feat(ui): add Configure manually path to ConfigureSSO submit-config sub-step

[iagodahlem]

Description

Adds the Configure manually path to the SAML config submission sub-step of <__experimental_ConfigureSSO />'s Configure step, and reshapes the sub-step so the per-mode bodies are isolated, the cert field routes errors inline, and Configure-again from the Confirmation step lands users on an editable, pre-populated form.

Segmented control + per-mode panels

The sub-step body now sits behind a two-mode SegmentedControl and the per-mode JSX is split into MetadataUrlPanel and ManualEntryPanel render components (internal to ConfigureStep.tsx). State stays lifted in SubmitSamlConfigSubStep — useFormControl hooks, cert file, mode, card state, mutation, Continue handler, and Step.Footer all live in the orchestrator. Panels receive their fields and cert state as props.

1. Add via metadata (default for fresh setups) — single Metadata URL input. Continue posts { saml: { idpMetadataUrl } }.
2. Configure manually — three fields:
   • Sign on URL — text input wired through a new idpSsoUrl FieldId.
   • Issuer — text input wired through a new idpEntityId FieldId.
   • Signing certificate — file picker behind a new idpCertificate FieldId. A hidden <input type="file" accept=".pem,.key,.crt,.cer,.cert"> is triggered by the visible Upload/Replace button. When a file is selected, the cert row swaps to a filename label plus a small remove button that clears the selection and resets the input value (so re-picking the same file refires the change). The accept list mirrors the Clerk Dashboard's existing SAML connection form.

Continue is gated to the selected mode's required fields. In manual mode, the handler reads the cert via File.text() and posts { saml: { idpSsoUrl, idpEntityId, idpCertificate } } through the same user.updateEnterpriseConnection call wrapped in useReverification.

Cert errors route inline

The cert field is a real useFormControl-backed field with its own FieldId. The cert section renders inside Field.Root / Field.LabelRow / Field.Label / Field.Feedback, matching the surrounding inputs. Backend errors keyed idp_certificate route inline below the cert UI via handleError([signOnUrlField, issuerField, certFileField], card.setError). Fresh interaction (file pick or remove) clears stale field-level feedback via clearFeedback(). The field's value stays empty — we only use the field for label rendering and error state, not value tracking.

Configure-again pre-fill

When the user lands on the Configure step with an existing enterpriseConnection.samlConnection (typically via goToStep('configure') from the Confirmation step's Configure again button), the form populates:

• signOnUrlField and issuerField initialize from samlConnection.idpSsoUrl / idpEntityId.
• The segmented control defaults to Configure manually when prior config exists, otherwise Add via metadata.
• The cert row defaults to a Replace file button when samlConnection.idpCertificate is present. Continue stays enabled without requiring a fresh upload; the manual PATCH conditionally includes idpCertificate only when a new file was selected so the backend retains the existing cert on submit.
• The Metadata URL field is intentionally not pre-filled — metadata submission is a one-shot flow and matches the Dashboard's posture of always starting fresh.

Locale keys

Live under configureSSO.configureStep.samlOkta:

• modes.* for the segmented control labels and aria-label.
• submitSamlConfig.title for the "Fill in your Okta SAML application details" section heading.
• manual.* for the per-mode description, field labels, placeholders, and the Upload file / Replace file / Remove file copy.

Also tightens the metadata-mode tab label from "Add via metadata URL" to "Add via metadata" to match Figma.

Linear: ORGS-1535

Follow-ups (separate PR)

• Custom SAML provider variant (ORGS-1536) — generic SAML instructional copy across all 4 Configure sub-steps, switching by connection.provider. The Custom SAML manual path will reuse the segmented control, panel split, cert field, and Continue handler shipped here.
• Field validations — client-side URL format checks. Today the PR matches the Dashboard's "trust user, backend rejects" posture; only required-empty is enforced (via the canSubmit gate, no inline message).
• Tests — unit coverage for the Configure step (mode switching, cert state lifecycle, Continue payloads per mode, error routing, Configure-again pre-fill, initial-step deriving) ships alongside the broader ConfigureSSO test pass after the Custom SAML PR lands.

