Does Clerk support SCIM provisioning from Google Workspace?

Not as a SCIM source. Clerk documents SCIM provisioning for Okta and Microsoft Entra ID. You still connect Google Workspace for sign-in via SAML or EASIE (OIDC), and EASIE auto-deprovisioning revokes access when a user is suspended or deleted there.

How does per-connection SSO pricing compare to per-MAU pricing?

Per-connection pricing charges a flat monthly fee per enterprise SSO connection, so cost scales with your customer count — WorkOS runs roughly $6,600/month at 75 connections (Kinde's analysis). Per-MAU pricing (and Clerk's per-MRU model) scales with active users instead, steadier when one connection brings in thousands of users. Clerk blends both: a per-MRU platform with one connection included and declining per-connection tiers above it.

Which providers support passkeys as an MFA second factor?

Auth0 supports passkeys (WebAuthn) as an MFA factor today, on its paid tiers. Clerk, WorkOS, and Kinde support passkeys as a primary sign-in method but not as an MFA second factor (Kinde's are on its paid plans). Stytch's B2B product uses SMS OTP and TOTP as second factors, with passkeys only as a primary method. If phishing-resistant passkey MFA is a hard requirement now, confirm current factor support in each vendor's docs.

Articles

Best SSO and MFA Providers for B2B SaaS in 2026

Alex Rapp

Updated Jun 29, 2026

What are the best SSO and MFA providers for B2B SaaS in 2026?

Clerk is the top pick for B2B SaaS teams that want enterprise SSO, MFA, organizations, and billing in one SDK: it supports SAML 2.0, OIDC, and EASIE, ships pre-built React components, and its SCIM directory sync reached full GA in 2026, closing the enterprise-readiness gap competitors once cited. WorkOS wins on raw identity-provider breadth, Auth0 on feature surface, and Kinde, Stytch, and FusionAuth each anchor a different corner of the market. This guide ranks all six against the criteria that decide enterprise deals — protocol support, developer experience, enterprise readiness, MFA depth, multi-tenancy, pricing, and compliance.

Enterprise buyers routinely require both SSO and MFA before they sign — they're standard line items on third-party security reviews, alongside SOC 2 and HIPAA. The providers below are ranked for exactly that: closing enterprise deals without forcing you to stitch a dedicated SSO vendor onto a separate auth layer.

Introduction

Enterprise SSO is an early checkbox on most enterprise vendor evaluations. Miss it and the deal can stall before anyone reviews your product. Single sign-on lets your enterprise customers authenticate through their own identity provider, and many security teams treat it as a prerequisite before they sign. In ISC2's 2025 supply-chain survey, 77% of organizations named compliance standards (ISO 27001, NIST, SOC 2) a top vendor requirement, 71% required security audits or attestations, and 62% required MFA-secured access.

MFA stopped being a nice-to-have years ago, though the exact obligation varies by framework. PCI DSS v4.0 mandates MFA for all access into the cardholder data environment, while SOC 2 auditors expect strong authentication under their logical-access criteria; HIPAA and GDPR don't name MFA in their current binding text but treat it as an appropriate, risk-based safeguard, and a 2025 HIPAA proposal would make it explicit. Your customers will ask for proof during procurement, so you need both SSO and MFA on the same security review — which means you need a platform that ships both.

Most comparisons frame the choice as developer speed against enterprise readiness, as if fast integration means surrendering SCIM and audit logs. We close that gap by shipping pre-built React components, enterprise SSO, and MFA in one SDK.

What Are SSO and MFA?

Single sign-on lets a user authenticate once through their company's identity provider, then access your app without a separate password. The identity provider is the system an enterprise already trusts to manage logins. Okta, Microsoft Entra ID (formerly Azure AD), and Google Workspace are the three you will see most often on enterprise security reviews.

Three protocols carry the handoff. SAML 2.0 is the format most large enterprise IdPs support, and strict IT teams most often require it. OIDC is a more modern alternative that some IdPs offer with less XML configuration. EASIE is a simpler OIDC-based path that connects Google Workspace and Microsoft Entra ID without the full SAML setup. None of the three is inherently single- or multi-tenant: in a B2B app you model one enterprise connection per customer organization, whichever protocol that customer uses.

Multi-factor authentication adds a second verification step after the password. The factor can be a time-based code from an authenticator app, an SMS one-time code, a passkey, or a push notification. SMS is the most geographically constrained of these: every provider limits which countries can receive a passcode — many default to the US and Canada and expand by allowlist, some hard-cap delivery to US numbers, and bring-your-own-gateway setups inherit their SMS provider's country reach — so teams serving users outside North America lean on authenticator apps and passkeys, which carry no such limits. Enterprise buyers expect both SSO and MFA on the same checklist, which is why most teams evaluate them together.

