feat(clerk-js,ui,shared): route <ConfigureSSO /> through org-scoped enterprise_connections

[iagodahlem]

Description

Backend clerk_go#19109 (merged) promoted the per-org enterprise_connections surface to /v1/organizations/{org_id}/enterprise_connections/*. The /v1/me/enterprise_connections/* paths stay wired but are marked deprecated: true in OpenAPI.

This PR routes the JS SDK consumers through the canonical org-scoped paths.

What changed

@clerk/clerk-js

• Added getEnterpriseConnections, createEnterpriseConnection, updateEnterpriseConnection, deleteEnterpriseConnection, createEnterpriseConnectionTestRun, getEnterpriseConnectionTestRuns on the Organization resource. Paths hit /v1/organizations/{org_id}/enterprise_connections/*; organization_id is omitted from the request body since the URL path is authoritative.
• Extracted the SAML/OIDC flattening helper from User.ts into src/utils/enterpriseConnection.ts (toEnterpriseConnectionBody) and reused it from both User.ts and Organization.ts so the two surfaces can never drift.
• User.ts methods + their /me/* calls are unchanged.

@clerk/shared

• Renamed params types to drop the Me prefix (CreateOrganizationEnterpriseConnectionParams, UpdateOrganizationEnterpriseConnectionParams, provider/SAML/OIDC inputs). The old Me* names are kept as @deprecated aliases for backwards compatibility.
• Added OrganizationResource method signatures for the six new methods.
• Added two new internal hooks in @clerk/shared/react: __internal_useOrganizationEnterpriseConnections and __internal_useOrganizationEnterpriseConnectionTestRuns. They mirror the existing user-scoped hooks but resolve the active organization via useOrganization().

@clerk/ui

• <ConfigureSSO /> now consumes the org-scoped hooks. The provider passes organization.* methods down through context, so the step components (ConfigureStep, ConfirmationStep, TestConfigurationStep, SelectProviderStep) consume the new surface without per-step rewires. useReverification wrapping is preserved on every sensitive mutation.
• TestConfigurationStep previously called user.* directly for test-run reads/writes; it now uses useOrganization() to reach the same methods on organization.

What stays the same

• The existing user.*EnterpriseConnection* methods and their /v1/me/enterprise_connections/* paths are untouched. External SDK consumers that already use them continue to work; backend keeps the deprecated paths wired.
• Public API surface for external consumers gains the new organization.*EnterpriseConnection* methods. The type names CreateMeEnterpriseConnectionParams etc. are now `@deprecated` aliases.

Test plan

• Unit tests: `Organization.test.ts` mirrors `User.test.ts` (6 new tests; 35/35 pass)
• Unit tests: `ConfigureSSO.test.tsx` + step tests updated; all green
• `pnpm -F @clerk/shared typecheck/lint/test` — pass
• `pnpm -F @clerk/clerk-js typecheck/lint` + scoped `vitest run` — pass
• `pnpm -F @clerk/ui typecheck` + `` tests — pass
• E2E QA against staging — Custom SAML connection drives every verb on the org-scoped surface:
  • `GET /v1/organizations/{org_id}/enterprise_connections` (list)
  • `POST /v1/organizations/{org_id}/enterprise_connections` (create, body `provider=saml_custom&name=clerk.dev` — no `organization_id`)
  • `POST /v1/organizations/{org_id}/enterprise_connections/{ec_id}?_method=PATCH` (update, body `saml_idp_metadata_url=...` flattened)
  • `GET .../test_runs`
  • `POST .../test_runs` (createTestRun)
  • `POST .../{ec_id}?_method=DELETE` (delete)
  • Zero requests to `/v1/me/enterprise_connections/*` anywhere in the flow

Linear

ORGS-1597

Out of scope

• Removing the legacy `user.EnterpriseConnection` method bodies (kept indefinitely; backend `/me/*` paths stay wired).
• Ownership-gated POST + `organization_domain_id` requirement (clerk_go#19036, couples with ORGS-1594 / TXT verification).

Checklist

• `pnpm test` runs as expected.
• `pnpm build` runs as expected (typecheck + lint per package).
• JSDoc comments added on new shared types and helpers.
• Documentation updated where needed (no public docs changes required — internal hook surface; `organization.*` method docs can follow up once usage stabilizes).

Type of change

• 🌟 New feature
• 🐛 Bug fix
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	May 27, 2026 6:13pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 4e08a7f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 20 packages

Name	Type
@clerk/ui	Minor
@clerk/shared	Minor
@clerk/clerk-js	Minor
@clerk/astro	Patch
@clerk/chrome-extension	Patch
@clerk/react	Patch
@clerk/vue	Patch
@clerk/backend	Patch
@clerk/expo-passkeys	Patch
@clerk/expo	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/hono	Patch
@clerk/localizations	Patch
@clerk/msw	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8671

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8671

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8671

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8671

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8671

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8671

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8671

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8671

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8671

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8671

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8671

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8671

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8671

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8671

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8671

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8671

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8671

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8671

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8671

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8671

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8671

commit: 4e08a7f

[LauraBeatris]

Suggested change

	`<ConfigureSSO />` now calls the org-scoped enterprise connections endpoints via `organization.*EnterpriseConnection*` methods. Previously, the wizard called `user.*EnterpriseConnection*` against the `/me/*` paths.
	Internal `<ConfigureSSO />` refactor to call new org-scoped enterprise connections FAPI endpoints, replacing the `/me/` deprecated scope

Changing the copy a bit here to denote that this is an internal change, not important for external consumers

[LauraBeatris]

I think we can keep all on the same changeset, as those endpoints aren't public on the frontend API as well, it's not like developers were relying on the clerk-js resources for it

[LauraBeatris]

Let's rename this comment now to:

// Currently the self-serve SSO UI flow only supports one enterprise connection per organization

Or feel free to adjust as well, FAPI currently returns a list, and we might expand in the future to support multiple connections on the UI.

[LauraBeatris]

Also let's use the automatic generated snapshot naming with pnpm run changeset