Which authentication providers include SSO in the base tier?

Among developer-first platforms, Clerk includes enterprise SSO in its base paid tier (Pro, $25/mo), and Auth0, Stytch, and Frontegg include limited SSO on their free tiers (Auth0 gives 1 connection; Stytch and Frontegg give up to 5 from a shared pool). Workforce and infrastructure-first providers (Okta, Supabase, Firebase) generally don't include enterprise SSO in a low base tier. See the comparison matrix above for the per-provider breakdown.

Which auth platforms include SCIM in pricing?

Clerk bundles SCIM free with every enterprise connection (no separate SKU). Auth0 includes inbound SCIM on its B2B Free tier (user provisioning only, no group provisioning). Stytch and Frontegg include SCIM within their free connection pools. WorkOS sells SCIM as a separate per-connection add-on. Supabase and Firebase have no customer-facing SCIM at any tier.

The SSO tax is the practice of charging a steep premium, or gating behind an enterprise tier, to enable SAML or enterprise SSO. The community project sso.tax lists a vendor when its SSO upcharge is more than about 10% over standard pricing. Real markups documented by analysts run far higher for some vendors.

What is the "SCIM tax," and why is it the new SSO tax?

As SSO has migrated into free and base tiers, SCIM (directory sync) has become the harder paywall, the "SCIM tax." A Stitchflow study of 721 SaaS apps found only 1.2% include SCIM on their base tier, 42% lock it behind enterprise pricing, and 57% have no SCIM at any price. So platforms that include both SSO and SCIM in the base tier are the exception, not the rule.

How much does SSO cost per connection?

It varies widely by model. WorkOS charges $125/connection for SSO (volume discounts down to $50), and bills SCIM separately at the same rate. Clerk charges $75/connection after the first included one (volume down to $15) and includes SCIM free. Auth0 charges $100/mo per additional connection beyond its tier's included count. Per-user (Okta) and per-MAU (Supabase, Firebase) providers don't charge per connection at all.

Which auth providers include SSO for free?

Auth0 (1 enterprise connection on B2B Free), Stytch (5 in a shared SSO/SCIM pool), Frontegg (5 enterprise connections), Descope (3 SSO connections), Kinde (1), and Microsoft Entra External ID (free OIDC and SAML self-service, no per-connection limit). WorkOS does not offer free SSO in production. Clerk's free Hobby tier doesn't include production SSO; that starts on Pro.

What is the cheapest auth provider with SSO included?

For free, Stytch and Frontegg are the most generous (5 connections), and Entra External ID offers free OIDC and SAML at 50,000 MAU. For a predictable paid base tier, Clerk Pro at $25/mo (or $20/mo annual) includes 1 connection plus free SCIM. The cheapest choice depends on whether you need SCIM and how many connections you'll have.

Is there a free SSO/SAML provider for startups?

Yes. Auth0 B2B Free includes 1 enterprise SSO connection plus inbound SCIM at $0 (up to 25,000 MAU). Stytch (10,000 MAU) and Frontegg (7,500 MAU) include up to 5 free connections. Entra External ID gives free OIDC and SAML self-service to 50,000 MAU (SSO only, no customer SCIM). Each has limits, so check connection counts and SCIM scope.

How does Clerk vs Auth0 vs Okta SSO pricing compare?

Clerk uses a flat subscription plus per-connection model ($25/mo Pro, 1 connection included, $75/connection after, SCIM free). Auth0 uses per-MAU pricing with per-connection add-ons (B2B Free $0 for 1 connection; paid tiers from $150–$800/mo plus $100 per extra connection). Okta is per-user, annual-only workforce IAM (suites from $6/user/mo, $1,500/yr minimum), a different tool class aimed at your own employees rather than your app's customers.

What is WorkOS SCIM per-connection pricing?

WorkOS bills Directory Sync (SCIM) separately from SSO, on the same per-connection ladder: $125/connection for 1–15, dropping to $100 (16–30), $80 (31–50), $65 (51–100), and $50 (101–200). Because SSO and SCIM are separate connections, one customer who needs both counts as two connections, roughly $250/mo at the entry rate.

Does Supabase Auth charge for SSO/SAML, and does it support SCIM?

Supabase app SSO is SAML 2.0 only (no OIDC) and requires the Pro plan ($25/mo) or higher; you get 50 SSO-MAU free, then $0.015 per SSO-MAU. Supabase has no native SCIM at any tier. Note that "dashboard SSO" for logging into Supabase itself is a separate feature requiring the Team plan ($599/mo).

What does Firebase Auth enterprise SSO cost?

Firebase Auth alone has no SAML or OIDC. Enterprise SSO requires upgrading to Google Cloud Identity Platform (Blaze pay-as-you-go), where the SAML/OIDC tier is free for 50 MAU, then $0.015/MAU. There's no customer-facing SCIM, and no first-class B2B organizations model, so it's not designed for B2B enterprise SSO plus SCIM.

What is directory sync pricing?

Directory sync is SCIM, and pricing splits sharply. Clerk includes it free on every enterprise connection. WorkOS charges per connection ($125 and down) on top of SSO. Stytch and Frontegg include it in a free connection pool. PropelAuth charges $100/connection. Auth0 includes inbound SCIM (users only) with an enterprise connection. Supabase and Firebase don't offer it for customers.

Does a free tier with SSO have hidden costs?

Often, yes. Watch for connection caps (Auth0's 1 free connection), per-SSO-MAU overage (Supabase and Firebase at $0.015/MAU), limited SCIM scope (Auth0's users-only inbound SCIM, no groups), and dashboard-versus-app SSO splits. "Free SSO" can still bill per connection or per user once you pass the included allotment.

When does my B2B SaaS actually need SSO and SCIM?