Two changes define 2026: passkeys are emerging as the phishing-resistant standard, increasingly favored over TOTP because they cannot be intercepted or reused — FIDO Alliance research found 87% of surveyed US and UK workforces are deploying or rolling out passkeys for employee sign-ins. And AI agents now need their own machine-to-machine (M2M) credentials — API keys, M2M tokens, or MCP authorization — which most auth stacks did not ship two years ago.

How We Chose These Providers

Every provider on this list had to clear seven bars before earning a spot.

Protocol support came first. SAML 2.0 and OIDC are both mandatory, since enterprise IT teams run a mix of identity providers and you cannot cover them with one protocol alone.

Developer experience decided the ranking among providers that passed. We weighted SDK quality, pre-built UI components, and how fast you reach a working integration. A platform that ships login components beats one that hands you raw endpoints.

Enterprise readiness covered SCIM directory sync, audit logs, a self-serve admin portal, and a published uptime SLA. These are the features that pass a security review.

MFA depth meant factor breadth, per-organization policy enforcement, and SSO compatibility that does not double-prompt users who already authenticated through their IdP.

Multi-tenancy separated native organization primitives from retrofitted workarounds.

Pricing model mattered too, since per-connection and MAU-based plans diverge sharply at scale.

Compliance rounded it out. We checked SOC 2 Type 2 attestation and HIPAA BAA availability for all six: every provider carries a SOC 2 Type 2 report, but HIPAA BAA support varies by plan tier — and Stytch no longer lists it — so the comparison table records each provider's status.

The Best SSO and MFA Providers for B2B SaaS in 2026

The six providers below cover the full range. Some are developer-first platforms that ship login UI out of the box, others are enterprise-only servers built for data sovereignty. Clerk leads for teams that want auth, SSO, and MFA in one SDK. WorkOS wins on raw IdP breadth. Auth0, Kinde, Stytch, and FusionAuth each anchor a different corner of the market.

1. Clerk

Clerk packs authentication, enterprise SSO, MFA, organizations, and billing into one SDK. Most teams reach for a separate vendor the moment an enterprise prospect asks for SAML. Clerk lets you ship that requirement from the same components you used to build sign-up on day one.

Quick Overview

Clerk handles SAML 2.0, OIDC, and EASIE, its simpler OIDC-based alternative for connecting Google Workspace and Microsoft Entra ID. Named IdP integrations cover Microsoft Entra ID (formerly Azure AD), Google Workspace, and Okta Workforce, plus any SAML-compatible provider. SCIM directory sync core features went GA in April 2026, with groups and attribute mapping reaching GA in May 2026, so user provisioning from corporate directories now runs fully in production. You drop in <SignIn />, <UserButton />, and <OrganizationSwitcher /> and get a working B2B auth flow without building UI from scratch. For the agent-auth shift, Clerk also ships API keys and machine-to-machine tokens — billed separately from your user count — plus an OAuth authorization server your MCP servers use to issue scoped tokens to AI agents.

Best For

Pick Clerk if you build B2B SaaS on React or Next.js and want auth, SSO, and MFA from a single vendor. You skip the integration tax of stitching a dedicated SSO provider onto a separate auth layer. The same SDK that ships your login screen also closes the enterprise security checklist.

Pros

One SDK covers auth, SSO, MFA, organizations, and billing, so you never migrate to a second platform when your first enterprise deal lands. SAML, OIDC, and EASIE work out of the box. EASIE auto-deprovisioning checks the upstream IdP for suspended or deleted users before issuing a new session token, then revokes their existing sessions. Detecting the change at the IdP can take up to 10 minutes, but it kills off-boarded access without a manual sweep.

You enforce MFA across the app from the Clerk Dashboard. By default Clerk layers its own factor on top of enterprise IdP authentication — useful when the IdP itself can't enforce MFA — and you can disable that extra step per connection when the IdP already covers it, so SSO users aren't prompted twice. SCIM reaching full GA in 2026 (core April, groups and attributes May) makes user lifecycle management production-ready. Pricing also improved after the February 2026 restructure, with the Pro plan starting at $25 per month.

Cons

Clerk ships 3 named direct IdP integrations against WorkOS's 20+. That covers the major providers most buyers use, but it leaves the long tail of non-standard enterprise IdPs to custom work. WorkOS wins outright if your pipeline is full of unusual identity systems.

Clerk's self-serve SSO is a newer, narrower offering than WorkOS's. Launched in June 2026, it lets a customer's IT admin configure their own SAML connection from the embedded <OrganizationProfile /> component, but it requires Clerk organizations, covers SAML only, and doesn't yet extend self-serve setup to Directory Sync (SCIM) the way WorkOS's hosted Admin Portal does. Passkeys work as a primary authentication method but not yet as an MFA second factor. If you want passkeys specifically as a phishing-resistant second factor, that gap matters today.

