
SAML ForceAuthn

Category
SAML
Published

Clerk now supports configuring the ForceAuthn parameter on SAML authentication requests.

For users with SAML integrations, the Clerk dashboard now supports configuring ForceAuthn on a per-connection basis.

This is especially important on shared or multi-user devices where a previous user may still have an active SSO session at the Identity Provider (IdP). When ForceAuthn is enabled, Clerk includes the ForceAuthn=true parameter on the SAML AuthnRequest so the IdP will ignore any existing SSO session and require the user to re‑authenticate (password, MFA, etc.). This prevents the next person on the same machine from silently inheriting access due to someone else’s logged-in IdP session.

Expectations

Existing SAML connections are unchanged—ForceAuthn remains off by default to preserve current sign‑in behavior. If you enable it, users will be prompted to re‑authenticate at the IdP on every SSO sign‑in for that connection.

How to enable

In the Clerk Dashboard, navigate to the SSO Connections page:

  1. Select your SAML connection
  2. Select the Advanced tab
  3. Enable Force authentication
  4. Save
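
To confirm the setting took effect, capture the sign-in request sent to the IdP (for example from the browser's network tab) and check the AuthnRequest for the ForceAuthn attribute. The script below is an added example, not Clerk's code: it assumes the request is carried in a `SAMLRequest` parameter (deflated as in the HTTP-Redirect binding, or base64-only as in HTTP-POST), and the IdP URL and sample requests are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_saml_request(url: str) -> str:
    """Return the AuthnRequest XML carried in the SAMLRequest query parameter."""
    params = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in URL")
    raw = base64.b64decode(params["SAMLRequest"][0])
    try:
        # HTTP-Redirect binding: raw DEFLATE without a zlib header (wbits=-15).
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        # HTTP-POST style value: base64 only, not compressed.
        return raw.decode("utf-8")

def force_authn_enabled(xml_text: str) -> bool:
    """True if the AuthnRequest asks the IdP to re-authenticate the user."""
    # Input here is your own SP's request; do not reuse for untrusted XML.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    # xs:boolean accepts "true" or "1"; an absent attribute means false.
    return root.get("ForceAuthn", "false").strip() in ("true", "1")

def build_sample_url(force: bool) -> str:
    """Constructed sample: a minimal AuthnRequest in a redirect URL."""
    attr = ' ForceAuthn="true"' if force else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed1" '
           f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{attr}/>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return "https://idp.example.com/sso?" + query  # placeholder IdP URL

if __name__ == "__main__":
    for force in (True, False):
        xml_text = decode_saml_request(build_sample_url(force))
        print("ForceAuthn requested:", force_authn_enabled(xml_text))
```

A request captured before enabling the setting should report `False`, and one captured after saving should report `True`.
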
Contributor
Kevin Wang