SSO matters more as you sell upmarket: SSO and SOC 2 are among the most common hard blockers in enterprise procurement, and larger prospects (a commonly cited rule of thumb is around 500+ employees) often require SSO before evaluating you. SCIM becomes critical for high-headcount customers (another rule of thumb is around 1,000 seats), where manual provisioning stops scaling. A commonly suggested build order is RBAC, then audit logs, then SSO, then SCIM. These employee and seat figures are industry heuristics, not hard standards.

Articles

Auth Platforms With SSO and SCIM in the Base Tier

Q: What is the difference between SSO and SCIM?

SSO (single sign-on) is authentication: it lets users log in with their company identity over SAML or OIDC. SCIM is provisioning: it automatically creates, updates, and deactivates accounts as the customer's directory changes. SSO runs at sign-in; SCIM runs continuously in the background. The compliance-critical part of SCIM is instant deprovisioning when someone is offboarded.

Roy Anger

Jun 5, 2026

Which authentication platforms include SSO and SCIM in the base tier?

Among the broad auth platforms compared here, inclusion varies a lot. Legacy workforce and infrastructure-first providers (Okta, Supabase, Firebase) commonly gate enterprise SSO (SAML or OIDC) and SCIM behind "Enterprise" or "Contact sales" pricing, or charge a per-connection fee (the "SSO tax"). Newer developer-first B2B platforms increasingly include limited SSO and SCIM in their free or base tier. Clerk includes both in its base paid tier (Pro, $25/mo USD) with SCIM bundled free on every enterprise connection. Auth0 puts 1 enterprise SSO connection plus inbound SCIM on its B2B free tier. Stytch and Frontegg give you up to 5 free SSO/SCIM connections. WorkOS sells SSO and SCIM as standalone per-connection add-ons.

For predictable, base-tier SSO and SCIM without per-connection SCIM surcharges, Clerk is the strong default. For the most generous free starter pool, Stytch or Frontegg. For a standalone pay-per-connection layer with the broadest directory support, WorkOS.

One shift defines 2026: enterprise SSO is getting cheaper and more available, while SCIM (directory sync) is now the harder paywall, the "SCIM tax." This guide gives you a primer, a comparison matrix, per-provider profiles, two worked total-cost-of-ownership examples, a decision tree, and an FAQ. Each section stands on its own so you can quote it directly.

Note

All pricing in this article is in US dollars (USD) and was verified current as of June 1, 2026. Pricing tiers and feature gating change often. Always confirm against the provider's live pricing page before deciding.

Who this guide is for and how to use it

This guide answers one question precisely: which auth platforms put enterprise SSO and SCIM in the free or base paid tier, and what they really cost as you scale.

It's written for the people making that call: IT and auth decision makers comparing vendors, startup founders forecasting cost-effective auth, and developers researching providers. You can read it top to bottom or jump straight to the matrix, a provider profile, or the FAQ:

A bottom-line verdict (above).
A fast primer on SSO and SCIM.
A single comparison matrix, plus a second matrix for developer-first platforms.
Per-provider profiles with honest "where it wins / where it doesn't" notes.
Two worked TCO examples you can re-run with your own numbers.
A decision tree and checklist.
A keyword-aligned FAQ.
A closing table mapping every statistic to its source.

Three buyer situations drive most of these searches, and the sections below address all three.

The problem: base-tier SSO/SCIM availability and the tax that's shifting

Teams struggle to compare base-tier SSO and SCIM because pricing pages are deliberately opaque, and the goalposts moved in 2026: SSO got cheaper while SCIM became the real paywall.

What teams are actually trying to solve

Research across buyer guides and procurement write-ups points to three recurring scenarios:

Established company (reactive). You need to add enterprise SSO, and often SCIM, for one or more customers or for your own workforce. You're comparing what each provider charges to turn it on.
Startup or SMB (proactive). You're building early and forecasting both initial and long-term cost. You want to know whether SSO and SCIM sit in the base tier, and what they'll cost as connections and users grow.
Compliance or procurement-driven. You're pursuing SOC 2, ISO 27001, or HIPAA, or unblocking an enterprise deal. SSO and SOC 2 are among the most common hard blockers in enterprise procurement; missing either often stops the process. As commonly cited rules of thumb — industry heuristics, not hard standards — larger enterprise prospects (often pegged around 500+ employees) treat SSO as non-negotiable before they'll evaluate a product, and SCIM becomes critical for high-headcount customers (often cited around 1,000 seats) where manual provisioning stops scaling.

Why this is hard to research

Pricing pages hide the real number behind "Contact sales," feature gating, per-connection line items, and MAU or MRU limits. Several specific traps recur:

SSO listed only under an enterprise tier with no public price.
SCIM sold as a separate add-on, billed independently from SSO.
Per-MAU overage charges that only apply to SSO users.
"Dashboard SSO" (logging into the vendor's own console) priced separately from the app SSO you actually sell to customers (Supabase does this).

These queries have decent content coverage but poor citation. The goal here is one clean, sourced matrix you can quote directly, with every number traceable to a primary source.

The decision variables this guide evaluates

Is SSO in the base tier? Is SCIM in the base tier? Free tier versus lowest paid ("base") tier versus enterprise-only.
Pricing model: per-user, per-MAU, per-MRU, flat, per-connection, or subscription.
Per-connection fees and hidden costs: MFA or SMS add-ons, MAU overages, connection caps, "free SSO" that still bills per connection, and SCIM billed separately from SSO.
Feature scope tied to the tier: number of connections, SAML versus OIDC, SCIM groups versus users-only, and how many directory providers are supported.

SSO and SCIM explained (a fast primer)

SSO is how users log in with their company identity (SAML or OIDC). SCIM is how their accounts are created, updated, and deactivated automatically (directory sync). They solve different problems, and in 2026 they're increasingly priced separately.

