Docs

Add a custom OpenID Connect (OIDC) Provider as an enterprise connection

You will learn the following:

  • Add a custom OIDC provider to authenticate users with Enterprise SSO

Before you start

This guide explains how to use a custom OpenID Connect (OIDC) provider to authenticate users via Enterprise SSO.

To make the setup process easier, it's recommended to keep two browser tabs open: one for the Clerk Dashboard and one for your Identity Provider (IdP).

Set up an enterprise connection in Clerk

  1. In the Clerk Dashboard, navigate to the SSO Connections page.
  2. Select Add connection and select For specific domains or organizations.
  3. Under OpenID Connect (OIDC), select Custom OIDC Provider.
  4. Add the Name of the connection.
  5. Add the Key of the provider. This is the provider's unique identifier (cannot be changed after creation).
  6. Enter the Domain. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an Organization.
  7. Select Add connection. You will be redirected to the connection's configuration page. Keep this page open.

Configure your IdP

  1. If necessary, create a new application in your IdP.
  2. In the connection's configuration page of the Clerk Dashboard, copy the Authorized redirect URI.
  3. Add the value to your IdP's whitelisted URLs.
  4. Find your application's Discovery Endpoint, Client ID, and Client Secret and copy them.

Set the Discovery Endpoint, Client ID, and Client Secret in Clerk

  1. In your IdP settings, copy your application's Discovery Endpoint, Client ID, and Client Secret.
  2. In the connection's configuration page in the Clerk Dashboard, paste these values in their respective fields.
  3. Under Scopes, add the minimum required scopes based on the IdP's documentation if needed. Common OIDC scopes include openid, email, and profile.
  4. Select Save.

Note

Most IdPs provide a Discovery Endpoint to retrieve metadata about an OIDC provider. If your IdP doesn't offer this endpoint or if you need greater control over the setup process, in the connection's configuration page in the Clerk Dashboard, find the Identity Provider Configuration section and select Use Manual Configuration to manually configure the connection.

Configure attribute mapping (optional)

Clerk expects the claims returned by your IdP to follow the OIDC Standard. If your provider returns claims in a non-standard format, use the Attribute Mapping section on the connection's configuration page to adjust the mapping of Clerk's user properties to match the IdP's claim attributes.

Warning

OIDC Enterprise connections require the email_verified claim to verify email ownership. However, some IdPs, such as Microsoft Azure Active Directory, might not return this claim or use a non-standard format.

If the IdP doesn't return this claim, you can leave the Email address verified field blank and set the Default value to True. This should only be done if you fully trust the IdP, as it can expose your app to OAuth attacks.

Allow additional identifiers (optional)

User profile information is sourced from the IdP. To allow users to add new identifiers (e.g., email address or phone number) to their profiles:

  1. In the connection's configuration page of the Clerk Dashboard, navigate to the Advanced tab.
  2. Enable Allow additional identifiers.
  3. Select Save.

Enable the connection for Clerk

To make the connection available for your users to authenticate with:

  1. Navigate back to the Clerk Dashboard where you should still have the connection's configuration page open. If not, navigate to the SSO connections page and select the connection.
  2. At the top of the page, toggle on Enable connection and select Save.

Test your connection

The simplest way to test your enterprise connection is to visit your Clerk app's Account Portal, which is available for all Clerk apps out-of-the-box.

  1. In the Clerk Dashboard, navigate to the Account Portal page.
  2. Next to the Sign-in URL, select Visit. The URL should resemble:
    • For developmenthttps://your-domain.accounts.dev/sign-in
    • For productionhttps://accounts.your-domain.com/sign-in
  3. Sign in with your IdP account.

Feedback

What did you think of this content?
Edit this page on GitHub

Last updated on