Skip to main content
Docs

Organization-level enterprise SSO

Clerk supports enabling enterprise SSO connections for specific organizations. When users sign up or sign in using an organization's enterprise connection, they're automatically added as members of that organization and assigned the default role, which can be either member or admin.

Add an enterprise SSO connection for an organization

Clerk supports enterprise SSO via SAML or via the OpenID Connect (OIDC) protocol, either through EASIE or by integrating with any OIDC-compatible provider.

To add an enterprise SSO connection for an organization, follow the appropriate guide based on the platform you want to use, such as the Google SAML guide. When configuring the connection in the Clerk Dashboard, there will be an option to select the Organization for which you want to enable this connection. If you don't select an organization, the connection will be added for your entire application.

Warning

A domain used for enterprise SSO can't be used as a verified domain for the same organization.

Onboarding flows

The two common onboarding flows for organizations with enterprise SSO are to either create an organization first or to have users initiate the setup themselves.

Organization created first (top-down approach)

This flow is common for enterprise sales where the relationship is established before users access the application.

  1. Create an organization for your customer through the Clerk Dashboard.
  2. Collaborate with the customer's IT administrator to obtain the necessary configuration details.
  3. Configure the enterprise SSO connection for the organization.
  4. Invite users to the organization, who can then sign in using enterprise SSO.

User-initiated setup (bottom-up approach)

This flow is common when individual users try the product before company-wide adoption.

  1. An end user signs up to evaluate your application, starting with an individual account.
  2. After adopting the application, the user creates an organization for their company.
  3. Configure enterprise SSO for the organization through the Clerk Dashboard.
  4. All subsequent users from that organization can now sign in using enterprise SSO.

Enforce enterprise SSO by domain

Enterprise SSO connections are enforced on a per-domain basis in organizations, enabling flexible access management:

  • Configure enterprise SSO for your primary domain (e.g., company.com) to enforce enterprise SSO authentication for employees.
  • Add additional domains without enterprise SSO for external collaborators (e.g., contractors, consultants).
  • Each domain in an organization can have different authentication requirements.

Manage memberships

Remove a member from your organization

When a user is tied to an organization through their enterprise connection, they cannot leave the organization themselves, but they can be removed either in the Clerk Dashboard, using Clerk's Backend API endpoint, or by another organization member with the manage members permission (org:sys_memberships:manage). However, the user will be added back to the organization on next sign-in, unless they are removed from the IdP or the enterprise connection is no longer associated with the organization.

Update an organization from an existing enterprise connection

When transitioning an enterprise connection to a new organization, existing members will remain part of the original organization. However, they will automatically join the new organization upon their next sign-in.

To remove members from the original organization, you have two options: utilize Clerk's Backend API or manage memberships directly through the Clerk Dashboard.

Feedback

What did you think of this content?

Last updated on