Add Okta Workforce as a SAML connection
You will learn the following:
- Use Okta Workforce to enable SSO via SAML for your Clerk app
Enabling SAML with Okta Workforce allows your users to sign up and sign in to your Clerk application with their Okta account.
To make the setup process easier, it's recommended to keep two browser tabs open: one for the Clerk Dashboard and one for the Okta dashboard.
Enable Okta as a SAML connection in Clerk
- In the Clerk Dashboard, navigate to the SSO connections page.
- Select Add connection and select For specific domains or organizations.
- Under SAML, select Okta Workforce.
- Enter the Domain. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an Organization.
- Enter the Name. This will be displayed on the sign-in form.
- Select Add connection. You'll be redirected to the connection's configuration page.
- In the Service Provider Configuration section, save the Single sign-on URL and Audience URI (SP Entity ID) values somewhere secure. Keep this page open.
Create a new enterprise application in Okta
- Navigate to Okta and sign in.
- In the Okta dashboard, select Admin in the top right corner.
- In the navigation sidebar, select the Applications dropdown and select Applications.
- Select Create App Integration.
- In the Create a new app integration modal, select the SAML 2.0 option and select the Next button.
- Once redirected to the Create SAML Integration page, complete the General Settings fields. An App name is required.
- Select Next. You'll be redirected to the Configure SAML page.
- Paste the Single sign-on URL and the Audience URI (SP Entity ID) values that you saved from the Clerk Dashboard into their respective fields.
Map Okta claims to Clerk attributes
Mapping the claims in your IdP to the attributes in Clerk ensures that the user data sent by Okta lands in the correct Clerk user fields.

| Clerk attribute | Okta claim |
|---|---|
| mail | user.email |
| firstName | user.firstName |
| lastName | user.lastName |
- In the Okta dashboard, find the Attribute Statements (optional) section.
- For the Name field, enter `mail`.
- For the Value field, choose `user.email` from the dropdown.
- Select the Add Another button to add another attribute.
- For the Name field, enter `firstName`.
- For the Value field, choose `user.firstName` from the dropdown.
- Select the Add Another button to add another attribute.
- For the Name field, enter `lastName`.
- For the Value field, choose `user.lastName` from the dropdown.
- Scroll to the bottom of the page and select the Next button to continue.
- You will be redirected to the Feedback page. Fill out the feedback however you would like and select the Finish button to complete the setup.
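To see what the attribute statements configured above look like on the wire, here is an added Python example (not Clerk's or Okta's code) that parses a constructed, unsigned SAML assertion, checks its Audience against the SP Entity ID saved from the Clerk Dashboard, and extracts the mail, firstName and lastName attribute statements. The SP_ENTITY_ID value and the sample assertion are assumptions; signature and timestamp checks are left to the service provider.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute Statement names configured in Okta above; these are what Clerk reads.
REQUIRED_ATTRIBUTES = {"mail", "firstName", "lastName"}

# Placeholder for the Audience URI (SP Entity ID) copied from the Clerk Dashboard (assumption).
SP_ENTITY_ID = "https://sp.example.invalid/saml/audience"

# Constructed, unsigned sample assertion standing in for what Okta would send.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def map_okta_claims(assertion_xml: str, expected_audience: str) -> dict:
    """Return {attribute name: value} for the required Okta attribute statements,
    after confirming the assertion is addressed to our SP Entity ID.
    Signature and validity-window checks are the SP's job (Clerk), not done here."""
    root = ET.fromstring(assertion_xml.strip())
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: expected {expected_audience}, got {audiences}")
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        # Only the names configured in the Okta Attribute Statements section are accepted.
        if name in REQUIRED_ATTRIBUTES and values and values[0]:
            claims[name] = values[0]
    missing = REQUIRED_ATTRIBUTES - set(claims)
    if missing:
        raise ValueError(f"missing attribute statements: {sorted(missing)}")
    return claims


if __name__ == "__main__":
    print(map_okta_claims(SAMPLE_ASSERTION, SP_ENTITY_ID))
```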
Assign selected user or group in Okta
You need to assign your users/user groups to your enterprise application. For example, if you were part of the Clerk organization, you would have access to users and groups in the Clerk organization. In this case, you could assign one or more users or entire groups to the enterprise application you just created.
- In the Okta dashboard, select the Assignments tab.
- Select the Assign dropdown. You can either select Assign to people or Assign to groups.
- In the search field, enter the user or group of users that you want to assign to the enterprise application.
- Select the Assign button next to the user or group that you want to assign.
- Select the Done button to complete the assignment.
Configure Okta as your Identity Provider
Once you have completed the setup in Okta, you will be redirected to the application instances page with the Sign On tab selected.
- Under Sign on methods, copy the Metadata URL.
- Navigate back to the Clerk Dashboard and find the Identity Provider configuration section.
- Under the Metadata configuration option, paste the Metadata URL.
- Select the Fetch & save button to complete the setup.
Enable the connection in Clerk
To make the connection available for your users to authenticate with:
- Navigate back to the Clerk Dashboard where you should still have the connection's configuration page open. If not, navigate to the SSO connections page and select the connection.
- At the top of the page, toggle on Enable connection and select Save.