What is SSO (single sign-on)

Single sign-on is federated login: your application trusts a customer's identity provider (IdP) to authenticate the user, usually over SAML 2.0 or OIDC. The user signs in once at their IdP (Okta, Microsoft Entra ID, Google Workspace) and gets into your app without a separate password. SSO is the enterprise feature most commonly gated behind higher tiers.

What is SCIM (directory sync and automated provisioning)

SCIM (System for Cross-domain Identity Management) automates account lifecycle. When a customer adds an employee in their directory, SCIM creates the account in your app; when they remove the employee, SCIM deactivates it. This is often called "directory sync."

The compliance-critical part is deprovisioning. When someone is offboarded, SCIM revokes their access immediately rather than waiting for a manual cleanup. SCIM trails SSO in availability and price because it's operationally heavier and tied to HR and IT systems.

What is the difference between SSO and SCIM

The plain-language distinction:

Capability	What it does	When it runs
SSO	Authentication and login federation	At sign-in
SCIM	Account lifecycle provisioning and deprovisioning	Continuously, in the background

SSO answers "can this person log in with their company identity?" SCIM answers "does this person still have an account, and was it removed when they left?" They're frequently, but not always, sold together.

Why SSO and SCIM are usually bundled

Both are "enterprise readiness" features, so vendors often package them in the same tier or add-on. The 2026 trend, though, is to unbundle: give SSO away to win deals, then charge for SCIM.

What "base tier" actually means

This guide distinguishes three cases, and the matrix marks each one:

Free tier that includes SSO/SCIM. Example: Auth0 B2B Free (1 connection), or Stytch and Frontegg (up to 5).
Lowest paid ("base") tier that includes them. Example: Clerk Pro at $25/mo.
Included only in enterprise or contact-sales tiers, or via per-connection add-ons. Example: Okta; WorkOS in production; Supabase Team for dashboard SSO.

Watch for the trap: "free-tier SSO" that still carries per-connection fees, or per-SSO-MAU overage (Supabase, Firebase).

The "SSO tax" and the emerging "SCIM tax"

The "SSO tax" is the practice of gating SAML or enterprise SSO behind disproportionately expensive enterprise tiers or per-connection charges. In 2026 it's mutating: SSO is increasingly free, but SCIM has become the new premium paywall, the "SCIM tax."

What the SSO tax is

The community resource sso.tax (the "SSO Wall of Shame") catalogs vendors that charge a steep premium to enable SSO. Its inclusion rule is blunt: in the project's own words, "If your SSO support is a 10% price hike, you're not on this list." In other words, a vendor earns a spot when SSO costs more than about 10% on top of standard pricing. Real markups documented by third-party analysts run far higher, into multiples of the base price for some vendors. Treat those individual percentages as illustrative, not load-bearing.

How vendors implement it

The common patterns:

Enterprise-only gating, with "Contact sales" instead of a price.
Per-SSO-connection fees that compound with each enterprise customer.
Minimum seat or MAU commitments.
SCIM sold as a separate add-on, billed independently of SSO. WorkOS, for example, charges per connection for SSO and again per connection for directory sync.

How to spot it on a pricing page

Signals that you're looking at an SSO or SCIM tax: SSO appears only under "Enterprise," there's no public price, you see per-connection line items, SCIM is a separate SKU, there's a per-SSO-MAU overage, or "dashboard SSO" is priced apart from "app SSO."

The 2026 shift: SCIM is the new gate

This is the most important reframe in the market. A Stitchflow study of 721 SaaS apps found that only 1.2% (9 apps) include SCIM on their base tier, 42% lock SCIM behind enterprise pricing, and 57% have no SCIM at any price. Meanwhile SSO is migrating into free tiers (Auth0 B2B Free, Stytch, Frontegg) and is increasingly treated as a baseline expectation. Platforms that include both SSO and SCIM in the base tier sit squarely on this trend.

Neutral references worth citing

sso.tax (Rob Chahin's Wall of Shame). The load-bearing, citable fact is the >10% inclusion criterion.
ssotax.org maintains a "Friends of SSO" list of vendors that don't upcharge, including AWS, Cloudflare, Datadog, GitLab, Grafana, and Tailscale. Cite the list rather than an exact count; sources disagree on the number.
CISA Secure by Design Pledge. Launched in May 2024 with 68 initial signatories; the pledge page now describes "hundreds of companies." Under its multi-factor authentication goal, signatories commit to "Supporting standards-based single sign-on (SSO) in the baseline version of the product, allowing customers to configure with their own identity provider that supports MFA," within one year of signing. It's the strongest governmental, neutral anchor for the idea that SSO should be a baseline feature.
Tailscale publicly reversed its SSO paywall in April 2024, writing that "this pricing felt more and more like a partial SSO tax." A useful example of a vendor moving away from the practice.
Zylo reports, in its 2026 SaaS Management Index, that "only 21% of applications are protected by single sign-on (SSO) solutions," a reminder that SSO adoption still lags even where it's available.

Pricing models you'll encounter

Four pricing models dominate auth: per-user or per-MAU, flat or included-in-tier, per-connection, and subscription (monthly versus discounted annual). Where SSO and SCIM sit inside each one is what determines your real cost.

Per-user, per-MAU, or per-MRU pricing

You pay by active users or seats. Auth0 prices B2B and B2C by monthly active users (MAU); Okta prices per user per month; Supabase and Firebase price per MAU; Clerk prices per Monthly Retained User (MRU). MRU and MAU aren't the same: Clerk counts an MRU as a user who visits your app at least one day after signing up, so one-time and bounced sign-ups that never return aren't billed. SSO and SCIM may sit inside these models as flat inclusions or as separate per-connection charges on top.