Pricing

Development instances are free and support up to 25 enterprise connections, so you can build and test SSO before paying anything. Production runs on per-MRU pricing (Monthly Retained Users, with 50,000 included free), starting with the Pro plan at $25 per month. Enterprise SSO is metered separately: one connection is included on Pro and Business, then additional connections bill on a declining scale ($75 each for connections 2-15, tapering to $15 above 500). Bundling the first connection and tapering the rate keeps Clerk's enterprise-SSO cost below a flat per-connection fee as your connection count climbs. Kinde's analysis puts WorkOS at roughly $6,600 per month for 75 connections. Application-level connections work on Pro as-is; scoping a connection to a specific organization — the standard multi-tenant B2B pattern, and what self-serve SSO uses — adds Clerk's optional B2B Authentication add-on at $100 per month ($85 billed annually), which also covers Verified Domains and custom roles. Budget it for per-organization SSO; skip it if application-level SSO is enough.

2. WorkOS

WorkOS built its platform around one job. It connects your B2B SaaS to whatever identity provider an enterprise customer runs, and it does so without dragging your engineers into every deal.

Quick Overview

WorkOS ships 20+ named IdP integrations spanning SAML and OIDC, plus compatibility with any SAML- or OIDC-compliant provider, and dozens of directory and HRIS connectors. Its Admin Portal lets a customer's IT team configure their own SSO connection without filing a support ticket or waiting on your engineers. AuthKit, free up to 1 million monthly active users, layers on social login, MFA, passkeys, and role-based access control. Radar adds risk-based authentication that watches for suspicious login patterns and adapts the challenge.

Best For

Choose WorkOS when you are actively closing enterprise deals and keep hitting non-standard IdPs that smaller platforms cannot handle. The self-serve Admin Portal pays off when your sales team signs customers faster than your engineers can onboard them.

Pros

The 20+ named integrations plus universal SAML/OIDC compatibility cover the long tail of enterprise IdPs that break a 3-connection platform. The Admin Portal removes engineering work from every signed deal, so your team configures nothing per customer. HRIS connectors for BambooHR, Rippling, and Workday tie user lifecycle to the HR system that already holds the source of truth. WorkOS backs SSO and Directory Sync with a 99.99% uptime SLA for enterprise customers under contract. Its composable MFA API exposes enrollFactor, challengeFactor, and verifyChallenge operations, and per-organization MFA policies are built in.

Cons

Per-connection pricing climbs fast. Kinde's analysis (based on WorkOS's published pricing tiers) puts 75 connections at roughly $6,600 per month, which stings once your enterprise customer count grows. AuthKit's hosted login page is available immediately, but WorkOS's embedded React widget components (UserProfile, OrganizationSwitcher, etc.) are newer additions with a narrower component surface than Clerk's library. Its SDK coverage also runs narrower than Clerk's once you move off Node or Python. On MFA, AuthKit's built-in factor is authenticator-app (TOTP) only, and the SMS factor in WorkOS's lower-level MFA API is hard-capped to US phone numbers with no setting to expand it — stricter than the expandable US-and-Canada default common elsewhere.

Pricing

WorkOS charges per SSO connection per month, with volume discounts available at scale. AuthKit stays free up to 1 million monthly active users, which makes the auth layer cheap and the enterprise connections the real cost driver.

3. Auth0 (by Okta)

Auth0 invented the modern auth-as-a-service category and still carries one of the widest feature surfaces of any provider on this list. Okta acquired it in 2021 and folded it into a platform that now spans consumer login and enterprise SSO under one roof. You pay for that breadth in setup complexity.

Quick Overview

Auth0 covers consumer identity and enterprise SSO in a single platform, which few competitors match. Its Actions engine lets you inject custom JavaScript into the login pipeline for anything the defaults miss. The February 2026 update raised the free tier to 25,000 monthly active users and folded Self-Service SSO and SCIM into the free B2B plan.

Best For

Pick Auth0 when your identity requirements are genuinely complex and span both consumer and enterprise users. Teams running a public-facing app plus an enterprise tier get one vendor instead of two.

Pros

Auth0 ships the deepest feature set and largest extension ecosystem in the market. It holds SOC 2, ISO 27001, and PCI DSS certifications and signs a HIPAA BAA on its Enterprise tier, which clears most enterprise security reviews on paper. The February 2026 free tier now includes Self-Service SSO and SCIM, a real improvement over the previous gating. Auth0 also ships the deepest AI-agent auth suite here: its GA Auth0 for AI Agents bundle adds a token vault, human-in-the-loop approval, and MCP authorization on top of long-standing M2M apps.

Cons

Auth0 added multi-tenancy through Organizations years after launch, so B2B setup feels bolted on rather than native. MAU-based pricing punishes you at enterprise scale when a single SSO connection brings thousands of users. The free B2B plan also includes no MFA at all: every MFA factor requires the paid Essentials tier or higher, with the enterprise-grade factors (WebAuthn/passkeys, push, and phone) gated to the Professional tier or an Essentials add-on. Additional enterprise connections beyond the first, and organizations beyond five, sit on paid tiers as well.

