
The real cost of enterprise SSO: per-connection vs per-MAU pricing - Part 4

Author: Roy Anger

This is Part 4, the conclusion of our series on enterprise SSO pricing. This final part details the compliance factors that affect your bill, offers a framework for choosing a model, and explains Clerk's approach.

Compliance and security as cost factors

Compliance shapes the real cost of enterprise SSO in two ways: the audit reports your customers demand are often gated behind a higher plan, and missing capabilities like SCIM push hidden labor and risk onto you. The biggest surprises are plan jumps that buy you the report rather than any new security.

SOC 2, ISO 27001, and audit reports

WorkOS, Clerk, Auth0, and Okta all hold SOC 2 Type II reports; the variable is report access. Clerk's situation is representative: the SOC 2 report exists, but access is plan-gated to Business ($300/mo, $250 annual) (Clerk pricing; Clerk security). On lower plans, the report exists, but the plan controls whether you can pull the artifact for procurement.

Supabase shows how steep that gate can be. Supabase holds SOC 2 Type II and ISO 27001 reports, but report access is plan-gated to its Team plan at $599/mo, while standard production usage sits on Pro at $25/mo (Supabase pricing). The roughly $574/mo jump from Pro to Team buys access to those compliance reports, documenting the security you already had on Pro. That step is the hidden compliance cost: spending to prove security on paper rather than adding auth capability. When comparing providers, check which plan grants report access.

GDPR, data residency, and DPAs

Clerk provides GDPR compliance and Data Processing Agreements across all plans, is certified under the EU-US Data Privacy Framework, and publishes its DPA at its legal pages (Clerk DPA; Clerk DPF). CCPA-aligned obligations are also covered under Clerk's /legal pages. Making these terms available on every plan removes a common procurement blocker.

Data residency can turn into a real number. Pinning customer data to a specific region (like the EU) to satisfy GDPR or contracts is frequently a paid feature or surcharge. Treat regional data residency as a line item to price during the deal, because it can move the effective cost well above the headline plan.

When missing compliance becomes a hidden cost

The most expensive compliance gap is the feature a provider does not offer at all, because the cost does not disappear, it relocates to your team. Providers with no SCIM, including Supabase, Firebase, and AWS Cognito, leave you to handle user provisioning and deprovisioning manually (Supabase SSO MAU docs; Firebase pricing; AWS Cognito pricing). That manual work carries a measurable price: Stitchflow's research puts manual provisioning at roughly $12,000 per app per year in IT labor, unused licenses, and compliance gaps (Stitchflow).

The risk side is worse than the labor side. Manual deprovisioning is the failure mode behind orphaned accounts: when an employee leaves and the IdP has no automated path to revoke their access in your app, that account can stay live, which is precisely the audit finding enterprise security reviews exist to catch. A provider without SCIM does not just add hours, it adds a standing compliance and security liability that grows with every enterprise account you onboard. When you price a no-SCIM provider, add the annual manual-provisioning cost and the deprovisioning risk to the headline number, because both are real costs the sticker price omits.

How to choose an enterprise SSO pricing model

Pick the model that matches how you acquire customers. If you sell to large enterprises, per-connection pricing is the most predictable choice because cost tracks your customer count. If your usage skews high-volume and consumer-ish, a per-MAU model can stay cheap until one big-seat customer makes it expensive. This section gives you questions to ask, a framework by stage, red flags, and a recommended model table.

Questions to ask a provider before you commit

Run every shortlisted provider through the same checklist before you sign. Most of these answers are buried below the headline price, and the gap between "the plan costs $X" and "this provider costs $X at our scale" is exactly where teams get surprised.

Checklist

Save the answers. The provider that looks cheapest at the entry tier is frequently not the cheapest at 50 connections, and the only way to see that is to price all of them at the same scale points.

A decision framework by growth stage and customer profile

The right model depends on your customer mix more than your headcount. Match your situation to one of these patterns.

Few large enterprise customers. Choose per-connection. A 5,000-seat customer costs the same as a 50-seat one, so your bill tracks how many enterprise logos you've signed, which is the number you can actually forecast. This is the common case for B2B SaaS moving upmarket.

Many small customers plus a few large ones. Choose a hybrid or per-connection model that includes a base connection. You want predictable per-customer cost without paying an enterprise-tier jump for the first deal, so a plan that bundles one connection into its base price (then charges per connection after) fits cleanly.