Flat-rate or included-in-tier pricing

SSO and SCIM are bundled into a fixed monthly tier with no per-connection fee. This is the most predictable model for budgeting.

Per-connection (per-SSO-connection) pricing

You pay for each enterprise connection. This wins when you have a few enterprise customers with high MAU, because you're not paying per user. It compounds painfully when you have many enterprise customers. The sharpest version is the WorkOS model, where SSO and SCIM are billed as separate connections: one customer needing both counts as two connections.

Subscription models (monthly versus annual)

A fixed subscription, usually cheaper if you commit annually. Clerk Pro is $25/mo or $20/mo billed annually; Clerk Business is $300/mo or $250/mo annually. Okta is annual-only with a $1,500/yr minimum. Commitment lowers the effective rate but reduces flexibility.

Hidden costs and gotchas

The line items that surprise people:

MFA or SMS add-on fees.
MAU or MRU overage charges once you pass the included allotment.
Organization or connection caps (Auth0 caps total enterprise connections at 30).
"Free SSO" that still bills per connection or per provider.
SCIM billed separately from SSO, so the same customer is charged twice.

At-a-glance comparison: which platforms include SSO and SCIM in the base tier

Here's the comparison matrix. A few notes on method first: "in the base tier" means available on the free tier or the lowest paid tier without an enterprise contract. All prices are USD, sourced from each provider's live pricing page, and current as of June 1, 2026. Every cell maps to a single primary source in the closing table.

Note

If a provider's public page required an interactive calculator or didn't expose a stable line item, this guide marks that value as opaque rather than estimating it.

How to read this table

Glyph legend: ✓ means included in the base tier, ✗ means not in the base tier, ⚠️ means included with a significant caveat (read the notes cell). "Base tier" follows the three-case definition above.

The core comparison matrix

Provider	Base / free tier (USD)	Enterprise SSO in base tier?	SCIM in base tier?	Pricing model	Per-connection fee?	Key limits / gotchas
Clerk	Pro $25/mo ($20 annual)	✓ (1 connection included)	✓ (bundled free per connection)	Per-MRU subscription + per-connection	$75/connection (2–15; volume to $15)	No production SSO/SCIM on the free Hobby tier; 50,000 MRUs free; SCIM documents Okta + Entra ID and follows SCIM 2.0
Auth0	B2B Free $0 (25,000 MAU)	⚠️ (1 connection; B2B product only)	⚠️ (inbound; user provisioning only, no `/groups`)	Per-MAU + per-connection	Paid B2B: Essentials from $150/mo (3 conn.), Professional from $800/mo (5), $100/add'l (max 30)	Only 1 free connection; enterprise SSO is B2B-product-only; group provisioning not yet GA
Okta (Workforce Identity)	No free tier; from $1,500/yr	⚠️ (per-user suites; SSO in $6 Starter)	⚠️ (Lifecycle Management/SCIM in higher suites, not Starter)	Per-user, annual-only	n/a (per-user, not per-connection)	Workforce IAM, not per-connection B2B CIAM; suites $6/$14/$17 per user/mo; standalone per-product prices not published
WorkOS	AuthKit free to 1,000,000 MAU	✗ (paid per connection)	✗ (paid per connection, billed separately)	Per-connection (+ per-MAU AuthKit)	$125/connection SSO and $125/connection SCIM (volume to $50)	SSO + SCIM for one customer = 2 connections; no free SSO in production; 12+ directory providers
Supabase Auth	Pro $25/mo (100,000 MAU)	⚠️ (Pro+, SAML 2.0 only, no OIDC)	✗ (none at any tier)	Subscription + per-SSO-MAU	$0.015 per SSO-MAU over 50	No SCIM ever; dashboard SSO needs Team $599/mo; no account linking; no Single Logout
Firebase Auth / Identity Platform	Usage-based, no base fee	⚠️ (requires Identity Platform upgrade; SAML/OIDC)	✗ (no customer-facing CIAM SCIM)	Per-MAU pay-as-you-go	$0.015/MAU on the SAML/OIDC tier (50 free)	Firebase Auth alone has no SAML/OIDC; no first-class B2B organizations model

Developer-first platforms with notable base-tier SSO/SCIM

These platforms offer some of the most generous base-tier SSO and SCIM inclusion in the market, summarized here with brief notes.

Provider	Free tier (USD, MAU)	Free SSO connections	Free SCIM	First paid tier w/ SSO	First paid tier w/ SCIM	Notes
Stytch	$0 (10,000 MAU)	5 (shared SSO/SCIM pool)	✓ (within the 5)	Free (pay-as-you-go)	Free (within the 5)	$125/connection after the free pool; most generous free SSO + SCIM
Frontegg	$0 (7,500 MAU)	5 (shared SSO/SCIM pool)	✓ (within the 5)	Free (pay-as-you-go)	Free (within the 5)	Listed as "5 Enterprise Connections (SSO/SCIM)"; per-connection overage not publicly disclosed
Descope	$0 (7,500 MAU)	3	⚠️ disputed	Free	unclear	Descope's feature-comparison table marks SCIM "Included" on all tiers including Free, but the Free plan card omits it (and third-party pricing analyses place SCIM on the paid Growth tier); treat free SCIM as unconfirmed
Kinde	$0 (10,500 MAU)	1	✗ (not yet GA)	Plus $75/mo (unlimited SSO)	Scale $250/mo ("Coming soon")	Kinde lists SCIM / directory sync as "Coming soon" (not generally available); don't rely on it as a live feature today
PropelAuth	$0 (10,000 MAU)	0	✗	Growth $150/mo (unlimited SSO)	Growth Plus $500/mo	SCIM billed at $100/connection
Microsoft Entra External ID	$0 (50,000 MAU)	OIDC + SAML (free, self-service)	✗ (no inbound customer SCIM)	Free (OIDC + SAML)	no customer-facing path	Largest free MAU allotment (50,000); OIDC and SAML/WS-Fed IdP federation both free with customer self-service sign-up. No inbound customer SCIM — the supported-features "User provisioning" row covers outbound app provisioning only; inbound SCIM is workforce-only and premium