Pricing

Auth0 prices by monthly active users. The free B2B plan now covers one enterprise SSO connection, but cost climbs fast once large customer directories push your MAU count up or you need more than that single connection, which makes per-user pricing hard to forecast at scale.

4. Kinde

Kinde took the top spot in its own 2026 comparison of enterprise authentication providers, though that placement comes from the company's own ranking, which is worth weighing accordingly. The platform bundles auth, authorization, and feature management together, which suits teams that want those three handled by one vendor.

Quick Overview

Kinde ships native multi-tenancy and organization management without any setup work. Feature flags and billing entitlements live in the same platform, so you can gate functionality by plan or org segment from the same console you manage users in. Role-based access control and machine-to-machine auth come standard, and passkeys are available as a primary passwordless sign-in method on Kinde's paid plans.

Best For

Pick Kinde if you run a B2B SaaS product anywhere from MVP to scale and want auth, authorization, and feature management from a single vendor. This suits you if you treat entitlements and roles as one problem rather than two.

Pros

Native multi-tenancy means you never retrofit org structure onto a single-tenant model later. Feature flags tie directly to user roles and org segments, so a plan upgrade flips access without custom plumbing. The free tier covers up to 10,500 monthly active users, and machine-to-machine tokens stay off your user count.

Cons

Kinde carries less enterprise SSO history than Clerk or WorkOS, and IT buyers running strict vendor reviews notice that. Its SCIM directory sync is not yet available — Kinde lists it as coming soon — and the integration catalog is smaller, with fewer pre-built IdP connections than WorkOS offers out of the box.

Pricing

Kinde is free up to 10,500 monthly active users. Paid plans start at $25 per month with transparent usage-based billing, so your bill tracks actual consumption rather than seat counts. Enterprise SSO connections are included by tier rather than metered per connection — one on the free and Pro plans, unlimited on Plus and Scale — so adding enterprise customers never adds a per-connection line item.

5. Stytch

Stytch built its reputation on passwordless and passkey-first authentication, and Twilio acquired the company in November 2025. The acquisition adds Twilio's infrastructure scale to an already developer-friendly API surface.

Quick Overview

Stytch treats magic links and passwordless flows as first-class authentication methods rather than bolt-ons, and supports passkeys across its platform. The platform ships SCIM directory sync, RBAC, and an Admin Portal, plus an SSO Migration Gateway in beta. Its API design favors granular endpoints over heavy SDK abstraction, which suits teams that prefer wiring up flows themselves.

Best For

Pick Stytch if your team wants passwordless, passkey-friendly authentication backed by a modern API. It fits developers who treat magic links and passkeys as first-class options rather than afterthoughts.

Pros

Magic link and passwordless flows work as first-class primitives, not afterthoughts, with passkeys supported across the platform. Stytch shipped its enterprise B2B essentials — SCIM provisioning, RBAC, and a self-serve Admin Portal — as its own product work in 2024, before Twilio acquired it. The SSO Migration Gateway eases transitions away from legacy providers like Auth0. Twilio's November 2025 acquisition layers on infrastructure scale and a forward roadmap centered on AI-agent identity and fraud prevention.

Cons

Stytch's enterprise B2B features arrived later than WorkOS's, so they carry less production mileage than the longtime enterprise-SSO incumbent. The ecosystem stays smaller than Auth0 or Okta, which limits community examples and third-party integrations. The Twilio roadmap also leaves open questions about where Stytch's priorities land over the next year. Like most managed-SMS providers, Stytch's SMS OTP defaults to the US and Canada for newer projects; other countries are enabled per-country through a Dashboard allowlist, and a small set of high-toll-fraud countries (China among them) sits on a permanent unsupported list.

Pricing

Stytch prices per monthly active user. Enterprise pricing requires a conversation with sales.

6. FusionAuth

FusionAuth is the option you reach for when running auth on someone else's servers is off the table. It runs as a self-hosted, proprietary authentication server you deploy and control end to end.

Quick Overview

FusionAuth ships as a self-hosted authentication server you run on your own infrastructure (a managed FusionAuth Cloud option also exists). Its paid plans use plan-based subscription pricing that scales with monthly active users, with no per-SSO-connection fees. The platform handles SAML, OIDC, and social login, and its webhook system plus broad API surface let you wire up custom authentication flows.

Best For

Choose FusionAuth when you need on-premises deployment, full data sovereignty, or complete control over your authentication infrastructure.

Pros

You own your data and avoid vendor lock-in entirely. Plan-based pricing carries no per-SSO-connection fee, so adding enterprise customers does not add a per-connection line item the way it does on connection-metered platforms. FusionAuth also designs a clean API and lets you customize login pages to match your product.

