Add Microsoft Entra ID as a SAML connection

Enable Microsoft Entra ID as a SAML connection in Clerk

1. In the Clerk Dashboard, navigate to the SSO connections⁠ page.
2. Select Add connection and select For specific domains or organizations.
3. Under SAML, select Microsoft Entra ID (Formerly AD).
4. Enter the Domain. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an Organization.
5. Enter the Name. This will be displayed on the sign-in form.
6. Select Add connection. You'll be redirected to the connection's configuration page.
7. In the Service Provider Configuration section, save the Reply URL (Assertion Consumer Service URL) and Identifier (Entity ID) values somewhere secure. Keep this page open.

Create a new enterprise app in Microsoft

1. In a separate page, navigate to the Microsoft Azure portal⁠ and sign in.
2. Under the Azure Services section, find and select Enterprise applications. You may have to go to the All services⁠ page and then scroll down to the Identity section to find it.
3. Select New application. You'll be redirected to the Browse Microsoft Entra Gallery page.
4. Select Create your own application.
5. In the modal that opens:

• Enter the Name of your app.
• Select Integrate any other application you don't find in the gallery (Non-gallery).
• Select Create.

Assign selected user or group in Microsoft

Now that you have created the enterprise app, you need to assign users or groups to the app. For example, if you were part of the Clerk organization, you would have access to users and groups within the Clerk organization. In this case, you could assign individual users or entire groups to the enterprise app you just created.

1. In the Getting Started section, select the Assign users and groups link.
2. Select Add user/group. You'll be redirected to the Add Assignment page.
3. Select the None Selected link.
4. To assign a user to the enterprise app, you can either use the search field to find a user or select the checkbox next to the user in the table.
5. Select Select at the bottom of the page. You'll be redirected to the Add Assignment page.
6. Select Assign at the bottom of the page.

Configure Clerk as your Service Provider

After assigning the user or group to the enterprise app, you need to configure the SSO settings in Microsoft to enable SAML SSO.

1. In the navigation sidenav, open the Manage dropdown and select Single sign-on.
2. In the Select a single sign-on method section, select SAML. You'll be redirected to the Set up Single Sign-On with SAML page.
3. Find the Basic SAML Configuration section.
4. Select Edit. The Basic SAML Configuration panel will open.
5. Paste the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) values you saved from the Clerk Dashboard into their respective fields. These values will be saved automatically.
6. Select Save at the top of the panel. Close the panel.

Configure Microsoft as your Identity Provider

1. On the Set up Single Sign-On with SAML page, find the SAML Certificates section.
2. Copy the App Federation Metadata Url.
3. Navigate back to the Clerk Dashboard. In the Identity Provider Configuration section, under App Federation Metadata Url, paste the App Federation Metadata URL.
4. Select Fetch & save.

Map Microsoft claims to Clerk attributes

Mapping the claims in your IdP to the attributes in Clerk ensures that the data from your IdP is correctly mapped to the data in Clerk.

The only Microsoft claim that is necessary to map is the email address claim. This is the email address that your users will use to authenticate into your app.

1. On the Set up Single Sign-On with SAML page, find the Attributes & Claims section.
2. Select Edit.
3. To edit the email claim, select the claim with the claim name ending with /claims/emailaddress. You'll be redirected to the Manage claim page.
4. Next to Source attribute, search for and select user.userprincipalname in the dropdown.
5. Select Save at the top of the page.

Enable the connection in Clerk

To make the connection available for your users to authenticate with:

1. Navigate back to the Clerk Dashboard where you should still have the connection's configuration page open. If not, navigate to the SSO connections⁠ page and select the connection.
2. At the top of the page, toggle on Enable connection and select Save.