Add Microsoft Entra ID as a SAML connection
You will learn the following:
- Use Microsoft Azure Entra ID to enable SSO via SAML for your Clerk app.
Enabling single sign-on (SSO) with Microsoft Azure Entra ID (formerly Active Directory) allows your users to sign up and sign in to your Clerk application with their Microsoft account.
To make the setup process easier, it's recommended to keep two browser tabs open: one for the Clerk Dashboard and one for your Microsoft Azure portal.
Set up an enterprise connection in Clerk
To create a SAML connection in Clerk:
- In the Clerk Dashboard, navigate to the SSO connections page.
- Select Add connection and select For specific domains or organizations.
- Under SAML, select Microsoft Entra ID (Formerly AD).
- Enter the Domain. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an Organization.
- Enter the Name. This will be displayed on the sign-in form.
- Select Add connection. You'll be redirected to the connection's configuration page.
- In the Service Provider Configuration section, save the Reply URL (Assertion Consumer Service URL) and Identifier (Entity ID) values somewhere secure. You'll need these in the Configure your service provider step.
- Keep this page open.
Create a new enterprise app in Microsoft
To create a new enterprise app in Microsoft:
- In a separate page, navigate to the Microsoft Azure portal and sign in.
- Under the Azure Services section, find and select Enterprise applications. You may have to go to the All services page and then scroll down to the Identity section to find it.
- Select New application. You'll be redirected to the Browse Microsoft Entra Gallery page.
- Select Create your own application.
- In the modal that opens:
- Enter the Name of your app.
- Ensure the option Integrate any other application you don't find in the gallery (Non-gallery) is selected.
- Select Create.
Assign selected user or group in Microsoft
Now that you have created the enterprise app, you need to assign users or groups to the app. For example, if you were part of the Clerk organization, you would have access to users and groups within the Clerk organization. In this case, you could assign individual users or entire groups to the enterprise app you just created.
- In the Getting Started section, select the Assign users and groups link.
- Select Add user/group. You'll be redirected to the Add Assignment page.
- Select the None Selected link.
- To assign a user to the enterprise app, you can either use the search field to find a user or select the checkbox next to the user in the table.
- Select Select at the bottom of the page. You'll be redirected to the Add Assignment page.
- Select Assign at the bottom of the page.
Configure SSO in Microsoft
After assigning the user or group to the enterprise app, you need to configure the SSO settings to enable SAML SSO.
- In the navigation sidebar, open the Manage dropdown and select Single sign-on.
- In the Select a single sign-on method section, select SAML.
Configure your service provider
To configure Clerk as your service provider, add these two fields to your IdP's application:
- Identifier (Entity ID) - A unique identifier for your SAML connection, required by your IdP app.
- Reply URL (Assertion Consumer Service URL) - The URL of your app where your IdP will redirect your users after they authenticate.
To complete the following values for these fields:
- On the Set up Single Sign-On with SAML page, find the Basic SAML Configuration section.
- Select Edit to open the Basic SAML Configuration panel.
- Paste the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) values you saved earlier into their respective fields. These values will be saved automatically.
- Select Save at the top of the panel. Close the panel.
Configure your identity provider
To configure Microsoft Entra ID as your identity provider, add the following fields to your app:
- On the Set up Single Sign-On with SAML page, find the SAML Certificates section.
- Copy the App Federation Metadata Url.
- Navigate back to the Clerk Dashboard. In the Identity Provider Configuration section, under App Federation Metadata Url, paste the App Federation Metadata URL.
- Select Fetch & save.
Map Microsoft claims to Clerk attributes
Mapping the claims in your IdP to the attributes in Clerk ensures that the data from your IdP is correctly mapped to the data in Clerk.
Clerk attribute | Microsoft claim |
---|---|
mail | user.userprincipalname |
firstName | user.givenname |
lastName | user.surname |
The only Microsoft claim that is necessary to map is the email address claim. This is the email address that your users will use to log in to your app.
- Navigate back to the Microsoft Azure portal.
- On the Set up Single Sign-On with SAML page, find the Attributes & Claims section.
- Select Edit.
- To edit the email claim, select the claim with the value of
user.email
. You'll be redirected to the Manage claim page. - Next to Source attribute, search for and select
user.userprincipalname
in the dropdown. - Select Save at the top of the page.
Enable the connection for Clerk
To make the connection available for your users to authenticate with:
- Navigate back to the Clerk Dashboard where you should still have the connection's configuration page open. If not, navigate to the SSO connections page and select the connection.
- At the top of the page, toggle on Enable connection and select Save.
Feedback
Last updated on