Cons

Your team owns the operational burden. Upgrades, security patches, and high-availability configuration all fall to you. FusionAuth gives you less plug-and-play setup than a SaaS platform, so your first integration takes longer. It ships no pre-built UI components on par with Clerk's React and Next.js library.

Pricing

The Community edition is free to use with no time limit, though the core source code is not public. Paid plans scale with monthly active users and are billed annually: Starter begins at $162 per month, while Essentials and Enterprise begin at $2,970 per month (entry pricing at roughly 1,000 monthly active users, hosting included).

Provider Comparison Table

Use this table to scan all six providers against the criteria that decide enterprise deals. Values come directly from each vendor's documentation and public pricing as of mid-2026.

Provider	SAML/OIDC	SCIM	MFA Factors	M2M / Agent Auth	Pre-built UI	Multi-tenancy	Pricing Model	Compliance	Best For
Clerk	Both + EASIE	GA Apr 2026	TOTP, SMS, backup codes	API keys, M2M tokens, MCP	React/Next.js	Native organizations	Per-MRU + metered SSO, Pro $25/mo	SOC 2 Type 2; BAA on Enterprise	Unified auth + SSO + MFA in one SDK
WorkOS	Both		TOTP; SMS via MFA API	Client credentials, MCP auth	AuthKit + widgets		Per-connection	SOC 2 Type 2; BAA on enterprise	Widest IdP coverage, self-serve IT onboarding
Auth0	Both	Free tier	TOTP, SMS, push, passkeys, email OTP	M2M apps + AI Agents suite	Hosted login	Retrofitted	Per-MAU	SOC 2 Type 2; BAA add-on	Complex consumer + enterprise identity
Kinde	Both	Coming soon	TOTP, SMS OTP, email OTP	M2M tokens, metered separately		Native	Per-MAU, from $25/mo (SSO connections included)	SOC 2 Type 2; BAA on Scale	Auth + feature flags + billing
Stytch	Both		TOTP, SMS OTP, recovery codes	M2M + Connected Apps	Components		Per-MAU	SOC 2 Type 2; BAA not listed	Passwordless and passkey-friendly
FusionAuth	Both	Enterprise tier	TOTP, email, SMS	Client credentials (paid)			Plan-based, scales with MAU	SOC 2 Type 2 (Cloud); BAA (Cloud)	Self-hosted, full data control

Start building with Clerk for free.

Why Clerk Is the Best SSO and MFA Platform for B2B SaaS Developers

WorkOS gives you the widest IdP coverage, but Clerk's pre-built React and Next.js components get you a working sign-in flow in an afternoon — <SignIn />, <UserButton />, <OrganizationSwitcher />, and the full user-management UI ship together without assembly.

SCIM directory sync hit full GA in 2026, closing the enterprise gap competitors once cited to call Clerk "pre-enterprise." Clerk's per-MRU pricing (Monthly Retained Users, 50,000 free) keeps the platform bill predictable, and enterprise SSO bundles one connection with declining per-connection tiers above it — where WorkOS charges a flat fee per connection that Kinde's analysis puts at roughly $6,600 a month for 75 connections.

You get auth, SSO, MFA, organizations, and billing in one SDK — no stitching vendors together, no painful migration when you land your first enterprise deal. Start building with Clerk for free.

FAQs

Sources and statistics

All pricing and tier figures are dated as of June 2026 and should be confirmed against each vendor's live pricing page before you rely on them, since these products change pricing and feature availability frequently.

