Clerk launches EASIE SSO and eliminates SSO fees

Since we started Clerk, it’s been clear that enterprise SSO is a tremendous disappointment to users, developers, and IT admins alike. Despite being crucial to enterprise security, and despite the high fees usually associated with the feature, there has been a severe underinvestment in the experience for all stakeholders.

That’s why we’re absolutely delighted to share EASIE SSO with the world today. It’s enterprise SSO with a healthy dose of Clerk’s signature simplicity, baked right into our dashboard and <SignIn/> component. We're leveraging Google and Microsoft OIDC for their ease of setup, then adding a thin layer of enterprise SSO capabilities on top, including:

• Enrollment based on a user's email domain
• Mandatory sign-in through the enterprise's choice of Google or Microsoft OIDC
• Just-in-time provisioning during sign-in
• Automatic deprovisioning and session revocation

Plus, we’re eliminating usage-based SSO connection fees (previously $50/mo each) to make enterprise SSO more accessible than ever, including SAML SSO connections!

EASIE SSO can be enabled through the SSO Connections page of your dashboard: just enter the enterprise's email domain and choose if they should sign in with Google or Microsoft… Clerk will handle the rest!

Why EASIE SSO?

SSO is vital for enterprise security, but existing solutions are complex and frustrating for all parties. We've met countless developers who try to mimic enterprise SSO behavior by forcing authentication through Google or Microsoft and then verifying the email domain. This is easier than “real SSO,” but often carries security oversights:

• Verifying the email domain alone doesn't confirm that the user signed in through the correct tenant, and can be exploited through a tenant swap attack
• When a user is deactivated through the Google or Microsoft admin console, their sessions are not revoked, so terminated teammates can continue accessing tools and services as long as they don’t sign out

EASIE SSO is a thin layer on top of OIDC that solves these security challenges, while retaining the simple setup of verifying users based on email domain. There is no need to manage per-enterprise credentials like SAML metadata files or one-off OIDC secrets.

The technical details and future plans for EASIE SSO are maintained on easie.dev as an open specification, and we encourage others to implement the strategy even if they are not using Clerk.

The future of enterprise SSO

It’s clear that enterprise SSO has been sitting at a crossroads. While there is unanimous agreement of its benefits, the challenges associated have limited its adoption to only the most security-conscious and cost-insensitive enterprise software buyers.

Clerk believes in a future where the benefits of enterprise SSO are realized far more frequently, among both the largest and smallest businesses. We’re confident this future can be achieved, and we expect EASIE SSO and the elimination of SSO connection fees to be a leap forward in the right direction.

If you are also interested in creating this future, we would love to hear from you! To connect with the EASIE team, please email easie@clerk.dev.