Use Microsoft Azure AD for SAML SSO
You will learn how to:
- Use Microsoft Azure Active Directory (Azure AD) to enable single sign-on (SSO) via SAML for your Clerk application.
Tutorial
Set up an enterprise connection in Clerk
To create a SAML connection in Clerk:
- Navigate to the Clerk Dashboard.
- In the navigation sidebar, select User & Authentication > Enterprise Connections.
- Select the Create connection button.
- You will be presented with a modal to create a new connection. Fill in the required fields and for the Identity Provider, select Microsoft Azure AD.
- Next, on the Connection page, do not select the Enable connection toggle just yet. You need to fully configure your IdP first before exposing your connection to your users.
- Leave this page open. You will need to come back to it to complete the setup.
Create a new enterprise application in Azure
To create a new enterprise application in Azure:
- Navigate to the Azure Portal and sign in.
- Under the Azure Services section, find and select Enterprise Applications. You may have to go to the All services page and then scroll down to the Identity section to find it.
- Select the New Application button.
- Select the Create your own application button.
- Fill in the required fields and select the Create button.
Assign selected user or group in Azure
Now that you have created the enterprise application, you need to assign your users/user groups to it. For example, if you were part of the Clerk organization, you would have access to users and groups in the Clerk organization. In this case, you could assign one or more users or entire groups to the enterprise application you just created.
- Under the Getting started section, select Assign users and groups.
- Select the Add user/group button.
- Under Users, select the None Selected link.
- In the search field, enter the user or group of users that you want to assign to the enterprise application.
- Select the check box next to the user or group that you want to assign.
- Select the Select button at the bottom of the page.
- Select the Assign button at the bottom of the page.
Configure single sign-on (SSO) in Azure
After you have assigned the user or group of users to the enterprise application, you need to configure the single sign-on (SSO) settings to enable SAML SSO.
- In the navigation sidebar, select Overview.
- Under the Getting started section, select Set up single sign-on.
- Select SAML as the single sign-on method.
Configure your service provider
To configure your service provider (Clerk), you must add these two fields to your IdP's application:
- Reply URL (Assertion Consumer Service URL) - This is the Clerk endpoint that your IdP will redirect your users back to, together with the SAML response, after they have authenticated in your IdP.
- Identifier (Entity ID) - This is the unique identifier for your SAML connection that your IdP application needs; it is the audience the IdP writes into each assertion.
To fill out the appropriate values for these fields:
- On the Set up Single Sign-On with SAML page, you will see the Basic SAML Configuration section. Select the Edit button. This will open a Basic SAML Configuration modal.
- Go back to the Clerk Dashboard and scroll down to the Service Provider configuration section.
- Copy the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL).
- In the Azure Portal, in the Basic SAML Configuration modal, paste these values into their respective fields.
- Select Save at the top of the modal.
Configure your identity provider
- On the Set up Single Sign-On with SAML page, find the SAML Certificates section.
- Copy the App Federation Metadata Url.
- In the Clerk Dashboard, find the Identity Provider configuration section.
- Under the Metadata configuration option, paste the App Federation Metadata Url.
Map Azure claims to Clerk attributes
Mapping the claims in your IdP to the attributes in Clerk ensures that the data from your IdP is correctly mapped to the data in Clerk.
The only Azure claim that is necessary to map is the email address claim. This is the email address that your users will use to log in to your application.
- On the Set up Single Sign-On with SAML page, find the Attributes & Claims section.
- Select the Edit button.
- Select the email address claim (`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`) to edit the field.
- Next to Source attribute, select the dropdown and choose `user.userprincipalname`.
- Select Save at the top of the page.
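The two values copied into Azure (Identifier / Entity ID and Reply URL / ACS URL) and the mapped email claim are what a service provider later checks on every SAML response: the response must be addressed to the Reply URL, the assertion's audience must be the Entity ID, and the email attribute must be present. The script below is an added example, not Clerk's or Microsoft's code. It parses a federation metadata document shaped like the one served at the App Federation Metadata Url and runs those consistency checks over a constructed, unsigned response; the tenant ID, certificate body, service-provider URLs and user address are placeholders, and signature verification is deliberately left out.

```python
"""Configuration consistency check for an Azure AD -> Clerk SAML connection.

Added example (not Clerk's or Microsoft's code). Verifies that a SAML
response is addressed to the service-provider values entered during setup
(Entity ID and Reply URL) and carries the mapped email claim. Signature
verification is intentionally out of scope here.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholders standing in for the values copied from the Clerk Dashboard's
# "Service Provider configuration" section.
SP_ENTITY_ID = "https://sp.example.invalid/saml/placeholder-entity-id"
SP_ACS_URL = "https://sp.example.invalid/saml/placeholder-acs"

# Constructed metadata in the shape Azure AD publishes; the tenant ID and the
# certificate body are placeholders.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the IdP entity ID, redirect-binding SSO URL and signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_REDIRECT}']", NS)
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "sso_url": None if sso is None else sso.get("Location"),
        "signing_certs": certs,
    }


def build_sample_response(entity_id, acs_url, issuer, email):
    """Constructed, unsigned response for one user (a real Azure response is signed)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-04-02T00:00:00Z" Destination="{acs_url}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-04-02T00:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{email}</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{entity_id}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, idp, sp_entity_id, acs_url):
    """Return (problems, email); empty problems means the response is addressed to this SP."""
    root = ET.fromstring(xml_text)
    problems = []
    # Reply URL: the response must be delivered to the ACS endpoint configured in Azure.
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the Reply URL")
    # Issuer must be the tenant whose metadata was pasted into Clerk.
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != idp["entity_id"]:
        problems.append(f"Issuer {issuer!r} is not the IdP from the metadata")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("response carries no Assertion")
        return problems, None
    # Entity ID: the assertion must be scoped to this service provider.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences!r} does not include the Entity ID")
    # Claim mapping: the email attribute configured under Attributes & Claims.
    email = assertion.findtext(
        f"saml:AttributeStatement/saml:Attribute[@Name='{EMAIL_CLAIM}']/saml:AttributeValue",
        namespaces=NS)
    if not email:
        problems.append("email address claim missing; check the Attributes & Claims mapping")
    return problems, email


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    good = build_sample_response(SP_ENTITY_ID, SP_ACS_URL, idp["entity_id"], "user@example.invalid")
    print(check_response(good, idp, SP_ENTITY_ID, SP_ACS_URL))
    # The two values pasted into the wrong Basic SAML Configuration fields:
    bad = build_sample_response(SP_ACS_URL, SP_ENTITY_ID, idp["entity_id"], "user@example.invalid")
    print(check_response(bad, idp, SP_ENTITY_ID, SP_ACS_URL))
```

The second call shows what happens when the Entity ID and Reply URL are pasted into each other's fields in the Basic SAML Configuration modal: both the Destination and the Audience checks fail, which is the kind of mismatch that surfaces only as a failed login once the connection is enabled.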
Enable the connection for Clerk
To make the connection available for your users to authenticate with:
- In the Clerk Dashboard, scroll to the top of the Connection page.
- Toggle on the Enable connection option.
Last updated on April 2, 2024