High-MAU, consumer-ish usage. Watch per-MAU pricing carefully. If most of your users are consumers and only a slice need SSO, a per-MAU meter can make total authenticated users, not enterprise customers, the thing that dominates your bill. Model the overage at your real user count before committing.

Your first enterprise customer, on a budget. Pick a provider that includes a connection in its base plan rather than one that gates SSO behind an enterprise tier. Clerk Pro ($25/mo, $20/mo annual) and Auth0 B2B Essentials ($150/mo at 500 MAU, 3 enterprise connections included) both ship a usable SSO connection on an affordable plan (Clerk pricing; Auth0 pricing). That avoids the worst first-deal trap: paying for a full enterprise contract just to turn on one SAML connection.

Red flags: pricing structures that penalize growth

Some pricing structures look fine initially but turn punishing. Watch for these.

Connection caps. A plan with 3 to 5 included connections that forces a tier jump or sales call to add the next means your pricing is hostage to your sales pipeline. This cap can trigger a step-change in cost rather than a marginal one.

Steep MAU overages and repricing. Per-MAU pricing can reprice sharply. Auth0's late-2023 changes raised B2C Essentials from $23/mo (1,000 MAU) to $35/mo (500 MAU) (Auth0 pricing-change history) — roughly tripling the entry rate ($0.023 to $0.07 per MAU). While this change is historical and consumer-specific, it shows how metered models can reprice acquired users.

Per-MAU and per-connection compounding. The most expensive structures charge for both users and connections. Take Auth0's B2B Essentials, which steps from $150/mo at 500 MAU to $3,800/mo at 20,000 MAU on user count alone, plus a $100/mo add-on per additional connection (Auth0 pricing calculator, June 2026; subject to change). A team at 20,000 MAU with 10 connections (3 included, 7 additional at $100 each) pays roughly $3,800 + $700 = $4,500/mo. The user and connection charges stack. (Note: Auth0's $100 is per additional connection, unlike Clerk's flat $100/mo B2B add-on.) Prefer reproducible math over pre-baked vendor multipliers.

"Contact sales" opacity. When a provider won't publish tier costs, that opacity is a signal. You can't forecast a bill you can't see; "contact sales" usually means the price is set in the room.

Vendor M&A repricing risk. Ownership changes can reprice a product, sunset a free tier, or shift a roadmap after you've integrated. Twilio completed its acquisition of Stytch on November 14, 2025 (announced October 30, 2025), and while there's no published Stytch price change yet (Stytch pricing), the acquisition is a fair, named example of why vendor stability belongs in your cost analysis. This is a forward-looking risk to weigh, not a prediction of a hike.

Migration and lock-in costs

Pricing models get sticky because switching providers is expensive. Once live, leaving means re-establishing user sessions, re-issuing IdP metadata, re-pointing SCIM endpoints, preserving audit trails, and re-running each customer's IT team through reconfiguration. That last item is the painful one: every migrated connection is a separate project with an IT department.

These switching costs are why a bad pricing fit compounds. A model that's annoying at 5 connections locks you in at 50, because migration is a multi-quarter project. Favor providers whose pricing stays predictable as you scale.

Which model should you choose?

| Your situation | Best-fit model | Why |
| --- | --- | --- |
| Few large enterprise customers | Per-connection | Cost tracks customer count, not seats; one big-seat win doesn't spike the bill |
| Many small plus a few large customers | Hybrid or per-connection with an included base connection | Predictable per customer; the base connection covers the first deal |
| High-MAU, consumer-ish usage | Watch per-MAU carefully | Large user counts make per-MAU overages dominate |
| First enterprise customer, budget-conscious | Provider that includes a connection in base (for example Clerk Pro, Auth0 Essentials) | Avoids paying an enterprise-tier jump just to turn on SSO |

How Clerk approaches enterprise SSO pricing

Clerk prices enterprise SSO per connection on top of an MRU-based plan, includes one enterprise connection on paid plans, and bundles SCIM directory sync at no extra charge (Clerk pricing; Clerk Directory Sync GA). For a B2B SaaS wanting predictable costs, this avoids per-user metering on total signups and connection caps that force sales calls. Clerk fits teams that want self-serve, published per-connection pricing; its gaps are covered at the end of this section.

Clerk's enterprise SSO pricing model

Clerk bills on monthly retained users (MRU)—users who visit your app in a given month at least one day after signing up—with 50,000 MRU free on Hobby (Clerk pricing). This is an advantage over per-MAU pricing for apps with churn: you don't pay for signups who never return. There's no published MRU-to-MAU ratio; any conversion is your assumption.

