
Organization-level enterprise SSO

Clerk provides enterprise single sign-on (SSO) through a feature called enterprise connections. You can enable enterprise connections for specific organizations, allowing members to authenticate through their company's identity provider using SAML or OIDC protocols.

When users sign up or sign in using an organization's enterprise connection, Clerk automatically adds them as members of that organization and assigns them the default role. This process is known as Just-in-Time (JIT) provisioning.

When to use enterprise SSO

Enterprise SSO works well when customers require centralized authentication through their Identity Provider. This approach fits scenarios where:

  • Enterprise customers have security requirements that mandate IdP-based authentication
  • IT teams need to manage user provisioning from a central location
  • Organizations want to maintain existing identity management workflows

If you need manual control over who joins and their roles, use invitations. If you want automatic enrollment without IdP requirements, use verified domains.

Common onboarding flows

The timing of when you set up enterprise SSO depends on how customers adopt your product. The two common approaches are to create the organization and configure SSO before users sign in (top-down) or to let users start individually and add SSO later (bottom-up).

Organization created first (top-down approach)

This flow is common for enterprise sales where the relationship is established before users access the application.

  1. Create an organization for your customer through the Clerk Dashboard.
  2. Collaborate with the customer's IT administrator to obtain the necessary configuration details.
  3. Configure the enterprise SSO connection for the organization.
  4. Invite users to the organization, who can then sign in using enterprise SSO.

User-initiated setup (bottom-up approach)

This flow is common when individual users try the product before company-wide adoption.

  1. An end user signs up to evaluate your application, starting with an individual account.
  2. After adopting the application, the user creates an organization for their company.
  3. Configure enterprise SSO for the organization through the Clerk Dashboard.
  4. All subsequent users from that organization can now sign in using enterprise SSO.

Add an enterprise SSO connection for an organization

Clerk supports enterprise SSO via SAML or via the OpenID Connect (OIDC) protocol, either through EASIE or by integrating with any OIDC-compatible provider.

To add an enterprise SSO connection for an organization, follow the appropriate guide based on the platform you want to use, such as the Google SAML guide. When configuring the connection in the Clerk Dashboard, there will be an option to select the Organization for which you want to enable this connection. If you don't select an organization, Clerk will add the connection for your entire application.

Warning

A domain used for enterprise SSO can't be used as a verified domain for the same organization.

Enforce enterprise SSO by domain

Clerk enforces enterprise SSO connections on a per-domain basis in organizations, enabling flexible access management:

  • Configure enterprise SSO for your primary domain (e.g., company.com) to enforce enterprise SSO authentication for employees.
  • Add additional domains without enterprise SSO for external collaborators (e.g., contractors, consultants).
  • Each domain in an organization can have different authentication requirements.

Remove a member from your organization

Users who joined through an enterprise connection cannot leave the organization on their own. They can be removed through the Clerk Dashboard, through the Backend API, or by another member with the manage members permission.

Removed users will automatically rejoin the organization on their next sign-in unless you also remove them from the IdP or disconnect the enterprise connection.

Move an enterprise connection to a different organization

When you reassign an enterprise connection to a new organization, existing members stay in the original organization. They will automatically join the new organization the next time they sign in.

To remove these users from the original organization, use either the Backend API or the Clerk Dashboard.
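
The rejoin and reassignment behaviors described in the two sections above can be checked with an offboarding audit. This is an added example, not Clerk's code or API output: it flags removed users who would be re-provisioned on their next sign-in and SSO-provisioned members left behind after a connection is moved. The record shapes, field names (`joinedVia`, `organizationId`), organization IDs, and sample addresses are constructed assumptions; real input would come from your own membership export and IdP roster.

```javascript
// Constructed sample data; field names are assumptions, not Clerk API output.
const connections = [
  { domain: "company.com", organizationId: "org_new" }, // reassigned away from org_old
  { domain: "acme.test", organizationId: "org_acme" },
];
const idpActiveUsers = new Set(["ana@company.com", "raj@acme.test"]);
const memberships = [
  { email: "ana@company.com", organizationId: "org_old", joinedVia: "enterprise_sso" },
  { email: "bo@company.com", organizationId: "org_old", joinedVia: "invitation" },
  { email: "kim@acme.test", organizationId: "org_acme", joinedVia: "enterprise_sso" },
];
const removals = [
  { email: "raj@acme.test", organizationId: "org_acme" },    // still active in the IdP
  { email: "lee@acme.test", organizationId: "org_acme" },    // deprovisioned in the IdP
  { email: "zed@partner.test", organizationId: "org_acme" }, // domain has no connection
];

const domainOf = (email) => email.slice(email.lastIndexOf("@") + 1).toLowerCase();

function connectionFor(email, conns) {
  return conns.find((c) => c.domain === domainOf(email));
}

// Removed users that JIT provisioning would re-add on their next sign-in:
// the organization still owns a connection for their domain AND the IdP
// still lets them authenticate.
function rejoinRisk(removed, conns, idpActive) {
  return removed
    .filter((r) => {
      const c = connectionFor(r.email, conns);
      return Boolean(c) && c.organizationId === r.organizationId &&
        idpActive.has(r.email.toLowerCase());
    })
    .map((r) => r.email);
}

// SSO-provisioned members still sitting in an organization whose connection
// has since been reassigned to a different organization.
function staleAfterMove(members, conns) {
  return members
    .filter((m) => {
      const c = connectionFor(m.email, conns);
      return m.joinedVia === "enterprise_sso" && Boolean(c) &&
        c.organizationId !== m.organizationId;
    })
    .map((m) => m.email);
}

console.log({
  rejoinRisk: rejoinRisk(removals, connections, idpActiveUsers),
  staleAfterMove: staleAfterMove(memberships, connections),
});
```

An empty `rejoinRisk` result means every removal was paired with IdP deprovisioning or a disconnected connection; anything in `staleAfterMove` still needs removal from the original organization.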
