feat(ui): <ConfigureSSO /> POC

[LauraBeatris]

Description

⚠️ proof of concept for the upcoming state of <ConfigureSSO />, it contains a rough UI/UX but allows the end-user to create a connection e2e

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	May 7, 2026 3:59pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: fc4519f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8491

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8491

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8491

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8491

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8491

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8491

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8491

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8491

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8491

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8491

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8491

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8491

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8491

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8491

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8491

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8491

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8491

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8491

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8491

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8491

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8491

commit: 0e44641

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: dd85c774-eb80-4edd-a160-6e15f87fd7e7

📥 Commits

Reviewing files that changed from the base of the PR and between 8a5cdf2 and fc4519f.

⛔ Files ignored due to path filters (1)

• packages/ui/src/icons/duotone-at-symbol.svg is excluded by !**/*.svg

📒 Files selected for processing (16)

• packages/clerk-js/src/core/resources/User.ts
• packages/clerk-js/src/core/resources/__tests__/User.test.ts
• packages/localizations/src/en-US.ts
• packages/shared/src/types/localization.ts
• packages/ui/src/components/ConfigureSSO/ConfigureSSO.tsx
• packages/ui/src/components/ConfigureSSO/ConfigureSSOContext.tsx
• packages/ui/src/components/ConfigureSSO/steps/ConfigureCreateAppStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/ConfirmationStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/ProvideEmailStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/SelectProviderStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/StepLayout.tsx
• packages/ui/src/components/ConfigureSSO/steps/TestConfigurationStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/VerifyDomainStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/index.ts
• packages/ui/src/elements/contexts/index.tsx
• packages/ui/src/icons/index.ts

✅ Files skipped from review due to trivial changes (1)

• packages/ui/src/components/ConfigureSSO/steps/index.ts

🚧 Files skipped from review as they are similar to previous changes (4)

• packages/localizations/src/en-US.ts
• packages/clerk-js/src/core/resources/tests/User.test.ts
• packages/ui/src/components/ConfigureSSO/steps/ConfirmationStep.tsx
• packages/ui/src/components/ConfigureSSO/ConfigureSSOContext.tsx

---

📝 Walkthrough

Walkthrough

This PR implements a complete multi-step SSO configuration wizard for enterprise users. It updates the backend API contract for enterprise connection payloads to use flat prefixed field names (saml_, oidc_) instead of nested structures. The UI introduces a six-step wizard: provider selection, conditional email provision, email domain verification via OTP, app configuration with IdP metadata validation, SSO testing via polling, and final confirmation with enable/disable controls. State flows through a ConfigureSSOContext that manages selected provider, enterprise connection data, and CRUD/revalidation handlers. Each step handles its own error state and uses shared helpers like handleError for consistency. Localization types and strings support the new email verification step.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• clerk/javascript#8468: Related ConfigureSSO wizard implementation changes affecting the same step components and wizard orchestration structure.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(ui): <ConfigureSSO /> POC' is clear, specific, and directly describes the main change: a proof-of-concept implementation of the ConfigureSSO component, which is the central focus of the changeset.
Description check	✅ Passed	The description relates to the changeset by explaining that this is a proof-of-concept for the ConfigureSSO component that enables end-to-end connection creation, which aligns with the implementation of multiple wizard steps and supporting features across the codebase.
Docstring Coverage	✅ Passed	Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/ui/src/components/ConfigureSSO/ConfigureSSO.tsx`:
- Around line 148-179: The wizard incorrectly skips the ProvideEmail step when
any user.emailAddresses exist; update ConfigureSSOWizard flow to require/select
a domain-specific email instead: replace the hasEmailAddress boolean with logic
that checks for an email matching the target/work domain (or introduce explicit
state like selectedEmail / targetEmail) and only skip rendering the ProvideEmail
step if a matching domain email is found; ensure ProvideEmail sets selectedEmail
and pass that selectedEmail (instead of reading user.emailAddresses or primary)
into VerifyDomainStep so VerifyDomainStep verifies the chosen target email for
the enterprise connection.

In `@packages/ui/src/components/ConfigureSSO/steps/ConfigureCreateAppStep.tsx`:
- Around line 42-60: The auto-create path can leave
hasAttemptedCreateRef.current true on failure causing an unrecoverable spinner;
update the effect around createEnterpriseConnection (which uses
hasAttemptedCreateRef, setIsCreating, card.setError) so that on rejection you
clear/reset hasAttemptedCreateRef.current (or set a local failed flag) and set
an error state via card.setError (or another piece of state) to surface a retry
UI; ensure the render branch that currently checks !enterpriseConnection shows
an error/retry when hasAttemptedCreateRef indicates a failed attempt (instead of
always rendering the spinner) and keep setIsCreating(false) on both success and
failure.

In `@packages/ui/src/components/ConfigureSSO/steps/TestConfigurationStep.tsx`:
- Around line 37-39: The current code launches a test via
user.createEnterpriseConnectionTestRun and then polls for any successful run,
which allows old runs to incorrectly mark the step complete and cannot detect a
specific run failure; capture the run id returned by
createEnterpriseConnectionTestRun (store it alongside setTestUrl), then change
the polling logic (the code that currently calls
getEnterpriseConnectionTestRuns) to query the specific run by id (or filter by
runId) and inspect that run's terminal status, proceeding only when that run's
status is "success" and treating "failure" as a terminal error (stop spinner and
surface an error) so that only the newly created run controls completion of
TestConfigurationStep.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 4ba31d44-1f6e-4de6-b1a7-150bfc68c86f

📥 Commits

Reviewing files that changed from the base of the PR and between d7317c1 and 0e44641.