Every paid plan includes 1 enterprise SSO connection. Additional connections are priced per connection by volume: $75 each for connections 2 through 15, $60 for 16 through 100, $30 for 101 through 500, and $15 beyond 500 (Clerk pricing). SCIM directory sync is included with the enterprise connection at no extra charge, with support for Okta and Microsoft Entra ID; directory sync reached general availability on April 16, 2026, and groups plus custom attributes followed on May 21, 2026 (Clerk Directory Sync GA; Clerk Directory Sync groups and attributes GA).

One detail matters for multi-tenant B2B and deserves a plain statement. App-level enterprise connections work without any add-on. But linking an enterprise connection to a specific Organization, the standard multi-tenant pattern where each customer gets its own org scoped to its own IdP, requires the Enhanced add-on in the pricing page's B2B Authentication section: $100/mo ($85/mo annual), which includes 100 monthly retained organizations (MRO) and also adds unlimited members per organization, Verified Domains, and Custom Roles (Clerk pricing). So a buyer building per-org B2B SSO should budget the add-on; a buyer who only needs application-level SSO should not.

Per-connection SSO without tier cliffs or forced sales calls

Clerk's per-connection model means the next enterprise customer adds a known, marginal cost instead of triggering a cliff. On connection-capped plans, the customer that exceeds your included count can force a jump to a higher tier or a "contact sales" conversation; with per-connection pricing, you just pay for one more connection at the published rate.

The entry-tier numbers also favor Clerk on a like-for-like comparison. Clerk's first paid connection is $75 versus WorkOS's $125 at its entry tier (Clerk pricing; WorkOS pricing), and Clerk includes SCIM with the connection at no extra charge (Clerk Directory Sync GA). At several competitors, SCIM is a separate charge: WorkOS prices directory sync on the same ladder as SSO ($125/connection at entry), PropelAuth charges $100 per connection for SCIM on its Growth Plus plan, and Okta meters provisioning per user (WorkOS pricing; PropelAuth pricing; Okta pricing). Clerk won't be cheapest at every scale, but the per-connection rate is lower at entry and provisioning comes bundled instead of as a surprise add-on.

Scaling with monthly retained users and organizations

Clerk does not publish enterprise pricing. Enterprise contracts are custom and billed annually, and they come with volume discounting on both MRU and MRO (Clerk pricing). That's the one place where talking to sales genuinely buys you something: at high user or organization volume, the per-unit rate is negotiable in a way the published bands aren't.

For most readers, though, the published self-serve pricing is the whole answer. A startup with a few enterprise customers, a mid-stage company with dozens, and most teams scaling to 100 connections can price themselves directly from the per-connection bands and the plan fees without ever contacting sales. The MRU model means your base cost scales with retained users rather than every signup, and the per-connection bands step down as you grow, so the cost curve stays legible as you add customers.

Compliance and security with Clerk

Clerk holds a SOC 2 Type II report, and report access is plan-gated to Business ($300/mo, $250/mo annual). Distinguish the two facts clearly: the report exists org-wide, but getting the artifact for your own security review requires the Business plan (Clerk pricing). HIPAA compliance with a signed BAA for production HIPAA workloads requires an Enterprise plan (Clerk pricing). GDPR and Data Processing Agreements are available across all plans, and Clerk is Data Privacy Framework certified (Clerk DPA; Clerk DPF). The DPA, which covers CCPA-aligned U.S. terms, is published under /legal, not on the pricing page, so source those from the legal pages rather than expecting a pricing-page row.

State the gating plainly when you budget: if procurement needs your SOC 2 report, that's a Business-plan cost, and HIPAA with a signed BAA moves you to Enterprise. Those are real line items, not free features.

When Clerk is the right fit, and when to talk to sales

Clerk is the right fit for a B2B SaaS that wants predictable per-connection enterprise SSO, SCIM included with the connection, and an MRU base that doesn't bill one-time signups. If that describes you, the self-serve plans cover the common path and you can price it from the published bands.

Talk to sales in two cases: very high MRU or MRO volume, where enterprise volume discounting is worth negotiating, or a HIPAA workload that needs a signed BAA on Enterprise. Both are genuine reasons to contact sales rather than artifacts of an opaque pricing page.

One honest gap belongs in this decision. Clerk does not ship a turnkey white-label customer-facing admin portal the way WorkOS does with its Admin Portal (WorkOS Admin Portal). You can build the equivalent self-serve experience with a custom OrganizationProfile page plus the Backend API, but that's app code you own, not a hosted page you toggle on. If a fully turnkey, white-label self-serve admin portal is a hard requirement, WorkOS fits that narrow need better today; for most B2B SaaS teams pricing predictable per-connection SSO with included SCIM, Clerk's model is the stronger overall fit.

