domains.mdx @@ -7,6 +7,9 @@ Verified domains can be used to streamline enrollment into an organization. For A verified domain cannot be a disposable domain or common email provider. For example, you cannot create a verified domain for `@gmail.com`. +> [!NOTE] +> You cannot add a verified domain if it is already in use for the [organization's SSO](./manage-sso.mdx) + ## Enable verified domains Enabling verified domains applies to all organizations and cannot currently be managed on a per-organization basis. From 5081ee57c4c42ead4cbafa9ad10f0b6c71b23c4a Mon Sep 17 00:00:00 2001 
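Review bot: the new manage-sso.mdx is only a TODO outline, yet the manifest.json hunk in this same patch already links it from the sidebar as "Manage SSO", so the placeholder ships as a live page; keep it out of the manifest (or behind a draft flag) until the content lands. Within the outline, "a individual account" should be "an individual account" and "a SSO connection" should be "an SSO connection".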
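Review bot: the new NOTE in verified-domains.mdx links with the file-relative path `./manage-sso.mdx`, whereas every other href in this patch (manifest.json, the dashboard links in okta.mdx) uses the site-absolute `/docs/...` form; use `/docs/organizations/manage-sso` so the link resolves in the rendered site rather than only in the repository. The sentence is also missing its full stop. Since this page is the one about domains, it would help to state the rule in both directions if it applies: a domain in use for SSO cannot be verified, and whether a domain already verified for an organization can later be attached to an SSO connection.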
From: Mary Zhong Date: Tue, 10 Dec 2024 17:10:32 -0500 Subject: [PATCH 02/23] Add enterprise SSO description to organizations overview Begin to add content to manage SSO page --- docs/organizations/manage-sso.mdx | 21 +++++++++++++++++---- docs/organizations/overview.mdx | 4 ++++ 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/docs/organizations/manage-sso.mdx b/docs/organizations/manage-sso.mdx index 6df18320ca..e3875f5041 100644 --- a/docs/organizations/manage-sso.mdx +++ b/docs/organizations/manage-sso.mdx @@ -1,9 +1,22 @@ --- -title: Organization-level SSO +title: Organization-level Enterprise SSO + --- -TODO: -- Explain how to add organization-level enterprise connections on the Dashboard +Clerk supports adding an enterprise SSO to an organization to allow for sign-in with an IdP and seamless organization onboarding. All types of [enterprise connections](/docs/authentication/enterprise-connections/authentication-flows) are supported. + +When a user signs in or signs up with an organization's enterprise connection, they will also be added as a member of that organization and assigned the [default role](/docs/organizations/roles-permissions#default-roles). + +## Add an organization-level enterprise connection + +1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. +1. TODO + +## Onboarding flows with enterprise SSO + +Using organizations with enterprise SSO can unlock powerful onboarding flows for your enterprise users. + +{/* TODO - Include onboarding flows, such as: - **Organization created first from Clerk Dashboard**: - App owner creates an organization for their customer via Dashboard 
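Review bot: step 2 of the new "Add an organization-level enterprise connection" list is a literal `TODO`, so the procedure is unusable as published; either finish it or keep the section commented out like the onboarding-flows block below it. The frontmatter hunk also adds an empty line between `title:` and the closing `---` that serves no purpose, and "adding an enterprise SSO to an organization" should read "adding an enterprise SSO connection to an organization". The membership sentence ("they will also be added as a member of that organization and assigned the default role") is the security-relevant claim on this page: spell out which check gates that automatic membership (the domain configured on the connection, the organization selected on the connection, or both), because that is what an app owner needs in order to reason about who can end up inside a customer's organization.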
@@ -14,4 +27,4 @@ TODO: 2. They decide to go with the product and create an organization for their company. 3. App owner goes to Clerk Dashboard and configures SSO for that organization 4. Users can now perform enterprise SSO -- Clarify that SSO is enforced by domain. For instance, you can create a SSO connection for one domain within an organization while adding a verified domain to invite external contributors, such as contractors. +- Clarify that SSO is enforced by domain. For instance, you can create a SSO connection for one domain within an organization while adding a verified domain to invite external contributors, such as contractors. */} \ No newline at end of file diff --git a/docs/organizations/overview.mdx b/docs/organizations/overview.mdx index 0f4474fde2..6eaddda5d4 100644 --- a/docs/organizations/overview.mdx +++ b/docs/organizations/overview.mdx 
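Review bot: the rewritten closing line of the `{/* ... */}` comment block carries `\ No newline at end of file`, so manage-sso.mdx now ends without a trailing newline; add one so the file passes the repo's lint step and diffs cleanly on the next edit.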
@@ -68,6 +68,10 @@ Once suggestions are enabled for a domain, users with email addresses that match Membership requests are requests from users who want to join an organization. A membership request is created when a user sees a suggestion to join an organization and selects the **Request to join** button. Therefore, membership requests are only available for organizations that have the [**Verified domains** feature enabled](#verified-domains) and the [**Automatic suggestions** feature enabled in both the Dashboard and for the specific domain](#suggestions). +### Enterprise SSO + +An enterprise connection can be configured for an organization. Users can sign in through the configured IdP and be automatically added as a member of the organization. See the [manage SSO](/docs/organizations/manage-sso) documentation for more information. + ## Active organization When a user is a member of an organization, they can switch between their personal workspace and an organization workspace. The organization workspace that a user is currently viewing is called the **active organization**. The active organization determines which organization-specific data the user can access and which role and related permissions they have within the organization. From a188e5097984941f8156e191863505dd83b7620e Mon Sep 17 00:00:00 2001 From: Mary Zhong Date: Tue, 10 Dec 2024 17:14:53 -0500 Subject: [PATCH 03/23] Fix linter --- docs/organizations/verified-domains.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/organizations/verified-domains.mdx b/docs/organizations/verified-domains.mdx index 97c577ebad..db8c4584d4 100644 --- a/docs/organizations/verified-domains.mdx +++ b/docs/organizations/verified-domains.mdx 
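Review bot: the new `### Enterprise SSO` subsection is inserted between "Membership requests" and `## Active organization`, so it reads as a third sub-feature of verified domains alongside suggestions and membership requests, while the text describes an independent mechanism; give it its own `##` section. "be automatically added as a member of the organization" would also benefit from the same precision asked for on the manage-sso page: added under which check, and with which role.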
@@ -8,7 +8,7 @@ Verified domains can be used to streamline enrollment into an organization. For A verified domain cannot be a disposable domain or common email provider. For example, you cannot create a verified domain for `@gmail.com`. > [!NOTE] -> You cannot add a verified domain if it is already in use for the [organization's SSO](./manage-sso.mdx) +> You cannot add a verified domain if it is already in use for the [organization's SSO](/docs/organizations/manage-sso) ## Enable verified domains From 964d36fc47c1616ee52cf6cd03e486e165d6d19e Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Tue, 10 Dec 2024 19:25:43 -0300 Subject: [PATCH 04/23] Update instructions for each provider guide --- .../enterprise-connections/easie/google.mdx | 8 ++++---- .../enterprise-connections/easie/microsoft.mdx | 8 ++++---- .../enterprise-connections/saml/azure.mdx | 12 ++++++------ .../enterprise-connections/saml/custom-provider.mdx | 4 ++-- .../enterprise-connections/saml/google.mdx | 4 ++-- docs/organizations/manage-sso.mdx | 2 +- 6 files changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/authentication/enterprise-connections/easie/google.mdx b/docs/authentication/enterprise-connections/easie/google.mdx index 4e8ed5048f..6a335b9cb8 100644 --- a/docs/authentication/enterprise-connections/easie/google.mdx +++ b/docs/authentication/enterprise-connections/easie/google.mdx 
@@ -32,9 +32,9 @@ Enabling EASIE SSO with Google allows your users to sign up and sign in to your For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed. 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. -1. Select **Add connection** and select **For specific domains**. +1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Google** as the identity provider. -1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app. +1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. 1. Select **Add connection**. ## Configure for your production instance @@ -50,9 +50,9 @@ To make the setup process easier, it's recommended to keep two browser tabs open ### Enable Google as an EASIE connection 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. - 1. Select **Add connection** and select **For specific domains**. + 1. Select **Add connection** and select **For specific domains or organizations**. 1. Below EASIE, select **Google** as the identity provider. - 1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application. + 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. 1. Ensure that **Use custom credentials** is toggled on. 1. Save the **Redirect URI** somewhere secure. Keep this page open. 
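Review bot: the two hunks in google.mdx now carry identical replacement text but differ in their unchanged neighbours ("Under **EASIE**" in the development list, "Below EASIE" in the production list); align the wording while the file is open. More generally, the same two replacement lines are pasted into six provider guides in this patch, so a shared partial for the "Add connection / Domain / Organization" steps would make the next wording change a one-file edit instead of six.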
diff --git a/docs/authentication/enterprise-connections/easie/microsoft.mdx b/docs/authentication/enterprise-connections/easie/microsoft.mdx index f0ac052697..f6332d5ff9 100644 --- a/docs/authentication/enterprise-connections/easie/microsoft.mdx +++ b/docs/authentication/enterprise-connections/easie/microsoft.mdx @@ -32,9 +32,9 @@ Enabling EASIE SSO with Microsoft (formerly [Active Directory](https://learn.mic For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed. 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. -1. Select the **Add connection** button, and select **For specific domains**. +1. Select the **Add connection** button, and select **For specific domains or organizations**. 1. Under **EASIE**, select **Microsoft** as the identity provider. -1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app. +1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. 1. Select **Add connection**. ## Configure for your production instance 
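Review bot: the development-instance hunk in microsoft.mdx keeps "Select the **Add connection** button, and select **For specific domains or organizations**" while the other five guides touched in this patch, and the production hunk of this same file, use "Select **Add connection** and select ..."; make it match so the guides stay word-for-word consistent.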
@@ -50,9 +50,9 @@ To make the setup process easier, it's recommended to keep two browser tabs open ### Enable Microsoft as an EASIE connection 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. - 1. Select **Add connection** and select **For specific domains**. + 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Microsoft** as the identity provider. - 1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app. + 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. 1. Ensure that **Use custom credentials** is toggled on. 1. Save the **Redirect URI** somewhere secure. Keep this page open. diff --git a/docs/authentication/enterprise-connections/saml/azure.mdx b/docs/authentication/enterprise-connections/saml/azure.mdx index 87a7039fc4..a3ac561c2c 100644 --- a/docs/authentication/enterprise-connections/saml/azure.mdx +++ b/docs/authentication/enterprise-connections/saml/azure.mdx 
@@ -30,13 +30,13 @@ To make the setup process easier, it's recommended to keep two browser tabs open To create a SAML connection in Clerk: 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. - 1. Select **Add connection** and select **For specific domains**. + 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **SAML**, select **Microsoft Entra ID (Formerly AD)** as the identity provider. - 1. Add the **Name** of the connection. This is the name that will be displayed on the sign-in form. - 1. Enter the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app. - 1. Select **Add connection**. You'll be redirected to the connection's configuration page. - 1. Find the **Service Provider Configuration** section. - 1. Save the **Identifier (Entity ID)** and **Reply URL (Assertion Consumer Service URL)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. Leave this page open. + 2. Add the **Name** of the connection. This is the name that will be displayed on the sign-in form. + 3. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. + 4. Select **Add connection**. You'll be redirected to the connection's configuration page. + 5. Find the **Service Provider Configuration** section. + 6. Save the **Identifier (Entity ID)** and **Reply URL (Assertion Consumer Service URL)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. Leave this page open. ### Create a new enterprise app in Microsoft 
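Review bot: the azure.mdx hunk renumbers the sub-steps explicitly as 2. through 6. while the first sub-step and every other provider guide in this patch keep the markdown `1.` marker for each item, so the list is mixed either way; use `1.` throughout, which is also what an auto-numbering lint rule will expect. The substantive text change is fine and matches the other guides.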
diff --git a/docs/authentication/enterprise-connections/saml/custom-provider.mdx b/docs/authentication/enterprise-connections/saml/custom-provider.mdx index b717cfa88e..80d2d19d19 100644 --- a/docs/authentication/enterprise-connections/saml/custom-provider.mdx +++ b/docs/authentication/enterprise-connections/saml/custom-provider.mdx @@ -30,10 +30,10 @@ Clerk supports Enterprise SSO via the SAML protocol, enabling you to create auth To create a SAML connection in Clerk: 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. - 1. Select **Add connection** and select **For specific domains**. + 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **SAML**, select **Custom SAML Provider**. 1. Add the **Name** of the connection. This is the name that will be displayed in the sign-in form. - 1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application. + 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. 1. Select **Add connection**. You will be redirected to the connection's configuration page. ### Create a new enterprise application in your IdP diff --git a/docs/authentication/enterprise-connections/saml/google.mdx b/docs/authentication/enterprise-connections/saml/google.mdx index 010d286a92..b9b4674c0a 100644 --- a/docs/authentication/enterprise-connections/saml/google.mdx +++ b/docs/authentication/enterprise-connections/saml/google.mdx 
@@ -28,10 +28,10 @@ description: Learn how to integrate Google Workspace with Clerk using SAML SSO. To create a SAML connection in Clerk: 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. - 1. Select **Add connection** and select **For specific domains**. + 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **SAML**, select **Google Workspace** as the identity provider. 1. Add the **Name** of the connection. This is the name that will be displayed in the sign-in form. - 1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application. + 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. 1. Select **Add connection**. You'll be redirected to the connection's configuration page. ### Create a new enterprise application in Google diff --git a/docs/organizations/manage-sso.mdx b/docs/organizations/manage-sso.mdx index e3875f5041..44abe27dc5 100644 --- a/docs/organizations/manage-sso.mdx +++ b/docs/organizations/manage-sso.mdx 
@@ -27,4 +27,4 @@ Using organizations with enterprise SSO can unlock powerful onboarding flows for 2. They decide to go with the product and create an organization for their company. 3. App owner goes to Clerk Dashboard and configures SSO for that organization 4. Users can now perform enterprise SSO -- Clarify that SSO is enforced by domain. For instance, you can create a SSO connection for one domain within an organization while adding a verified domain to invite external contributors, such as contractors. */} \ No newline at end of file +- Clarify that SSO is enforced by domain. For instance, you can create a SSO connection for one domain within an organization while adding a verified domain to invite external contributors, such as contractors. */} From 6b4f61879be7f222dba9846d3d3ed0289dcaddaa Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Tue, 10 Dec 2024 19:41:04 -0300 Subject: [PATCH 05/23] Add onboarding flows --- docs/organizations/manage-sso.mdx | 44 ++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/docs/organizations/manage-sso.mdx b/docs/organizations/manage-sso.mdx index 44abe27dc5..0cae1a7305 100644 --- a/docs/organizations/manage-sso.mdx +++ b/docs/organizations/manage-sso.mdx 
@@ -10,21 +10,35 @@ When a user signs in or signs up with an organization's enterprise connection, t ## Add an organization-level enterprise connection 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. -1. TODO +1. Select **Add connection** and select **For specific domains or organizations**. +1. Select a Identity Provider. +2. Add the **Domain** for which you want to enable this connection and select an **Organization**. ## Onboarding flows with enterprise SSO -Using organizations with enterprise SSO can unlock powerful onboarding flows for your enterprise users. - -{/* TODO -- Include onboarding flows, such as: - - **Organization created first from Clerk Dashboard**: - - App owner creates an organization for their customer via Dashboard - - App owner syncs with their customer’s IT admin to get the necessary info to set up the SSO connection via Dashboard - - App owner invites their customer's users to that organization, which can then perform SSO - - **User Signs Up First with Organization, and SSO connection gets created later**: - 1. End user signs up to try out a Clerk customer’s product for their company. They start with a individual account only. - 2. They decide to go with the product and create an organization for their company. - 3. App owner goes to Clerk Dashboard and configures SSO for that organization - 4. Users can now perform enterprise SSO -- Clarify that SSO is enforced by domain. For instance, you can create a SSO connection for one domain within an organization while adding a verified domain to invite external contributors, such as contractors. */} +Using organizations with enterprise SSO can unlock powerful onboarding flows for your enterprise users. Here are two common scenarios: + +### Organization created first (Top-down approach) + +1. You create an organization for your customer through the Clerk Dashboard +2. 
Collaborate with the customer's IT administrator to obtain the necessary SSO configuration details +3. Configure the SSO connection for the organization via the Dashboard +4. Invite users to the organization, who can sign in using SSO + +This flow is common for enterprise sales where the relationship is established before users start accessing the application. + +### User-initiated setup (Bottom-up approach) + +1. End user signs up to evaluate your application, starting with an individual account +2. After deciding to adopt the application, they create an organization for their company +3. Configure SSO for the organization through the Clerk Dashboard +4. All subsequent users from that organization can now sign in using enterprise SSO + +This flow is common when individual users try the product before company-wide adoption. + +### Domain-based SSO enforcement + +SSO connections are enforced on a per-domain basis within organizations. This allows for flexible access management: + +- You can configure SSO for your primary domain (e.g., `company.com`) to enforce SSO authentication for employees +- Simultaneously, you can add verified domains without SSO for external collaborators (like contractors or consultants) From fe400f4f1a5ed8d313e5bd55ba1baab322388477 Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Tue, 10 Dec 2024 19:44:33 -0300 Subject: [PATCH 06/23] Rename from "Manage SSO" to "Enterprise SSO" --- docs/manifest.json | 4 ++-- docs/organizations/{manage-sso.mdx => enterprise-sso.mdx} | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename docs/organizations/{manage-sso.mdx => enterprise-sso.mdx} (100%) diff --git a/docs/manifest.json b/docs/manifest.json index 18e36629d4..606d4b23b6 100644 --- a/docs/manifest.json +++ b/docs/manifest.json 
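Review bot: the "Add an organization-level enterprise connection" list in this hunk mixes `1.` and `2.` markers, ends after choosing the domain and organization without the final "Select **Add connection**" step that every provider guide ends with, and "Select a Identity Provider" should be "Select an identity provider". The list also makes the organization mandatory ("and select an **Organization**") while the provider guides say "Optionally, select an **Organization**"; both are right from their own angle, but one sentence here saying that selecting an organization is precisely what makes the connection organization-level would remove the apparent contradiction.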
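Review bot: "Domain-based SSO enforcement" says SSO is enforced per domain and that verified domains without SSO can be added alongside for contractors, but the verified-domains page on this branch states that a verified domain cannot be added if it is already in use for the organization's SSO; say explicitly that the contractor domain must differ from the SSO domain and link the two pages to each other. "enforce SSO authentication for employees" should also state what enforcement means for a user whose email is on the SSO domain, in particular whether other sign-in methods are refused for that address, since that is the first question an IT administrator evaluating the feature will ask.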
@@ -658,8 +658,8 @@ "href": "/docs/organizations/verified-domains" }, { - "title": "Manage SSO", - "href": "/docs/organizations/manage-sso" + "title": "Enterprise SSO", + "href": "/docs/organizations/enterprise-sso" }, { "title": "Guides", diff --git a/docs/organizations/manage-sso.mdx b/docs/organizations/enterprise-sso.mdx similarity index 100% rename from docs/organizations/manage-sso.mdx rename to docs/organizations/enterprise-sso.mdx From e3519c697427a7635b71d2c201aa585607df0cae Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Tue, 10 Dec 2024 19:47:25 -0300 Subject: [PATCH 07/23] Update link to "Enterprise SSO" --- docs/organizations/enterprise-sso.mdx | 2 +- docs/organizations/overview.mdx | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/organizations/enterprise-sso.mdx b/docs/organizations/enterprise-sso.mdx index 0cae1a7305..a0a9886ae1 100644 --- a/docs/organizations/enterprise-sso.mdx +++ b/docs/organizations/enterprise-sso.mdx @@ -7,7 +7,7 @@ Clerk supports adding an enterprise SSO to an organization to allow for sign-in When a user signs in or signs up with an organization's enterprise connection, they will also be added as a member of that organization and assigned the [default role](/docs/organizations/roles-permissions#default-roles). -## Add an organization-level enterprise connection +## Add an organization-level enterprise SSO connection 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. diff --git a/docs/organizations/overview.mdx b/docs/organizations/overview.mdx index 2687593af5..e9b27d90ae 100644 --- a/docs/organizations/overview.mdx +++ b/docs/organizations/overview.mdx 
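Review bot: the inbound links in overview.mdx and verified-domains.mdx (`/docs/organizations/manage-sso`) are left pointing at the old slug when this commit renames the file to enterprise-sso.mdx and updates only manifest.json; move the link updates into the same commit so every commit on the branch builds with working links, or add a redirect from the old slug if it may already have been shared.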
@@ -66,9 +66,9 @@ Once suggestions are enabled for a domain, users with email addresses that match Membership requests are requests from users who want to join an organization. A membership request is created when a user sees a suggestion to join an organization and selects the **Request to join** button. Therefore, membership requests are only available for organizations that have the [**Verified domains** feature enabled](#verified-domains) and the [**Automatic suggestions** feature enabled in both the Dashboard and for the specific domain](#suggestions). -### Enterprise SSO +#### Enterprise SSO -An enterprise connection can be configured for an organization. Users can sign in through the configured IdP and be automatically added as a member of the organization. See the [manage SSO](/docs/organizations/manage-sso) documentation for more information. +An enterprise connection can be configured for an organization. Users can sign in through the configured IdP and be automatically added as a member of the organization. See the [manage enterprise SSO](/docs/organizations/enterprise-sso) documentation for more information. ## Active organization From 1262217552edb6bc268de6b9dadf478d750fe154 Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Tue, 10 Dec 2024 19:48:52 -0300 Subject: [PATCH 08/23] Refactor "Enterprise SSO" as a separate H2 section --- docs/organizations/overview.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/organizations/overview.mdx b/docs/organizations/overview.mdx index e9b27d90ae..7a4ceda3bb 100644 --- a/docs/organizations/overview.mdx +++ b/docs/organizations/overview.mdx 
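Review bot: demoting the heading from `###` to `####` nests "Enterprise SSO" one level deeper under "Membership requests", which makes the placement problem worse rather than better; promote it to its own `##` section. The link text "manage enterprise SSO" also reads oddly against the target page's title "Organization-level Enterprise SSO"; "enterprise SSO for organizations" would match.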
@@ -66,10 +66,6 @@ Once suggestions are enabled for a domain, users with email addresses that match Membership requests are requests from users who want to join an organization. A membership request is created when a user sees a suggestion to join an organization and selects the **Request to join** button. Therefore, membership requests are only available for organizations that have the [**Verified domains** feature enabled](#verified-domains) and the [**Automatic suggestions** feature enabled in both the Dashboard and for the specific domain](#suggestions). -#### Enterprise SSO - -An enterprise connection can be configured for an organization. Users can sign in through the configured IdP and be automatically added as a member of the organization. See the [manage enterprise SSO](/docs/organizations/enterprise-sso) documentation for more information. - ## Active organization When a user is a member of an organization, they can switch between their personal workspace and an organization workspace. The organization workspace that a user is currently viewing is called the **active organization**. The active organization determines which organization-specific data the user can access and which role and related permissions they have within the organization. 
@@ -169,3 +165,7 @@ If the prebuilt components don't meet your specific needs or if you require more - [Creating an infinite paginated list of memberships](/docs/organizations/viewing-memberships) - [Inviting users to an organization](/docs/organizations/inviting-users), which also includes code for creating a custom list of invitations - [Managing memberships](/docs/organizations/managing-roles), which includes code for updating and deleting a user's membership, for inviting a user, and for creating a custom list of memberships, invitations, and requests + +## Enterprise SSO + +An enterprise connection can be configured for an organization. Users can sign in through the configured IdP and be automatically added as a member of the organization. See the [manage enterprise SSO](/docs/organizations/enterprise-sso) documentation for more information. From cacd16ce5dd05e518501a2d74278fdcab5c653b5 Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Wed, 11 Dec 2024 10:37:24 -0300 Subject: [PATCH 09/23] Fix link --- docs/organizations/verified-domains.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/organizations/verified-domains.mdx b/docs/organizations/verified-domains.mdx index db8c4584d4..2744cc35a9 100644 --- a/docs/organizations/verified-domains.mdx +++ b/docs/organizations/verified-domains.mdx @@ -8,7 +8,7 @@ Verified domains can be used to streamline enrollment into an organization. For A verified domain cannot be a disposable domain or common email provider. For example, you cannot create a verified domain for `@gmail.com`. > [!NOTE] -> You cannot add a verified domain if it is already in use for the [organization's SSO](/docs/organizations/manage-sso) +> You cannot add a verified domain if it is already in use for the [organization's SSO](/docs/organizations/enterprise-sso) ## Enable verified domains From 0d66a8d028936438bbe517d95c2deeb01809d971 Mon Sep 17 00:00:00 2001 
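Review bot: the body of the relocated `## Enterprise SSO` section still says only that users "be automatically added as a member of the organization", without the default-role detail that the enterprise-sso page gives in its second paragraph; add a short pointer to the default role here, since the overview is where most readers will first learn that an IdP login can create organization memberships. Placing the section last on the page, after the custom-flows list, is fine.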
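Review bot: in the PATCH 09 hunk for verified-domains.mdx the link target is now correct, but the NOTE sentence is still missing its terminating period; fix it while the line is being edited.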
From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Wed, 11 Dec 2024 10:43:09 -0300 Subject: [PATCH 10/23] Run linting --- .../enterprise-connections/saml/azure.mdx | 10 +++++----- docs/organizations/enterprise-sso.mdx | 14 +++++++------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/authentication/enterprise-connections/saml/azure.mdx b/docs/authentication/enterprise-connections/saml/azure.mdx index a3ac561c2c..29c6ae8350 100644 --- a/docs/authentication/enterprise-connections/saml/azure.mdx +++ b/docs/authentication/enterprise-connections/saml/azure.mdx 
@@ -32,11 +32,11 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **SAML**, select **Microsoft Entra ID (Formerly AD)** as the identity provider. - 2. Add the **Name** of the connection. This is the name that will be displayed on the sign-in form. - 3. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. - 4. Select **Add connection**. You'll be redirected to the connection's configuration page. - 5. Find the **Service Provider Configuration** section. - 6. Save the **Identifier (Entity ID)** and **Reply URL (Assertion Consumer Service URL)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. Leave this page open. + 1. Add the **Name** of the connection. This is the name that will be displayed on the sign-in form. + 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. + 1. Select **Add connection**. You'll be redirected to the connection's configuration page. + 1. Find the **Service Provider Configuration** section. + 1. Save the **Identifier (Entity ID)** and **Reply URL (Assertion Consumer Service URL)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. Leave this page open. ### Create a new enterprise app in Microsoft diff --git a/docs/organizations/enterprise-sso.mdx b/docs/organizations/enterprise-sso.mdx index a0a9886ae1..382b0147fb 100644 
--- a/docs/organizations/enterprise-sso.mdx +++ b/docs/organizations/enterprise-sso.mdx @@ -12,7 +12,7 @@ When a user signs in or signs up with an organization's enterprise connection, t 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. 1. Select a Identity Provider. -2. Add the **Domain** for which you want to enable this connection and select an **Organization**. +1. Add the **Domain** for which you want to enable this connection and select an **Organization**. ## Onboarding flows with enterprise SSO 
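Review bot: the unchanged context line `1. Select a Identity Provider.` in this enterprise-sso.mdx hunk carries an article error that the renumbering leaves in place; since the hunk already touches the next item, fold in `1. Select an Identity Provider.` Also, the last step here makes the **Organization** mandatory (`and select an **Organization**`) whereas every provider-specific page says `Optionally, select an **Organization**`; that is correct for an organization-level connection, but say so explicitly so readers arriving from those pages do not treat it as optional.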
@@ -21,18 +21,18 @@ Using organizations with enterprise SSO can unlock powerful onboarding flows for ### Organization created first (Top-down approach) 1. You create an organization for your customer through the Clerk Dashboard -2. Collaborate with the customer's IT administrator to obtain the necessary SSO configuration details -3. Configure the SSO connection for the organization via the Dashboard -4. Invite users to the organization, who can sign in using SSO +1. Collaborate with the customer's IT administrator to obtain the necessary SSO configuration details +1. Configure the SSO connection for the organization via the Dashboard +1. Invite users to the organization, who can sign in using SSO This flow is common for enterprise sales where the relationship is established before users start accessing the application. ### User-initiated setup (Bottom-up approach) 1. End user signs up to evaluate your application, starting with an individual account -2. After deciding to adopt the application, they create an organization for their company -3. Configure SSO for the organization through the Clerk Dashboard -4. All subsequent users from that organization can now sign in using enterprise SSO +1. After deciding to adopt the application, they create an organization for their company +1. Configure SSO for the organization through the Clerk Dashboard +1. All subsequent users from that organization can now sign in using enterprise SSO This flow is common when individual users try the product before company-wide adoption. From f6c5265d0624b4ace3b7beb422cc7ee57a6669f4 Mon Sep 17 00:00:00 2001 
From: vi Date: Wed, 11 Dec 2024 16:30:11 -0500 Subject: [PATCH 11/23] update --- .../authentication-flows.mdx | 8 +++- .../enterprise-connections/easie/google.mdx | 12 ++--- .../easie/microsoft.mdx | 12 ++--- .../oidc/custom-provider.mdx | 2 +- .../enterprise-connections/saml/azure.mdx | 10 ++-- .../saml/custom-provider.mdx | 12 +++-- .../enterprise-connections/saml/google.mdx | 6 +-- .../enterprise-connections/saml/okta.mdx | 23 ++++----- docs/organizations/enterprise-sso.mdx | 48 ++++++++++--------- docs/organizations/overview.mdx | 9 +++- docs/organizations/verified-domains.mdx | 4 +- 11 files changed, 80 insertions(+), 66 deletions(-) diff --git a/docs/authentication/enterprise-connections/authentication-flows.mdx b/docs/authentication/enterprise-connections/authentication-flows.mdx index cda6ab5ae4..d75cab8de6 100644 --- a/docs/authentication/enterprise-connections/authentication-flows.mdx +++ b/docs/authentication/enterprise-connections/authentication-flows.mdx @@ -3,7 +3,7 @@ title: Enterprise SSO authentication flows description: Learn about the Enterprise SSO authentication flows. --- -There are two types of Enterprise SSO connections: [EASIE](#easie) and [SAML](#saml). +There are three types of Enterprise SSO connections: [EASIE](#easie), [SAML](#saml), and [OIDC](#oidc). ## EASIE 
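Review bot: `There are three types of Enterprise SSO connections: [EASIE](#easie), [SAML](#saml), and [OIDC](#oidc).` mixes a protocol list with a product name. The OIDC section this same patch adds at the bottom of the file says OIDC is available `either through [EASIE](#easie) or by [integrating with any OIDC-compatible provider]`, so EASIE is an OIDC-based connection, not a third protocol alongside it. Either describe two protocols (SAML and OIDC) and position EASIE as the preconfigured OIDC option for Google and Microsoft, or keep three entries and state the relationship in the OIDC section; the overview.mdx hunk later in this patch (`SAML 2.0 and OIDC protocols are supported`) and the enterprise-sso.mdx intro (`EASIE, SAML, and OIDC`) should then use the same framing.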
@@ -36,7 +36,7 @@ In an IdP-initiated flow: To allow IdP-initiated flows for your SAML connection: 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. -1. Select **Add connection** and select **For specific domains**. + 1. Select **Add connection** and select **For specific domains or organizations**. 1. Select your **Identity Provider**. Complete the fields and select **Add connection**. You'll be redirected to the SAML connection's configuration page. 1. Select the **Advanced** tab. 1. In **Advanced Settings**, enable **Allow IdP-Initiated flow**. A modal will open. Select **Enable** to confirm. 
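Review bot: the replacement line in this hunk gains a leading space (`+ 1. Select **Add connection** and select **For specific domains or organizations**.`) while the sibling steps stay flush-left, which MDX renders as a nested or mis-aligned list item; drop the space so it matches the surrounding `1.` entries. The same stray indent is introduced in the development-instance list of easie/google.mdx in this patch.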
@@ -56,3 +56,7 @@ To mitigate the risks associated with IdP-initiated flows, Clerk implements seve - **Replay detection**: Clerk consumes and remembers each response to prevent re-use. This ensures that bad actors cannot steal and reuse a response to gain access to a user's account. - **Multi-factor authentication**: Clerk supports [multi-factor authentication (MFA)](/docs/authentication/configuration/sign-up-sign-in-options#multi-factor-authentication) for SAML IdP-initiated flows. MFA requires users to provide two or more forms of verification, which significantly enhances security by reducing the risk of unauthorized access. - **Use small validation periods**: Each SAML response contains a timestamp indicating when it was issued and when it will expire. Since IdP-initiated flows are expected to be completed within seconds, validation periods must be as small as possible to prevent attacks. Common IdP providers such as Azure, Google, and Okta handle this by default. However, if you're using a custom IdP, you must ensure that the validation periods are set correctly. + +## OIDC + +Clerk supports Enterprise SSO via the OpenID Connect (OIDC) protocol, either through [EASIE](#easie) or by [integrating with any OIDC-compatible provider](/docs/authentication/enterprise-connections/oidc/custom-provider). diff --git a/docs/authentication/enterprise-connections/easie/google.mdx b/docs/authentication/enterprise-connections/easie/google.mdx index 6a335b9cb8..ab1d134889 100644 --- a/docs/authentication/enterprise-connections/easie/google.mdx +++ b/docs/authentication/enterprise-connections/easie/google.mdx 
@@ -32,9 +32,9 @@ Enabling EASIE SSO with Google allows your users to sign up and sign in to your For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed. 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. -1. Select **Add connection** and select **For specific domains or organizations**. -1. Under **EASIE**, select **Google** as the identity provider. -1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. + 1. Select **Add connection** and select **For specific domains or organizations**. +1. Under **EASIE**, select **Google**. +1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. 1. Select **Add connection**. ## Configure for your production instance @@ -51,9 +51,9 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. - 1. Below EASIE, select **Google** as the identity provider. - 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. - 1. Ensure that **Use custom credentials** is toggled on. + 1. Under **EASIE**, select **Google**. + 1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. + 1. Enable **Use custom credentials**. 1. Save the **Redirect URI** somewhere secure. Keep this page open. ### Create a Google Developer project 
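Review bot: the new description of the **Domain** field, `This is the URL users use to sign in to your application.`, is wrong in both easie/google.mdx hunks. The line it replaces described the field correctly: it is the email domain of the users who are allowed to use this connection, which is what the `For specific domains or organizations` option matches on to route a sign-in to this IdP (the enterprise-sso.mdx hunk in this patch likewise says connections are enforced per domain, e.g. `company.com`). Calling it a URL invites misconfiguration of the one field that scopes who is sent to the enterprise IdP; keep wording along the lines of `This is the email domain of the users you want to allow to sign in to your application.` The same replacement sentence appears in easie/microsoft.mdx, saml/azure.mdx, saml/google.mdx and saml/okta.mdx in this patch and should be reverted there as well.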
diff --git a/docs/authentication/enterprise-connections/easie/microsoft.mdx b/docs/authentication/enterprise-connections/easie/microsoft.mdx index f6332d5ff9..e1448b9050 100644 --- a/docs/authentication/enterprise-connections/easie/microsoft.mdx +++ b/docs/authentication/enterprise-connections/easie/microsoft.mdx @@ -32,9 +32,9 @@ Enabling EASIE SSO with Microsoft (formerly [Active Directory](https://learn.mic For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed. 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. -1. Select the **Add connection** button, and select **For specific domains or organizations**. -1. Under **EASIE**, select **Microsoft** as the identity provider. -1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. +1. Select **Add connection** and select **For specific domains or organizations**. +1. Under **EASIE**, select **Microsoft**. +1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. 1. Select **Add connection**. ## Configure for your production instance 
@@ -51,9 +51,9 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. - 1. Under **EASIE**, select **Microsoft** as the identity provider. - 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. - 1. Ensure that **Use custom credentials** is toggled on. + 1. Under **EASIE**, select **Microsoft**. + 1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. + 1. Enable **Use custom credentials**. 1. Save the **Redirect URI** somewhere secure. Keep this page open. ### Create a Microsoft Entra ID app diff --git a/docs/authentication/enterprise-connections/oidc/custom-provider.mdx b/docs/authentication/enterprise-connections/oidc/custom-provider.mdx index 3ae5b0ce3f..e5a8c97cbf 100644 --- a/docs/authentication/enterprise-connections/oidc/custom-provider.mdx +++ b/docs/authentication/enterprise-connections/oidc/custom-provider.mdx @@ -28,7 +28,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open ### Set up an enterprise connection in Clerk 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. - 1. Select **Add connection** and select **For specific domains**. + 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **Third party**, select **OpenID Connect (OIDC)**. 1. Add the **Name** of the connection. 1. Add the **Key** of the provider. This is the provider's unique identifier (cannot be changed after creation). 
diff --git a/docs/authentication/enterprise-connections/saml/azure.mdx b/docs/authentication/enterprise-connections/saml/azure.mdx index 29c6ae8350..c07620da80 100644 --- a/docs/authentication/enterprise-connections/saml/azure.mdx +++ b/docs/authentication/enterprise-connections/saml/azure.mdx 
@@ -31,12 +31,12 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. - 1. Under **SAML**, select **Microsoft Entra ID (Formerly AD)** as the identity provider. - 1. Add the **Name** of the connection. This is the name that will be displayed on the sign-in form. - 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. + 1. Under **SAML**, select **Microsoft Entra ID (Formerly AD)**. + 1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. + 1. Enter the **Name**. This will be displayed on the sign-in form. 1. Select **Add connection**. You'll be redirected to the connection's configuration page. - 1. Find the **Service Provider Configuration** section. - 1. Save the **Identifier (Entity ID)** and **Reply URL (Assertion Consumer Service URL)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. Leave this page open. + 1. In the **Service Provider Configuration** section, save the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. + 1. Keep this page open. ### Create a new enterprise app in Microsoft diff --git a/docs/authentication/enterprise-connections/saml/custom-provider.mdx b/docs/authentication/enterprise-connections/saml/custom-provider.mdx index 80d2d19d19..5a01264095 100644 --- a/docs/authentication/enterprise-connections/saml/custom-provider.mdx 
+++ b/docs/authentication/enterprise-connections/saml/custom-provider.mdx @@ -1,6 +1,6 @@ --- -title: Add a custom Identity Provider as a SAML connection -description: Learn how to integrate an Identity Provider with Clerk using SAML SSO. +title: Add a custom Identity Provider (IdP) as a SAML connection +description: Learn how to integrate an Identity Provider (IdP) with Clerk using SAML SSO. --- -Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an Identity Provider (IdP). Currently, Clerk offers direct integrations with [Microsoft Azure AD](/docs/authentication/enterprise-connections/saml/azure), [Google Workspace](/docs/authentication/enterprise-connections/saml/google), and [Okta Workforce](/docs/authentication/enterprise-connections/saml/okta) as IdPs. However, you can also integrate with any other IdP that supports the SAML protocol. This guide will show you how to set up a SAML connection with a custom IdP in Clerk. +Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an Identity Provider (IdP). Currently, Clerk offers direct integrations with the following IdPs: [Microsoft Azure AD](/docs/authentication/enterprise-connections/saml/azure), [Google Workspace](/docs/authentication/enterprise-connections/saml/google), and [Okta Workforce](/docs/authentication/enterprise-connections/saml/okta). However, you can also integrate with any other IdPs that supports the SAML protocol. + +This guide shows you how to set up a SAML connection with a custom IdP in Clerk. ## Tutorial 
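Review bot: the rewritten intro introduces a number-agreement error, `any other IdPs that supports the SAML protocol`; the removed line had it right (`any other IdP that supports the SAML protocol`). Also, `[Microsoft Azure AD]` in the list of direct integrations no longer matches saml/azure.mdx in this same patch, which labels the provider `Microsoft Entra ID (Formerly AD)`; align the name so the list and the linked page agree.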
@@ -32,9 +34,9 @@ Clerk supports Enterprise SSO via the SAML protocol, enabling you to create auth 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **SAML**, select **Custom SAML Provider**. - 1. Add the **Name** of the connection. This is the name that will be displayed in the sign-in form. 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. - 1. Select **Add connection**. You will be redirected to the connection's configuration page. + 1. Enter the **Name**. This will be displayed on the sign-in form. + 1. Select **Add connection**. You'll be redirected to the connection's configuration page. ### Create a new enterprise application in your IdP diff --git a/docs/authentication/enterprise-connections/saml/google.mdx b/docs/authentication/enterprise-connections/saml/google.mdx index b9b4674c0a..6b0f079e6a 100644 --- a/docs/authentication/enterprise-connections/saml/google.mdx +++ b/docs/authentication/enterprise-connections/saml/google.mdx 
@@ -29,9 +29,9 @@ description: Learn how to integrate Google Workspace with Clerk using SAML SSO. 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. - 1. Under **SAML**, select **Google Workspace** as the identity provider. - 1. Add the **Name** of the connection. This is the name that will be displayed in the sign-in form. - 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. + 1. Under **SAML**, select **Google Workspace**. + 1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. + 1. Enter the **Name**. This will be displayed on the sign-in form. 1. Select **Add connection**. You'll be redirected to the connection's configuration page. ### Create a new enterprise application in Google diff --git a/docs/authentication/enterprise-connections/saml/okta.mdx b/docs/authentication/enterprise-connections/saml/okta.mdx index 46819e0d8b..f2af3d04e2 100644 --- a/docs/authentication/enterprise-connections/saml/okta.mdx +++ b/docs/authentication/enterprise-connections/saml/okta.mdx 
@@ -20,22 +20,19 @@ description: Learn how to integrate Okta Workforce with Clerk using SAML SSO. - Use Okta Workforce to enable single sign-on (SSO) via SAML for your Clerk application. -## Tutorial - ### Set up an enterprise connection in Clerk To create a SAML connection in Clerk: - 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. + 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. - 1. Under **SAML**, select **Okta Workforce** as the identity provider. - 1. Add the **Name** of the connection. This is the name that will be displayed in the sign-in form. - 1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**. - 1. Select **Add connection**. You will be redirected to the connection's configuration page. - 1. Find the **Service Provider Configuration** section. - 1. Save the **Single sign-on URL** and the **Audience URI (SP Entity ID)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. - 1. Leave this page open. + 1. Under **SAML**, select **Okta Workforce**. + 1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. + 1. Enter the **Name**. This will be displayed on the sign-in form. + 1. Select **Add connection**. You'll be redirected to the connection's configuration page. + 1. In the **Service Provider Configuration** section, save the **Single sign-on URL** and **Audience URI (SP Entity ID)** values somewhere secure. 
You'll need these in the [Configure your service provider](#configure-your-service-provider) step. + 1. Keep this page open. ### Create a new enterprise application in Okta @@ -44,10 +41,10 @@ description: Learn how to integrate Okta Workforce with Clerk using SAML SSO. 1. Navigate to [Okta](https://www.okta.com/) and sign in. 1. In the Okta dashboard, select **Admin** in the top right corner. 1. In the navigation sidebar, select the **Applications** dropdown and select **Applications**. - 1. Select the **Create App Integration** button. + 1. Select **Create App Integration**. 1. In the **Create a new app integration** modal, select the **SAML 2.0** option and select the **Next** button. - 1. Once redirected to the **Create SAML Integration** page, fill in the **General Settings** fields. An **App name** is required. - 1. Select the **Next** button to continue. + 1. Once redirected to the **Create SAML Integration** page, complete the **General Settings** fields. An **App name** is required. + 1. Select **Next**. ### Configure your service provider diff --git a/docs/organizations/enterprise-sso.mdx b/docs/organizations/enterprise-sso.mdx index 382b0147fb..7cc8e788c2 100644 --- a/docs/organizations/enterprise-sso.mdx +++ b/docs/organizations/enterprise-sso.mdx 
@@ -1,11 +1,14 @@ --- -title: Organization-level Enterprise SSO - +title: Organization-level enterprise SSO +description: Learn how to set up and manage enterprise SSO for organizations. --- -Clerk supports adding an enterprise SSO to an organization to allow for sign-in with an IdP and seamless organization onboarding. All types of [enterprise connections](/docs/authentication/enterprise-connections/authentication-flows) are supported. +Clerk supports adding enterprise SSO connections to organizations, enabling users to sign in with an Identity Provider (IdP) and easily join organizations. There are three types of [enterprise connections](/docs/authentication/enterprise-connections/authentication-flows) that are supported: EASIE, SAML, and OIDC. + +When users sign in or up using an organization's enterprise connection, they're automatically added as members of that organization and assigned the [default role](/docs/organizations/roles-permissions#default-roles), which can be either `member` or `admin`. -When a user signs in or signs up with an organization's enterprise connection, they will also be added as a member of that organization and assigned the [default role](/docs/organizations/roles-permissions#default-roles). +> [!WARNING] +> A domain used for enterprise SSO can't be used as a [verified domain](/docs/organizations/verified-domains) for the same organization. ## Add an organization-level enterprise SSO connection 
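Review bot: `they're automatically added as members of that organization and assigned the [default role](...), which can be either `member` or `admin`` states an authorization consequence that deserves a caution rather than a parenthetical: with the default role set to `admin`, every account that completes SSO for the connection's domain receives admin rights in the organization automatically on its first sign-in or sign-up, because membership is granted by the connection rather than by an invitation. Add a sentence recommending `member` as the default for SSO-onboarded users and pointing to where the default role is changed. Minor: `sign in or up` reads awkwardly; use `sign in or sign up`.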
@@ -14,31 +17,32 @@ When a user signs in or signs up with an organization's enterprise connection, t 1. Select a Identity Provider. 1. Add the **Domain** for which you want to enable this connection and select an **Organization**. -## Onboarding flows with enterprise SSO +## Onboarding flows -Using organizations with enterprise SSO can unlock powerful onboarding flows for your enterprise users. Here are two common scenarios: +The two common onboarding flows for organizations with enterprise SSO are to either create an organization first or to have users initiate the setup themselves. -### Organization created first (Top-down approach) +#### Organization created first (top-down approach) -1. You create an organization for your customer through the Clerk Dashboard -1. Collaborate with the customer's IT administrator to obtain the necessary SSO configuration details -1. Configure the SSO connection for the organization via the Dashboard -1. Invite users to the organization, who can sign in using SSO +This flow is common for enterprise sales where the relationship is established before users access the application. -This flow is common for enterprise sales where the relationship is established before users start accessing the application. +1. [Create an organization](/docs/organizations/overview#create-an-organization) for your customer through the Clerk Dashboard. +1. Collaborate with the customer's IT administrator to obtain the necessary configuration details. +1. Configure the SSO connection for the organization. +1. Invite users to the organization, who can then sign in using SSO. -### User-initiated setup (Bottom-up approach) - -1. End user signs up to evaluate your application, starting with an individual account -1. After deciding to adopt the application, they create an organization for their company -1. Configure SSO for the organization through the Clerk Dashboard -1. 
All subsequent users from that organization can now sign in using enterprise SSO +#### User-initiated setup (bottom-up approach) This flow is common when individual users try the product before company-wide adoption. -### Domain-based SSO enforcement +1. An end user signs up to evaluate your application, starting with an individual account. +1. After adopting the application, the user [creates an organization](/docs/organizations/overview#create-an-organization) for their company. +1. Configure SSO for the organization through the Clerk Dashboard. +1. All subsequent users from that organization can now sign in using enterprise SSO. + +## Enforcing SSO by domain -SSO connections are enforced on a per-domain basis within organizations. This allows for flexible access management: +SSO connections are enforced on a per-domain basis in organizations, enabling flexible access management: -- You can configure SSO for your primary domain (e.g., `company.com`) to enforce SSO authentication for employees -- Simultaneously, you can add verified domains without SSO for external collaborators (like contractors or consultants) +- Configure SSO for your primary domain (e.g., `company.com`) to enforce SSO authentication for employees. +- Add additional domains without SSO for external collaborators (e.g., contractors, consultants) +- Each domain in an organization can have different authentication requirements. diff --git a/docs/organizations/overview.mdx b/docs/organizations/overview.mdx index 7a4ceda3bb..ca0255ab3e 100644 --- a/docs/organizations/overview.mdx +++ b/docs/organizations/overview.mdx 
@@ -168,4 +168,11 @@ If the prebuilt components don't meet your specific needs or if you require more ## Enterprise SSO -An enterprise connection can be configured for an organization. Users can sign in through the configured IdP and be automatically added as a member of the organization. See the [manage enterprise SSO](/docs/organizations/enterprise-sso) documentation for more information. +Enterprise Single Sign-On (SSO) can be configured at the organization level, allowing organizations to use their own Identity Provider (IdP) for authentication. When configured: + +- Users can sign in through their organization's configured IdP +- Users are automatically added as members of the organization upon successful authentication +- Organizations can maintain their existing identity management workflows +- SAML 2.0 and OIDC protocols are supported + +For instructions on how to set up and manage enterprise SSO for your organizations, see the [dedicated guide](/docs/organizations/enterprise-sso). diff --git a/docs/organizations/verified-domains.mdx b/docs/organizations/verified-domains.mdx index 2744cc35a9..8625c7cfcc 100644 --- a/docs/organizations/verified-domains.mdx +++ b/docs/organizations/verified-domains.mdx @@ -7,8 +7,8 @@ Verified domains can be used to streamline enrollment into an organization. For A verified domain cannot be a disposable domain or common email provider. For example, you cannot create a verified domain for `@gmail.com`. -> [!NOTE] -> You cannot add a verified domain if it is already in use for the [organization's SSO](/docs/organizations/enterprise-sso) +> [!WARNING] +> A verified domain can't be added if it's already in use for the [organization's SSO](/docs/organizations/enterprise-sso). ## Enable verified domains From 2565cd09fe8fcaa7429c26e6f867a3f110656bc4 Mon Sep 17 00:00:00 2001 
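Review bot: the Onboarding flows hunk in enterprise-sso.mdx demotes `### Organization created first (Top-down approach)` and `### User-initiated setup (Bottom-up approach)` to `####`, leaving them directly under `## Onboarding flows` with no `###` level between, which breaks the heading outline and any table of contents generated from it; keep them at `###`. The same patch removes `## Tutorial` from saml/okta.mdx while `### Set up an enterprise connection in Clerk` and the following `###` sections remain, so that page also skips a level and now differs from saml/custom-provider.mdx, which keeps `## Tutorial`. Minor, in the same enterprise-sso.mdx hunk: the new bullet `Add additional domains without SSO for external collaborators (e.g., contractors, consultants)` is missing its terminal period.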
From: vi Date: Wed, 11 Dec 2024 16:35:56 -0500 Subject: [PATCH 12/23] lint --- .../enterprise-connections/authentication-flows.mdx | 2 +- docs/authentication/enterprise-connections/easie/google.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/authentication/enterprise-connections/authentication-flows.mdx b/docs/authentication/enterprise-connections/authentication-flows.mdx index d75cab8de6..4cf63da22a 100644 --- a/docs/authentication/enterprise-connections/authentication-flows.mdx +++ b/docs/authentication/enterprise-connections/authentication-flows.mdx @@ -36,7 +36,7 @@ In an IdP-initiated flow: To allow IdP-initiated flows for your SAML connection: 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. - 1. Select **Add connection** and select **For specific domains or organizations**. +1. Select **Add connection** and select **For specific domains or organizations**. 1. Select your **Identity Provider**. Complete the fields and select **Add connection**. You'll be redirected to the SAML connection's configuration page. 1. Select the **Advanced** tab. 1. In **Advanced Settings**, enable **Allow IdP-Initiated flow**. A modal will open. Select **Enable** to confirm. diff --git a/docs/authentication/enterprise-connections/easie/google.mdx b/docs/authentication/enterprise-connections/easie/google.mdx index ab1d134889..3b0b0125bf 100644 --- a/docs/authentication/enterprise-connections/easie/google.mdx +++ b/docs/authentication/enterprise-connections/easie/google.mdx 
@@ -32,7 +32,7 @@ Enabling EASIE SSO with Google allows your users to sign up and sign in to your For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed. 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. - 1. Select **Add connection** and select **For specific domains or organizations**. +1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Google**. 1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. 1. Select **Add connection**. From 527ae9f4ddd70eb98d1d40b522cc5dbb06670097 Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:52:21 -0300 Subject: [PATCH 13/23] Fix guidance regarding domain field --- docs/authentication/enterprise-connections/easie/google.mdx | 4 ++-- .../authentication/enterprise-connections/easie/microsoft.mdx | 4 ++-- docs/authentication/enterprise-connections/saml/azure.mdx | 2 +- docs/authentication/enterprise-connections/saml/google.mdx | 2 +- docs/authentication/enterprise-connections/saml/okta.mdx | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/authentication/enterprise-connections/easie/google.mdx b/docs/authentication/enterprise-connections/easie/google.mdx index 3b0b0125bf..0d7a476fb4 100644 --- a/docs/authentication/enterprise-connections/easie/google.mdx +++ b/docs/authentication/enterprise-connections/easie/google.mdx 
@@ -34,7 +34,7 @@ For _development instances_, Clerk uses preconfigured shared credentials and red 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Google**. -1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. +1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. 1. Select **Add connection**. ## Configure for your production instance @@ -52,7 +52,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Google**. - 1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. + 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. 1. Enable **Use custom credentials**. 1. Save the **Redirect URI** somewhere secure. Keep this page open. diff --git a/docs/authentication/enterprise-connections/easie/microsoft.mdx b/docs/authentication/enterprise-connections/easie/microsoft.mdx index e1448b9050..373b6e6fc1 100644 --- a/docs/authentication/enterprise-connections/easie/microsoft.mdx +++ b/docs/authentication/enterprise-connections/easie/microsoft.mdx 
@@ -34,7 +34,7 @@ For _development instances_, Clerk uses preconfigured shared credentials and red 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Microsoft**. -1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. +1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. 1. Select **Add connection**. ## Configure for your production instance @@ -52,7 +52,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Microsoft**. - 1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. + 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. 1. Enable **Use custom credentials**. 1. Save the **Redirect URI** somewhere secure. Keep this page open. diff --git a/docs/authentication/enterprise-connections/saml/azure.mdx b/docs/authentication/enterprise-connections/saml/azure.mdx index c07620da80..fe05632607 100644 --- a/docs/authentication/enterprise-connections/saml/azure.mdx +++ b/docs/authentication/enterprise-connections/saml/azure.mdx 
@@ -32,7 +32,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **SAML**, select **Microsoft Entra ID (Formerly AD)**. - 1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. + 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. 1. Enter the **Name**. This will be displayed on the sign-in form. 1. Select **Add connection**. You'll be redirected to the connection's configuration page. 1. In the **Service Provider Configuration** section, save the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. diff --git a/docs/authentication/enterprise-connections/saml/google.mdx b/docs/authentication/enterprise-connections/saml/google.mdx index 6b0f079e6a..cedd8531ae 100644 --- a/docs/authentication/enterprise-connections/saml/google.mdx +++ b/docs/authentication/enterprise-connections/saml/google.mdx 
@@ -30,7 +30,7 @@ description: Learn how to integrate Google Workspace with Clerk using SAML SSO. 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **SAML**, select **Google Workspace**. - 1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. + 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. 1. Enter the **Name**. This will be displayed on the sign-in form. 1. Select **Add connection**. You'll be redirected to the connection's configuration page. diff --git a/docs/authentication/enterprise-connections/saml/okta.mdx b/docs/authentication/enterprise-connections/saml/okta.mdx index f2af3d04e2..89ef19f888 100644 --- a/docs/authentication/enterprise-connections/saml/okta.mdx +++ b/docs/authentication/enterprise-connections/saml/okta.mdx 
@@ -28,7 +28,7 @@ description: Learn how to integrate Okta Workforce with Clerk using SAML SSO. 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **SAML**, select **Okta Workforce**. - 1. Enter the **Domain**. This is the URL users use to sign in to your application. Optionally, select an **Organization**. + 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. 1. Enter the **Name**. This will be displayed on the sign-in form. 1. Select **Add connection**. You'll be redirected to the connection's configuration page. 1. In the **Service Provider Configuration** section, save the **Single sign-on URL** and **Audience URI (SP Entity ID)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. From 09a3e6537661b40afc73c19db573562f1ccf894c Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:57:21 -0300 Subject: [PATCH 14/23] fix: Remove "Enable custom credentials" step from EASIE setup --- docs/authentication/enterprise-connections/easie/google.mdx | 3 +-- docs/authentication/enterprise-connections/easie/microsoft.mdx | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/authentication/enterprise-connections/easie/google.mdx b/docs/authentication/enterprise-connections/easie/google.mdx index 0d7a476fb4..471e620f41 100644 --- a/docs/authentication/enterprise-connections/easie/google.mdx +++ b/docs/authentication/enterprise-connections/easie/google.mdx 
@@ -53,8 +53,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Google**. 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. - 1. Enable **Use custom credentials**. - 1. Save the **Redirect URI** somewhere secure. Keep this page open. + 2. Save the **Redirect URI** somewhere secure. Keep this page open. ### Create a Google Developer project diff --git a/docs/authentication/enterprise-connections/easie/microsoft.mdx b/docs/authentication/enterprise-connections/easie/microsoft.mdx index 373b6e6fc1..9245bf0c10 100644 --- a/docs/authentication/enterprise-connections/easie/microsoft.mdx +++ b/docs/authentication/enterprise-connections/easie/microsoft.mdx @@ -53,8 +53,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Microsoft**. 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. - 1. Enable **Use custom credentials**. - 1. Save the **Redirect URI** somewhere secure. Keep this page open. + 2. Save the **Redirect URI** somewhere secure. Keep this page open. ### Create a Microsoft Entra ID app From 12179138b06a9800f63c61879ad111410c524771 Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Thu, 12 Dec 2024 11:01:02 -0300 Subject: [PATCH 15/23] chore: Update credentials instructions for EASIE --- docs/authentication/enterprise-connections/easie/google.mdx | 2 +- docs/authentication/enterprise-connections/easie/microsoft.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/authentication/enterprise-connections/easie/google.mdx b/docs/authentication/enterprise-connections/easie/google.mdx index 471e620f41..1305fbb1fb 100644 --- a/docs/authentication/enterprise-connections/easie/google.mdx +++ b/docs/authentication/enterprise-connections/easie/google.mdx @@ -53,7 +53,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Google**. 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. - 2. Save the **Redirect URI** somewhere secure. Keep this page open. + 2. Save the **Redirect URI** somewhere secure. Keep this dialog open to enter the OAuth credentials in the following steps. ### Create a Google Developer project diff --git a/docs/authentication/enterprise-connections/easie/microsoft.mdx b/docs/authentication/enterprise-connections/easie/microsoft.mdx index 9245bf0c10..ff5e9eb331 100644 --- a/docs/authentication/enterprise-connections/easie/microsoft.mdx +++ b/docs/authentication/enterprise-connections/easie/microsoft.mdx @@ -53,7 +53,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Microsoft**. 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. - 2. Save the **Redirect URI** somewhere secure. Keep this page open. + 1. Save the **Redirect URI** somewhere secure. Keep this dialog open to enter the OAuth credentials in the following steps. ### Create a Microsoft Entra ID app From c7afdbb72a9373355e433c21298d63e66225f3f7 Mon Sep 17 00:00:00 2001 
From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Thu, 12 Dec 2024 11:17:08 -0300 Subject: [PATCH 16/23] chore: Add section for managing memberships with SSO enabled --- docs/authentication/enterprise-connections/easie/google.mdx | 2 +- docs/organizations/enterprise-sso.mdx | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/authentication/enterprise-connections/easie/google.mdx b/docs/authentication/enterprise-connections/easie/google.mdx index 1305fbb1fb..c2404bb3e3 100644 --- a/docs/authentication/enterprise-connections/easie/google.mdx +++ b/docs/authentication/enterprise-connections/easie/google.mdx @@ -53,7 +53,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Google**. 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. - 2. Save the **Redirect URI** somewhere secure. Keep this dialog open to enter the OAuth credentials in the following steps. + 1. Save the **Redirect URI** somewhere secure. Keep this dialog open to enter the OAuth credentials in the following steps. ### Create a Google Developer project diff --git a/docs/organizations/enterprise-sso.mdx b/docs/organizations/enterprise-sso.mdx index 7cc8e788c2..f1f5ec2046 100644 --- a/docs/organizations/enterprise-sso.mdx +++ b/docs/organizations/enterprise-sso.mdx 
@@ -46,3 +46,9 @@ SSO connections are enforced on a per-domain basis in organizations, enabling fl - Configure SSO for your primary domain (e.g., `company.com`) to enforce SSO authentication for employees. - Add additional domains without SSO for external collaborators (e.g., contractors, consultants) - Each domain in an organization can have different authentication requirements. + +## Managing memberships + +### Removing a member from your organization + +Users cannot leave the organization themselves, but they can be removed in the Clerk Dashboard, using [Clerk's Backend API](/docs/reference/backend-api/tag/Organization-Memberships#operation/DeleteOrganizationMembership) endpoint, and by another organization member with the [manage members permission](/docs/organizations/roles-permissions#system-permissions) (`org:sys_memberships:manage`). However, the user will be added back to the organization on next sign in, unless they are removed from the IdP or the enterprise connection is no longer associated with the organization. From a806c3b1d2bacf9a06c9b67539d94eab2d7b689e Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Thu, 12 Dec 2024 11:23:50 -0300 Subject: [PATCH 17/23] refactor: Remove specific "Enterprise SSO" to generic org-level SSO --- docs/manifest.json | 4 ++-- docs/organizations/enterprise-sso.mdx | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/manifest.json b/docs/manifest.json index a996d9354a..9d934e5d93 100644 --- a/docs/manifest.json +++ b/docs/manifest.json @@ -669,8 +669,8 @@ "href": "/docs/organizations/verified-domains" }, { - "title": "Enterprise SSO", - "href": "/docs/organizations/enterprise-sso" + "title": "Manage SSO", + "href": "/docs/organizations/manage-sso" }, { "title": "Guides", diff --git a/docs/organizations/enterprise-sso.mdx b/docs/organizations/enterprise-sso.mdx index f1f5ec2046..91660da86c 100644 --- a/docs/organizations/enterprise-sso.mdx 
+++ b/docs/organizations/enterprise-sso.mdx @@ -1,16 +1,16 @@ --- -title: Organization-level enterprise SSO -description: Learn how to set up and manage enterprise SSO for organizations. +title: Organization-level SSO +description: Learn how to set up and manage SSO for organizations. --- -Clerk supports adding enterprise SSO connections to organizations, enabling users to sign in with an Identity Provider (IdP) and easily join organizations. There are three types of [enterprise connections](/docs/authentication/enterprise-connections/authentication-flows) that are supported: EASIE, SAML, and OIDC. +Clerk supports adding SSO connections to organizations, enabling users to sign in with an Identity Provider (IdP) and easily join organizations. There are three types of [enterprise connections](/docs/authentication/enterprise-connections/authentication-flows) that are supported: EASIE, SAML, and OIDC. When users sign in or up using an organization's enterprise connection, they're automatically added as members of that organization and assigned the [default role](/docs/organizations/roles-permissions#default-roles), which can be either `member` or `admin`. > [!WARNING] > A domain used for enterprise SSO can't be used as a [verified domain](/docs/organizations/verified-domains) for the same organization. -## Add an organization-level enterprise SSO connection +## Add an organization-level SSO connection 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. 
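Review bot: in the `docs/organizations/enterprise-sso.mdx` hunk `@@ -1,16 +1,16 @@`, the title, description and `##` heading drop the word "enterprise", but the same hunk keeps "three types of [enterprise connections]", "an organization's enterprise connection" and the WARNING still opens with "A domain used for enterprise SSO", so the page now uses two names for one feature. Either keep "enterprise SSO" throughout or also reword the remaining occurrences in this hunk, e.g. `> A domain used for an organization's SSO connection can't be used as a [verified domain](/docs/organizations/verified-domains) for the same organization.` Note also that the manifest hunk in this same commit points the nav entry at `/docs/organizations/manage-sso` while this file stays at `enterprise-sso.mdx`, so the link resolves to nothing until a later commit in the series; renaming the file in the same commit keeps every commit buildable.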
@@ -19,7 +19,7 @@ When users sign in or up using an organization's enterprise connection, they're ## Onboarding flows -The two common onboarding flows for organizations with enterprise SSO are to either create an organization first or to have users initiate the setup themselves. +The two common onboarding flows for organizations with SSO are to either create an organization first or to have users initiate the setup themselves. #### Organization created first (top-down approach) From 44e1258ede2458ae02f7412789cdbcd2f261520b Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Thu, 12 Dec 2024 13:26:36 -0300 Subject: [PATCH 18/23] chore: Add section regarding updating org from existing connection --- docs/manifest.json | 2 +- .../organizations/manage-organization-sso.mdx | 59 +++++++++++++++++++ 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 docs/organizations/manage-organization-sso.mdx diff --git a/docs/manifest.json b/docs/manifest.json index c6bab5d632..287c56b017 100644 --- a/docs/manifest.json +++ b/docs/manifest.json @@ -676,7 +676,7 @@ }, { "title": "Manage SSO", - "href": "/docs/organizations/manage-sso" + "href": "/docs/organizations/manage-organization-sso" }, { "title": "Guides", diff --git a/docs/organizations/manage-organization-sso.mdx b/docs/organizations/manage-organization-sso.mdx new file mode 100644 index 0000000000..c0b5d33c39 --- /dev/null +++ b/docs/organizations/manage-organization-sso.mdx 
@@ -0,0 +1,59 @@ +--- +title: Organization-level SSO +description: Learn how to set up and manage SSO for organizations. +--- + +Clerk supports adding SSO connections to organizations, enabling users to sign in with an Identity Provider (IdP) and easily join organizations. There are three types of [enterprise connections](/docs/authentication/enterprise-connections/authentication-flows) that are supported: EASIE, SAML, and OIDC. + +When users sign in or up using an organization's enterprise connection, they're automatically added as members of that organization and assigned the [default role](/docs/organizations/roles-permissions#default-roles), which can be either `member` or `admin`. + +> [!WARNING] +> A domain used for enterprise SSO can't be used as a [verified domain](/docs/organizations/verified-domains) for the same organization. +## Add an organization-level SSO connection + +1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. +1. Select **Add connection** and select **For specific domains or organizations**. +1. Select a Identity Provider. +1. Add the **Domain** for which you want to enable this connection and select an **Organization**. + +## Onboarding flows + +The two common onboarding flows for organizations with SSO are to either create an organization first or to have users initiate the setup themselves. + +#### Organization created first (top-down approach) + +This flow is common for enterprise sales where the relationship is established before users access the application. + +1. [Create an organization](/docs/organizations/overview#create-an-organization) for your customer through the Clerk Dashboard. +1. Collaborate with the customer's IT administrator to obtain the necessary configuration details. +1. Configure the SSO connection for the organization. +1. Invite users to the organization, who can then sign in using SSO. 
+ +#### User-initiated setup (bottom-up approach) + +This flow is common when individual users try the product before company-wide adoption. + +1. An end user signs up to evaluate your application, starting with an individual account. +1. After adopting the application, the user [creates an organization](/docs/organizations/overview#create-an-organization) for their company. +1. Configure SSO for the organization through the Clerk Dashboard. +1. All subsequent users from that organization can now sign in using enterprise SSO. + +## Enforcing SSO by domain + +SSO connections are enforced on a per-domain basis in organizations, enabling flexible access management: + +- Configure SSO for your primary domain (e.g., `company.com`) to enforce SSO authentication for employees. +- Add additional domains without SSO for external collaborators (e.g., contractors, consultants) +- Each domain in an organization can have different authentication requirements. + +## Managing memberships + +### Removing a member from your organization + +Users cannot leave the organization themselves, but they can be removed in the Clerk Dashboard, using [Clerk's Backend API](/docs/reference/backend-api/tag/Organization-Memberships#operation/DeleteOrganizationMembership) endpoint, and by another organization member with the [manage members permission](/docs/organizations/roles-permissions#system-permissions) (`org:sys_memberships:manage`). However, the user will be added back to the organization on next sign in, unless they are removed from the IdP or the enterprise connection is no longer associated with the organization. + +## Updating organization from existing enterprise connection + +When transitioning an enterprise connection to a new organization, existing members will remain part of the original organization. However, they will automatically join the new organization upon their next sign-in. 
+ +To remove members from the original organization, you have two options: utilize [Clerk's Backend API](/docs/reference/backend-api/tag/Organization-Memberships#operation/DeleteOrganizationMembership) or manage memberships directly through the Clerk Dashboard. From 449a7c35708c51aad87c8c63c17807e197ce45e2 Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Thu, 12 Dec 2024 13:27:35 -0300 Subject: [PATCH 19/23] fix: Add empty space between warning and section --- docs/organizations/manage-organization-sso.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/organizations/manage-organization-sso.mdx b/docs/organizations/manage-organization-sso.mdx index c0b5d33c39..7a1a9d3708 100644 --- a/docs/organizations/manage-organization-sso.mdx +++ b/docs/organizations/manage-organization-sso.mdx @@ -9,6 +9,7 @@ When users sign in or up using an organization's enterprise connection, they're > [!WARNING] > A domain used for enterprise SSO can't be used as a [verified domain](/docs/organizations/verified-domains) for the same organization. + ## Add an organization-level SSO connection 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. From 1afc087b994d3f584d7eed851a5492004b13bc8d Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Thu, 12 Dec 2024 13:29:52 -0300 Subject: [PATCH 20/23] refactor: Rename page name --- docs/manifest.json | 2 +- .../{manage-organization-sso.mdx => manage-sso.mdx} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename docs/organizations/{manage-organization-sso.mdx => manage-sso.mdx} (100%) diff --git a/docs/manifest.json b/docs/manifest.json index 287c56b017..c6bab5d632 100644 --- a/docs/manifest.json +++ b/docs/manifest.json 
@@ -676,7 +676,7 @@ }, { "title": "Manage SSO", - "href": "/docs/organizations/manage-organization-sso" + "href": "/docs/organizations/manage-sso" }, { "title": "Guides", diff --git a/docs/organizations/manage-organization-sso.mdx b/docs/organizations/manage-sso.mdx similarity index 100% rename from docs/organizations/manage-organization-sso.mdx rename to docs/organizations/manage-sso.mdx From 0633364d85a70dd7066582b7d54856e49df3c4e8 Mon Sep 17 00:00:00 2001 From: Alexis Aguilar <98043211+alexisintech@users.noreply.github.com> Date: Thu, 12 Dec 2024 16:08:51 -0500 Subject: [PATCH 21/23] lil code review --- .../authentication-flows.mdx | 2 +- .../enterprise-connections/easie/google.mdx | 8 +++---- .../easie/microsoft.mdx | 23 +++++++++---------- .../oidc/custom-provider.mdx | 1 - docs/organizations/enterprise-sso.mdx | 6 ++--- 5 files changed, 19 insertions(+), 21 deletions(-) diff --git a/docs/authentication/enterprise-connections/authentication-flows.mdx b/docs/authentication/enterprise-connections/authentication-flows.mdx index 4cf63da22a..05a1d583d6 100644 --- a/docs/authentication/enterprise-connections/authentication-flows.mdx +++ b/docs/authentication/enterprise-connections/authentication-flows.mdx @@ -3,7 +3,7 @@ title: Enterprise SSO authentication flows description: Learn about the Enterprise SSO authentication flows. --- -There are three types of Enterprise SSO connections: [EASIE](#easie), [SAML](#saml), and [OIDC](#oidc). +Clerk offers the following types of Enterprise SSO connections: [EASIE](#easie), [SAML](#saml), and [OIDC](#oidc). ## EASIE diff --git a/docs/authentication/enterprise-connections/easie/google.mdx b/docs/authentication/enterprise-connections/easie/google.mdx index c2404bb3e3..caa6e91d22 100644 --- a/docs/authentication/enterprise-connections/easie/google.mdx +++ b/docs/authentication/enterprise-connections/easie/google.mdx 
@@ -25,7 +25,7 @@ description: Learn how to allow users to sign up and sign in to your Clerk app w - Use Google to authenticate users with EASIE SSO. -Enabling EASIE SSO with Google allows your users to sign up and sign in to your Clerk application with their Google account. +Enabling [EASIE SSO](/docs/authentication/enterprise-connections/overview#easie) with Google allows your users to sign up and sign in to your Clerk application with their Google account. ## Configure for your development instance 
@@ -53,17 +53,17 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Google**. 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. - 1. Save the **Redirect URI** somewhere secure. Keep this dialog open to enter the OAuth credentials in the following steps. + 1. Save the **Redirect URI** somewhere secure. Keep this modal open to enter the OAuth credentials in the following steps. ### Create a Google Developer project 1. Navigate to the [Google Cloud Console](https://console.cloud.google.com/). 1. Select a project or [create a new one](https://console.cloud.google.com/projectcreate). 1. If the **APIs & Services** page isn't already open, open the menu on the left and select **APIs & Services**. - 1. In the menu on the left, select **Credentials**. + 1. In the left sidebar, select **Credentials**. 1. Select **Create Credentials**. Then, select **OAuth client ID.** You may need to [configure your OAuth consent screen](https://support.google.com/cloud/answer/6158849?hl=en#userconsent\&zippy=%2Cuser-consent). 1. Select the appropriate application type for your project. Most likely, you will choose **Web application**. - 1. In the **Authorized redirect URIs** setting, paste the **Redirect URI** value you saved from the Clerk Dashboard. + 1. In the **Authorized redirect URIs** section, select **Add URI** and paste the **Redirect URI** value you saved from the Clerk Dashboard. 1. Select **Create**. ### Set the Client ID and Client Secret in the Clerk Dashboard diff --git a/docs/authentication/enterprise-connections/easie/microsoft.mdx b/docs/authentication/enterprise-connections/easie/microsoft.mdx index ff5e9eb331..e98dd01ed3 100644 --- a/docs/authentication/enterprise-connections/easie/microsoft.mdx 
+++ b/docs/authentication/enterprise-connections/easie/microsoft.mdx @@ -25,7 +25,7 @@ description: Learn how to allow users to sign up and sign in to your Clerk app w - Use Microsoft to authenticate users with EASIE SSO. -Enabling EASIE SSO with Microsoft (formerly [Active Directory](https://learn.microsoft.com/en-us/entra/fundamentals/new-name)) allows your users to sign up and sign in to your Clerk application with their Microsoft account. +Enabling [EASIE SSO](/docs/authentication/enterprise-connections/overview#easie) with Microsoft (formerly [Active Directory](https://learn.microsoft.com/en-us/entra/fundamentals/new-name)) allows your users to sign up and sign in to your Clerk application with their Microsoft account. ## Configure for your development instance @@ -53,7 +53,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. Select **Add connection** and select **For specific domains or organizations**. 1. Under **EASIE**, select **Microsoft**. 1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**. - 1. Save the **Redirect URI** somewhere secure. Keep this dialog open to enter the OAuth credentials in the following steps. + 1. Save the **Redirect URI** somewhere secure. Keep this modal open to enter the OAuth credentials in the following steps. ### Create a Microsoft Entra ID app 
@@ -61,11 +61,11 @@ To make the setup process easier, it's recommended to keep two browser tabs open > If you already have a Microsoft Entra ID app you'd like to connect to Clerk, select your app from the [Microsoft Azure portal](https://portal.azure.com/#home) and skip to [the next step in this tutorial](#get-your-client-id-and-client-secret). 1. On the homepage of the [Microsoft Azure portal](https://portal.azure.com/#home), in the **Azure services** section, select **[Microsoft Entra ID](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview)**. - 1. In the sidebar, open the **Manage** dropdown and select **[App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)**. + 1. In the left sidebar, in the **Manage** dropdown, select **[App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)**. 1. Select **New Registration**. You'll be redirected to the **Register an application** page. 1. Complete the form as follows: 1. Under **Name**, enter your app name. - 1. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. + 1. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. 1. Under **Redirect URI (Optional)**, select **Web**. 1. Select **Register** to submit the form. 
@@ -78,24 +78,23 @@ To make the setup process easier, it's recommended to keep two browser tabs open This claim is mandatory for applications backing EASIE connections. To enable it, you must: 1. In the Microsoft Azure portal, navigate to your app. - 1. In the sidebar, select **Token configuration**. + 1. In the left sidebar, in the **Manage** dropdown, select **Token configuration**. 1. Select **Add optional claim**. 1. For the **Token type**, select **ID**. Then, in the table that opens, enable the `email` and `xms_pdl` claims. 1. At the bottom of the modal, select **Add**. A new modal will prompt you to turn on the Microsoft Graph email permission. Enable it, then select **Add** to complete the form. - 1. Repeat the previous steps for **Token type**, but select **Access** instead of **ID**. The **Optional claims** list should now show two claims for `email` and two for `xms_pdl`: one each for **ID** and **Access**. - 1. In the sidebar, go to **Manifest**. + 1. Repeat the previous steps but for **Token type**, select **Access** instead of **ID**. The **Optional claims** list should now show two claims for `email` and two for `xms_pdl`: one each for **ID** and **Access**. + 1. In the left sidebar, in the **Manage** dropdown, select **Manifest**. 1. In the text editor, search for `"acceptMappedClaims"` and set its value from `null` to `true`. 1. Search for `"optionalClaims"`, where you'll find the `idToken` and `accessToken` arrays. Each array has an object with the name `xms_pdl`. Change the name to `xms_edov`. 1. At the top of the page, select **Save**. - 1. In the sidebar, navigate back to **Token configuration** and confirm that the **Optional claims** list includes two claims for `email` and two for `xms_edov`: one each for **ID** and **Access**. + 1. 
In the left sidebar, in the **Manage** dropdown, select **Token configuration** to confirm that the **Optional claims** list includes two claims for `email` and two for `xms_edov`: one each for **ID** and **Access**. With these steps complete, Microsoft will send the `xms_edov` claim in the token, which Clerk will use to determine whether the email is verified, even when used with Microsoft Entra ID. ### Get your client ID and client secret - Once your Microsoft Entra ID app is created, or once you select your app from the Microsoft Azure portal, you'll be redirected to its **Overview**. - - 1. From your app's overview, save the **Application (client) ID** somewhere secure. You'll need it to connect your Microsoft Entra ID app to your Clerk app. + 1. In the left sidebar, select **Overview**. + 1. Save the **Application (client) ID** somewhere secure. You'll need it to connect your Microsoft Entra ID app to your Clerk app. 1. Under **Client credentials**, select **Add a certificate or secret** to generate a **Client Secret**. You'll be redirected to the **Certificate & secrets** page. 1. Select **New client secret**. In the modal that opens, enter a description and set an expiration time for your secret. > [!IMPORTANT] @@ -111,7 +110,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open To connect your Clerk app to your Microsoft app, set the **Redirect URI** in your Microsoft Azure portal. 1. Navigate back to the Microsoft Azure portal. - 1. In the sidebar, open the **Manage** dropdown and select **Authentication**. + 1. In the left sidebar, in the **Manage** dropdown, select **Authentication**. 1. Select **Add a platform**. 1. Select **Web**. 1. In the **Redirect URIs** field and the **Front-channel logout URL** field, paste the **Redirect URI** you copied from the Clerk Dashboard. 
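Review bot: the rewritten `Repeat the previous steps but for **Token type**, select **Access** instead of **ID**.` reads awkwardly; suggest `Repeat the previous steps, but for **Token type** select **Access** instead of **ID**.` In the manifest step, the text says each of the `idToken` and `accessToken` arrays has an object named `xms_pdl` to rename to `xms_edov`; since the new confirmation step expects two `xms_edov` claims, state explicitly that both entries must be renamed, otherwise only one token type carries the claim and the check at the end of the list fails. Also, the unchanged context line calls the page **Certificate & secrets**, while the Azure portal labels it **Certificates & secrets**.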
diff --git a/docs/authentication/enterprise-connections/oidc/custom-provider.mdx b/docs/authentication/enterprise-connections/oidc/custom-provider.mdx index e5a8c97cbf..caa0291850 100644 --- a/docs/authentication/enterprise-connections/oidc/custom-provider.mdx +++ b/docs/authentication/enterprise-connections/oidc/custom-provider.mdx @@ -40,7 +40,6 @@ To make the setup process easier, it's recommended to keep two browser tabs open 1. If necessary, create a new application in your IdP. 1. In the connection's configuration page of the Clerk Dashboard, copy the **Authorized redirect URI**. 1. Add the value to your IdP's whitelisted URLs. - 1. Find your application's **Discovery Endpoint**, **Client ID**, and **Client Secret** and copy them. ### Set the Discovery Endpoint, Client ID, and Client Secret in Clerk diff --git a/docs/organizations/enterprise-sso.mdx b/docs/organizations/enterprise-sso.mdx index 91660da86c..c34f06adec 100644 --- a/docs/organizations/enterprise-sso.mdx +++ b/docs/organizations/enterprise-sso.mdx 
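Review bot: removing `Find your application's **Discovery Endpoint**, **Client ID**, and **Client Secret** and copy them.` leaves the following section, `Set the Discovery Endpoint, Client ID, and Client Secret in Clerk`, with no preceding instruction telling the reader to collect those three values from the IdP; either keep the step or make sure the next section says where in the IdP to find them.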
@@ -3,9 +3,9 @@ title: Organization-level SSO description: Learn how to set up and manage SSO for organizations. --- -Clerk supports adding SSO connections to organizations, enabling users to sign in with an Identity Provider (IdP) and easily join organizations. There are three types of [enterprise connections](/docs/authentication/enterprise-connections/authentication-flows) that are supported: EASIE, SAML, and OIDC. +Clerk supports adding SSO connections to organizations, enabling users to sign in with an Identity Provider (IdP) and easily join organizations. There types of [enterprise connections](/docs/authentication/enterprise-connections/authentication-flows) that are supported are EASIE, SAML, and OIDC. -When users sign in or up using an organization's enterprise connection, they're automatically added as members of that organization and assigned the [default role](/docs/organizations/roles-permissions#default-roles), which can be either `member` or `admin`. +When users sign up or in using an organization's enterprise connection, they're automatically added as members of that organization and assigned the [default role](/docs/organizations/roles-permissions#default-roles), which can be either `member` or `admin`. > [!WARNING] > A domain used for enterprise SSO can't be used as a [verified domain](/docs/organizations/verified-domains) for the same organization. @@ -14,7 +14,7 @@ When users sign in or up using an organization's enterprise connection, they're 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. 1. Select **Add connection** and select **For specific domains or organizations**. -1. Select a Identity Provider. +1. Select an Identity Provider. 1. Add the **Domain** for which you want to enable this connection and select an **Organization**. ## Onboarding flows From 87d5bbc5666eed6e3d3af90d130e1f5738d43aa9 Mon Sep 17 00:00:00 2001 
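Review bot: the rewrite of the first paragraph introduces a grammatical regression: `There types of [enterprise connections](...) that are supported are EASIE, SAML, and OIDC.` should read `The types of ... that are supported are EASIE, SAML, and OIDC.` (the original `There are three types ...: EASIE, SAML, and OIDC.` was already correct and clearer). The `Select an Identity Provider.` and `sign up or in` fixes in the same file are fine.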
From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Thu, 12 Dec 2024 18:12:35 -0300 Subject: [PATCH 22/23] fix: Remove duplicated file due to Git conflicts --- docs/organizations/enterprise-sso.mdx | 54 --------------------------- 1 file changed, 54 deletions(-) delete mode 100644 docs/organizations/enterprise-sso.mdx diff --git a/docs/organizations/enterprise-sso.mdx b/docs/organizations/enterprise-sso.mdx deleted file mode 100644 index c34f06adec..0000000000 --- a/docs/organizations/enterprise-sso.mdx +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -title: Organization-level SSO -description: Learn how to set up and manage SSO for organizations. ---- - -Clerk supports adding SSO connections to organizations, enabling users to sign in with an Identity Provider (IdP) and easily join organizations. There types of [enterprise connections](/docs/authentication/enterprise-connections/authentication-flows) that are supported are EASIE, SAML, and OIDC. - -When users sign up or in using an organization's enterprise connection, they're automatically added as members of that organization and assigned the [default role](/docs/organizations/roles-permissions#default-roles), which can be either `member` or `admin`. - -> [!WARNING] -> A domain used for enterprise SSO can't be used as a [verified domain](/docs/organizations/verified-domains) for the same organization. - -## Add an organization-level SSO connection - -1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. -1. Select **Add connection** and select **For specific domains or organizations**. -1. Select an Identity Provider. -1. Add the **Domain** for which you want to enable this connection and select an **Organization**. - -## Onboarding flows - -The two common onboarding flows for organizations with SSO are to either create an organization first or to have users initiate the setup themselves. - -#### Organization created first (top-down approach) - -This flow is common for enterprise sales where the relationship is established before users access the application. - -1. [Create an organization](/docs/organizations/overview#create-an-organization) for your customer through the Clerk Dashboard. -1. Collaborate with the customer's IT administrator to obtain the necessary configuration details. -1. Configure the SSO connection for the organization. -1. Invite users to the organization, who can then sign in using SSO. 
- -#### User-initiated setup (bottom-up approach) - -This flow is common when individual users try the product before company-wide adoption. - -1. An end user signs up to evaluate your application, starting with an individual account. -1. After adopting the application, the user [creates an organization](/docs/organizations/overview#create-an-organization) for their company. -1. Configure SSO for the organization through the Clerk Dashboard. -1. All subsequent users from that organization can now sign in using enterprise SSO. - -## Enforcing SSO by domain - -SSO connections are enforced on a per-domain basis in organizations, enabling flexible access management: - -- Configure SSO for your primary domain (e.g., `company.com`) to enforce SSO authentication for employees. -- Add additional domains without SSO for external collaborators (e.g., contractors, consultants) -- Each domain in an organization can have different authentication requirements. - -## Managing memberships - -### Removing a member from your organization - -Users cannot leave the organization themselves, but they can be removed in the Clerk Dashboard, using [Clerk's Backend API](/docs/reference/backend-api/tag/Organization-Memberships#operation/DeleteOrganizationMembership) endpoint, and by another organization member with the [manage members permission](/docs/organizations/roles-permissions#system-permissions) (`org:sys_memberships:manage`). However, the user will be added back to the organization on next sign in, unless they are removed from the IdP or the enterprise connection is no longer associated with the organization. From 7f862b6c9601039d812f1ae79291094dcbc723ff Mon Sep 17 00:00:00 2001 From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> Date: Thu, 12 Dec 2024 18:14:47 -0300 Subject: [PATCH 23/23] fix: Run linting --- docs/organizations/overview.mdx | 6 +++--- docs/organizations/verified-domains.mdx | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
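Review bot: deleting `docs/organizations/enterprise-sso.mdx` removes content that should be confirmed to exist in the replacement `manage-sso` page before merging: the warning that a domain used for enterprise SSO can't also be a verified domain, the `Enforcing SSO by domain` section, and the note under `Removing a member from your organization` that a removed user is added back on next sign-in unless they are removed at the IdP or the enterprise connection is detached from the organization. That last point is what an operator needs to know when offboarding someone, so it must not be lost in the conflict cleanup. The deleted copy also still carries the `There types of` typo from the earlier hunk.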
diff --git a/docs/organizations/overview.mdx b/docs/organizations/overview.mdx index ca0255ab3e..b750105d26 100644 --- a/docs/organizations/overview.mdx +++ b/docs/organizations/overview.mdx @@ -166,13 +166,13 @@ If the prebuilt components don't meet your specific needs or if you require more - [Inviting users to an organization](/docs/organizations/inviting-users), which also includes code for creating a custom list of invitations - [Managing memberships](/docs/organizations/managing-roles), which includes code for updating and deleting a user's membership, for inviting a user, and for creating a custom list of memberships, invitations, and requests -## Enterprise SSO +## Manage SSO -Enterprise Single Sign-On (SSO) can be configured at the organization level, allowing organizations to use their own Identity Provider (IdP) for authentication. When configured: +Single Sign-On (SSO) can be configured at the organization level, allowing organizations to use their own Identity Provider (IdP) for authentication. When configured: - Users can sign in through their organization's configured IdP - Users are automatically added as members of the organization upon successful authentication - Organizations can maintain their existing identity management workflows - SAML 2.0 and OIDC protocols are supported -For instructions on how to set up and manage enterprise SSO for your organizations, see the [dedicated guide](/docs/organizations/enterprise-sso). +For instructions on how to set up and manage SSO for your organizations, see the [dedicated guide](/docs/organizations/manage-sso). diff --git a/docs/organizations/verified-domains.mdx b/docs/organizations/verified-domains.mdx index 8625c7cfcc..bc45a9d06d 100644 --- a/docs/organizations/verified-domains.mdx +++ b/docs/organizations/verified-domains.mdx 
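Review bot: the unchanged bullet `SAML 2.0 and OIDC protocols are supported` is now inconsistent with the organization-level SSO page in this series, which lists EASIE, SAML, and OIDC as the supported enterprise connection types; add EASIE here or drop the protocol bullet and link to the connection types page instead. Renaming the heading from `Enterprise SSO` to `Manage SSO` also drops the term readers search for; `Manage enterprise SSO` would keep it while matching the new page title.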
@@ -8,7 +8,7 @@ Verified domains can be used to streamline enrollment into an organization. For A verified domain cannot be a disposable domain or common email provider. For example, you cannot create a verified domain for `@gmail.com`. > [!WARNING] -> A verified domain can't be added if it's already in use for the [organization's SSO](/docs/organizations/enterprise-sso). +> A verified domain can't be added if it's already in use for the [organization's SSO](/docs/organizations/manage-sso). ## Enable verified domains