Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: SSO per org #1755

Merged
merged 25 commits into from
Dec 18, 2024
Merged

feat: SSO per org #1755

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
e3cc745
Add draft for upcoming changes
LauraBeatris Nov 29, 2024
7d8f7d1
Add enterprise SSO description to organizations overview
mzhong9723 Dec 10, 2024
329d11c
Fix linter
mzhong9723 Dec 10, 2024
ac4fbef
Update instructions for each provider guide
LauraBeatris Dec 10, 2024
b05feca
Add onboarding flows
LauraBeatris Dec 10, 2024
d9f28b4
Rename from "Manage SSO" to "Enterprise SSO"
LauraBeatris Dec 10, 2024
41a9122
Update link to "Enterprise SSO"
LauraBeatris Dec 10, 2024
9df41a0
Refactor "Enterprise SSO" as a separate H2 section
LauraBeatris Dec 10, 2024
013e86a
Fix link
LauraBeatris Dec 11, 2024
37e1e58
Run linting
LauraBeatris Dec 11, 2024
bf4c51d
update
victoriaxyz Dec 11, 2024
cf2b595
lint
victoriaxyz Dec 11, 2024
be89784
Fix guidance regarding domain field
LauraBeatris Dec 12, 2024
a8386f8
fix: Remove "Enable custom credentials" step from EASIE setup
LauraBeatris Dec 12, 2024
b69f178
chore: Update credentials instructions for EASIE
LauraBeatris Dec 12, 2024
8940dd5
chore: Add section for managing memberships with SSO enabled
LauraBeatris Dec 12, 2024
2664d99
refactor: Remove specific "Enterprise SSO" to generic org-level SSO
LauraBeatris Dec 12, 2024
9d1c2dc
chore: Add section regarding updating org from existing connection
LauraBeatris Dec 12, 2024
fe147d0
fix: Add empty space between warning and section
LauraBeatris Dec 12, 2024
fb78019
refactor: Rename page name
LauraBeatris Dec 12, 2024
3414881
lil code review
alexisintech Dec 12, 2024
69dba6c
fix: Remove duplicated file due Git conflicts
LauraBeatris Dec 12, 2024
d024352
fix: Run linting
LauraBeatris Dec 12, 2024
d710977
Update reference for BAPI
LauraBeatris Dec 17, 2024
fcb506a
Run format
LauraBeatris Dec 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions docs/authentication/enterprise-connections/authentication-flows.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Enterprise SSO authentication flows
description: Learn about the Enterprise SSO authentication flows.
---

There are two types of Enterprise SSO connections: [EASIE](#easie) and [SAML](#saml).
Clerk offers the following types of Enterprise SSO connections: [EASIE](#easie), [SAML](#saml), and [OIDC](#oidc).

## EASIE

Expand Down Expand Up @@ -36,7 +36,7 @@ In an IdP-initiated flow:
To allow IdP-initiated flows for your SAML connection:

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Select your **Identity Provider**. Complete the fields and select **Add connection**. You'll be redirected to the SAML connection's configuration page.
1. Select the **Advanced** tab.
1. In **Advanced Settings**, enable **Allow IdP-Initiated flow**. A modal will open. Select **Enable** to confirm.
Expand All @@ -56,3 +56,7 @@ To mitigate the risks associated with IdP-initiated flows, Clerk implements seve
- **Replay detection**: Clerk consumes and remembers each response to prevent re-use. This ensures that bad actors cannot steal and reuse a response to gain access to a user's account.
- **Multi-factor authentication**: Clerk supports [multi-factor authentication (MFA)](/docs/authentication/configuration/sign-up-sign-in-options#multi-factor-authentication) for SAML IdP-initiated flows. MFA requires users to provide two or more forms of verification, which significantly enhances security by reducing the risk of unauthorized access.
- **Use small validation periods**: Each SAML response contains a timestamp indicating when it was issued and when it will expire. Since IdP-initiated flows are expected to be completed within seconds, validation periods must be as small as possible to prevent attacks. Common IdP providers such as Azure, Google, and Okta handle this by default. However, if you're using a custom IdP, you must ensure that the validation periods are set correctly.

