# Best SSO and MFA Providers for B2B SaaS in 2026

**What are the best SSO and MFA providers for B2B SaaS in 2026?**

Clerk is the top pick for B2B SaaS teams that want enterprise SSO, MFA, organizations, and billing in one SDK: it supports SAML 2.0, OIDC, and EASIE, ships pre-built React components, and its SCIM directory sync reached full GA in 2026, closing the enterprise-readiness gap competitors once cited. WorkOS wins on raw identity-provider breadth, Auth0 on feature surface, and Kinde, Stytch, and FusionAuth each anchor a different corner of the market. This guide ranks all six against the criteria that decide enterprise deals — protocol support, developer experience, enterprise readiness, MFA depth, multi-tenancy, pricing, and compliance.

Enterprise buyers routinely require both SSO and MFA before they sign — they're standard line items on third-party security reviews, alongside SOC 2 and HIPAA. The providers below are ranked for exactly that: closing enterprise deals without forcing you to stitch a dedicated SSO vendor onto a separate auth layer.

## Introduction

Enterprise SSO is an early checkbox on most enterprise vendor evaluations. Miss it and the deal can stall before anyone reviews your product. Single sign-on lets your enterprise customers authenticate through their own identity provider, and many security teams treat it as a prerequisite before they sign. In [ISC2's 2025 supply-chain survey](https://www.isc2.org/Insights/2025/11/2025-isc2-supply-chain-risk-survey), 77% of organizations named compliance standards (ISO 27001, NIST, SOC 2) a top vendor requirement, 71% required security audits or attestations, and 62% required MFA-secured access.

MFA stopped being a nice-to-have years ago, though the exact obligation varies by framework. [PCI DSS v4.0 mandates MFA](https://www.pcisecuritystandards.org/document_library/) for all access into the cardholder data environment, while SOC 2 auditors expect strong authentication under their logical-access criteria; [HIPAA](https://www.law.cornell.edu/cfr/text/45/164.312) and [GDPR](https://gdpr-info.eu/art-32-gdpr/) don't name MFA in their current binding text but treat it as an appropriate, risk-based safeguard, and a 2025 HIPAA proposal would make it explicit. Your customers will ask for proof during procurement, so you need both SSO and MFA on the same security review — which means you need a platform that ships both.

Most comparisons frame the choice as developer speed against enterprise readiness, as if fast integration means surrendering SCIM and audit logs. We close that gap by shipping pre-built React components, enterprise SSO, and MFA in one SDK.

## What Are SSO and MFA?

Single sign-on lets a user authenticate once through their company's identity provider, then access your app without a separate password. The identity provider is the system an enterprise already trusts to manage logins. Okta, Microsoft Entra ID (formerly Azure AD), and Google Workspace are the three you will see most often on enterprise security reviews.

Three protocols carry the handoff. SAML 2.0 is the format most large enterprise IdPs support, and strict IT teams most often require it. OIDC is a more modern alternative that some IdPs offer with less XML configuration. EASIE is a simpler OIDC-based path that connects Google Workspace and Microsoft Entra ID without the full SAML setup. None of the three is inherently single- or multi-tenant: in a B2B app you model one enterprise connection per customer organization, whichever protocol that customer uses.

Multi-factor authentication adds a second verification step after the password. The factor can be a time-based code from an authenticator app, an SMS one-time code, a passkey, or a push notification. SMS is the most geographically constrained of these: every provider limits which countries can receive a passcode — many default to the US and Canada and expand by allowlist, some hard-cap delivery to US numbers, and bring-your-own-gateway setups inherit their SMS provider's country reach — so teams serving users outside North America lean on authenticator apps and passkeys, which carry no such limits. Enterprise buyers expect both SSO and MFA on the same checklist, which is why most teams evaluate them together.

Two changes define 2026: passkeys are emerging as the [phishing-resistant standard](https://fidoalliance.org/passkeys/), increasingly favored over TOTP because they cannot be intercepted or reused — [FIDO Alliance research](https://fidoalliance.org/new-fido-alliance-research-shows-87-percent-us-uk-workforces-are-deploying-passkeys-for-employee-sign-ins/) found 87% of surveyed US and UK workforces are deploying or rolling out passkeys for employee sign-ins. And AI agents now need their own machine-to-machine (M2M) credentials — API keys, M2M tokens, or MCP authorization — which most auth stacks did not ship two years ago.

## How We Chose These Providers

Every provider on this list had to clear seven bars before earning a spot.

Protocol support came first. SAML 2.0 and OIDC are both mandatory, since enterprise IT teams run a mix of identity providers and you cannot cover them with one protocol alone.

Developer experience decided the ranking among providers that passed. We weighted SDK quality, pre-built UI components, and how fast you reach a working integration. A platform that ships login components beats one that hands you raw endpoints.

Enterprise readiness covered SCIM directory sync, audit logs, a self-serve admin portal, and a published uptime SLA. These are the features that pass a security review.

MFA depth meant factor breadth, per-organization policy enforcement, and SSO compatibility that does not double-prompt users who already authenticated through their IdP.

Multi-tenancy separated native organization primitives from retrofitted workarounds.

Pricing model mattered too, since per-connection and MAU-based plans diverge sharply at scale.

Compliance rounded it out. We checked SOC 2 Type 2 attestation and HIPAA BAA availability for all six: every provider carries a SOC 2 Type 2 report, but HIPAA BAA support varies by plan tier — and Stytch no longer lists it — so the comparison table records each provider's status.

## The Best SSO and MFA Providers for B2B SaaS in 2026

The six providers below cover the full range. Some are developer-first platforms that ship login UI out of the box, others are enterprise-only servers built for data sovereignty. Clerk leads for teams that want auth, SSO, and MFA in one SDK. WorkOS wins on raw IdP breadth. Auth0, Kinde, Stytch, and FusionAuth each anchor a different corner of the market.

### 1. Clerk

Clerk packs authentication, enterprise SSO, MFA, organizations, and billing into one SDK. Most teams reach for a separate vendor the moment an enterprise prospect asks for SAML. Clerk lets you ship that requirement from the same components you used to build sign-up on day one.

#### Quick Overview

Clerk handles [SAML 2.0, OIDC, and EASIE](https://clerk.com/docs/guides/configure/auth-strategies/enterprise-connections/overview.md), its simpler OIDC-based alternative for connecting Google Workspace and Microsoft Entra ID. Named IdP integrations cover Microsoft Entra ID (formerly Azure AD), Google Workspace, and Okta Workforce, plus any SAML-compatible provider. SCIM directory sync core features went GA in [April 2026](https://clerk.com/changelog/2026-04-16-directory-sync.md), with groups and attribute mapping reaching GA in [May 2026](https://clerk.com/changelog/2026-05-21-directory-sync-groups-attributes-ga.md), so user provisioning from corporate directories now runs fully in production. You drop in `<SignIn />`, `<UserButton />`, and `<OrganizationSwitcher />` and get a working B2B auth flow without building UI from scratch. For the agent-auth shift, Clerk also ships [API keys and machine-to-machine tokens](https://clerk.com/docs/guides/development/machine-auth/overview.md) — billed separately from your user count — plus an [OAuth authorization server](https://clerk.com/docs/guides/ai/mcp/build-mcp-server.md) your MCP servers use to issue scoped tokens to AI agents.

#### Best For

Pick Clerk if you build B2B SaaS on React or Next.js and want auth, SSO, and MFA from a single vendor. You skip the integration tax of stitching a dedicated SSO provider onto a separate auth layer. The same SDK that ships your login screen also closes the enterprise security checklist.

#### Pros

One SDK covers auth, SSO, MFA, organizations, and billing, so you never migrate to a second platform when your first enterprise deal lands. SAML, OIDC, and EASIE work out of the box. EASIE auto-deprovisioning checks the upstream IdP for suspended or deleted users before issuing a new session token, then revokes their existing sessions. Detecting the change at the IdP can take up to 10 minutes, but it kills off-boarded access without a manual sweep.

You enforce MFA across the app from the Clerk Dashboard. By default Clerk layers its own factor on top of enterprise IdP authentication — useful when the IdP itself can't enforce MFA — and you can disable that extra step per connection when the IdP already covers it, so SSO users aren't prompted twice. SCIM reaching full GA in 2026 (core April, groups and attributes May) makes user lifecycle management production-ready. Pricing also improved after the [February 2026 restructure](https://clerk.com/changelog/2026-02-05-new-plans-more-value.md), with the Pro plan starting at $25 per month.
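The per-connection choice described above, together with the no-double-prompt criterion from the selection criteria, can be expressed as one server-side decision, shown here as an added example that is not Clerk's or any other vendor's code. It generalizes the on/off toggle with a third `verify` mode that skips the app's own factor only when the IdP's OIDC `amr` claim (RFC 8176) shows more than one factor category. Every function and field name is hypothetical, and the ID token claims are assumed to have been signature-validated already.

```javascript
// Added example: decide whether the app runs its own second factor after an
// enterprise SSO sign-in. All names are hypothetical, not a vendor SDK.

// RFC 8176 "amr" values grouped by factor category. A Map avoids matching
// inherited object keys such as "constructor".
const AMR_CATEGORY = new Map([
  ["pwd", "knowledge"], ["pin", "knowledge"], ["kba", "knowledge"],
  ["otp", "possession"], ["hwk", "possession"], ["swk", "possession"],
  ["sc", "possession"], ["sms", "possession"], ["tel", "possession"],
  ["pop", "possession"],
  ["face", "inherence"], ["fpt", "inherence"], ["iris", "inherence"],
  ["retina", "inherence"], ["vbm", "inherence"],
]);

const CLOCK_SKEW_SEC = 60;
const DEFAULT_MAX_IDP_AUTH_AGE_SEC = 8 * 3600; // assumption: one working day

// True when the IdP states "mfa" outright or lists methods from at least two
// different categories. Two knowledge factors (pwd + pin) do not count.
function idpAssertsMfa(amr) {
  if (!Array.isArray(amr)) return false;
  if (amr.includes("mfa")) return true;
  const categories = new Set();
  for (const method of amr) {
    const category = AMR_CATEGORY.get(method);
    if (category) categories.add(category);
  }
  return categories.size >= 2;
}

// orgPolicy:  { requireMfa: boolean }            per-organization policy
// connection: { appMfa: "always"|"skip"|"verify", maxIdpAuthAgeSec?: number }
//             or null for a non-SSO sign-in
// claims:     validated ID token claims (amr, auth_time)
// nowSec:     current time in seconds since the epoch
function decideSecondFactor({ orgPolicy, connection, claims, nowSec }) {
  if (!orgPolicy || orgPolicy.requireMfa !== true) {
    return { prompt: false, reason: "org-policy-off" };
  }
  if (!connection) {
    return { prompt: true, reason: "no-sso" };
  }
  // Default mirrors the behaviour the text describes: layer the app's factor
  // on top of IdP authentication unless the connection says otherwise.
  const mode = connection.appMfa === undefined ? "always" : connection.appMfa;
  if (mode === "always") return { prompt: true, reason: "layered-on-idp" };
  if (mode === "skip") return { prompt: false, reason: "trusted-by-config" };
  if (mode === "verify") {
    const maxAge = connection.maxIdpAuthAgeSec ?? DEFAULT_MAX_IDP_AUTH_AGE_SEC;
    const authTime = claims ? claims.auth_time : undefined;
    const stale =
      !Number.isFinite(authTime) ||
      authTime - nowSec > CLOCK_SKEW_SEC || // timestamp from the future
      nowSec - authTime > maxAge;
    if (stale) return { prompt: true, reason: "stale-idp-auth" };
    return idpAssertsMfa(claims.amr)
      ? { prompt: false, reason: "idp-asserted-mfa" }
      : { prompt: true, reason: "idp-mfa-unproven" };
  }
  // Unrecognised configuration fails closed.
  return { prompt: true, reason: "unknown-mode" };
}

// Constructed sample input (not captured from any real IdP).
const SAMPLE_NOW = 1780000000;
const SAMPLE_ORG = { requireMfa: true };
const SAMPLE_CLAIMS_MFA = { amr: ["pwd", "otp"], auth_time: SAMPLE_NOW - 300 };
const SAMPLE_CLAIMS_PWD = { amr: ["pwd"], auth_time: SAMPLE_NOW - 300 };

function demo() {
  const run = (connection, claims) =>
    decideSecondFactor({ orgPolicy: SAMPLE_ORG, connection, claims, nowSec: SAMPLE_NOW });
  return {
    layered: run({ appMfa: "always" }, SAMPLE_CLAIMS_MFA),
    skipped: run({ appMfa: "skip" }, SAMPLE_CLAIMS_PWD),
    verifiedMfa: run({ appMfa: "verify" }, SAMPLE_CLAIMS_MFA),
    verifiedPwdOnly: run({ appMfa: "verify" }, SAMPLE_CLAIMS_PWD),
  };
}
```

The `skip` row is the case to watch in review: it trusts configuration alone, so a password-only IdP session passes without any second factor.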

#### Cons

Clerk ships 3 named direct IdP integrations against WorkOS's 20+. That covers the major providers most buyers use, but it leaves the long tail of non-standard enterprise IdPs to custom work. WorkOS wins outright if your pipeline is full of unusual identity systems.

Clerk's self-serve SSO is a newer, narrower offering than WorkOS's. [Launched in June 2026](https://clerk.com/changelog/2026-06-26-self-serve-sso.md), it lets a customer's IT admin configure their own SAML connection from the embedded `<OrganizationProfile />` component, but it requires Clerk organizations, covers SAML only, and doesn't yet extend self-serve setup to Directory Sync (SCIM) the way WorkOS's hosted Admin Portal does. Passkeys work as a primary authentication method but not yet as an [MFA second factor](https://clerk.com/docs/guides/configure/auth-strategies/sign-up-sign-in-options.md#multi-factor-authentication). If you want passkeys specifically as a phishing-resistant second factor, that gap matters today.

#### Pricing

Development instances are free and support up to 25 enterprise connections, so you can build and test SSO before paying anything. Production runs on [per-MRU pricing](https://clerk.com/pricing) (Monthly Retained Users, with 50,000 included free), starting with the Pro plan at $25 per month. Enterprise SSO is metered separately: one connection is included on Pro and Business, then additional connections bill on a declining scale ($75 each for connections 2-15, tapering to $15 above 500). Bundling the first connection and tapering the rate keeps Clerk's enterprise-SSO cost below a flat per-connection fee as your connection count climbs. [Kinde's analysis](https://www.kinde.com/comparisons/total-cost-of-b2b-ciam-a-small-enterprise-case-study-in-2026/) puts WorkOS at roughly $6,600 per month for 75 connections. Application-level connections work on Pro as-is; scoping a connection to a specific organization — the standard multi-tenant B2B pattern, and what self-serve SSO uses — adds Clerk's optional [B2B Authentication add-on](https://clerk.com/pricing) at $100 per month ($85 billed annually), which also covers Verified Domains and custom roles. Budget it for per-organization SSO; skip it if application-level SSO is enough.

### 2. WorkOS

WorkOS built its platform around one job. It connects your B2B SaaS to whatever identity provider an enterprise customer runs, and it does so without dragging your engineers into every deal.

#### Quick Overview

WorkOS ships [20+ named IdP integrations](https://workos.com/single-sign-on) spanning SAML and OIDC, plus compatibility with any SAML- or OIDC-compliant provider, and dozens of directory and HRIS connectors. Its [Admin Portal](https://workos.com/docs/admin-portal) lets a customer's IT team configure their own SSO connection without filing a support ticket or waiting on your engineers. AuthKit, [free up to 1 million monthly active users](https://workos.com/pricing), layers on social login, [MFA](https://workos.com/docs/user-management/mfa), passkeys, and role-based access control. [Radar](https://workos.com/radar) adds risk-based authentication that watches for suspicious login patterns and adapts the challenge.

#### Best For

Choose WorkOS when you are actively closing enterprise deals and keep hitting non-standard IdPs that smaller platforms cannot handle. The self-serve Admin Portal pays off when your sales team signs customers faster than your engineers can onboard them.

#### Pros

The 20+ named integrations plus universal SAML/OIDC compatibility cover the long tail of enterprise IdPs that break a 3-connection platform. The Admin Portal removes engineering work from every signed deal, so your team configures nothing per customer. [HRIS connectors for BambooHR, Rippling, and Workday](https://workos.com/docs/directory-sync) tie user lifecycle to the HR system that already holds the source of truth. WorkOS backs SSO and Directory Sync with a [99.99% uptime SLA](https://workos.com/legal/sla) for enterprise customers under contract. Its [composable MFA API](https://workos.com/docs/mfa) exposes `enrollFactor`, `challengeFactor`, and `verifyChallenge` operations, and per-organization MFA policies are built in.

#### Cons

Per-connection pricing climbs fast. [Kinde's analysis](https://www.kinde.com/comparisons/total-cost-of-b2b-ciam-a-small-enterprise-case-study-in-2026/) (based on WorkOS's published pricing tiers) puts 75 connections at roughly $6,600 per month, which stings once your enterprise customer count grows. AuthKit's hosted login page is available immediately, but WorkOS's [embedded React widget components](https://workos.com/blog/new-widgets-released-user-profile-and-organization-switcher) (UserProfile, OrganizationSwitcher, etc.) are newer additions with a narrower component surface than Clerk's library. Its SDK coverage also runs narrower than Clerk's once you move off Node or Python. On MFA, AuthKit's built-in factor is authenticator-app (TOTP) only, and the SMS factor in WorkOS's lower-level MFA API is hard-capped to US phone numbers with no setting to expand it — stricter than the expandable US-and-Canada default common elsewhere.

#### Pricing

WorkOS charges per SSO connection per month, with volume discounts available at scale. AuthKit stays free up to 1 million monthly active users, which makes the auth layer cheap and the enterprise connections the real cost driver.

### 3. Auth0 (by Okta)

Auth0 invented the modern auth-as-a-service category and still carries one of the widest feature surfaces of any provider on this list. Okta [acquired it in 2021](https://auth0.com/blog/okta-acquisition-announcement/) and folded it into a platform that now spans consumer login and enterprise SSO under one roof. You pay for that breadth in setup complexity.

#### Quick Overview

Auth0 covers consumer identity and enterprise SSO in a single platform, which few competitors match. Its [Actions engine](https://auth0.com/docs/customize/actions) lets you inject custom JavaScript into the login pipeline for anything the defaults miss. The February 2026 update raised the [free tier to 25,000 monthly active users](https://auth0.com/pricing) and folded Self-Service SSO and SCIM into the free B2B plan.

#### Best For

Pick Auth0 when your identity requirements are genuinely complex and span both consumer and enterprise users. Teams running a public-facing app plus an enterprise tier get one vendor instead of two.

#### Pros

Auth0 ships the deepest feature set and largest extension ecosystem in the market. It holds [SOC 2, ISO 27001, and PCI DSS certifications](https://security.okta.com/) and signs a HIPAA BAA on its Enterprise tier, which clears most enterprise security reviews on paper. The February 2026 free tier now includes [Self-Service SSO and SCIM](https://auth0.com/blog/auth0-b2b-plans-upgraded/), a real improvement over the previous gating. Auth0 also ships the deepest AI-agent auth suite here: its GA [Auth0 for AI Agents](https://auth0.com/ai) bundle adds a token vault, human-in-the-loop approval, and [MCP authorization](https://auth0.com/blog/auth0-auth-for-mcp-servers-generally-available/) on top of [long-standing M2M apps](https://auth0.com/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps).

#### Cons

Auth0 added multi-tenancy through Organizations years after launch, so B2B setup feels bolted on rather than native. MAU-based pricing punishes you at enterprise scale when a single SSO connection brings thousands of users. The free B2B plan also includes no MFA at all: [every MFA factor requires the paid Essentials tier](https://auth0.com/docs/secure/multi-factor-authentication) or higher, with the enterprise-grade factors (WebAuthn/passkeys, push, and phone) gated to the Professional tier or an Essentials add-on. Additional enterprise connections beyond the first, and organizations beyond five, sit on paid tiers as well.

#### Pricing

Auth0 prices by monthly active users. The free B2B plan now covers one enterprise SSO connection, but cost climbs fast once large customer directories push your MAU count up or you need more than that single connection, which makes per-user pricing hard to forecast at scale.

### 4. Kinde

Kinde [took the top spot in its own 2026 comparison](https://www.kinde.com/comparisons/what-are-the-top-10-enterprise-authentication-providers-in-2026/) of enterprise authentication providers, though that placement comes from the company's own ranking, which is worth weighing accordingly. The platform bundles auth, authorization, and feature management together, which suits teams that want those three handled by one vendor.

#### Quick Overview

Kinde ships native multi-tenancy and organization management without any setup work. Feature flags and billing entitlements live in the same platform, so you can gate functionality by plan or org segment from the same console you manage users in. Role-based access control and machine-to-machine auth come standard, and [passkeys](https://docs.kinde.com/authenticate/authentication-methods/passkeys/) are available as a primary passwordless sign-in method on Kinde's paid plans.

#### Best For

Pick Kinde if you run a B2B SaaS product anywhere from MVP to scale and want auth, authorization, and feature management from a single vendor. This suits you if you treat entitlements and roles as one problem rather than two.

#### Pros

Native multi-tenancy means you never retrofit org structure onto a single-tenant model later. Feature flags tie directly to user roles and org segments, so a plan upgrade flips access without custom plumbing. The [free tier covers up to 10,500 monthly active users](https://www.kinde.com/pricing/), and [machine-to-machine tokens](https://docs.kinde.com/machine-to-machine-applications/about-m2m/) stay off your user count.

#### Cons

Kinde carries less enterprise SSO history than Clerk or WorkOS, and IT buyers running strict vendor reviews notice that. Its SCIM directory sync is not yet available — [Kinde lists it as coming soon](https://updates.kinde.com/board/integrate-scim-identity-management) — and the integration catalog is smaller, with fewer pre-built IdP connections than WorkOS offers out of the box.

#### Pricing

Kinde is free up to 10,500 monthly active users. Paid plans start at $25 per month with transparent usage-based billing, so your bill tracks actual consumption rather than seat counts. Enterprise SSO connections are included by tier rather than metered per connection — one on the free and Pro plans, unlimited on Plus and Scale — so adding enterprise customers never adds a per-connection line item.

### 5. Stytch

Stytch built its reputation on passwordless and passkey-first authentication, and [Twilio acquired the company in November 2025](https://www.twilio.com/en-us/blog/company/news/twilio-to-acquire-stytch). The acquisition adds Twilio's infrastructure scale to an already developer-friendly API surface.

#### Quick Overview

Stytch treats magic links and passwordless flows as first-class authentication methods rather than bolt-ons, and supports passkeys across its platform. The platform ships [SCIM directory sync, RBAC, and an Admin Portal](https://stytch.com/blog/major-updates-to-stytch-b2b-authentication/), plus an SSO Migration Gateway in beta. Its API design favors granular endpoints over heavy SDK abstraction, which suits teams that prefer wiring up flows themselves.

#### Best For

Pick Stytch if your team wants passwordless, passkey-friendly authentication backed by a modern API. It fits developers who treat magic links and passkeys as first-class options rather than afterthoughts.

#### Pros

Magic link and passwordless flows work as first-class primitives, not afterthoughts, with passkeys supported across the platform. Stytch shipped its enterprise B2B essentials — SCIM provisioning, RBAC, and a self-serve Admin Portal — as its own product work in 2024, before Twilio acquired it. The [SSO Migration Gateway](https://changelog.stytch.com/announcements/2025-11-07-sso-migration-gateway-beta) eases transitions away from legacy providers like Auth0. Twilio's November 2025 acquisition layers on infrastructure scale and a forward roadmap centered on AI-agent identity and fraud prevention.

#### Cons

Stytch's enterprise B2B features arrived later than WorkOS's, so they carry less production mileage than the longtime enterprise-SSO incumbent. The ecosystem stays smaller than Auth0 or Okta, which limits community examples and third-party integrations. The Twilio roadmap also leaves open questions about where Stytch's priorities land over the next year. Like most managed-SMS providers, Stytch's SMS OTP defaults to the US and Canada for newer projects; other countries are enabled per-country through a Dashboard allowlist, and a small set of high-toll-fraud countries (China among them) sits on a permanent unsupported list.

#### Pricing

Stytch [prices per monthly active user](https://stytch.com/pricing). Enterprise pricing requires a conversation with sales.

### 6. FusionAuth

FusionAuth is the option you reach for when running auth on someone else's servers is off the table. It runs as a self-hosted, proprietary authentication server you deploy and control end to end.

#### Quick Overview

FusionAuth ships as a self-hosted authentication server you run on your own infrastructure (a managed FusionAuth Cloud option also exists). Its paid plans use plan-based subscription pricing that scales with monthly active users, with no per-SSO-connection fees. The platform handles [SAML, OIDC, and social login](https://fusionauth.io/feature-list), and its webhook system plus broad API surface let you wire up custom authentication flows.

#### Best For

Choose FusionAuth when you need on-premises deployment, full data sovereignty, or complete control over your authentication infrastructure.

#### Pros

You own your data and avoid vendor lock-in entirely. Plan-based pricing carries no per-SSO-connection fee, so adding enterprise customers does not add a per-connection line item the way it does on connection-metered platforms. FusionAuth also offers a clean API and lets you customize login pages to match your product.

#### Cons

Your team owns the operational burden. Upgrades, security patches, and high-availability configuration all fall to you. FusionAuth gives you less plug-and-play setup than a SaaS platform, so your first integration takes longer. It ships [no pre-built UI components](https://fusionauth.io/feature-list) on par with Clerk's React and Next.js library.

#### Pricing

The [Community edition is free to use with no time limit](https://fusionauth.io/license-faq), though the core source code is not public. Paid plans scale with monthly active users and are billed annually: [Starter begins at $162 per month, while Essentials and Enterprise begin at $2,970 per month](https://fusionauth.io/pricing) (entry pricing at roughly 1,000 monthly active users, hosting included).

## Provider Comparison Table

Use this table to scan all six providers against the criteria that decide enterprise deals. Values come directly from each vendor's documentation and public pricing as of mid-2026.

| Provider   | SAML/OIDC        | SCIM                                                                            | MFA Factors                                                                                             | M2M / Agent Auth                                                                                                       | Pre-built UI              | Multi-tenancy            | Pricing Model                                   | Compliance                            | Best For                                      |
| ---------- | ---------------- | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------- | ------------------------ | ----------------------------------------------- | ------------------------------------- | --------------------------------------------- |
| Clerk      | Yes Both + EASIE | Yes GA Apr 2026                                                                 | TOTP, SMS, backup codes                                                                                 | Yes API keys, M2M tokens, MCP                                                                                          | Yes React/Next.js         | Yes Native organizations | Per-MRU + metered SSO, Pro $25/mo               | Yes SOC 2 Type 2; BAA on Enterprise   | Unified auth + SSO + MFA in one SDK           |
| WorkOS     | Yes Both         | Yes                                                                             | TOTP; SMS via MFA API                                                                                   | Yes [Client credentials](https://workos.com/docs/authkit/connect/m2m), [MCP auth](https://workos.com/docs/authkit/mcp) | Partial AuthKit + widgets | Yes                      | Per-connection                                  | Yes SOC 2 Type 2; BAA on enterprise   | Widest IdP coverage, self-serve IT onboarding |
| Auth0      | Yes Both         | Yes Free tier                                                                   | TOTP, SMS, push, passkeys, email OTP                                                                    | Yes M2M apps + AI Agents suite                                                                                         | Partial Hosted login      | Partial Retrofitted      | Per-MAU                                         | Yes SOC 2 Type 2; BAA add-on          | Complex consumer + enterprise identity        |
| Kinde      | Yes Both         | No Coming soon                                                                  | TOTP, SMS OTP, email OTP                                                                                | Yes M2M tokens, metered separately                                                                                     | Yes                       | Yes Native               | Per-MAU, from $25/mo (SSO connections included) | Yes SOC 2 Type 2; BAA on Scale        | Auth + feature flags + billing                |
| Stytch     | Yes Both         | Yes                                                                             | [TOTP, SMS OTP, recovery codes](https://stytch.com/docs/b2b/guides/mfa/overview)                        | Yes [M2M](https://stytch.com/docs/b2b/api/get-m2m-token) + [Connected Apps](https://stytch.com/connected-apps)         | Partial Components        | Yes                      | Per-MAU                                         | Yes SOC 2 Type 2; BAA not listed      | Passwordless and passkey-friendly             |
| FusionAuth | Yes Both         | Yes [Enterprise tier](https://fusionauth.io/docs/lifecycle/migrate-users/scim/) | [TOTP, email, SMS](https://fusionauth.io/docs/lifecycle/authenticate-users/multi-factor-authentication) | Yes [Client credentials](https://fusionauth.io/docs/get-started/core-concepts/entity-management) (paid)                | No                        | Yes                      | Plan-based, scales with MAU                     | Yes SOC 2 Type 2 (Cloud); BAA (Cloud) | Self-hosted, full data control                |

[Start building with Clerk for free](https://clerk.com/).

## Why Clerk Is the Best SSO and MFA Platform for B2B SaaS Developers

WorkOS gives you the widest IdP coverage, but Clerk's pre-built React and Next.js components get you a working sign-in flow in an afternoon — `<SignIn />`, `<UserButton />`, `<OrganizationSwitcher />`, and the full user-management UI ship together without assembly.

SCIM directory sync hit full GA in 2026, closing the enterprise gap competitors once cited to call Clerk "pre-enterprise." Clerk's per-MRU pricing (Monthly Retained Users, 50,000 free) keeps the platform bill predictable, and enterprise SSO bundles one connection with declining per-connection tiers above it — where WorkOS charges a flat fee per connection that Kinde's analysis puts at roughly $6,600 a month for 75 connections.

You get auth, SSO, MFA, organizations, and billing in one SDK — no stitching vendors together, no painful migration when you land your first enterprise deal. [Start building with Clerk for free](https://clerk.com/).

## FAQ

### Does Clerk support SCIM provisioning from Google Workspace?

Not as a SCIM source. Clerk documents SCIM provisioning for Okta and Microsoft Entra ID. You still connect Google Workspace for sign-in via SAML or EASIE (OIDC), and EASIE auto-deprovisioning revokes access when a user is suspended or deleted there.

### How does per-connection SSO pricing compare to per-MAU pricing?

Per-connection pricing charges a flat monthly fee per enterprise SSO connection, so cost scales with your customer count — WorkOS runs roughly $6,600/month at 75 connections (Kinde's analysis). Per-MAU pricing (and Clerk's per-MRU model) scales with active users instead, steadier when one connection brings in thousands of users. Clerk blends both: a per-MRU platform with one connection included and declining per-connection tiers above it.

### Which providers support passkeys as an MFA second factor?

Auth0 supports passkeys (WebAuthn) as an MFA factor today, on its paid tiers. Clerk, WorkOS, and Kinde support passkeys as a primary sign-in method but not as an MFA second factor (Kinde's are on its paid plans). Stytch's B2B product uses SMS OTP and TOTP as second factors, with passkeys only as a primary method. If phishing-resistant passkey MFA is a hard requirement now, confirm current factor support in each vendor's docs.

## Sources and statistics

All pricing and tier figures are dated as of June 2026 and should be confirmed against each vendor's live pricing page before you rely on them, since these products change pricing and feature availability frequently.

| Statistic                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Source                                                                                                                                                                                                                                                                 | Location on page / Calculation method                                                                                                                                                        |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Clerk supports SAML 2.0, OIDC, and EASIE; named SAML IdP integrations are Microsoft Entra ID, Google Workspace, and Okta Workforce; EASIE covers Google Workspace and Microsoft Entra ID                                                                                                                                                                                                                                                                       | [Clerk enterprise connections](https://clerk.com/docs/guides/configure/auth-strategies/enterprise-connections/overview.md)                                                                                                                                             | Enterprise connections overview, SAML and EASIE sections                                                                                                                                     |
| Clerk Directory Sync (SCIM) GA April 16, 2026; group-to-role and custom-attribute mapping GA May 21, 2026; bundled free with each enterprise connection; documented for Okta and Microsoft Entra ID                                                                                                                                                                                                                                                            | [Clerk changelog (Directory Sync)](https://clerk.com/changelog/2026-04-16-directory-sync.md), [Clerk changelog (groups and attributes)](https://clerk.com/changelog/2026-05-21-directory-sync-groups-attributes-ga.md)                                                 | Changelog entries; Directory Sync docs provider sections                                                                                                                                     |
| Clerk EASIE auto-deprovisioning checks the upstream IdP (Google Workspace suspend or delete, Entra delete) before issuing a new session token, with detection up to 10 minutes, then revokes sessions and returns 401                                                                                                                                                                                                                                          | [Clerk enterprise connections](https://clerk.com/docs/guides/configure/auth-strategies/enterprise-connections/overview.md)                                                                                                                                             | Enterprise connections overview, EASIE deprovisioning paragraph                                                                                                                              |
| Clerk MFA factors: SMS, TOTP (authenticator app), and backup codes; passkeys are a first-factor sign-in method, not an MFA second factor                                                                                                                                                                                                                                                                                                                       | [Clerk sign-up and sign-in options](https://clerk.com/docs/guides/configure/auth-strategies/sign-up-sign-in-options.md#multi-factor-authentication)                                                                                                                    | Authentication docs, multi-factor authentication section                                                                                                                                     |
| Clerk machine/agent auth: API keys and machine-to-machine (M2M) tokens for service and agent authentication, plus an OAuth authorization server for building MCP servers; API keys and M2M tokens bill as separate usage-based add-ons (1,000 and 2,500 free creations per month respectively), not counted against MRU                                                                                                                                        | [Clerk machine authentication](https://clerk.com/docs/guides/development/machine-auth/overview.md), [Clerk build an MCP server](https://clerk.com/docs/guides/ai/mcp/build-mcp-server.md), [Clerk pricing](https://clerk.com/pricing)                                  | Machine-auth overview (API keys + M2M tokens sections); MCP server guide (`@clerk/mcp-tools`, OAuth authorization server); pricing page API-keys and M2M-tokens add-on line items            |
| Clerk plans: Hobby free (50,000 MRU included), Pro $25/mo ($20 annual), Business $300/mo ($250 annual), Enterprise custom; billable unit is MRU (Monthly Retained Users)                                                                                                                                                                                                                                                                                       | [Clerk pricing](https://clerk.com/pricing)                                                                                                                                                                                                                             | Pricing page, plan tiers and MRU definition                                                                                                                                                  |
| Clerk enterprise SSO connections: 1 included on Pro and Business, then $75 (connections 2-15), $60 (16-100), $30 (101-500), $15 (501+) per month; development instances free up to 25 connections. Application-level connections need no add-on, but scoping a connection to a specific organization (the multi-tenant B2B pattern) requires the optional B2B Authentication add-on at $100/mo ($85 annual, includes 100 monthly retained organizations)       | [Clerk pricing](https://clerk.com/pricing), [Clerk enterprise connections](https://clerk.com/docs/guides/configure/auth-strategies/enterprise-connections/overview.md)                                                                                                 | Pricing page connection metering and B2B Authentication add-on; overview development-instance note                                                                                           |
| Clerk February 5, 2026 pricing restructure: 50,000 MRU free in every app; enterprise connections metered within the Pro plan                                                                                                                                                                                                                                                                                                                                   | [Clerk changelog (new plans)](https://clerk.com/changelog/2026-02-05-new-plans-more-value.md)                                                                                                                                                                          | Changelog entry                                                                                                                                                                              |
| Clerk self-serve SSO (announced June 26, 2026): a customer's org admin with the `org:sys_entconns:manage` permission configures, tests, and activates their own SAML enterprise connection from a Security tab in the `<OrganizationProfile />` component, without Clerk Dashboard access; requires Clerk organizations; SAML only (Okta, Google Workspace, Entra ID, custom SAML). WorkOS's Admin Portal additionally covers self-serve Directory Sync (SCIM) | [Clerk self-serve SSO](https://clerk.com/docs/guides/configure/auth-strategies/enterprise-connections/self-serve-sso.md), [Clerk changelog (self-serve SSO)](https://clerk.com/changelog/2026-06-26-self-serve-sso.md)                                                 | Self-serve SSO guide; changelog entry (June 26, 2026)                                                                                                                                        |
| Clerk compliance: SOC 2 Type 2 and HIPAA certified since May 6, 2022; the HIPAA BAA is available on the Enterprise plan and SOC 2 report access on the Business plan; ISO 27001 and PCI DSS are not publicly claimed                                                                                                                                                                                                                                           | [Clerk changelog (SOC 2 and HIPAA)](https://clerk.com/changelog/2022-05-06.md), [Clerk pricing](https://clerk.com/pricing)                                                                                                                                             | Changelog entry; pricing page Business tier (SOC 2 report) and Enterprise tier (HIPAA BAA)                                                                                                   |
| WorkOS supports 20+ named IdP integrations across SAML and OIDC, plus any SAML- or OIDC-compatible provider                                                                                                                                                                                                                                                                                                                                                    | [WorkOS Single Sign-On](https://workos.com/single-sign-on)                                                                                                                                                                                                             | SSO page, "20+ Identity providers supported" stat                                                                                                                                            |
| WorkOS Directory Sync supports dozens of directory and HRIS connectors, including BambooHR, Rippling, and Workday                                                                                                                                                                                                                                                                                                                                              | [WorkOS Directory Sync](https://workos.com/docs/directory-sync)                                                                                                                                                                                                        | Directory Sync overview and integration guide pages                                                                                                                                          |
| WorkOS Admin Portal lets a customer's IT team self-onboard its own SSO and Directory Sync connections                                                                                                                                                                                                                                                                                                                                                          | [WorkOS Admin Portal](https://workos.com/docs/admin-portal)                                                                                                                                                                                                            | Admin Portal overview                                                                                                                                                                        |
| WorkOS AuthKit (User Management) is free up to 1 million monthly active users, including social login, MFA, passkeys, and RBAC; enterprise SSO connections are billed separately per connection                                                                                                                                                                                                                                                                | [WorkOS pricing](https://workos.com/pricing)                                                                                                                                                                                                                           | Pricing page, AuthKit tier and SSO connection pricing                                                                                                                                        |
| WorkOS Radar adds risk-based authentication with bot and fraud detection                                                                                                                                                                                                                                                                                                                                                                                       | [WorkOS Radar](https://workos.com/radar)                                                                                                                                                                                                                               | Radar product page                                                                                                                                                                           |
| WorkOS backs SSO, Directory Sync, and Audit Logs with a 99.99% uptime SLA for enterprise customers                                                                                                                                                                                                                                                                                                                                                             | [WorkOS SLA](https://workos.com/legal/sla)                                                                                                                                                                                                                             | Enterprise SLA agreement, Service Level Objective clause                                                                                                                                     |
| WorkOS compliance: SOC 2 Type 2 certified; HIPAA BAA available for customers on enterprise plans; ISO 27001 and PCI DSS are not stated on its public security page                                                                                                                                                                                                                                                                                             | [WorkOS security](https://workos.com/security)                                                                                                                                                                                                                         | Security page ("SOC 2 Type 2 certified"; "can sign business associate agreements for customers under enterprise plans")                                                                      |
| WorkOS MFA: AuthKit supports TOTP; the standalone MFA API supports TOTP and SMS (US-only); passkeys are a primary method, not a second factor                                                                                                                                                                                                                                                                                                                  | [WorkOS MFA API](https://workos.com/docs/mfa), [WorkOS AuthKit MFA](https://workos.com/docs/user-management/mfa)                                                                                                                                                       | MFA docs, factor type enums                                                                                                                                                                  |
| WorkOS SSO pricing: $125 per connection (1-15), declining to $50 (101-200); Kinde's analysis = roughly $6,600/mo for 75 connections                                                                                                                                                                                                                                                                                                                            | [WorkOS pricing](https://workos.com/pricing), [Kinde B2B CIAM cost study](https://www.kinde.com/comparisons/total-cost-of-b2b-ciam-a-small-enterprise-case-study-in-2026/)                                                                                             | WorkOS SSO tier table; Kinde calculation: ($125 × 15) + ($100 × 15) + ($80 × 20) + ($65 × 25) = $6,600                                                                                       |
| WorkOS embedded React widgets (UserProfile, OrganizationSwitcher) launched March 2025                                                                                                                                                                                                                                                                                                                                                                          | [WorkOS widgets blog](https://workos.com/blog/new-widgets-released-user-profile-and-organization-switcher)                                                                                                                                                             | Blog post, March 21, 2025                                                                                                                                                                    |
| WorkOS machine/agent auth: Connect M2M Applications authenticate via the OAuth 2.0 client-credentials grant; AuthKit also acts as an OAuth authorization server for MCP servers                                                                                                                                                                                                                                                                                | [WorkOS Connect M2M](https://workos.com/docs/authkit/connect/m2m), [WorkOS MCP auth](https://workos.com/docs/authkit/mcp)                                                                                                                                              | Connect M2M docs (client\_credentials grant); AuthKit MCP authorization docs                                                                                                                 |
| Auth0 founded 2013, acquired by Okta May 3, 2021; Organizations (multi-tenancy) launched April 2021                                                                                                                                                                                                                                                                                                                                                            | [Auth0 and Okta acquisition](https://auth0.com/blog/okta-acquisition-announcement/)                                                                                                                                                                                    | Blog, acquisition close date                                                                                                                                                                 |
| Auth0 February 12, 2026 B2B upgrade: free tier 25,000 MAU, with Self-Service SSO, SCIM, and 1 enterprise connection on the free plan                                                                                                                                                                                                                                                                                                                           | [Auth0 pricing](https://auth0.com/pricing), [Auth0 B2B plans upgraded](https://auth0.com/blog/auth0-b2b-plans-upgraded/)                                                                                                                                               | Pricing page free tier; blog announcement                                                                                                                                                    |
| Auth0 MFA is split into "Pro MFA" (basic factors, e.g. one-time passcode) and "Enterprise MFA" (advanced factors: WebAuthn/FIDO security keys and device biometrics, push via Auth0 Guardian, phone, and email). The free B2B plan includes no MFA — Pro MFA starts on the paid Essentials tier and Enterprise MFA requires the Professional tier or an Essentials add-on                                                                                      | [Auth0 multi-factor authentication](https://auth0.com/docs/secure/multi-factor-authentication), [Auth0 B2B plans upgraded](https://auth0.com/blog/auth0-b2b-plans-upgraded/)                                                                                           | MFA docs supported-factors list; B2B blog Free-plan feature list (no MFA) and verbatim "Enterprise MFA" advanced-factor list; pricing page "Pro MFA / Enterprise MFA" matrix rows            |
| Auth0 compliance: SOC 2 Type 2 and ISO 27001/27017/27018 audited annually; PCI DSS Level 1 service provider; HIPAA BAA available as an Enterprise add-on (not on the self-service tiers)                                                                                                                                                                                                                                                                       | [Auth0 data privacy & compliance](https://auth0.com/docs/secure/data-privacy-and-compliance), [Auth0 pricing](https://auth0.com/pricing), [Okta security and trust](https://security.okta.com/)                                                                        | Auth0 compliance doc (SOC 2 / ISO annual audits); pricing page HIPAA/BAA add-on row; Okta trust listing (PCI DSS v4.0)                                                                       |
| Auth0 Actions are Node.js functions injected into the login pipeline                                                                                                                                                                                                                                                                                                                                                                                           | [Auth0 Actions](https://auth0.com/docs/customize/actions)                                                                                                                                                                                                              | Actions overview                                                                                                                                                                             |
| Auth0 machine/agent auth: Machine to Machine Applications use the OAuth 2.0 client-credentials grant (M2M tokens metered separately from MAU); "Auth0 for AI Agents" is generally available, adding Token Vault, asynchronous (CIBA) human-in-the-loop approval, Fine-Grained Authorization, and Auth for MCP (GA May 6, 2026)                                                                                                                                 | [Auth0 machine-to-machine apps](https://auth0.com/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps), [Auth0 for AI Agents](https://auth0.com/ai), [Auth for MCP GA](https://auth0.com/blog/auth0-auth-for-mcp-servers-generally-available/) | M2M apps doc; AI Agents product page ("Now Generally Available"); MCP GA blog post                                                                                                           |
| Kinde ranks itself first in its own 2026 enterprise authentication provider comparison                                                                                                                                                                                                                                                                                                                                                                         | [Kinde top 10 enterprise auth providers 2026](https://www.kinde.com/comparisons/what-are-the-top-10-enterprise-authentication-providers-in-2026/)                                                                                                                      | Self-published comparison (disclosed in text as self-ranking)                                                                                                                                |
| Kinde free tier: 10,500 MAU included; paid plans from $25/mo (Pro) with usage-based billing; enterprise SSO connections included by tier (1 on Free and Pro, unlimited on Plus and Scale) with no per-connection fee; M2M tokens metered separately from MAU                                                                                                                                                                                                   | [Kinde pricing](https://www.kinde.com/pricing/)                                                                                                                                                                                                                        | Pricing page, plan tiers, "Enterprise SSO" row, and M2M token metering                                                                                                                       |
| Kinde SCIM directory sync is not yet generally available (listed as "coming soon" / in development on the roadmap)                                                                                                                                                                                                                                                                                                                                             | [Kinde SCIM feature board](https://updates.kinde.com/board/integrate-scim-identity-management)                                                                                                                                                                         | Feature release hub, status                                                                                                                                                                  |
| Kinde compliance: SOC 2 Type 2 (full report on the Scale/Enterprise plans under NDA) and ISO 27001:2022 certified (certificate public on all tiers); HIPAA BAA on request, priced at the Scale tier; no PCI DSS Report on Compliance                                                                                                                                                                                                                           | [Kinde compliance](https://docs.kinde.com/trust-center/privacy-and-compliance/compliance/), [Kinde pricing](https://www.kinde.com/pricing/)                                                                                                                            | Trust-center compliance page; pricing page compliance rows                                                                                                                                   |
| Kinde MFA factors: authenticator app (TOTP), SMS OTP, and email OTP. Passkeys (WebAuthn) are a primary passwordless sign-in method — not an MFA second factor — generally available on all paid plans (Pro, Plus, Scale, Enterprise), not the free tier                                                                                                                                                                                                        | [Kinde multi-factor authentication](https://docs.kinde.com/authenticate/multi-factor-auth/about-multi-factor-authentication/), [Kinde passkeys](https://docs.kinde.com/authenticate/authentication-methods/passkeys/)                                                  | MFA docs factor list; passkeys authentication-methods page ("All paid plans support passkeys")                                                                                               |
| Kinde machine/agent auth: Machine-to-Machine (M2M) Applications use the OAuth 2.0 client-credentials grant; M2M tokens are metered separately from MAU (2,000 included free per month). No dedicated AI-agent authorization server (its MCP server is an admin/management bridge)                                                                                                                                                                              | [Kinde M2M applications](https://docs.kinde.com/machine-to-machine-applications/about-m2m/), [Kinde pricing](https://www.kinde.com/pricing/)                                                                                                                           | M2M docs (client-credentials grant, AI-agent use case); pricing page M2M token allotment                                                                                                     |
| Twilio completed its acquisition of Stytch on November 14, 2025                                                                                                                                                                                                                                                                                                                                                                                                | [Twilio acquires Stytch](https://www.twilio.com/en-us/blog/company/news/twilio-to-acquire-stytch)                                                                                                                                                                      | Blog, acquisition close date                                                                                                                                                                 |
| Stytch B2B shipped SCIM, RBAC, and a self-serve Admin Portal in 2024 (pre-acquisition); SSO Migration Gateway in beta (November 2025)                                                                                                                                                                                                                                                                                                                          | [Stytch B2B updates (April 30, 2024)](https://stytch.com/blog/major-updates-to-stytch-b2b-authentication/), [Stytch SSO Migration Gateway (beta)](https://changelog.stytch.com/announcements/2025-11-07-sso-migration-gateway-beta)                                    | Blog (April 30, 2024) and changelog (November 7, 2025) announcements                                                                                                                         |
| Stytch B2B MFA factors: SMS OTP and TOTP, plus recovery codes; magic links and OAuth are primary methods                                                                                                                                                                                                                                                                                                                                                       | [Stytch B2B MFA overview](https://stytch.com/docs/b2b/guides/mfa/overview)                                                                                                                                                                                             | B2B MFA overview, secondary authentication                                                                                                                                                   |
| Stytch compliance: SOC 2 Type 2, ISO 27001:2022, and PCI DSS documents available via the Twilio Trust Center; HIPAA/BAA is not listed on Stytch's current compliance page                                                                                                                                                                                                                                                                                      | [Stytch compliance](https://stytch.com/docs/resources/security-and-trust/compliance)                                                                                                                                                                                   | Compliance page document list (SOC 2, ISO 27001, PCI DSS, CAIQ; no HIPAA)                                                                                                                    |
| Stytch B2B pricing: per-MAU (unlimited organizations), free to 10,000 MAU and 5 SSO/SCIM connections, then $125 per additional connection; Enterprise is custom                                                                                                                                                                                                                                                                                                | [Stytch pricing](https://stytch.com/pricing)                                                                                                                                                                                                                           | Pricing page, B2B pay-as-you-go and Enterprise cards                                                                                                                                         |
| Stytch machine/agent auth: M2M Authentication uses the OAuth 2.0 client-credentials grant; Connected Apps turns a Stytch-powered app into an OAuth 2.0/OIDC authorization server for AI agents and MCP servers (standalone version, compatible with any auth system, GA September 9, 2025)                                                                                                                                                                     | [Stytch M2M token (client credentials)](https://stytch.com/docs/b2b/api/get-m2m-token), [Stytch Connected Apps](https://stytch.com/connected-apps), [Stytch Connected Apps standalone (GA)](https://stytch.com/blog/connected-apps-standalone/)                        | M2M get-token endpoint ("Only `client_credentials` is supported for M2M Clients", RFC 6749); Connected Apps product page (OAuth authorization server, MCP); standalone-GA blog (Sep 9, 2025) |
| FusionAuth is self-hostable (with a managed Cloud option); the core product is closed-source; Community edition is free with no time limit                                                                                                                                                                                                                                                                                                                     | [FusionAuth license FAQ](https://fusionauth.io/license-faq)                                                                                                                                                                                                            | License FAQ                                                                                                                                                                                  |
| FusionAuth paid pricing (billed annually, entry pricing at roughly 1,000 MAU, hosting included): Starter from $162/mo; Essentials and Enterprise from $2,970/mo; scales with MAU                                                                                                                                                                                                                                                                               | [FusionAuth pricing](https://fusionauth.io/pricing)                                                                                                                                                                                                                    | Pricing page, plan cards and monthly-active-users slider                                                                                                                                     |
| FusionAuth supports SAML, OIDC, social login, webhooks, and a full REST API across editions                                                                                                                                                                                                                                                                                                                                                                    | [FusionAuth feature list](https://fusionauth.io/feature-list)                                                                                                                                                                                                          | Compare plans / feature list                                                                                                                                                                 |
| FusionAuth machine/agent auth: Entity Management plus the OAuth 2.0 client-credentials grant provide service- and agent-to-service authentication; available on paid plans only (entity limits: Starter 100, Essentials 1,000, Enterprise unlimited), not the free Community edition; no dedicated MCP/agent product                                                                                                                                           | [FusionAuth entity management](https://fusionauth.io/docs/get-started/core-concepts/entity-management), [FusionAuth pricing](https://fusionauth.io/pricing)                                                                                                            | Entity management concept doc (client-credentials, AI-agent use case); pricing page entity limits per plan                                                                                   |
| FusionAuth SCIM (inbound provisioning) is available on the Enterprise plan                                                                                                                                                                                                                                                                                                                                                                                     | [FusionAuth SCIM](https://fusionauth.io/docs/lifecycle/migrate-users/scim/)                                                                                                                                                                                            | SCIM docs, plan availability                                                                                                                                                                 |
| FusionAuth compliance: FusionAuth Cloud is SOC 2 Type 2 and ISO 27001:2022 certified (August 2025) and will sign a HIPAA BAA for Cloud customers; self-hosted deployments run in the customer's own infrastructure, so their compliance is the operator's responsibility; no PCI DSS claim                                                                                                                                                                     | [FusionAuth security & compliance](https://fusionauth.io/security-data-compliance), [FusionAuth trust center](https://trust.fusionauth.io/)                                                                                                                            | Security/compliance page (Cloud BAA); trust center (SOC 2 Type 2, ISO 27001)                                                                                                                 |
| FusionAuth MFA factors: TOTP (free), plus Email and SMS on paid plans; no native push factor                                                                                                                                                                                                                                                                                                                                                                   | [FusionAuth multi-factor authentication](https://fusionauth.io/docs/lifecycle/authenticate-users/multi-factor-authentication)                                                                                                                                          | MFA docs, supported methods                                                                                                                                                                  |
| FusionAuth provides themeable hosted login pages rather than embeddable pre-built UI components                                                                                                                                                                                                                                                                                                                                                                | [FusionAuth feature list](https://fusionauth.io/feature-list)                                                                                                                                                                                                          | Feature list, theming rows                                                                                                                                                                   |
| SMS MFA geographic limits: WorkOS AuthKit MFA is TOTP-only and its MFA-API SMS factor is hard-capped to US phone numbers; Clerk and Stytch default SMS to US + Canada and expand per-country via a Dashboard allowlist (Stytch keeps a permanent unsupported list that includes China); Auth0, Kinde, and FusionAuth deliver SMS through a customer-configured provider (Twilio)                                                                               | [WorkOS MFA API](https://workos.com/docs/mfa), [Stytch SMS OTP](https://stytch.com/docs/b2b/api/otp-sms-send), [Clerk SMS settings](https://clerk.com/docs/guides/configure/auth-strategies/sign-up-sign-in-options.md)                                                | WorkOS MFA factor table ("US only"); Stytch otp-sms-send note (US+Canada default for newer projects); Clerk SMS country settings ("only the US and Canada are enabled")                      |
| Passkeys are phishing-resistant because the private key never leaves the device and cannot be intercepted or replayed; 87% of surveyed US and UK workforces are deploying or rolling out passkeys for employee sign-ins                                                                                                                                                                                                                                        | [FIDO Alliance passkeys](https://fidoalliance.org/passkeys/), [FIDO Alliance workforce passkey research](https://fidoalliance.org/new-fido-alliance-research-shows-87-percent-us-uk-workforces-are-deploying-passkeys-for-employee-sign-ins/)                          | Passkeys overview; research announcement (survey of 400 decision-makers at 500+ employee US/UK companies)                                                                                    |
| Enterprise vendor security reviews: 77% of organizations require compliance standards (ISO 27001, NIST, SOC 2), 71% require security audits or attestations, and 62% require MFA-secured access                                                                                                                                                                                                                                                                | [ISC2 2025 Supply Chain Risk Survey](https://www.isc2.org/Insights/2025/11/2025-isc2-supply-chain-risk-survey)                                                                                                                                                         | Survey findings (n=1,062, fielded August 2025)                                                                                                                                               |
| MFA regulatory landscape: PCI DSS v4.0 mandates MFA for access to the cardholder data environment; SOC 2 expects strong authentication under the CC6 logical-access criteria (not a named mandate); HIPAA (45 CFR 164.312) and GDPR (Art. 32) require identity verification / appropriate measures but do not name MFA; a 2025 HIPAA Security Rule proposal would make MFA explicit                                                                            | [PCI SSC document library](https://www.pcisecuritystandards.org/document_library/), [HIPAA 45 CFR 164.312](https://www.law.cornell.edu/cfr/text/45/164.312), [GDPR Art. 32](https://gdpr-info.eu/art-32-gdpr/)                                                         | PCI DSS v4.0.1 Req. 8.4–8.5; HIPAA §164.312(d) person/entity authentication; GDPR Art. 32(1) example measures (pseudonymisation, encryption)                                                 |
