
Self-serve SSO

Category: SSO

Your customers' IT admins can configure and manage their own enterprise SSO connections from a new Security tab in <OrganizationProfile />.

By default, enterprise SSO connections are configured by your team in the Clerk Dashboard. For every customer that needs SSO, someone on your side creates the connection, exchanges metadata with the customer's IT admin, tests it, and activates it. As your enterprise motion scales, that becomes a bottleneck. Self-serve SSO lets you delegate that configuration to your customers' IT admins, without giving them Dashboard access.

Note

Currently, Self-serve SSO is only available for applications using Clerk Organizations.

How it works

When you enable self-serve SSO for an Organization, a Security tab appears in that Organization's <OrganizationProfile />. An admin with the org:sys_entconns permission can set up the connection end-to-end from there:

  • Domains: Add one or more domains and verify ownership of each with a DNS TXT record.
  • Connection: Pick an identity provider and supply its configuration, with setup instructions embedded inline. Okta, Google Workspace, Microsoft Entra ID, and custom SAML are supported.
  • Test: Run a test sign-in to confirm the connection works end-to-end.
  • Activate: Turn the connection on once the test passes.

The connection is scoped to the Organization it's configured in and behaves like any other enterprise connection once it's live: users with a matching email domain sign in through the configured provider.

Get started

Self-serve SSO is available to applications using Organizations and is enabled per Organization. In the Clerk Dashboard, select an Organization, open its Settings, and turn on "Allow this organization to set up SSO" under Self-serve SSO. The Security tab then surfaces wherever your app renders <OrganizationProfile />.

For setup details and requirements, refer to the self-serve SSO documentation.

Contributors
Laura Beatris
Iago Dahlem
Nicolas Lopes