## OIDC

Clerk supports Enterprise SSO via the OpenID Connect (OIDC) protocol, either through [EASIE](#easie) or by [integrating with any OIDC-compatible provider](/docs/authentication/enterprise-connections/oidc/custom-provider).
21 changes: 10 additions & 11 deletions docs/authentication/enterprise-connections/easie/google.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,16 +25,16 @@ description: Learn how to allow users to sign up and sign in to your Clerk app w
- Use Google to authenticate users with EASIE SSO.
</TutorialHero>

Enabling EASIE SSO with Google allows your users to sign up and sign in to your Clerk application with their Google account.
Enabling [EASIE SSO](/docs/authentication/enterprise-connections/overview#easie) with Google allows your users to sign up and sign in to your Clerk application with their Google account.

## Configure for your development instance

For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed.

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Under **EASIE**, select **Google** as the identity provider.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **EASIE**, select **Google**.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Select **Add connection**.

## Configure for your production instance
Expand All @@ -50,21 +50,20 @@ To make the setup process easier, it's recommended to keep two browser tabs open
### Enable Google as an EASIE connection

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Below EASIE, select **Google** as the identity provider.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application.
1. Ensure that **Use custom credentials** is toggled on.
1. Save the **Redirect URI** somewhere secure. Keep this page open.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **EASIE**, select **Google**.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Save the **Redirect URI** somewhere secure. Keep this modal open to enter the OAuth credentials in the following steps.

### Create a Google Developer project

1. Navigate to the [Google Cloud Console](https://console.cloud.google.com/).
1. Select a project or [create a new one](https://console.cloud.google.com/projectcreate).
1. If the **APIs & Services** page isn't already open, open the menu on the left and select **APIs & Services**.
1. In the menu on the left, select **Credentials**.
1. In the left sidebar, select **Credentials**.
1. Select **Create Credentials**. Then, select **OAuth client ID.** You may need to [configure your OAuth consent screen](https://support.google.com/cloud/answer/6158849?hl=en#userconsent\&zippy=%2Cuser-consent).
1. Select the appropriate application type for your project. Most likely, you will choose **Web application**.
1. In the **Authorized redirect URIs** setting, paste the **Redirect URI** value you saved from the Clerk Dashboard.
1. In the **Authorized redirect URIs** section, select **Add URI** and paste the **Redirect URI** value you saved from the Clerk Dashboard.
1. Select **Create**.

### Set the Client ID and Client Secret in the Clerk Dashboard
Expand Down
36 changes: 17 additions & 19 deletions docs/authentication/enterprise-connections/easie/microsoft.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,16 +25,16 @@ description: Learn how to allow users to sign up and sign in to your Clerk app w
- Use Microsoft to authenticate users with EASIE SSO.
</TutorialHero>

Enabling EASIE SSO with Microsoft (formerly [Active Directory](https://learn.microsoft.com/en-us/entra/fundamentals/new-name)) allows your users to sign up and sign in to your Clerk application with their Microsoft account.
Enabling [EASIE SSO](/docs/authentication/enterprise-connections/overview#easie) with Microsoft (formerly [Active Directory](https://learn.microsoft.com/en-us/entra/fundamentals/new-name)) allows your users to sign up and sign in to your Clerk application with their Microsoft account.

## Configure for your development instance

For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed.

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select the **Add connection** button, and select **For specific domains**.
1. Under **EASIE**, select **Microsoft** as the identity provider.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **EASIE**, select **Microsoft**.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Select **Add connection**.

## Configure for your production instance
Expand All @@ -50,23 +50,22 @@ To make the setup process easier, it's recommended to keep two browser tabs open
### Enable Microsoft as an EASIE connection

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Under **EASIE**, select **Microsoft** as the identity provider.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
1. Ensure that **Use custom credentials** is toggled on.
1. Save the **Redirect URI** somewhere secure. Keep this page open.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **EASIE**, select **Microsoft**.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Save the **Redirect URI** somewhere secure. Keep this modal open to enter the OAuth credentials in the following steps.

