Enterprise SSO

SAML, OIDC, SCIM — ready before the next enterprise deal closes.

Clerk, Auth0, WorkOS, or custom. Shipped in 3 weeks on a monthly subscription. Your enterprise procurement team signs off.

Available for new projects

Starting at $3,499/mo · monthly subscription

Who this is for

B2B SaaS CTO chasing a first enterprise deal where procurement requires SAML SSO by next quarter and the in-house team has no identity expertise.

The pain today

  • Enterprise prospect's procurement blocking over SSO requirement
  • Current auth is email/password only — no admin-level visibility
  • Clerk vs Auth0 vs WorkOS vs custom decision being made without a clear view of the trade-offs
  • SCIM provisioning asked for but unclear what it means in practice
  • Security audit questionnaire expecting SOC 2-style responses

The outcome you get

  • SAML + OIDC SSO working with Okta, Azure AD, Google Workspace, OneLogin
  • SCIM 2.0 user provisioning so users appear and disappear automatically
  • Fallback local login for admins who need break-glass access
  • Admin audit log of all authentication events
  • Security questionnaire answers ready for procurement review

Clerk vs Auth0 vs WorkOS vs custom

Four paths, different trade-offs. Clerk: modern developer experience, fast to ship, strong for B2C and B2B mixed, SSO add-on around $100/mo-plus-seat. Auth0: the enterprise default, most complete, most expensive, works everywhere including legacy LDAP. WorkOS: purpose-built for B2B enterprise features (SSO, SCIM, audit logs, Directory Sync), cleaner pricing per enterprise customer, integrates into existing auth. Custom: rarely the right answer — re-implementing SAML is a 3-month trap. For most modern SaaS, I recommend Clerk or WorkOS. Auth0 when there's a legacy enterprise integration requirement. Custom essentially never.

SAML vs OIDC vs magic link

SAML: enterprise standard, what Okta and Azure AD speak by default, complex to implement from scratch but easy to adopt through a provider. OIDC (OpenID Connect): modern alternative, cleaner, increasingly supported by enterprise IdPs, default choice for new integrations. Magic link: passwordless email-based login, good for consumer and SMB, not enterprise-appropriate. Most B2B SaaS should support all three: magic link + OIDC for self-service customers, SAML for enterprise customers with Okta/Azure. The identity provider handles the translation — your app sees a unified session regardless of method.

SCIM user provisioning

SCIM (System for Cross-domain Identity Management) is how enterprise IdPs automatically create, update, and deactivate users in your app. When an employee joins, Okta provisions them in your app automatically. When they leave, Okta deprovisions them, and the user can no longer log in. This is critical for compliance (SOC 2 requires timely deprovisioning). SCIM implementation from scratch is nontrivial; through WorkOS or Auth0 it's a configuration step. I wire the SCIM endpoints, test provisioning from Okta and Azure AD, and document the SCIM URL + bearer token your customers' IT teams need.

Enterprise audit and security considerations

Enterprise SSO comes with procurement scrutiny. Expected controls: audit log of all authentication events (login success/failure, MFA, SSO SAML assertion) retained for at least 1 year. Session management (idle timeout, absolute timeout, concurrent session limits). Break-glass admin access that bypasses SSO for emergencies. Signed and encrypted SAML assertions. Security questionnaire answers for SOC 2 equivalents. I include all of this in the standard build and document the control owners so your compliance team can point to specific implementation details when asked. Half of SSO work is the implementation, the other half is the documentation enterprise buyers require.
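To make the SCIM provisioning flow and the audit-log control above concrete, here is an added, constructed example (not code from this engagement or from any of the providers named): a minimal in-memory SCIM 2.0 /Users handler for one tenant that checks the per-tenant bearer token, creates users, honours the `active=false` PATCH that Okta and Azure AD send on deprovisioning, and writes an audit event for every action. Class and event names are my own; the Azure AD string-boolean quirk is handled because it breaks naive implementations.

```python
import hmac
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimUsers:
    def __init__(self, bearer_token):
        self._token = bearer_token  # per-tenant token handed to the customer's IT team
        self.users = {}             # id -> SCIM User resource
        self.audit_log = []         # one event per provisioning action, for reviewers

    def _error(self, status, detail):
        return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}

    def handle(self, method, path, headers, body=None):
        # Constant-time bearer-token check; failures are logged, never silent.
        expected = f"Bearer {self._token}".encode()
        if not hmac.compare_digest(headers.get("Authorization", "").encode(), expected):
            self.audit_log.append({"event": "scim.auth_failure", "path": path})
            return self._error(401, "invalid bearer token")
        parts = path.strip("/").split("/")
        if parts[0] != "Users":
            return self._error(404, "unsupported resource")
        if method == "POST" and len(parts) == 1:       # IdP provisions a new user
            user = {"schemas": [SCIM_USER], "id": str(uuid.uuid4()),
                    "userName": body["userName"], "active": bool(body.get("active", True))}
            self.users[user["id"]] = user
            self.audit_log.append({"event": "scim.user_provisioned", "user_id": user["id"]})
            return 201, user
        if len(parts) != 2 or parts[1] not in self.users:
            return self._error(404, "user not found")
        user = self.users[parts[1]]
        if method == "PATCH":                           # IdP deprovisions via active=false
            for op in body.get("Operations", []):
                if op.get("path") != "active":
                    continue
                # Azure AD sends booleans as the strings "True"/"False"; normalise both forms.
                value = op.get("value")
                user["active"] = value if isinstance(value, bool) else str(value).lower() == "true"
                event = "scim.user_reactivated" if user["active"] else "scim.user_deactivated"
                self.audit_log.append({"event": event, "user_id": user["id"]})
            return 200, user
        return self._error(405, "method not allowed")

    def can_log_in(self, user_name):
        # Login must consult the SCIM 'active' flag so deprovisioning takes effect at once.
        return any(u["userName"] == user_name and u["active"] for u in self.users.values())
```

The `audit_log` entries are the kind of evidence a procurement reviewer asks for when checking that deprovisioning is timely and that token failures are visible.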

Pricing

SSO integration fits the Applications Standard tier at $3,499/mo, typically a 3-week first version. Multi-provider SSO (Okta + Azure AD + Google + custom) or complex SCIM edge cases moves to Pro at $4,500/mo. Subscription continues through integration testing with real customer IdPs — this stage often takes 4–8 weeks of back-and-forth with each enterprise customer's IT team. 14-day money-back, cancel anytime, Work Made for Hire. Licensing for the underlying provider (Clerk, Auth0, WorkOS) is separate and billed directly to you.

Case study: bolttech enterprise scale

At bolttech, enterprise partner integrations across 15+ markets meant auth and identity at production grade was table stakes. Unified partner authentication across multiple regulatory regions, audit-logged for every regulatory compliance review, zero-downtime provisioning for new market launches. The same discipline at SaaS scale means smaller teams can close enterprise deals without spending 3 months on auth. Getting auth right once, with a provider that handles SAML and SCIM complexity, compounds over every enterprise deal you close afterward.

Recent proof

A comparable engagement, delivered and documented.

Payment Integration Platform

Unified payment orchestration across Asia and Europe

Delivered the payment orchestration platform at bolttech, a $1B+ unicorn, with 40+ integrations across multiple regions.

Fintech · $1B+ unicorn · 40+ payment providers · 15 new markets

Frequently asked questions

The questions prospects ask before they book.

How long does SSO implementation actually take?
3 weeks to ship the code. Add 1–2 weeks per enterprise customer for coordination with their IT team (exchanging metadata, configuring their IdP, testing provisioning). The code is fast; the customer-coordination is what makes enterprise deals feel slow.
Can you keep email/password for existing users?
Yes — SSO is an addition, not a replacement. Existing users keep email/password until their workspace admin enables SSO, then SAML takes priority. Break-glass admin access (super-admins who can bypass SSO in emergencies) is standard.
What's the ongoing cost?
Your chosen provider (Clerk, Auth0, WorkOS) charges separately. Clerk starts around $25/month with SSO add-ons per customer. Auth0 enterprise pricing varies by contract. WorkOS charges per enterprise connection, typically $125/month per customer. Most SaaS price their enterprise tier to comfortably cover these fees.
Do you handle SOC 2 audit prep?
The auth implementation includes all SSO-related controls SOC 2 typically requires: audit logging, MFA, session management, deprovisioning. Full SOC 2 audit prep (policies, procedures, evidence collection for all controls) is a bigger scope — I can recommend compliance consultants who specialize in that.
What if my customers use a custom/in-house IdP?
As long as it speaks SAML or OIDC, it works. WorkOS and Auth0 both support generic SAML/OIDC connections in addition to pre-configured Okta/Azure templates. Truly exotic IdPs (SiteMinder, legacy on-prem) sometimes require Auth0 specifically.

Ready to start?

Tell me what you need in 60 seconds. Tailored proposal in your inbox within 6 hours.