Quick verdict by buyer scenario

Cheapest path to SSO only: Stytch or Frontegg (free up to 5 connections), or Entra External ID (free OIDC and SAML at 50,000 MAU). Clerk for predictable paid.
Best SSO + SCIM together at the base tier: Clerk (SCIM free per connection) or Stytch (5 free in a shared pool).
Best for scaling B2B SaaS (many connections plus SCIM): Clerk (no SCIM double-charge) versus WorkOS (standalone, broadest directory support).
Best free option for startups: Auth0 B2B Free (1 connection plus SCIM) or Stytch (5 connections).

Provider-by-provider breakdown

The core six get full profiles; the developer-first options are summarized at the end. Each profile gives positioning, base or free tier, SSO and SCIM status, pricing model, per-connection treatment, and an honest "where it wins / where it doesn't."

Clerk

Developer-first customer identity with predictable subscription pricing and SCIM bundled free on every enterprise connection.

The free Hobby tier includes 50,000 MRUs but does not include production enterprise SSO or SCIM (Clerk notes that "all of our Pro tier features are available to try in the development instance of your application," so you can test enterprise connections in development). Production enterprise connections require the Pro (base paid) or Business plan.

Pro is $25/mo ($20/mo annual) and includes 1 enterprise connection. The exact line item on the pricing page is "Enterprise connections (EASIE/SAML/OIDC)." Additional connections are $75/mo each for connections 2 through 15, then $60 (16–100), $30 (101–500), and $15 (500+). SSO covers SAML (Entra ID, Google Workspace, Okta Workforce, custom) and OIDC/EASIE.

SCIM (Directory Sync) is included free with each enterprise connection. It went generally available on April 16, 2026, with group-to-role mapping and custom attribute mapping following on May 21, 2026. In Clerk's words, "Directory Sync, including groups and custom attributes mapping, is included with your enterprise connection at no extra charge." It follows the SCIM 2.0 protocol, ships documented setup guides for Okta and Microsoft Entra ID, and revokes a user's active sessions immediately when they're deactivated in the IdP. Compatibility with other IdPs should be confirmed with Clerk: the docs note that "your identity provider (and how you configure it) may not match Clerk's implementation completely" and point you to Clerk's team for compatibility issues, so this isn't a self-serve "any IdP" promise.

Business is $300/mo ($250/mo annual); Enterprise is custom. The B2B Authentication "Enhanced" add-on is $100/mo ($85/mo annual).

Where Clerk wins: there's no per-connection SCIM surcharge, SSO connection pricing is flat with volume discounts, and the cost stays predictable as you scale. Where it's narrower: the SCIM provider list documented today (Okta and Entra ID) is shorter than WorkOS's 12+, and Clerk is SaaS-only with no self-hosting. See enterprise connections, Directory Sync, pricing, and B2B billing.

Auth0 (Okta Customer Identity)

A mature customer identity platform, Okta-owned, that reworked its B2B plans on February 12, 2026 to put 1 SSO connection plus SCIM on the free tier.

B2B Free is $0 for up to 25,000 MAU and includes 1 enterprise connection, Self-Service SSO, and SCIM (all marked "NEW" on the pricing page). It also allows unlimited Okta Workforce enterprise connections that don't count against the limit.

The paid B2B tiers are static line items on the pricing page (there's no calculator). B2B Essentials starts at $150/mo and includes 3 enterprise SSO connections; B2B Professional starts at $800/mo and includes 5; additional connections are $100/mo ($1,100/yr) each, capped at 30 total. Those "from" prices are MAU-tier floors, not the price at a given user count. The page also publishes a static "B2B Base Price by MAUs" table: at 500 MAU the base is $150 (Essentials) or $800 (Professional); at 10,000 MAU it's $2,100 or $2,400; the table tops out at 20,000 MAU ($3,800 Essentials, Professional "Contact us"), and 30,000+ MAU routes to contact sales for both. B2C Essentials starts at $35/mo and B2C Professional at $240/mo, with no enterprise connections (enterprise SSO is B2B-only). Auth0 renders these pricing tables client-side and revises its B2B plans periodically, so reconfirm the live figures in Auth0's pricing UI before budgeting.

Auth0's inbound SCIM requires an enterprise connection, which the Free tier now provides. Its generally available inbound SCIM is user provisioning only: the docs state that "Auth0 does not support a /groups endpoint for provisioning full group objects and group memberships as defined in RFC7644 Section 3.2," and only /Users operations are documented. (Auth0 staff have said in community posts that group provisioning entered a limited early-access program in early 2026, but it isn't generally available, requires manual activation, and isn't in the inbound SCIM docs yet.) If you need group provisioning today, Auth0's inbound SCIM won't cover it self-serve.

Where Auth0 wins: it genuinely offers SSO plus SCIM at $0, with a mature ecosystem. Where it's limited: the free tier is 1 connection on the B2B product, group provisioning isn't generally available (users-only inbound SCIM), per-MAU base pricing climbs steeply (Essentials is $2,100/mo at 10,000 MAU), and scaling past Professional's 5 connections or 30-connection ceiling means an enterprise quote. Third-party analyses describe sharp bill increases at scale and cost as a common migration trigger; treat those as illustrative context rather than primary Auth0 facts.