### Create a Microsoft Entra ID app

> [!TIP]
> If you already have a Microsoft Entra ID app you'd like to connect to Clerk, select your app from the [Microsoft Azure portal](https://portal.azure.com/#home) and skip to [the next step in this tutorial](#get-your-client-id-and-client-secret).

1. On the homepage of the [Microsoft Azure portal](https://portal.azure.com/#home), in the **Azure services** section, select **[Microsoft Entra ID](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview)**.
1. In the sidebar, open the **Manage** dropdown and select **[App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)**.
1. In the left sidebar, in the **Manage** dropdown, select **[App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)**.
1. Select **New Registration**. You'll be redirected to the **Register an application** page.
1. Complete the form as follows:
1. Under **Name**, enter your app name.
1. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**.
1. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**.
1. Under **Redirect URI (Optional)**, select **Web**.
1. Select **Register** to submit the form.

Expand All @@ -79,24 +78,23 @@ To make the setup process easier, it's recommended to keep two browser tabs open
This claim is mandatory for applications backing EASIE connections. To enable it, you must:

1. In the Microsoft Azure portal, navigate to your app.
1. In the sidebar, select **Token configuration**.
1. In the left sidebar, in the **Manage** dropdown, select **Token configuration**.
1. Select **Add optional claim**.
1. For the **Token type**, select **ID**. Then, in the table that opens, enable the `email` and `xms_pdl` claims.
1. At the bottom of the modal, select **Add**. A new modal will prompt you to turn on the Microsoft Graph email permission. Enable it, then select **Add** to complete the form.
1. Repeat the previous steps for **Token type**, but select **Access** instead of **ID**. The **Optional claims** list should now show two claims for `email` and two for `xms_pdl`: one each for **ID** and **Access**.
1. In the sidebar, go to **Manifest**.
1. Repeat the previous steps but for **Token type**, select **Access** instead of **ID**. The **Optional claims** list should now show two claims for `email` and two for `xms_pdl`: one each for **ID** and **Access**.
1. In the left sidebar, in the **Manage** dropdown, select **Manifest**.
1. In the text editor, search for `"acceptMappedClaims"` and set its value from `null` to `true`.
1. Search for `"optionalClaims"`, where you'll find the `idToken` and `accessToken` arrays. Each array has an object with the name `xms_pdl`. Change the name to `xms_edov`.
1. At the top of the page, select **Save**.
1. In the sidebar, navigate back to **Token configuration** and confirm that the **Optional claims** list includes two claims for `email` and two for `xms_edov`: one each for **ID** and **Access**.
1. In the left sidebar, in the **Manage** dropdown, select **Token configuration** to confirm that the **Optional claims** list includes two claims for `email` and two for `xms_edov`: one each for **ID** and **Access**.

With these steps complete, Microsoft will send the `xms_edov` claim in the token, which Clerk will use to determine whether the email is verified, even when used with Microsoft Entra ID.

### Get your client ID and client secret

Once your Microsoft Entra ID app is created, or once you select your app from the Microsoft Azure portal, you'll be redirected to its **Overview**.

1. From your app's overview, save the **Application (client) ID** somewhere secure. You'll need it to connect your Microsoft Entra ID app to your Clerk app.
1. In the left sidebar, select **Overview**.
1. Save the **Application (client) ID** somewhere secure. You'll need it to connect your Microsoft Entra ID app to your Clerk app.
1. Under **Client credentials**, select **Add a certificate or secret** to generate a **Client Secret**. You'll be redirected to the **Certificate & secrets** page.
1. Select **New client secret**. In the modal that opens, enter a description and set an expiration time for your secret.
> [!IMPORTANT]
Expand All @@ -112,7 +110,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open
To connect your Clerk app to your Microsoft app, set the **Redirect URI** in your Microsoft Azure portal.