How to test

Fresh setup

In a sandbox with the ConfigureSSO wizard, walk through Select Provider → Verify Domain → land on Configure. Advance through sub-steps 1–3, then on the SAML config sub-step:

• Add via metadata tab (default): paste a valid Okta SAML metadata URL → Continue → wizard advances to Test.
• Configure manually tab: fill Sign on URL + Issuer, pick a .pem/.key/.crt/.cer/.cert cert file → Continue stays disabled until all three are present → click Continue → connection is patched with { saml: { idpSsoUrl, idpEntityId, idpCertificate } } → wizard advances to Test.

Click the × on the filename chip → cert state clears and the Upload file button returns. Picking the same file again refires the change.

Configure-again (editing)

From the Confirmation step's Configure again button (goToStep('configure')), land back on the SAML config sub-step:

• Segmented control defaults to Configure manually.
• Sign on URL + Issuer pre-populate from the existing connection.
• Cert row shows Replace file; Continue is enabled without re-uploading. Submitting omits idpCertificate from the payload so the backend keeps the existing cert.
• Pick a new cert file → row swaps to filename chip → Submit replaces the cert with the new one.

Errors

Backend errors keyed idp_sso_url, idp_entity_id, or idp_certificate render inline below the corresponding field; everything else surfaces at the card level.

Base

Branches from main — stacks on top of #8535 (merged).

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	May 14, 2026 7:39pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 5fbd791

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 20 packages

Name	Type
@clerk/localizations	Patch
@clerk/shared	Patch
@clerk/ui	Patch
@clerk/react	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/chrome-extension	Patch
@clerk/clerk-js	Patch
@clerk/expo-passkeys	Patch
@clerk/expo	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/hono	Patch
@clerk/msw	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds a two-mode segmented control to the SAML configuration submission flow in <__experimental_ConfigureSSO />. Users can choose Add via metadata URL (existing flow) or Configure manually (new manual entry fields). It adds new field identifiers (idpEntityId, idpSsoUrl, idpCertificate), extends localization types and en-US strings for the mode selector and manual form, implements mode state and cert-file handling, makes validation and submission mode-dependent, and includes UI and layout refinements for attribute mapping and user assignment.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• clerk/javascript#8535: Modifies the same SubmitSamlConfigSubStep to add IdP metadata URL submission with localization, which this PR extends by introducing the mode selector and manual configuration path branching.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main feature: adding a 'Configure manually' path to the SAML config submission sub-step, which is the primary objective of this PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description comprehensively covers the feature changes: adds Configure manually path with segmented control, describes two modes (metadata and manual), details new field IDs, certificate handling, error routing, pre-fill behavior, locale keys, and includes testing guidance.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8553

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8553

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8553

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8553

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8553

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8553

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8553

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8553

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8553

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8553

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8553

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8553

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8553

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8553

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8553

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8553

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8553

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8553

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8553

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8553

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8553

commit: 5fbd791

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/ui/src/components/ConfigureSSO/steps/ConfigureStep.tsx`:
- Around line 551-554: The handleContinue handler currently blocks all submits
when certFile is falsy; change the check so certFile is only required when the
flow is in manual/certificate-upload mode (e.g., gate certFile behind whatever
boolean indicates manual mode instead of unconditionally checking certFile),
keeping enterpriseConnection and canSubmit required for both flows; update any
UI state/props used to detect "metadataUrl" vs "manual" flow (referencing
handleContinue, certFile, enterpriseConnection, canSubmit, and
metadataUrl/manual-mode flag) and add a regression test that simulates the
metadata-mode submission (no certFile) to ensure Continue succeeds when
canSubmit is true.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 8da919c9-9e0a-4d43-b0bc-565b11adf210

📥 Commits

Reviewing files that changed from the base of the PR and between 426519d and 28616cd.

📒 Files selected for processing (1)

• packages/ui/src/components/ConfigureSSO/steps/ConfigureStep.tsx