Okta Workforce Identity

Enterprise workforce IAM for securing your own employees and internal directories. It's a different tool class from the customer-facing CIAM products in this guide: per-user, not per-connection, and aimed at your workforce rather than your app's B2B customers.

Okta is annual-only with a $1,500/yr minimum and prices by suite, per user per month: Starter $6 (Single Sign-On, MFA, Universal Directory), Core Essentials $14, and Essentials $17. The higher suites add Lifecycle Management — Okta's SCIM provisioning — and Adaptive MFA, none of which are in the entry $6 Starter suite, so automating provisioning means stepping up to a higher suite. Okta doesn't publish standalone per-product (à-la-carte) prices on its pricing page; those require a sales quote, and real-world spend climbs well past the $1,500/yr floor once you add seats and the higher suites.

Where Okta fits: you need a workforce IdP, or you're already standardized on Okta. Where it doesn't: it's the wrong frame for "include SSO in your app's base tier for B2B customers." It's treated here as distinct from Auth0 despite shared ownership.

WorkOS

B2B enterprise readiness as a standalone, pay-per-connection layer: SSO, Directory Sync (SCIM), and audit logs, sold as building blocks rather than a full CIAM.

AuthKit (the user-management layer) is free to 1,000,000 MAU, then $2,500 per additional million. SSO is $125/connection (1–15), with volume discounts down to $100 (16–30), $80 (31–50), $65 (51–100), and $50 (101–200); 201+ is custom. Directory Sync (SCIM) is billed separately on the same per-connection schedule, so one customer who needs both SSO and SCIM counts as two connections (roughly $250/mo minimum for that customer). A custom domain is $99/mo. WorkOS supports both SAML and OIDC and advertises 12+ directory providers, including Microsoft Entra ID, Okta, Google Workspace, BambooHR, Hibob, Workday, OneLogin, JumpCloud, Rippling, and PingFederate.

Where WorkOS wins: it's the strongest choice when you want SSO and SCIM as a standalone bolt-on with the broadest directory support and don't want a full CIAM, or when you have a few enterprise customers with high MAU (AuthKit is free to 1M). Where it costs more: the per-connection model compounds when you have many enterprise customers, and the SSO-plus-SCIM double-charge is real. This is the clearest "a competitor wins here" case in the guide.

Supabase Auth

Auth bundled with the Supabase Postgres stack. Viable for SSO-only at small scale, not for SCIM.

The tiers are Free $0 (50,000 MAU), Pro $25/mo (100,000 MAU), Team $599/mo, and Enterprise (custom). App SSO is SAML 2.0 only (no OIDC) and requires Pro or higher; you get 50 SSO-MAU free, then $0.015 per SSO-MAU. There's no native SCIM at any tier. Two gotchas stand out: "dashboard SSO" (logging into Supabase itself) requires the Team plan ($599/mo) or higher and is easy to confuse with app SSO, and SSO users can't be linked to existing accounts. Single Logout isn't supported.

Honest verdict: fine for SSO-only workloads at small scale inside the Supabase ecosystem, and not recommended for teams that need SSO plus SCIM.

Firebase Auth / Google Cloud Identity Platform

B2C-first authentication. Enterprise SSO is available only via the Identity Platform upgrade, and there's no customer-facing CIAM SCIM.

Firebase Auth on its own has no SAML or OIDC. Upgrading to Identity Platform (on the pay-as-you-go Blaze plan) adds them: the SAML/OIDC tier is free for the first 50 MAU, then $0.015/MAU, and the standard email/social tier is free to 50,000 MAU before dropping into per-MAU bands starting around $0.0055/MAU. There's no fixed monthly fee. There's no customer-facing SCIM; Google's workforce SCIM is for provisioning employees, not your app's users. Multi-tenancy exists via "tenants," but there's no first-class B2B organizations model.

Honest verdict: workable for specific SAML/OIDC use cases at small scale, and not designed for B2B enterprise SSO plus SCIM.

Other developer-first options worth knowing

Stytch. Free to 10,000 MAU with 5 SSO-or-SCIM connections from a shared pool; $125/connection after. The most generous free SSO + SCIM pool found.
Frontegg. Free to 7,500 MAU with 5 "Enterprise Connections (SSO/SCIM)" from a shared pool; per-connection overage isn't publicly disclosed.
Descope. Free to 7,500 MAU with 3 SSO connections. Free SCIM is disputed on Descope's own page, so don't assume it.
Kinde. Free to 10,500 MAU with 1 enterprise SSO connection; unlimited SSO on Plus ($75/mo). SCIM is listed on Scale ($250/mo) but marked "Coming soon" on Kinde's pricing page, so it isn't a live feature today.
PropelAuth. Unlimited SSO on Growth ($150/mo); SCIM on Growth Plus ($500/mo) at $100/connection.
Microsoft Entra External ID. Free to 50,000 MAU with free OIDC and SAML/WS-Fed customer authentication (both support self-service sign-up); no inbound customer SCIM.

If you need more free connections than the core six offer, these are the names to weigh.

Total cost of ownership: beyond the base tier

"Included in the base tier" can still get expensive. TCO is the real comparison, because per-connection and per-MAU models diverge sharply as you scale, and the provider that's cheapest at 2 connections is rarely cheapest at 20.

Why TCO is the real comparison

Per-connection pricing wins when you have a few enterprise customers with high MAU, because you're not paying per user. Per-MAU plus per-connection charges compound as both grow. The model, not the sticker price, decides who's cheapest at your scale.

Initial implementation cost

For managed providers, initial setup is small: most integrate in hours to days, and there are rarely onboarding fees for the base tiers. The detailed build-versus-buy math is in the implementation section below.