1. Navigate back to the Microsoft Azure portal.
1. In the sidebar, open the **Manage** dropdown and select **Authentication**.
1. In the left sidebar, in the **Manage** dropdown, select **Authentication**.
1. Select **Add a platform**.
1. Select **Web**.
1. In the **Redirect URIs** field and the **Front-channel logout URL** field, paste the **Redirect URI** you copied from the Clerk Dashboard.
Expand Down
4 changes: 2 additions & 2 deletions docs/authentication/enterprise-connections/oidc/custom-provider.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,11 +28,11 @@ To make the setup process easier, it's recommended to keep two browser tabs open
## Set up an enterprise connection in Clerk

1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **OpenID Connect (OIDC)**, select **Custom OIDC Provider**.
1. Add the **Name** of the connection.
1. Add the **Key** of the provider. This is the provider's unique identifier (cannot be changed after creation).
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Select **Add connection**. You will be redirected to the connection's configuration page. Keep this page open.

## Configure your IdP
Expand Down
12 changes: 6 additions & 6 deletions docs/authentication/enterprise-connections/saml/azure.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,13 +30,13 @@ To make the setup process easier, it's recommended to keep two browser tabs open
To create a SAML connection in Clerk:

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Under **SAML**, select **Microsoft Entra ID (Formerly AD)** as the identity provider.
1. Add the **Name** of the connection. This is the name that will be displayed on the sign-in form.
1. Enter the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **SAML**, select **Microsoft Entra ID (Formerly AD)**.
1. Enter the **Domain**. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an **Organization**.
1. Enter the **Name**. This will be displayed on the sign-in form.
1. Select **Add connection**. You'll be redirected to the connection's configuration page.
1. Find the **Service Provider Configuration** section.
1. Save the **Identifier (Entity ID)** and **Reply URL (Assertion Consumer Service URL)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step. Leave this page open.
1. In the **Service Provider Configuration** section, save the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** values somewhere secure. You'll need these in the [Configure your service provider](#configure-your-service-provider) step.
1. Keep this page open.

## Create a new enterprise app in Microsoft

Expand Down
16 changes: 9 additions & 7 deletions docs/authentication/enterprise-connections/saml/custom-provider.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
title: Add a custom Identity Provider as a SAML connection
description: Learn how to integrate an Identity Provider with Clerk using SAML SSO.
title: Add a custom Identity Provider (IdP) as a SAML connection
description: Learn how to integrate an Identity Provider (IdP) with Clerk using SAML SSO.
---

<TutorialHero
Expand All @@ -20,19 +20,21 @@ description: Learn how to integrate an Identity Provider with Clerk using SAML S
- Use a custom IdP to enable single sign-on (SSO) via SAML for your Clerk application.
</TutorialHero>

Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an Identity Provider (IdP). Currently, Clerk offers direct integrations with [Microsoft Azure AD](/docs/authentication/enterprise-connections/saml/azure), [Google Workspace](/docs/authentication/enterprise-connections/saml/google), and [Okta Workforce](/docs/authentication/enterprise-connections/saml/okta) as IdPs. However, you can also integrate with any other IdP that supports the SAML protocol. This guide will show you how to set up a SAML connection with a custom IdP in Clerk.
Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an Identity Provider (IdP). Currently, Clerk offers direct integrations with the following IdPs: [Microsoft Azure AD](/docs/authentication/enterprise-connections/saml/azure), [Google Workspace](/docs/authentication/enterprise-connections/saml/google), and [Okta Workforce](/docs/authentication/enterprise-connections/saml/okta). However, you can also integrate with any other IdPs that supports the SAML protocol.

This guide shows you how to set up a SAML connection with a custom IdP in Clerk.

<Steps>
## Set up an enterprise connection in Clerk

To create a SAML connection in Clerk:

1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
1. Select **Add connection** and select **For specific domains or organizations**.
1. Under **SAML**, select **Custom SAML Provider**.
1. Add the **Name** of the connection. This is the name that will be displayed in the sign-in form.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application.
1. Select **Add connection**. You will be redirected to the connection's configuration page.
1. Add the **Domain** for which you want to enable this connection. This is the domain of the users you wish to allow to sign in to your application. Optionally, select an **Organization**.
1. Enter the **Name**. This will be displayed on the sign-in form.
1. Select **Add connection**. You'll be redirected to the connection's configuration page.

## Create a new enterprise application in your IdP

Expand Down
Loading
Loading