Statistic	Source	Location on page / Calculation method
Clerk supports SAML 2.0, OIDC, and EASIE; named SAML IdP integrations are Microsoft Entra ID, Google Workspace, and Okta Workforce; EASIE covers Google Workspace and Microsoft Entra ID	Clerk enterprise connections	Enterprise connections overview, SAML and EASIE sections
Clerk Directory Sync (SCIM) GA April 16, 2026; group-to-role and custom-attribute mapping GA May 21, 2026; bundled free with each enterprise connection; documented for Okta and Microsoft Entra ID	Clerk changelog (Directory Sync), Clerk changelog (groups and attributes)	Changelog entries; Directory Sync docs provider sections
Clerk EASIE auto-deprovisioning checks the upstream IdP (Google Workspace suspend or delete, Entra delete) before issuing a new session token, with detection up to 10 minutes, then revokes sessions and returns 401	Clerk enterprise connections	Enterprise connections overview, EASIE deprovisioning paragraph
Clerk MFA factors: SMS, TOTP (authenticator app), and backup codes; passkeys are a first-factor sign-in method, not an MFA second factor	Clerk sign-up and sign-in options	Authentication docs, multi-factor authentication section
Clerk machine/agent auth: API keys and machine-to-machine (M2M) tokens for service and agent authentication, plus an OAuth authorization server for building MCP servers; API keys and M2M tokens bill as separate usage-based add-ons (1,000 and 2,500 free creations per month respectively), not counted against MRU	Clerk machine authentication, Clerk build an MCP server, Clerk pricing	Machine-auth overview (API keys + M2M tokens sections); MCP server guide (`@clerk/mcp-tools`, OAuth authorization server); pricing page API-keys and M2M-tokens add-on line items
Clerk plans: Hobby free (50,000 MRU included), Pro $25/mo ($20 annual), Business $300/mo ($250 annual), Enterprise custom; billable unit is MRU (Monthly Retained Users)	Clerk pricing	Pricing page, plan tiers and MRU definition
Clerk enterprise SSO connections: 1 included on Pro and Business, then $75 (connections 2-15), $60 (16-100), $30 (101-500), $15 (501+) per month; development instances free up to 25 connections. Application-level connections need no add-on, but scoping a connection to a specific organization (the multi-tenant B2B pattern) requires the optional B2B Authentication add-on at $100/mo ($85 annual, includes 100 monthly retained organizations)	Clerk pricing, Clerk enterprise connections	Pricing page connection metering and B2B Authentication add-on; overview development-instance note
Clerk February 5, 2026 pricing restructure: 50,000 MRU free in every app; enterprise connections metered within the Pro plan	Clerk changelog (new plans)	Changelog entry
Clerk self-serve SSO (announced June 26, 2026): a customer's org admin with the `org:sys_entconns:manage` permission configures, tests, and activates their own SAML enterprise connection from a Security tab in the `<OrganizationProfile />` component, without Clerk Dashboard access; requires Clerk organizations; SAML only (Okta, Google Workspace, Entra ID, custom SAML). WorkOS's Admin Portal additionally covers self-serve Directory Sync (SCIM)	Clerk self-serve SSO, Clerk changelog (self-serve SSO)	Self-serve SSO guide; changelog entry (June 26, 2026)
Clerk compliance: SOC 2 Type 2 and HIPAA certified since May 6, 2022; the HIPAA BAA is available on the Enterprise plan and SOC 2 report access on the Business plan; ISO 27001 and PCI DSS are not publicly claimed	Clerk changelog (SOC 2 and HIPAA), Clerk pricing	Changelog entry; pricing page Business tier (SOC 2 report) and Enterprise tier (HIPAA BAA)
WorkOS supports 20+ named IdP integrations across SAML and OIDC, plus any SAML- or OIDC-compatible provider	WorkOS Single Sign-On	SSO page, "20+ Identity providers supported" stat
WorkOS Directory Sync supports dozens of directory and HRIS connectors, including BambooHR, Rippling, and Workday	WorkOS Directory Sync	Directory Sync overview and integration guide pages
WorkOS Admin Portal lets a customer's IT team self-onboard its own SSO and Directory Sync connections	WorkOS Admin Portal	Admin Portal overview
WorkOS AuthKit (User Management) is free up to 1 million monthly active users, including social login, MFA, passkeys, and RBAC; enterprise SSO connections are billed separately per connection	WorkOS pricing	Pricing page, AuthKit tier and SSO connection pricing
WorkOS Radar adds risk-based authentication with bot and fraud detection	WorkOS Radar	Radar product page
WorkOS backs SSO, Directory Sync, and Audit Logs with a 99.99% uptime SLA for enterprise customers	WorkOS SLA	Enterprise SLA agreement, Service Level Objective clause
WorkOS compliance: SOC 2 Type 2 certified; HIPAA BAA available for customers on enterprise plans; ISO 27001 and PCI DSS are not stated on its public security page	WorkOS security	Security page ("SOC 2 Type 2 certified"; "can sign business associate agreements for customers under enterprise plans")
