feat(shared,backend,clerk-js): Add SAML certificate validity fields #9077

Merged: LauraBeatris merged 4 commits into main from laura/add-saml-validity-fields, Jul 2, 2026

@LauraBeatris LauraBeatris commented Jul 2, 2026

Description

This PR updates the SAML connection resource to include SAML certificate validity fields recently introduced in FAPI/BAPI.

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • New Features
    • SAML enterprise connections now include IdP certificate validity timestamps (issue time and expiration time).
    • These fields are exposed consistently in both enterprise connection and SAML connection data across backend and JavaScript SDK responses.
  • Bug Fixes
    • Ensured the certificate validity fields are correctly mapped when reading from and returning enterprise connection details.

@LauraBeatris LauraBeatris self-assigned this Jul 2, 2026

changeset-bot Bot commented Jul 2, 2026

🦋 Changeset detected

Latest commit: dd5127a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 23 packages
Name Type
@clerk/clerk-js Minor
@clerk/backend Minor
@clerk/shared Minor
@clerk/chrome-extension Patch
@clerk/electron Patch
@clerk/expo Patch
@clerk/astro Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/hono Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch
@clerk/expo-passkeys Patch
@clerk/headless Patch
@clerk/localizations Patch
@clerk/msw Patch
@clerk/react Patch
@clerk/ui Patch
@clerk/vue Patch
@clerk/swingset Patch

coderabbitai Bot commented Jul 2, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: ca7a909d-ec2e-412b-997d-67a48e4f4ede

📥 Commits

Reviewing files that changed from the base of the PR and between 636b322 and dd5127a.

📒 Files selected for processing (10)
  • .changeset/little-lights-press.md
  • packages/backend/src/api/__tests__/EnterpriseConnectionApi.test.ts
  • packages/backend/src/api/__tests__/SamlConnectionApi.test.ts
  • packages/backend/src/api/resources/EnterpriseConnection.ts
  • packages/backend/src/api/resources/JSON.ts
  • packages/backend/src/api/resources/SamlConnection.ts
  • packages/clerk-js/src/core/resources/EnterpriseConnection.ts
  • packages/clerk-js/src/core/resources/__tests__/Organization.test.ts
  • packages/clerk-js/src/core/resources/__tests__/User.test.ts
  • packages/shared/src/types/enterpriseConnection.ts

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.


📝 Walkthrough

Walkthrough

This PR adds idpCertificateIssuedAt and idpCertificateExpiresAt fields to SAML enterprise connections across @clerk/shared, @clerk/backend, and @clerk/clerk-js, and updates the related tests and changeset metadata.

Changes

SAML IdP Certificate Timestamps

Layer / File(s) Summary
Shared type definitions for IdP certificate fields
packages/shared/src/types/enterpriseConnection.ts
EnterpriseSamlConnectionNestedJSON and EnterpriseSamlConnectionNestedResource gain idp_certificate_issued_at/idpCertificateIssuedAt and idp_certificate_expires_at/idpCertificateExpiresAt; EnterpriseConnectionResource gets inline property docs.
Backend SamlConnection resource and JSON mapping
packages/backend/src/api/resources/SamlConnection.ts, packages/backend/src/api/resources/JSON.ts, packages/backend/src/api/__tests__/SamlConnectionApi.test.ts
SamlConnectionJSON, constructor, and fromJSON carry the new timestamps; list and create tests assert the mapped values.
Backend EnterpriseConnection resource and JSON mapping
packages/backend/src/api/resources/EnterpriseConnection.ts, packages/backend/src/api/resources/JSON.ts, packages/backend/src/api/__tests__/EnterpriseConnectionApi.test.ts
EnterpriseConnectionSamlConnectionJSON, constructor, and fromJSON carry the new timestamps; the enterprise connection test fixture and assertions are updated.
clerk-js nested SAML mapping
packages/clerk-js/src/core/resources/EnterpriseConnection.ts, packages/clerk-js/src/core/resources/__tests__/Organization.test.ts, packages/clerk-js/src/core/resources/__tests__/User.test.ts
samlNestedFromJSON and samlNestedToJSON map the new fields, and the org/user fixtures include them.
Changeset entry
.changeset/little-lights-press.md
Marks @clerk/clerk-js, @clerk/backend, and @clerk/shared as minor and describes the new certificate validity window fields.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: jacekradko, SarahSoutoul

Poem

A rabbit hops where SAML fields grow bright,
Two tiny timestamps keep the cert in sight. 🐰
Issued, expired, now in the flow,
JSON and types both let it show.
Hop hop hooray, the changes glow!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding SAML certificate validity fields across shared, backend, and clerk-js.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

vercel Bot commented Jul 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Jul 2, 2026 7:11pm
swingset Ready Ready Preview, Comment Jul 2, 2026 7:11pm

pkg-pr-new Bot commented Jul 2, 2026

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@9077

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@9077

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@9077

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@9077

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@9077

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@9077

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@9077

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@9077

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@9077

@clerk/express

npm i https://pkg.pr.new/@clerk/express@9077

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@9077

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@9077

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@9077

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@9077

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@9077

@clerk/react

npm i https://pkg.pr.new/@clerk/react@9077

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@9077

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@9077

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@9077

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@9077

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@9077

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@9077

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@9077

commit: dd5127a

github-actions Bot commented Jul 2, 2026

API Changes Report

Generated by Break Check on 2026-07-02T19:13:12.113Z

Summary

Metric Count
Packages analyzed 19
Packages with changes 2
🔴 Breaking changes 2
🟡 Non-breaking changes 0
🟢 Additions 10

Warning
2 breaking change(s) detected - Major version bump required

🤖 This report was reviewed by claude-sonnet-4-6.

🔴 Breaking changes index (2)

Every breaking change, up front. Full diffs are in the package sections below.

Package Subpath Change
@clerk/backend . EnterpriseConnectionSamlConnection.undefined
@clerk/backend . SamlConnection.undefined

@clerk/backend

Current version: 3.10.0
Recommended bump: MAJOR → 4.0.0

🔴 Breaking Changes (2)

Changed: EnterpriseConnectionSamlConnection.undefined

// ... 3 unchanged lines elided ...
      idpEntityId: string, 
      idpSsoUrl: string, 
      idpCertificate: string, 
+     idpCertificateIssuedAt: number, 
+     idpCertificateExpiresAt: number, 
      idpMetadataUrl: string, 
      idpMetadata: string, 
      acsUrl: string, 
// ... 5 unchanged lines elided ...
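Review bot: The two new required parameters are inserted between `idpCertificate` and `idpMetadataUrl`, so every later positional argument moves by two and existing call sites change meaning. Appending them at the end of the parameter list, or moving the constructor to a single options object, would add the fields without reordering the existing arguments; plain JavaScript callers get no compiler error when the positions shift.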

Static analyzer: Breaking change in constructor EnterpriseConnectionSamlConnection.undefined: Parameter idpMetadataUrl type changed: string → number; Parameter idpMetadata type changed: string → number; Parameter syncUserAttributes type changed: boolean → string; Parameter allowSubdomains type changed: boolean → string; Required parameter allowSubdomains was added; Required parameter allowIdpInitiated was added

🤖 AI review (confirmed) (95%): Two new required parameters (idpCertificateIssuedAt: number and idpCertificateExpiresAt: number) were inserted before the existing parameters in the constructor, shifting all subsequent positional arguments — any consumer calling this constructor must update their call sites.

Migration: Insert the two new required arguments idpCertificateIssuedAt (number) and idpCertificateExpiresAt (number) at positions 6 and 7 in every EnterpriseConnectionSamlConnection constructor call.

Changed: SamlConnection.undefined

// ... 5 unchanged lines elided ...
      idpEntityId: string | null, 
      idpSsoUrl: string | null, 
      idpCertificate: string | null, 
+     idpCertificateIssuedAt: number, 
+     idpCertificateExpiresAt: number, 
      idpMetadataUrl: string | null, 
      idpMetadata: string | null, 
      acsUrl: string, 
// ... 11 unchanged lines elided ...
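Review bot: `idpCertificate` is typed `string | null` in this signature, but `idpCertificateIssuedAt` and `idpCertificateExpiresAt` are plain `number`, so the type does not say what a connection without a certificate carries. Typing both as `number | null`, or documenting the sentinel value used, would keep callers that compute expiry from mistaking a missing value for a real date.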

Static analyzer: Breaking change in constructor SamlConnection.undefined: Parameter idpMetadataUrl type changed: null|string → number; Parameter idpMetadata type changed: null|string → number; Parameter acsUrl type changed: string → null|string; Parameter spEntityId type changed: string → null|string; Parameter active type changed: boolean → string; Parameter userCount type changed: number → boolean; Parameter syncUserAttributes type changed: boolean → string; Parameter allowSubdomains type changed: boolean → number; Parameter createdAt type changed: number → boolean; Parameter updatedAt type changed: number → boolean; Parameter attributeMapping type changed: import("@clerk/backend").~AttributeMapping → number; Required parameter updatedAt was added; Required parameter attributeMapping was added

🤖 AI review (confirmed) (95%): Two new required parameters (idpCertificateIssuedAt: number and idpCertificateExpiresAt: number) were inserted before idpMetadataUrl in the constructor, shifting all subsequent positional arguments — the rule-based diff misidentified the shifted parameters as type changes, but the root cause is the same insertion of required positional parameters that breaks all existing constructor call sites.

Migration: Insert the two new required arguments idpCertificateIssuedAt (number) and idpCertificateExpiresAt (number) at positions 8 and 9 (after idpCertificate) in every SamlConnection constructor call.

🟢 Additions (6)

Added: EnterpriseConnectionSamlConnection.idpCertificateExpiresAt

+ readonly idpCertificateExpiresAt: number;

Added property EnterpriseConnectionSamlConnection.idpCertificateExpiresAt

Added: EnterpriseConnectionSamlConnection.idpCertificateIssuedAt

+ readonly idpCertificateIssuedAt: number;

Added property EnterpriseConnectionSamlConnection.idpCertificateIssuedAt

Added: EnterpriseConnectionSamlConnectionJSON.idp_certificate_expires_at

+ idp_certificate_expires_at: number;

Added property EnterpriseConnectionSamlConnectionJSON.idp_certificate_expires_at

Added: EnterpriseConnectionSamlConnectionJSON.idp_certificate_issued_at

+ idp_certificate_issued_at: number;

Added property EnterpriseConnectionSamlConnectionJSON.idp_certificate_issued_at

Added: SamlConnection.idpCertificateExpiresAt

+ readonly idpCertificateExpiresAt: number;

Added property SamlConnection.idpCertificateExpiresAt

Added: SamlConnection.idpCertificateIssuedAt

+ readonly idpCertificateIssuedAt: number;

Added property SamlConnection.idpCertificateIssuedAt


@clerk/shared

Current version: 4.23.0
Recommended bump: MINOR → 4.24.0

Subpath ./types

🟢 Additions (4)

Added: EnterpriseSamlConnectionNestedJSON.idp_certificate_expires_at
+ idp_certificate_expires_at: number;
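Review bot: `idp_certificate_expires_at: number` states no unit, and the same holds for `idp_certificate_issued_at` in the next addition. A JSDoc line on each field saying whether the value is epoch milliseconds or seconds would prevent a consumer from comparing it against the wrong clock scale; the 13-digit values in the suggested test assertions point to milliseconds, but the type alone does not say so.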

Added property EnterpriseSamlConnectionNestedJSON.idp_certificate_expires_at

Added: EnterpriseSamlConnectionNestedJSON.idp_certificate_issued_at
+ idp_certificate_issued_at: number;

Added property EnterpriseSamlConnectionNestedJSON.idp_certificate_issued_at

Added: EnterpriseSamlConnectionNestedResource.idpCertificateExpiresAt
+ idpCertificateExpiresAt: number;

Added property EnterpriseSamlConnectionNestedResource.idpCertificateExpiresAt

Added: EnterpriseSamlConnectionNestedResource.idpCertificateIssuedAt
+ idpCertificateIssuedAt: number;

Added property EnterpriseSamlConnectionNestedResource.idpCertificateIssuedAt


Report generated by Break Check

Last ran on dd5127a.
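
How a consumer might use the two new fields for certificate-expiry monitoring, as an added example that is not part of the PR or of Clerk's SDK. Only `idpCertificateIssuedAt` and `idpCertificateExpiresAt` come from the PR; the types, function names, 30-day threshold and sample data are hypothetical, and the timestamps are assumed to be Unix epoch milliseconds.

```typescript
// Added example; only the two field names come from the PR.
// Assumption: values are Unix epoch milliseconds.
type CertStatus =
  | 'unknown' | 'invalid_window' | 'not_yet_valid'
  | 'expired' | 'expiring_soon' | 'valid';

interface SamlCertWindow {
  id: string; // hypothetical connection identifier
  idpCertificateIssuedAt: number | null | undefined;
  idpCertificateExpiresAt: number | null | undefined;
}

interface CertFinding {
  id: string;
  status: CertStatus;
  daysRemaining: number | null;
}

const DAY_MS = 24 * 60 * 60 * 1000;

// Reject null, NaN, 0 and negatives: a missing timestamp must not be read as a date.
function isUsableTimestamp(v: unknown): v is number {
  return typeof v === 'number' && Number.isFinite(v) && v > 0;
}

function classifyCertificate(conn: SamlCertWindow, nowMs: number, warnDays = 30): CertFinding {
  const id = conn.id;
  const issued = conn.idpCertificateIssuedAt;
  const expires = conn.idpCertificateExpiresAt;
  if (!isUsableTimestamp(issued) || !isUsableTimestamp(expires)) {
    return { id, status: 'unknown', daysRemaining: null };
  }
  if (issued >= expires) return { id, status: 'invalid_window', daysRemaining: null };
  const daysRemaining = Math.floor((expires - nowMs) / DAY_MS);
  if (nowMs < issued) return { id, status: 'not_yet_valid', daysRemaining };
  if (nowMs >= expires) return { id, status: 'expired', daysRemaining };
  if (expires - nowMs <= warnDays * DAY_MS) return { id, status: 'expiring_soon', daysRemaining };
  return { id, status: 'valid', daysRemaining };
}

// Everything that is not cleanly valid, most urgent first (unknown, expired, expiring).
function findCertificatesNeedingAttention(
  conns: SamlCertWindow[], nowMs: number, warnDays = 30,
): CertFinding[] {
  const urgency = (f: CertFinding) => f.daysRemaining ?? Number.MIN_SAFE_INTEGER;
  return conns
    .map(c => classifyCertificate(c, nowMs, warnDays))
    .filter(f => f.status !== 'valid')
    .sort((a, b) => urgency(a) - urgency(b));
}

// Constructed sample data, evaluated at 2023-12-15T00:00:00Z.
const SAMPLE_NOW = Date.UTC(2023, 11, 15);
const SAMPLE_CONNECTIONS: SamlCertWindow[] = [
  { id: 'samlc_a', idpCertificateIssuedAt: 1672531200000, idpCertificateExpiresAt: 1704067200000 },
  { id: 'samlc_b', idpCertificateIssuedAt: 1672531200000, idpCertificateExpiresAt: Date.UTC(2025, 0, 1) },
  { id: 'samlc_c', idpCertificateIssuedAt: 0, idpCertificateExpiresAt: 0 },
  { id: 'samlc_d', idpCertificateIssuedAt: Date.UTC(2022, 0, 1), idpCertificateExpiresAt: Date.UTC(2023, 0, 1) },
];
```

A zero or missing timestamp is reported as `unknown` rather than as expired or valid, so a connection with no recorded validity window surfaces for review instead of passing silently.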

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.changeset/little-lights-press.md (1)

7-8: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Changeset summary is truncated mid-sentence.

Line 7 ends abruptly at "...exposing the IdP certificate validity window across" with no continuation — this will publish as an incomplete sentence in the CHANGELOG for @clerk/clerk-js, @clerk/backend, and @clerk/shared.

📝 Suggested fix
-Add `idpCertificateIssuedAt` and `idpCertificateExpiresAt` to SAML enterprise connections, exposing the IdP certificate validity window across
+Add `idpCertificateIssuedAt` and `idpCertificateExpiresAt` to SAML enterprise connections, exposing the IdP certificate validity window across `@clerk/backend`, `@clerk/shared`, and `@clerk/clerk-js`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.changeset/little-lights-press.md around lines 7 - 8, The changeset summary
is cut off mid-sentence, so the generated changelog entry will publish
incomplete text. Update the summary in the changeset markdown so it reads as a
complete sentence describing the addition of idpCertificateIssuedAt and
idpCertificateExpiresAt for SAML enterprise connections, and make sure the final
wording is fully finished for the affected packages.
🧹 Nitpick comments (1)
packages/backend/src/api/__tests__/SamlConnectionApi.test.ts (1)

166-191: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Add assertions for the new fields in the updateSamlConnection test too.

The mocked response for update also includes idp_certificate_issued_at/idp_certificate_expires_at (via the ...mockSamlConnectionResponse spread), but the test doesn't assert idpCertificateIssuedAt/idpCertificateExpiresAt like the list/create tests do.

✅ Suggested addition
       expect(response.attributeMapping).toEqual({
         userId: 'userId2',
         emailAddress: 'email2',
         firstName: 'firstName2',
         lastName: 'lastName2',
       });
+      expect(response.idpCertificateIssuedAt).toBe(1672531200000);
+      expect(response.idpCertificateExpiresAt).toBe(1704067200000);
     });
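Review bot: The two added assertions hard-code `1672531200000` and `1704067200000`, which duplicates values that live in the mocked response. Comparing against the fixture instead, for example `expect(response.idpCertificateIssuedAt).toBe(mockSamlConnectionResponse.idp_certificate_issued_at)`, keeps the test checking the snake_case to camelCase mapping even if the fixture timestamps are later changed.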
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/backend/src/api/__tests__/SamlConnectionApi.test.ts` around lines
166 - 191, The updateSamlConnection test is missing coverage for the new
certificate timestamp fields present in the mocked API response. In the
SamlConnectionApi test suite, update the assertion block for
apiClient.samlConnections.updateSamlConnection to also verify
idpCertificateIssuedAt and idpCertificateExpiresAt, matching the expectations
already used in the list/create tests. Keep the existing assertions for id,
name, organizationId, and attributeMapping, and add the new field checks against
the returned response.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: bc85d8e8-8cfb-41b8-9631-ce424109a13a

📥 Commits

Reviewing files that changed from the base of the PR and between 2f73bdd and 636b322.

📒 Files selected for processing (10)
  • .changeset/little-lights-press.md
  • packages/backend/src/api/__tests__/EnterpriseConnectionApi.test.ts
  • packages/backend/src/api/__tests__/SamlConnectionApi.test.ts
  • packages/backend/src/api/resources/EnterpriseConnection.ts
  • packages/backend/src/api/resources/JSON.ts
  • packages/backend/src/api/resources/SamlConnection.ts
  • packages/clerk-js/src/core/resources/EnterpriseConnection.ts
  • packages/clerk-js/src/core/resources/__tests__/Organization.test.ts
  • packages/clerk-js/src/core/resources/__tests__/User.test.ts
  • packages/shared/src/types/enterpriseConnection.ts

@LauraBeatris LauraBeatris force-pushed the laura/add-saml-validity-fields branch from 636b322 to 801e7a8 Compare July 2, 2026 19:09
@LauraBeatris LauraBeatris force-pushed the laura/add-saml-validity-fields branch from 801e7a8 to dd5127a Compare July 2, 2026 19:10
@LauraBeatris LauraBeatris merged commit 1efc7e5 into main Jul 2, 2026
47 of 48 checks passed
@LauraBeatris LauraBeatris deleted the laura/add-saml-validity-fields branch July 2, 2026 19:12