Docs

Organization-level SSO

Clerk supports adding SSO connections to organizations, enabling users to sign in with an Identity Provider (IdP) and easily join organizations. There are three types of enterprise connections that are supported: EASIE, SAML, and OIDC.

When users sign in or up using an organization's enterprise connection, they're automatically added as members of that organization and assigned the default role, which can be either member or admin.

Warning

A domain used for enterprise SSO can't be used as a verified domain for the same organization.

Add an organization-level SSO connection

  1. In the Clerk Dashboard, navigate to the SSO Connections page.
  2. Select Add connection and select For specific domains or organizations.
  3. Select a Identity Provider.
  4. Add the Domain for which you want to enable this connection and select an Organization.

Onboarding flows

The two common onboarding flows for organizations with SSO are to either create an organization first or to have users initiate the setup themselves.

Organization created first (top-down approach)

This flow is common for enterprise sales where the relationship is established before users access the application.

  1. Create an organization for your customer through the Clerk Dashboard.
  2. Collaborate with the customer's IT administrator to obtain the necessary configuration details.
  3. Configure the SSO connection for the organization.
  4. Invite users to the organization, who can then sign in using SSO.

User-initiated setup (bottom-up approach)

This flow is common when individual users try the product before company-wide adoption.

  1. An end user signs up to evaluate your application, starting with an individual account.
  2. After adopting the application, the user creates an organization for their company.
  3. Configure SSO for the organization through the Clerk Dashboard.
  4. All subsequent users from that organization can now sign in using enterprise SSO.

Enforcing SSO by domain

SSO connections are enforced on a per-domain basis in organizations, enabling flexible access management:

  • Configure SSO for your primary domain (e.g., company.com) to enforce SSO authentication for employees.
  • Add additional domains without SSO for external collaborators (e.g., contractors, consultants)
  • Each domain in an organization can have different authentication requirements.

Managing memberships

Removing a member from your organization

Users cannot leave the organization themselves, but they can be removed in the Clerk Dashboard, using Clerk's Backend API endpoint, and by another organization member with the manage members permission (org:sys_memberships:manage). However, the user will be added back to the organization on next sign in, unless they are removed from the IdP or the enterprise connection is no longer associated with the organization.

Updating organization from existing enterprise connection

When transitioning an enterprise connection to a new organization, existing members will remain part of the original organization. However, they will automatically join the new organization upon their next sign-in.

To remove members from the original organization, you have two options: utilize Clerk's Backend API or manage memberships directly through the Clerk Dashboard.

Feedback

What did you think of this content?
Edit this page on GitHub

Last updated on