Long-term scaling cost

This is where the models split. Per-connection providers that bill SSO and SCIM separately (WorkOS) double their per-customer cost when a customer needs both. Flat-bundled providers (Clerk, where SCIM is free per connection) don't. Per-MAU providers (Auth0) can exit self-service entirely once B2B MAU climb past the published table.

The "cheap base tier" trap

A low base price plus per-connection or overage fees can overtake a higher flat tier fast. Auth0's per-MAU base reaching $2,100/mo at 10,000 MAU on Essentials, WorkOS's per-connection compounding, and Supabase's per-SSO-MAU overage are all examples of a cheap-looking entry point that grows.

Worked TCO Example A: startup, 2 SSO connections, no SCIM, 10,000 MAU/MRU

Provider	Calculation	Est. monthly (USD)	Notes
Clerk	Pro $25 + 1 extra connection ($75)	~$100	10,000 is under the 50,000 free MRUs; SCIM would be free if added
WorkOS	2 × $125 (AuthKit free to 1M MAU)	$250	SSO only; adding SCIM would add 2 × $125
Auth0	B2B Essentials base at 10,000 MAU (includes 3 connections)	~$2,100	From the static per-MAU table; 2 connections fall within the 3 included
Supabase	Pro $25 + $0.015 per SSO-MAU over 50	~$25–$40	SAML only; no SCIM; cost depends on how many of the 10,000 are SSO users
Firebase / Identity Platform	$0.015 per SAML/OIDC MAU over 50	~$8–$150	No SCIM; depends on the SSO-MAU split
Okta	Workforce per-seat, annual-only	N/A (wrong tool class)	~$60k/mo if forced at 10,000 seats; not a per-connection B2B option

At a startup's scale with a couple of enterprise customers, Clerk and WorkOS are the cheap, sensible options. Auth0's per-MAU base makes it markedly more expensive here even though SSO and SCIM are technically free on its tier below this MAU level.

Worked TCO Example B: scaling B2B SaaS, 20 connections, all SSO + SCIM, 50,000 MAU

Provider	Calculation	Est. monthly (USD)	Notes
Clerk	Pro $25 + connections 2–15 (14 × $75 = $1,050) + connections 16–20 (5 × $60 = $300)	~$1,375 (SCIM included)	SCIM bundled free per connection; 50,000 MRUs at the free limit
WorkOS	SSO (15 × $125 + 5 × $100 = $2,375) + SCIM (another $2,375)	$4,750	SSO and SCIM billed as separate connections
Auth0	Professional (5 conn.) + 15 add'l × $100 = $1,500 in connection add-ons; base at 50,000 MAU not in the published table	Enterprise quote	50,000 MAU exceeds the self-service table (tops out at 20,000; 30,000+ = contact sales); SCIM here is user-provisioning only (no `/groups`)
Supabase	n/a	Cannot (no SCIM)	Disqualified for SCIM workloads
Firebase / Identity Platform	n/a	Cannot (no SCIM)	Disqualified for SCIM workloads
Okta	Workforce per-seat	N/A (wrong tool class)	Per-seat workforce IAM, not per-connection B2B CIAM

The takeaway: for SSO plus SCIM at scale, Clerk (~$1,375, SCIM bundled) materially undercuts WorkOS (~$4,750, SSO and SCIM billed separately), and Supabase and Firebase can't participate at all because they have no SCIM. That gap is driven by a real pricing-model difference, not opinion: WorkOS bills SSO and SCIM as separate connections, while Clerk bundles SCIM free on every connection.

A few assumptions to state plainly: these are list prices as of June 1, 2026; Auth0's B2B base at 50,000 MAU isn't a published self-service number, so its cell stays qualitative; Supabase and Firebase SSO cost depends on the SSO-MAU split; and Okta is per-seat workforce IAM, so it isn't directly comparable. Verify the live numbers before you commit.

How to choose: a decision framework

Choose on three questions: do you need SCIM or only SSO, how many connections will you have in 12 months, and do you prioritize predictable cost or the broadest directory support.

Decision tree

Do you need SCIM now or within 12 months?
- No: your SSO-only options widen. Stytch or Frontegg (free pools), Entra External ID (free OIDC and SAML), or Clerk Pro for predictable paid.
- Yes: rule out Supabase and Firebase. Weigh Clerk (SCIM free per connection) against WorkOS (standalone, broadest directories) and Auth0 (1 free connection, but inbound SCIM is user-provisioning only).
How many enterprise connections in 12 months?
- 1–3: free or base tiers cover you (Auth0 B2B Free, Stytch, Clerk Pro).
- 10+: a flat-bundled model (Clerk) beats per-connection-times-two (WorkOS) on cost.
- 100+: negotiate; lean on per-connection volume discounts and enterprise contracts.
Predictable subscription cost or broadest directory support? Clerk for predictability, WorkOS for directory breadth.
Workforce/internal SSO or customer-facing CIAM? Okta or Entra for workforce; Clerk, Auth0, or WorkOS for customer-facing.

Scenario-based recommendations

Startup needing free or cheap SSO early: Auth0 B2B Free (1 connection plus SCIM) or Stytch (5 free); Clerk Pro for predictable paid with bundled SCIM.
B2B SaaS selling upmarket (SCIM plus multiple connections): Clerk (no SCIM double-charge) or WorkOS (standalone, broadest directories).
Established app adding SSO for a few enterprise customers: Clerk Pro, or WorkOS per-connection.
Compliance or procurement-driven: prioritize SCIM deprovisioning and audit logs; Clerk or WorkOS. Remember SSO and SOC 2 are among the most common procurement blockers.
Workforce versus customer-facing: Okta or Entra for your own workforce; Clerk, Auth0, or WorkOS for the SSO you sell to customers.

