From a058e823b45674cb9ddc26e84ea63087f05a0bb4 Mon Sep 17 00:00:00 2001 From: Nicolas Lopes Date: Fri, 10 Jan 2025 14:16:58 -0300 Subject: [PATCH 1/4] docs(authentication/enterprise-connections/overview): add native applications section under SAML --- docs/authentication/enterprise-connections/overview.mdx | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/authentication/enterprise-connections/overview.mdx b/docs/authentication/enterprise-connections/overview.mdx index db77f71d6a..d4b01372f0 100644 --- a/docs/authentication/enterprise-connections/overview.mdx +++ b/docs/authentication/enterprise-connections/overview.mdx @@ -24,6 +24,15 @@ To configure subdomains for a SAML connection: > [!NOTE] > To enable the **Allow subdomains** option, your SAML connection domain must be an [eTLD+1](https://developer.mozilla.org/en-US/docs/Glossary/eTLD). +#### Native applications + +Clerk ensures that security critical nonces are passed only to allowlisted URLs when the SAML flow is completed in native browsers or webviews. For maximum security in your **production** instances, you need to allowlist your custom redirect URLs via the [Clerk Dashboard](https://dashboard.clerk.com/) or the [Clerk Backend API](/docs/references/backend/redirect-urls/create-redirect-url). + +To allowlist a redirect URL via the Clerk Dashboard: + +1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. +1. Scroll to the **Allowlist for mobile OAuth/SAML redirect** section and add your redirect URLs. + ## OIDC Clerk supports Enterprise SSO via the OpenID Connect (OIDC) protocol, either through [EASIE](#easie) or by [integrating with any OIDC-compatible provider](/docs/authentication/enterprise-connections/oidc/custom-provider). From e15f5b165aa7bc073e58f95bd22753accef752c2 Mon Sep 17 00:00:00 2001 
From: Alexis Aguilar <98043211+alexisintech@users.noreply.github.com> Date: Fri, 10 Jan 2025 15:46:55 -0500 Subject: [PATCH 2/4] fix headings --- docs/authentication/enterprise-connections/overview.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/authentication/enterprise-connections/overview.mdx b/docs/authentication/enterprise-connections/overview.mdx index d4b01372f0..ed414acbd7 100644 --- a/docs/authentication/enterprise-connections/overview.mdx +++ b/docs/authentication/enterprise-connections/overview.mdx @@ -9,7 +9,7 @@ Enterprise Single Sign-On (SSO) allows users to sign in seamlessly using their I Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an IdP. The following IdPs are supported: [Microsoft Azure AD](/docs/authentication/enterprise-connections/saml/azure), [Google Workspace](/docs/authentication/enterprise-connections/saml/google), and [Okta Workforce](/docs/authentication/enterprise-connections/saml/okta). However, you can also [integrate with any other IdP](/docs/authentication/enterprise-connections/saml/custom-provider) that supports the SAML protocol. -#### Allow subdomains +### Allow subdomains Authenticating via SAML SSO requires the user's email address domain to match the exact domain the SAML connection has been configured with. By default, subdomains are not supported. For example, a user with the email address `john@sales.example.com` wouldn't be able to use a SAML connection with the `example.com` domain to authenticate. 
@@ -24,7 +24,7 @@ To configure subdomains for a SAML connection: > [!NOTE] > To enable the **Allow subdomains** option, your SAML connection domain must be an [eTLD+1](https://developer.mozilla.org/en-US/docs/Glossary/eTLD). -#### Native applications +### Native applications Clerk ensures that security critical nonces are passed only to allowlisted URLs when the SAML flow is completed in native browsers or webviews. For maximum security in your **production** instances, you need to allowlist your custom redirect URLs via the [Clerk Dashboard](https://dashboard.clerk.com/) or the [Clerk Backend API](/docs/references/backend/redirect-urls/create-redirect-url). @@ -54,7 +54,7 @@ Within 10 minutes of a user being removed from the OpenID provider (e.g. [suspen It is ultimately the app's responsibility to handle this unauthenticated state and display something appropriate to the user. For example, Next.js apps using [`auth.protect()`](/docs/references/nextjs/auth#auth-protect) will automatically redirect the user to the sign-in page. -### SAML vs. EASIE +## SAML vs. EASIE The primary security difference between EASIE SSO and SAML SSO is that EASIE depends on a multi-tenant identity provider, while SAML depends on a single-tenant identity provider. Relying on a multi-tenant provider **increases** the risk that a user from one tenant will mistakenly be granted access to the resources of another tenant. While Clerk implements [measures to address this risk](https://easie.dev/#mitigating-tenant-crossover-vulnerabilities:~:text=4.%20Mitigating%20tenant%20crossover%20vulnerabilities), apps that require single-tenant IdPs should opt for SAML. From c09f2706e1cf2b4713d6e6de53a2e5c6c2acf2b1 Mon Sep 17 00:00:00 2001 
From: nicolas lopes <57234795+NicolasLopes7@users.noreply.github.com> Date: Mon, 13 Jan 2025 17:22:20 -0300 Subject: [PATCH 3/4] Update docs/authentication/enterprise-connections/overview.mdx Co-authored-by: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com> --- docs/authentication/enterprise-connections/overview.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/authentication/enterprise-connections/overview.mdx b/docs/authentication/enterprise-connections/overview.mdx index ed414acbd7..da419155f6 100644 --- a/docs/authentication/enterprise-connections/overview.mdx +++ b/docs/authentication/enterprise-connections/overview.mdx @@ -26,7 +26,7 @@ To configure subdomains for a SAML connection: ### Native applications -Clerk ensures that security critical nonces are passed only to allowlisted URLs when the SAML flow is completed in native browsers or webviews. For maximum security in your **production** instances, you need to allowlist your custom redirect URLs via the [Clerk Dashboard](https://dashboard.clerk.com/) or the [Clerk Backend API](/docs/references/backend/redirect-urls/create-redirect-url). +Clerk ensures that security critical nonces are passed only to allowlisted URLs when the SSO flow is completed in native browsers or webviews. For maximum security in your **production** instances, you need to allowlist your custom redirect URLs via the [Clerk Dashboard](https://dashboard.clerk.com/) or the [Clerk Backend API](/docs/references/backend/redirect-urls/create-redirect-url). To allowlist a redirect URL via the Clerk Dashboard: From 6db106fe3f17f3abcecf3138056b414654b9d934 Mon Sep 17 00:00:00 2001 From: nicolas lopes <57234795+NicolasLopes7@users.noreply.github.com> Date: Mon, 13 Jan 2025 17:24:56 -0300 Subject: [PATCH 4/4] Update docs/authentication/enterprise-connections/overview.mdx Co-authored-by: victoria --- docs/authentication/enterprise-connections/overview.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/docs/authentication/enterprise-connections/overview.mdx b/docs/authentication/enterprise-connections/overview.mdx index da419155f6..23c41e3bac 100644 --- a/docs/authentication/enterprise-connections/overview.mdx +++ b/docs/authentication/enterprise-connections/overview.mdx @@ -31,7 +31,8 @@ Clerk ensures that security critical nonces are passed only to allowlisted URLs To allowlist a redirect URL via the Clerk Dashboard: 1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. -1. Scroll to the **Allowlist for mobile OAuth/SAML redirect** section and add your redirect URLs. +1. Scroll down to the **Allowlist for mobile SSO redirect** section. +1. Under **Redirect URLs**, paste your the URL and select **Add**. ## OIDC
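Review bot: In the PATCH 1/4 hunk (@@ -24,6 +24,15 @@), "security critical nonces" should be hyphenated as "security-critical nonces", and the sentence "For maximum security in your **production** instances, you need to allowlist your custom redirect URLs" leaves the actual behaviour undocumented: a reader cannot tell whether an unlisted redirect URL is rejected outright in production or merely discouraged, nor what the default is in development instances. Suggest stating the failure mode explicitly (for example, "In production instances, a redirect to a URL that is not on the allowlist is rejected"), since that is the property the allowlist exists to enforce. The paragraph also points to the Backend API as an alternative but only walks through the Dashboard; a one-line pointer to the request shape, or a sentence saying the API reference covers it, would keep the two paths at parity.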
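Review bot: In the PATCH 2/4 hunk at @@ -54,7 +54,7 @@, promoting "### SAML vs. EASIE" to "## SAML vs. EASIE" makes it a top-level sibling of "## SAML" and "## OIDC" rather than a subsection of OIDC/EASIE; that reads as intentional given the comparison spans both protocols, but the rendered table of contents should be checked so the "Within 10 minutes of a user being removed" and "auth.protect()" paragraphs above it still fall under the section they describe. The companion hunks that move "Allow subdomains" and "Native applications" from "####" to "###" are consistent with one another and with their "## SAML" parent.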
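Review bot: In the PATCH 3/4 hunk (@@ -26,7 +26,7 @@), widening "when the SAML flow is completed" to "when the SSO flow is completed" changes the scope of the statement, but the "### Native applications" section still sits under the "## SAML" heading (the hunk context is "To configure subdomains for a SAML connection:" and the next top-level heading in PATCH 1/4 is "## OIDC"). If the redirect URL allowlist applies to OIDC and EASIE connections as well, consider either moving the section out of the SAML block or adding a sentence that says it applies to every enterprise connection type, so OIDC users do not skip a security control that concerns them.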
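Review bot: In the PATCH 4/4 hunk (@@ -31,7 +31,8 @@), the new step "Under **Redirect URLs**, paste your the URL and select **Add**." has a stray word; suggest "paste your URL and select **Add**" or "paste the URL and select **Add**". Splitting the original step into "Scroll down to the **Allowlist for mobile SSO redirect** section." and the paste step is an improvement, and the renamed section label ("mobile SSO redirect" rather than "mobile OAuth/SAML redirect") matches the SAML-to-SSO wording change made in PATCH 3/4.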