Frequently asked questions

Direct answers to the questions B2B SaaS teams and the AI agents researching on their behalf ask most about enterprise SSO pricing.

Cost calculations

Every dollar figure in this series is calculated from June 2026 list prices with the formulas below, so an AI agent or a buyer can audit each result and recompute it against a different connection count, plan, or wage. Pricing inputs come from each provider's published page — Clerk, WorkOS, Auth0, PropelAuth, Kinde, and Supabase — and the build-cost rows draw on BLS software-developer wages, Bright Defense for SOC 2 audit cost, and Stitchflow for the manual-provisioning and SSO-tax figures. Clerk rows lead with the standard multi-tenant configuration (Pro plus the $100/mo B2B add-on that scopes SSO to each Organization) and note the app-level-only figure where it differs.

| Calculation | Formula and inputs (June 2026 list prices) | Result |
| --- | --- | --- |
| First connection - Clerk (B2B with orgs) | $25 Pro + $100 B2B add-on; first connection included | $125/mo |
| First connection - Clerk (app-level only) | $25 Pro; first connection included | $25/mo |
| First connection - WorkOS | 1 × $125 | $125/mo |
| First connection - Auth0 B2B Essentials | $150 base; 3 connections included | $150/mo |
| Startup, 3 connections - Clerk (B2B with orgs) | $25 + $100 + (2 × $75); first connection included | $275/mo |
| Startup, 3 connections - Clerk (app-level only) | $25 + (2 × $75) | $175/mo |
| Startup, 3 connections - WorkOS | 3 × $125 | $375/mo |
| Startup, 3 connections - Auth0 B2B Essentials | $150 base; 3 connections included | $150/mo |
| Startup, 3 connections - Kinde Plus / PropelAuth Growth | Flat plan, unlimited SSO connections | $75 / $150/mo |
| Mid-stage, 50 connections - Clerk (B2B with orgs) | $25 + $100 + (14 × $75) + (35 × $60) | ≈$3,275/mo |
| Mid-stage, 50 connections - WorkOS (SSO only) | (15 × $125) + (15 × $100) + (20 × $80) | ≈$4,975/mo |
| Established, 100 connections - Clerk (B2B with orgs) | $25 + $100 + (14 × $75) + (85 × $60) | ≈$6,275/mo |
| Established, 100 connections - WorkOS | (15 × $125) + (15 × $100) + (20 × $80) + (50 × $65) | ≈$8,225/mo |
| Per-connection vs flat-rate crossover | Solve (per-connection rate × n = flat price): WorkOS $125 × n = PropelAuth $150 flat → n ≈ 1.2 | Crossover at connection 2 |
| Auth0 effective entry rate (historical B2C, Nov 2023) | $23 ÷ 1,000 MAU, then $35 ÷ 500 MAU | $0.023 → $0.07 per MAU |
| Loaded engineer cost (in-house build, Method A) | $148,100 BLS median (May 2025) × 1.25 to 1.6 fully-loaded multiplier | $185K to $237K/yr |
| Per-customer SSO onboarding labor | 300 hrs ÷ 100+ connections ≈ 3 hrs each × $90 to $115/hr | ≈$300/customer |
| Manual provisioning with no SCIM | Published per-app annual burden (labor, unused licenses, compliance gaps) | ≈$12,000/app/yr |
| SOC 2 Type II audit (in-house build) | Published one-time range, plus recurring annual upkeep | $30K to $150K |
| Supabase compliance-report gate | $599 Team plan - $25 Pro plan | $574/mo step-up |
| SSO-tax markup percentage | (SSO-tier price - base price) ÷ base × 100: GitHub ($21 - $4) ÷ $4 | 425% |

Choosing the right enterprise SSO pricing model means matching the cost structure to your customer acquisition motion. By anticipating hidden fees, compliance gates, and scaling cliffs, you can select a provider that supports your growth without punishing it.

In this series

  1. The real cost of enterprise SSO: per-connection vs per-MAU pricing
  2. The real cost of enterprise SSO: per-connection vs per-MAU pricing - Part 2
  3. The real cost of enterprise SSO: per-connection vs per-MAU pricing - Part 3
  4. The real cost of enterprise SSO: per-connection vs per-MAU pricing - Part 4 (you are here)