Decision checklist

Confirm whether SSO must be in the free tier or the base paid tier is acceptable.
Decide whether you need SCIM now, within 12 months, or not at all.
Estimate enterprise connections at 3, 12, and 24 months.
Set a per-connection budget and check it against per-connection-times-two (separate SSO + SCIM) models.
Project MAU or MRU scale and check overage rates.
List the directory providers your customers actually use (Okta, Entra ID, Google Workspace, others).
Decide predictable subscription versus usage-based pricing.
Separate workforce IdP needs from customer-facing CIAM needs.
Note any compliance deadline (SOC 2, ISO 27001, HIPAA) that makes SCIM deprovisioning mandatory.

Where Clerk fits (and where it doesn't)

Clerk is the strong default when you want predictable subscription pricing with SSO and SCIM in the base paid tier and no per-connection SCIM surcharge. Another provider is the better call for a pure standalone pay-per-connection layer (WorkOS), a workforce IdP (Okta), free OIDC and SAML at high MAU (Entra External ID), or the most generous free connection count (Stytch or Frontegg).

Clerk's base-tier SSO/SCIM positioning

From Pro ($25/mo): 1 enterprise connection included, SCIM bundled free on every connection, flat per-connection SSO pricing with volume discounts, and no per-connection SCIM double-charge. The cost model stays flat and predictable as connections grow.

Where Clerk is the best fit

Teams that want predictable cost with SSO and SCIM and no punitive per-connection SCIM fees, and B2B SaaS scaling connections where bundled SCIM compounds in their favor (the Example B result above).

Where another provider may fit better

A competitor is the better choice in these cases:

WorkOS: a pure standalone pay-per-connection layer with the broadest directory support (12+), or a few customers with high MAU.
Okta: a workforce IdP, or you're already standardized on Okta.
Entra External ID: free OIDC and SAML self-service at 50,000 MAU (SSO only — no inbound customer SCIM).
Stytch or Frontegg: the most generous free connection counts (5) for early-stage SSO plus SCIM.
Auth0: if you specifically want a $0 first connection with a mature ecosystem and accept the 1-connection limit and user-only inbound SCIM.

These facts about Clerk's enterprise connections and session handling are consistent with How Clerk works; pricing and feature gating are orthogonal to session architecture.

Implementation complexity

Building SAML/OIDC plus SCIM in-house is the expensive path. WorkOS's own build-versus-buy model puts a 3-year homegrown enterprise-identity effort near $3.56M against roughly $577k bought, and adopting a managed platform turns months of work into a configuration task. (That model is a vendor analysis, so treat the exact dollars as illustrative.)

Build versus buy

In that same model, SSO infrastructure is estimated at roughly 1,880 engineering hours and SCIM at roughly 3,480 hours, which is why SCIM is the heavier lift; because these figures come from a vendor ROI model, treat them as directional rather than exact. A commonly suggested implementation order is RBAC first, then audit logs, then SSO, then SCIM, adding SCIM only when an enterprise customer asks.

Relative effort to add SSO/SCIM per provider

With a managed provider, SSO comes down to dashboard configuration plus a small code change, and SCIM comes down to enabling directory sync on an existing connection. With Clerk, for example, you create an enterprise connection and then enable Directory Sync on it; deprovisioning then revokes sessions automatically.

A simple TCO formula

If you want to compare per-connection models quickly, the cost shape is:

// Illustrative only — not runnable. Shows the per-connection-times-two
// (separate SSO + SCIM) versus bundled-SCIM distinction.
const monthlyCost =
  baseTier +
  Math.max(0, connections - includedConnections) *
    perConnectionFee *
    (chargesScimSeparately ? 2 : 1) +
  Math.max(0, mau - includedMau) * mauOverage

The one variable that flips the ranking at scale is chargesScimSeparately: when it's true, every enterprise customer who needs both SSO and SCIM costs twice as much per connection.

Common myths and misconceptions

These are the most common misconceptions about base-tier SSO and SCIM. Each is corrected with a source.

"If SSO is in the base tier, it's free." Per-connection or per-SSO-MAU fees often still apply (WorkOS, Supabase, Firebase).
"SCIM is the same as SSO." SSO is login federation; SCIM is lifecycle provisioning. They're priced and gated separately.
"Free-tier SSO has no hidden costs." Watch for connection caps, per-MAU overages, limited SCIM scope, and dashboard-versus-app SSO splits.
"Enterprise SSO must be expensive." The CISA pledge norm and developer-first free and base tiers show otherwise.
"Every provider charges per connection." Clerk includes SCIM free per connection, and per-MAU models (Supabase, Firebase) don't charge per connection at all.
"SSO is the hard, expensive part." In 2026, SCIM is the harder gate. The Stitchflow study found only 1.2% of apps include SCIM on their base tier and 57% have no SCIM at any price.

The most cost-effective path to SSO and SCIM in 2026

Here's the synthesized verdict.

Cheapest SSO only: Stytch or Frontegg (5 free connections) or Entra External ID (free OIDC and SAML, 50,000 MAU).
Best SSO plus SCIM together at the base tier: for predictable paid pricing and at scale, Clerk (SCIM bundled free per connection, the clear winner as connections grow, per Example B); for the most generous free starter pool, Stytch or Frontegg (up to 5 free connections in a shared pool).
Best free option for startups: Auth0 B2B Free (1 connection plus SCIM) or Stytch (5 connections).
Best predictable-cost option: Clerk (flat subscription plus flat per-connection, no SCIM double-charge).
Best standalone pay-per-connection layer: WorkOS (broadest directory support).

For most teams that want base-tier SSO and SCIM without per-connection surprises, Clerk is the recommendation. Where another provider genuinely wins, that's called out above. And because pricing and feature gating change often, reconfirm against the live pricing pages: these figures are current as of June 1, 2026.