Streamline enterprise customer onboarding with SAML and Clerk

Category
Guides

Learn how to automatically enroll new users into your SAML-enabled enterprise customers.

Enterprise customers can provide massive growth for your B2B applications, but they come with their own unique challenges.

Onboarding is one such challenge. With a potentially large user base that might consistently churn, quickly providing new users the access they need can be a huge win for your B2B applications. Combining SAML, a common enterprise single sign-on strategy, with verified domains can automate the entire process of onboarding users into your application, providing a delightful experience for those users as well as the enterprise's support department.

In this article, you’ll learn more about SAML and how verified domains can be configured to automatically enroll new enterprise users.

What is SAML?

Security Assertion Markup Language (or SAML) is an enterprise single sign-on standard enabling different systems to communicate securely.

It allows systems to share user details, such as attributes about the user and the groups they are members of, and it supports Just-in-Time (JIT) provisioning. Admins can also easily map these attributes if they do not match between the two systems, making the system quite flexible.

When Clerk is configured with a SAML connection, users who log in using an email address associated with the connection will automatically be prompted to log in using the specified identity provider. If they log in using a social provider like Google or GitHub, Clerk will detect the email address through those flows as well and ask the user to authenticate with the enterprise connection.

Enterprises commonly use SAML to streamline the onboarding experience for their users while reducing stress on IT and support.

Automated enrollment with verified domains

Clerk organizations provide a way for developers to empower their users to create and manage tenants within an application.

If one of your customers is a large corporation that uses SAML, you can further streamline the onboarding process for their new users by configuring a verified domain with an organization. With verified domains configured, users using an email address with that domain will automatically be invited to join an organization in your application with no further action from IT.

When combined with SAML connections, the users can simply sign up for your service using their work email, use the same credentials they use for other work apps, and immediately get access to the tenant within your application.

SAML with verified domains in action

With a general understanding of how Clerk’s organizations and verified domains can help you and your SAML customers, let’s see how to configure it. This guide covers how to configure SAML using Google Workspace, but field names are relatively standard across any service that supports SAML.

Before following along, make sure you have the following:


Configuring SAML

In the Clerk Dashboard sidebar, go to User & authentication > SSO Connections. Select Add connection, choose For specific domains, and then Google Workspace. Complete the form as follows:

  • Name: An arbitrary name to identify the connection.
  • Domain: The domain that will use this connection.

Click Add connection when you are done.

The Create connection modal in the Clerk dashboard.

Next, access your Google Workspace Admin panel and navigate to Apps > Web and Mobile Apps.

The Google Web Console with Web and mobile apps highlighted.

Select Add app, then Add custom SAML app. Google will open a new view to walk you through configuring the app. You’ll be sharing some information between the Clerk Dashboard and Google.

The Google Web Console with Add custom SAML app highlighted.

Populate the App Name with the name of your choice and select Continue.

The Add custom SAML app view on step 1 with the name field populated.

Start by selecting Download Metadata, which will download a file containing the configuration for the Google Workspace app.

The Add custom SAML app view on step 2 with Download Metadata highlighted.

Back in the Clerk Dashboard, locate the Identity Provider Configuration section of the Enterprise Connection you created earlier, select Upload file, and upload the file you downloaded from Google.

The enterprise connection in the Clerk dashboard with the Identity Provider Configuration section highlighted.

Once the upload is finished, take note of the ACS URL and Entity ID values from the Clerk dashboard. You’ll need these for the next step.

The enterprise connection in the Clerk dashboard with the ACS URL and Entity ID fields highlighted.

Back in the Google Admin Console, click Continue to move on to step 3 of the setup process if you have not already. Populate the ACS URL and Entity ID fields you obtained from the Clerk Dashboard.

The Add custom SAML app view on Step 3 with the ACS URL and Entity ID fields populated.

Click Continue to move on to step 4. Now you’ll configure attribute mapping, which tells Google Workspace which of its user attributes map to the attributes in Clerk. Select Add Mapping > Basic Information > Primary Email. In the App attributes field, enter “mail” as the value.

The Add custom SAML app view with the Primary email to mail attribute mapping highlighted

Select Finish to complete this part of the process. You should now be viewing the details screen of the app that was just created. The last step in the Google Admin Console is to enable this app for Workspace users. In the User access section, select View details.

The Google Web Console showing User access highlighted in the app that was created.

Next, toggle ON for everyone and select Save.

The Google Web Console showing the ON for everyone option highlighted in the Service status section.

This wraps up the work required in the Google Admin Console. The last step for configuring SAML is to enable the connection in Clerk.

Back in the Clerk dashboard, simply toggle the switch next to Enable connection and then select Save in the bubble that will appear from the bottom of the screen.

The enterprise connection in the Clerk dashboard with the Enable connection toggle highlighted.

If you are stepping through this guide, you should now be able to authenticate using this SAML connection.
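
If a test login fails after these steps, the attribute mapping is a common place to look. The following is an added example, not code from Clerk or Google: it inspects a decoded assertion you captured from your own test login and checks that the "mail" attribute from step 4 is present, single-valued, and on the connection's domain. The function name check_mail_attribute, the domain example.com, and the sample assertion are assumptions constructed for illustration; the check does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute statement an IdP would send once
# "Primary email" is mapped to the app attribute "mail".
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>Alice@Example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_mail_attribute(assertion_xml, connection_domain, attr_name="mail"):
    """Return (ok, detail) for the mapped email attribute of one assertion."""
    # ElementTree is fine for an assertion you captured yourself; it is not
    # a hardened parser for untrusted XML.
    root = ET.fromstring(assertion_xml)
    values = [
        (v.text or "").strip()
        for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == attr_name  # exact name match (assumption of this example)
        for v in a.iterfind("saml:AttributeValue", NS)
    ]
    if not values:
        return False, f"no '{attr_name}' attribute: check the IdP attribute mapping"
    if len(values) > 1:
        return False, f"'{attr_name}' has {len(values)} values, expected exactly one"
    local, sep, domain = values[0].rpartition("@")
    if not sep or not local or not domain:
        return False, f"'{attr_name}' value is not an email address"
    # Exact, case-insensitive comparison: corp.example.com and
    # example.com.evil.test must not pass for example.com.
    if domain.lower() != connection_domain.lower():
        return False, f"domain '{domain}' does not match '{connection_domain}'"
    return True, f"{local}@{domain.lower()}"
```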

Using verified domains within organizations

To enable automatic enrollment within your application, start by enabling organizations within the Clerk dashboard if you have not already done so. This can be done under Organization Settings. Toggle on the following settings then click Save at the bottom of the screen:

  • Unlimited membership
  • Enable verified domains
  • Automatic invitation

The Clerk dashboard Organization Settings with the Unlimited membership and Enable verified domains options highlighted.

With these settings enabled, organization admins can use the Organization configuration view provided by Clerk to add a verified domain for their enterprise and automatically invite new users. Admins can access these settings by using the dropdown provided by <OrganizationSwitcher/> and selecting the cog icon next to their organization.

The OrganizationSwitcher dropdown with the cog icon highlighted.

This will open the Organization configuration modal. Verified domains can be added in the General view:

The Organization configuration modal, in the General tab, with the Verified domains section highlighted.

Once a domain is added, admins can now specify their preferred enrollment settings:

The Organization configuration modal with Automatic invitations highlighted.

Conclusion

SAML is a common single sign-on strategy used by enterprises all over the world. Your application can be configured to streamline onboarding for your enterprise customers using SAML by enabling verified domains for the organizations belonging to those customers. The result is a simplified experience for your customers, their support teams, and their users!

Author
Jakob Evangelista