Skip to Content
Clerk logo

Clerk Docs

Ctrl + K
Go to clerk.com

Enterprise SSO via SAML

Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an Identity Provider (IdP). With Enterprise SSO, users can sign in seamlessly using their IdP's credentials and have their user data synchronized with Clerk. You can learn more about the process in the SAML SSO authentication flows and Account linking guides, or you can jump straight into integrating an IdP with Clerk. Currently, Clerk offers direct integrations with Microsoft Azure AD, Google Workspace, and Okta Workforce as IdPs. However, you can also integrate with any other IdP that supports the SAML protocol.

Sync user attributes during sign in

During SAML SSO and after a user has successfully authenticated, the IdP provides Clerk with the corresponding user data. After each successful sign in, Clerk handles keeping the user data up-to-date based on the response of the SAML provider. This means that if a user's data changes on the IdP side, Clerk will automatically update the user's data in the Clerk database.

To disable this behavior:

  1. Navigate to the Clerk Dashboard(opens in a new tab).
  2. In the navigation sidebar, select User & Authentication > Enterprise Connections(opens in a new tab).
  3. Select the SAML connection you want to disable the sync for.
  4. Select the Advanced tab.
  5. Toggle off the Sync user attributes during Sign in option.

Allow subdomains

Authenticating via SAML SSO requires the user's email address domain to match the exact domain the SAML connection has been configured with. By default, subdomains are not supported. For example, a user with the email address john@sales.example.com would not be able to use a SAML connection with the example.com domain in order to authenticate.

To support SAML SSO with subdomains,

  1. Navigate to the Clerk Dashboard(opens in a new tab).
  2. In the navigation sidebar, select User & Authentication > Enterprise Connections(opens in a new tab).
  3. Select the SAML connection you want to disable the sync for.
  4. Select the Advanced tab.
  5. Toggle on the Allow subdomains option.

To enable the Allow subdomains option, your SAML connection domain must be an eTLD+1.

Frequently asked questions (FAQ)

I've enabled other strategies but they don't work

A Clerk application can have multiple authentication strategies, but a domain that enables Enterprise SSO can not. Once Enterprise SSO is enabled for a domain, there can be no other authentication methods for that specific domain. This is in line with an organization's intent to manage their users' identity from one place. This will allow your Clerk application to enable Enterprise SSO connections for certain domains while others use non-Enterprise SSO methods depending on each organization's needs.

Will SAML work for my existing users?

Yes, SAML will work for your existing users as well! If you enable SAML, any existing users with an email address that matches the SAML Connection domain will have to authenticate on the IdP side and an Enterprise Account will be linked to their existing account.

What happens if I have multi-factor enabled at Clerk?

This will work: Once the user comes back from the IdP, they will need to go through the extra factors of authentication. This is in case you need to add extra factors on top of what your IdP supports (or in case they don't). You can choose to not enable this feature if you wish.

What happens if I delete the SAML connection? Will my users be deleted?

The users will not be deleted, so your application will not break. However, they will need to use another strategy such as password, email OTP, etc., to authenticate themselves moving forward.

Does Clerk support IdP-initiated SSO?

Yes, Clerk supports both SP-initiated and IdP-initiated SSO flows.

How much does it cost?

For production instances, each active connection costs $50 per month. SAML connections require the Pro plan and the Enhanced Authentication Add-on. Please see pricing(opens in a new tab) for those costs, and the costs of other add-ons or features.

For development instances, SAML connections will always be free, but capped to 5.

Can I get a bulk discount?

Yes, reach out to support(opens in a new tab) to work out a custom plan.

Last updated on April 2, 2024

What did you think of this content?

Clerk © 2024