⛔ Files ignored due to path filters (1)

• packages/ui/src/icons/duotone-at-symbol.svg is excluded by !**/*.svg

📒 Files selected for processing (25)

• .changeset/lucky-tables-learn.md
• packages/clerk-js/src/core/clerk.ts
• packages/clerk-js/src/core/resources/User.ts
• packages/clerk-js/src/core/resources/__tests__/User.test.ts
• packages/localizations/src/en-US.ts
• packages/shared/src/internal/clerk-js/warnings.ts
• packages/shared/src/types/localization.ts
• packages/ui/src/components/ConfigureSSO/ConfigureSSO.tsx
• packages/ui/src/components/ConfigureSSO/ConfigureSSOContext.tsx
• packages/ui/src/components/ConfigureSSO/steps/ConfigureCreateAppStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/ConfirmationStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/ProvideEmailStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/SelectProviderStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/StepLayout.tsx
• packages/ui/src/components/ConfigureSSO/steps/TestConfigurationStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/VerifyDomainStep.tsx
• packages/ui/src/components/ConfigureSSO/steps/index.ts
• packages/ui/src/components/ConfigureSSO/wizard/ConfigureSSOWizard.tsx
• packages/ui/src/components/ConfigureSSO/wizard/ConfigureSSOWizardContext.tsx
• packages/ui/src/components/ConfigureSSO/wizard/index.ts
• packages/ui/src/components/ConfigureSSO/wizard/types.ts
• packages/ui/src/customizables/elementDescriptors.ts
• packages/ui/src/elements/contexts/index.tsx
• packages/ui/src/icons/index.ts
• packages/ui/src/internal/appearance.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Don't skip the add-email path just because the user has some email address.

hasEmailAddress only checks user.emailAddresses.length, so users who are already signed in with a personal address bypass ProvideEmail. VerifyDomainStep then reuses the current primary/unverified address, which means this flow can't collect and verify the work-domain email required for the enterprise connection. That breaks the end-to-end Configure SSO path for a common account shape; the wizard needs to track/select an email for the target domain rather than treating “any email exists” as sufficient.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/ui/src/components/ConfigureSSO/ConfigureSSO.tsx` around lines 148 -
179, The wizard incorrectly skips the ProvideEmail step when any
user.emailAddresses exist; update ConfigureSSOWizard flow to require/select a
domain-specific email instead: replace the hasEmailAddress boolean with logic
that checks for an email matching the target/work domain (or introduce explicit
state like selectedEmail / targetEmail) and only skip rendering the ProvideEmail
step if a matching domain email is found; ensure ProvideEmail sets selectedEmail
and pass that selectedEmail (instead of reading user.emailAddresses or primary)
into VerifyDomainStep so VerifyDomainStep verifies the chosen target email for
the enterprise connection.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Make the auto-create failure path recoverable.

If createEnterpriseConnection() fails here, hasAttemptedCreateRef stays true while enterpriseConnection stays undefined, so the branch at Line 108 keeps rendering the spinner forever and the user has no retry path. The same dead-end happens if this step is reached without the prerequisites needed to start creation. Please render an error/retry state when creation cannot proceed, instead of treating !enterpriseConnection as "still loading".

Also applies to: 108-119

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/ui/src/components/ConfigureSSO/steps/ConfigureCreateAppStep.tsx`
around lines 42 - 60, The auto-create path can leave
hasAttemptedCreateRef.current true on failure causing an unrecoverable spinner;
update the effect around createEnterpriseConnection (which uses
hasAttemptedCreateRef, setIsCreating, card.setError) so that on rejection you
clear/reset hasAttemptedCreateRef.current (or set a local failed flag) and set
an error state via card.setError (or another piece of state) to surface a retry
UI; ensure the render branch that currently checks !enterpriseConnection shows
an error/retry when hasAttemptedCreateRef indicates a failed attempt (instead of
always rendering the spinner) and keep setIsCreating(false) on both success and
failure.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Track the specific test run instead of polling for any prior success.

This step marks the check as complete as soon as getEnterpriseConnectionTestRuns(..., { status: ['success'] }) returns any row, so an older successful run on the same connection will enable Continue immediately even if the URL created here was never used. The inverse case is broken too: a newly failed run is indistinguishable from “still waiting”, so the user can sit on the spinner forever after a bad test. Please tie the poll to the run started at Line 38 and inspect that run’s terminal status before enabling progression.

Also applies to: 59-67

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/ui/src/components/ConfigureSSO/steps/TestConfigurationStep.tsx`
around lines 37 - 39, The current code launches a test via
user.createEnterpriseConnectionTestRun and then polls for any successful run,
which allows old runs to incorrectly mark the step complete and cannot detect a
specific run failure; capture the run id returned by
createEnterpriseConnectionTestRun (store it alongside setTestUrl), then change
the polling logic (the code that currently calls
getEnterpriseConnectionTestRuns) to query the specific run by id (or filter by
runId) and inspect that run's terminal status, proceeding only when that run's
status is "success" and treating "failure" as a terminal error (stop spinner and
surface an error) so that only the newly created run controls completion of
TestConfigurationStep.

[LauraBeatris]

!snapshot