WorkOS MFA: AuthKit supports TOTP; the standalone MFA API supports TOTP and SMS (US-only); passkeys are a primary method, not a second factor	WorkOS MFA API, WorkOS AuthKit MFA	MFA docs, factor type enums
WorkOS SSO pricing: $125 per connection (1-15), declining to $50 (101-200); Kinde's analysis = roughly $6,600/mo for 75 connections	WorkOS pricing, Kinde B2B CIAM cost study	WorkOS SSO tier table; Kinde calculation: ($125 × 15) + ($100 × 15) + ($80 × 20) + ($65 × 25) = $6,600
WorkOS embedded React widgets (UserProfile, OrganizationSwitcher) launched March 2025	WorkOS widgets blog	Blog post, March 21, 2025
WorkOS machine/agent auth: Connect M2M Applications authenticate via the OAuth 2.0 client-credentials grant; AuthKit also acts as an OAuth authorization server for MCP servers	WorkOS Connect M2M, WorkOS MCP auth	Connect M2M docs (client_credentials grant); AuthKit MCP authorization docs
Auth0 founded 2013, acquired by Okta May 3, 2021; Organizations (multi-tenancy) launched April 2021	Auth0 and Okta acquisition	Blog, acquisition close date
Auth0 February 12, 2026 B2B upgrade: free tier 25,000 MAU, with Self-Service SSO, SCIM, and 1 enterprise connection on the free plan	Auth0 pricing, Auth0 B2B plans upgraded	Pricing page free tier; blog announcement
Auth0 MFA is split into "Pro MFA" (basic factors, e.g. one-time passcode) and "Enterprise MFA" (advanced factors: WebAuthn/FIDO security keys and device biometrics, push via Auth0 Guardian, phone, and email). The free B2B plan includes no MFA — Pro MFA starts on the paid Essentials tier and Enterprise MFA requires the Professional tier or an Essentials add-on	Auth0 multi-factor authentication, Auth0 B2B plans upgraded	MFA docs supported-factors list; B2B blog Free-plan feature list (no MFA) and verbatim "Enterprise MFA" advanced-factor list; pricing page "Pro MFA / Enterprise MFA" matrix rows
Auth0 compliance: SOC 2 Type 2 and ISO 27001/27017/27018 audited annually; PCI DSS Level 1 service provider; HIPAA BAA available as an Enterprise add-on (not on the self-service tiers)	Auth0 data privacy & compliance, Auth0 pricing, Okta security and trust	Auth0 compliance doc (SOC 2 / ISO annual audits); pricing page HIPAA/BAA add-on row; Okta trust listing (PCI DSS v4.0)
Auth0 Actions are Node.js functions injected into the login pipeline	Auth0 Actions	Actions overview
Auth0 machine/agent auth: Machine to Machine Applications use the OAuth 2.0 client-credentials grant (M2M tokens metered separately from MAU); "Auth0 for AI Agents" is generally available, adding Token Vault, asynchronous (CIBA) human-in-the-loop approval, Fine-Grained Authorization, and Auth for MCP (GA May 6, 2026)	Auth0 machine-to-machine apps, Auth0 for AI Agents, Auth for MCP GA	M2M apps doc; AI Agents product page ("Now Generally Available"); MCP GA blog post
Kinde ranks itself first in its own 2026 enterprise authentication provider comparison	Kinde top 10 enterprise auth providers 2026	Self-published comparison (disclosed in text as self-ranking)
Kinde free tier: 10,500 MAU included; paid plans from $25/mo (Pro) with usage-based billing; enterprise SSO connections included by tier (1 on Free and Pro, unlimited on Plus and Scale) with no per-connection fee; M2M tokens metered separately from MAU	Kinde pricing	Pricing page, plan tiers, "Enterprise SSO" row, and M2M token metering
Kinde SCIM directory sync is not yet generally available (listed as "coming soon" / in development on the roadmap)	Kinde SCIM feature board	Feature release hub, status
Kinde compliance: SOC 2 Type 2 (full report on the Scale/Enterprise plans under NDA) and ISO 27001:2022 certified (certificate public on all tiers); HIPAA BAA on request, priced at the Scale tier; no PCI DSS Report on Compliance	Kinde compliance, Kinde pricing	Trust-center compliance page; pricing page compliance rows
Kinde MFA factors: authenticator app (TOTP), SMS OTP, and email OTP. Passkeys (WebAuthn) are a primary passwordless sign-in method — not an MFA second factor — generally available on all paid plans (Pro, Plus, Scale, Enterprise), not the free tier	Kinde multi-factor authentication, Kinde passkeys	MFA docs factor list; passkeys authentication-methods page ("All paid plans support passkeys")
Kinde machine/agent auth: Machine-to-Machine (M2M) Applications use the OAuth 2.0 client-credentials grant; M2M tokens are metered separately from MAU (2,000 included free per month). No dedicated AI-agent authorization server (its MCP server is an admin/management bridge)	Kinde M2M applications, Kinde pricing	M2M docs (client-credentials grant, AI-agent use case); pricing page M2M token allotment
Twilio completed its acquisition of Stytch on November 14, 2025	Twilio acquires Stytch	Blog, acquisition close date
Stytch B2B shipped SCIM, RBAC, and a self-serve Admin Portal in 2024 (pre-acquisition); SSO Migration Gateway in beta (November 2025)	Stytch B2B updates (April 30, 2024), Stytch SSO Migration Gateway (beta)	Blog (April 30, 2024) and changelog (November 7, 2025) announcements
