Enterprise customers don't want another password. They want to log in with their company identity.
SSO via SAML 2.0 or OIDC is a standard enterprise requirement. It means employees use their existing company credentials (Okta, Azure AD, Google Workspace) to log into your product — with access provisioned and deprovisioned by their IT team. We add SSO to existing products in 4–6 weeks using Clerk Enterprise SSO. Fixed-price.
Enterprise prospects requiring SSO before they'll sign, and the existing authentication system doesn't support SAML or OIDC
Enterprise IT departments have one rule about external software: employees must authenticate with their company identity provider. This is not a preference — it's a security requirement. When an employee leaves the company, their access to all connected applications is revoked from a single place (the IdP: Okta, Azure AD, Google Workspace). No SSO means the IT team has to manually track and revoke access to the product for every departing employee — which doesn't get done reliably, leaving orphaned accounts with access to company data.
From the enterprise buyer's perspective: "we can't use your product without SSO" is not a negotiating position, it's a hard requirement. The sales cycle that has been running for 3 months, where the champion is enthusiastic and the pricing negotiation is complete, can die at the IT security review if SSO isn't available.
The technical complexity of SSO implementation depends on how the existing authentication system is structured. Products that currently use Clerk for authentication can add Enterprise SSO via Clerk's built-in SAML/OIDC support — the integration is a Clerk configuration change and a connection management UI, not a full auth system rebuild. Products using custom auth or other auth providers require more involved integration work.
SSO via SAML 2.0 and OIDC added to the existing product, with JIT provisioning and connection management for enterprise customers
Clerk Enterprise SSO integration
For products already using Clerk: Enterprise SSO connections managed in Clerk's dashboard. SAML 2.0 and OIDC support for all major IdPs (Okta, Azure AD, Google Workspace, JumpCloud, OneLogin, Ping Identity).
JIT provisioning
New employees who log in via SSO for the first time have accounts automatically created with the default permissions. No manual account creation step.
Connection management UI
Enterprise account admin UI for setting up and managing their SSO connection. Metadata XML upload for SAML configuration. Test connection flow to validate the setup before going live.
Domain-based SSO routing
Users with an email domain matching an enterprise SSO connection are automatically routed to SSO login. Mixed-mode: employees use SSO, external collaborators use email/password.
SCIM provisioning (optional)
SCIM 2.0 for automated user provisioning and deprovisioning from the customer's IdP. Employees provisioned in Okta appear in the product; employees deprovisioned in Okta lose access automatically.
One honest number to start.
Fixed-scope, fixed-price. The number below is the starting point — final scope is built from your brief.
SSO via SAML 2.0 and OIDC added to the existing product, with JIT provisioning and connection management for enterprise customers
Three steps, every time.
The same repeatable engagement on every project. No surprises, no mystery, no billable ambiguity.
Brief & discovery.
We send you questions, then get on a call. Output: a written scope with every step, feature, and integration listed.
Build & ship.
Fixed schedule, weekly reviews. No scope creep unless you change the scope — and if you do, we reprice it transparently.
Warranty & retainer.
30-day warranty on every launch. Most clients stay on a monthly retainer for ongoing features and maintenance.
Why Fixed-Price Matters Here
SSO has defined technical scope: the protocol support, the connection management UI, JIT provisioning. Fixed price.
Questions, answered.
4–6 weeks for products using Clerk as the existing auth provider. 8–12 weeks for products using custom authentication that requires SAML handling to be built from scratch.
Yes — each enterprise account configures their own SSO connection with their specific IdP metadata. Multiple enterprise customers with different IdPs are all supported simultaneously.
SSO addition via Clerk Enterprise: from $18k. Custom SAML implementation: from $28k. Fixed-price.
Tell Ryel about your project.
Describe what you’re building and what outcome you need. You’ll have a written, fixed-price scope within the week.