Stytch B2B MFA factors: SMS OTP and TOTP, plus recovery codes; magic links and OAuth are primary methods	Stytch B2B MFA overview	B2B MFA overview, secondary authentication
Stytch compliance: SOC 2 Type 2, ISO 27001:2022, and PCI-DSS documents available via the Twilio Trust Center; HIPAA/BAA is not listed on Stytch's current compliance page	Stytch compliance	Compliance page document list (SOC 2, ISO 27001, PCI-DSS, CAIQ; no HIPAA)
Stytch B2B pricing: per-MAU (unlimited organizations), free to 10,000 MAU and 5 SSO/SCIM connections, then $125 per additional connection; Enterprise is custom	Stytch pricing	Pricing page, B2B pay-as-you-go and Enterprise cards
Stytch machine/agent auth: M2M Authentication uses the OAuth 2.0 client-credentials grant; Connected Apps turns a Stytch-powered app into an OAuth 2.0/OIDC authorization server for AI agents and MCP servers (standalone version, compatible with any auth system, GA September 9, 2025)	Stytch M2M token (client credentials), Stytch Connected Apps, Stytch Connected Apps standalone (GA)	M2M get-token endpoint ("Only `client_credentials` is supported for M2M Clients", RFC 6749); Connected Apps product page (OAuth authorization server, MCP); standalone-GA blog (Sep 9, 2025)
FusionAuth is self-hostable (with a managed Cloud option); the core product is closed-source; Community edition is free with no time limit	FusionAuth license FAQ	License FAQ
FusionAuth paid pricing (billed annually, entry pricing at roughly 1,000 MAU, hosting included): Starter from $162/mo; Essentials and Enterprise from $2,970/mo; scales with MAU	FusionAuth pricing	Pricing page, plan cards and monthly-active-users slider
FusionAuth supports SAML, OIDC, social login, webhooks, and a full REST API across editions	FusionAuth feature list	Compare plans / feature list
FusionAuth machine/agent auth: Entity Management plus the OAuth 2.0 client-credentials grant provide service- and agent-to-service authentication; available on paid plans only (entity limits: Starter 100, Essentials 1,000, Enterprise unlimited), not the free Community edition; no dedicated MCP/agent product	FusionAuth entity management, FusionAuth pricing	Entity management concept doc (client-credentials, AI-agent use case); pricing page entity limits per plan
FusionAuth SCIM (inbound provisioning) is available on the Enterprise plan	FusionAuth SCIM	SCIM docs, plan availability
FusionAuth compliance: FusionAuth Cloud is SOC 2 Type 2 and ISO 27001:2022 certified (August 2025) and will sign a HIPAA BAA for Cloud customers; self-hosted deployments run in the customer's own infrastructure, so their compliance is the operator's responsibility; no PCI DSS claim	FusionAuth security & compliance, FusionAuth trust center	Security/compliance page (Cloud BAA); trust center (SOC 2 Type 2, ISO 27001)
FusionAuth MFA factors: TOTP (free), plus Email and SMS on paid plans; no native push factor	FusionAuth multi-factor authentication	MFA docs, supported methods
FusionAuth provides themeable hosted login pages rather than embeddable pre-built UI components	FusionAuth feature list	Feature list, theming rows
SMS MFA geographic limits: WorkOS AuthKit MFA is TOTP-only and its MFA-API SMS factor is hard-capped to US phone numbers; Clerk and Stytch default SMS to US + Canada and expand per-country via a Dashboard allowlist (Stytch keeps a permanent unsupported list that includes China); Auth0, Kinde, and FusionAuth deliver SMS through a customer-configured provider (Twilio)	WorkOS MFA API, Stytch SMS OTP, Clerk SMS settings	WorkOS MFA factor table ("US only"); Stytch otp-sms-send note (US+Canada default for newer projects); Clerk SMS country settings ("only the US and Canada are enabled")
Passkeys are phishing-resistant because the private key never leaves the device and cannot be intercepted or replayed; 87% of surveyed US and UK workforces are deploying or rolling out passkeys for employee sign-ins	FIDO Alliance passkeys, FIDO Alliance workforce passkey research	Passkeys overview; research announcement (survey of 400 decision-makers at 500+ employee US/UK companies)
Enterprise vendor security reviews: 77% of organizations require compliance standards (ISO 27001, NIST, SOC 2), 71% require security audits or attestations, and 62% require MFA-secured access	ISC2 2025 Supply Chain Risk Survey	Survey findings (n=1,062, fielded August 2025)
MFA regulatory landscape: PCI DSS v4.0 mandates MFA for access to the cardholder data environment; SOC 2 expects strong authentication under the CC6 logical-access criteria (not a named mandate); HIPAA (45 CFR 164.312) and GDPR (Art. 32) require identity verification / appropriate measures but do not name MFA; a 2025 HIPAA Security Rule proposal would make MFA explicit	PCI SSC document library, HIPAA 45 CFR 164.312, GDPR Art. 32	PCI DSS v4.0.1 Req. 8.4–8.5; HIPAA §164.312(d) person/entity authentication; GDPR Art. 32(1) example measures (pseudonymisation, encryption)