diff --git a/docs/authentication/enterprise-connections/account-linking.mdx b/docs/authentication/enterprise-connections/account-linking.mdx
new file mode 100644
index 0000000000..951170b1ad
--- /dev/null
+++ b/docs/authentication/enterprise-connections/account-linking.mdx
@@ -0,0 +1,33 @@
+---
+title: Account linking
+description: Learn how Clerk handles account linking during Enterprise SSO.
+---
+
+Account linking is the process of connecting multiple user accounts from different services or platforms, allowing users to access various services with a single set of credentials. It enables seamless sign-in using Enterprise SSO alongside other authentication methods like username/password. Clerk automatically attempts to link accounts that share the same email address, assuming a single owner for each email.
+
+## How it works
+
+When a user attempts to sign in or up, Clerk checks if the email address from the Identity Provider (IdP) matches an existing account and attempts to link them. Email addresses from IdPs are considered verified by default.
+
+The following sections explain the different scenarios that can occur during this process and how Clerk handles each one.
+
+
+
+### Email is verified in Clerk
+
+When a user signs into your app using an IdP that returns a matching verified email address, Clerk automatically links the Enterprise SSO account to the existing account and completes the sign-in process. This includes accounts protected by passwords, as the Enterprise SSO sign-in flow automatically bypasses password verification.
+
+### Email is not verified and verification isn't required
+
+By default, Clerk requires email verification at sign-up. For instances that have disabled this behavior, there's a possibility that an account may be created using an unverified email address.
+
+To configure email verification at sign-up:
+
+1. In the Clerk Dashboard, navigate to the [**Email, Phone, Username**](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username) page.
+1. Next to **Email address**, select the settings icon and disable the **Verify at sign-up** toggle.
+
+When a user signs into your app using an IdP, Clerk automatically links the Enterprise SSO account to the existing account by **also verifying the existing email address** and signing the user in. This includes accounts protected by passwords, as the Enterprise SSO sign-in flow automatically bypasses password verification.
+
+### Email is not verified
+
+When a user signs into your app using an IdP that returns a matching unverified email address, Clerk doesn't link the Enterprise SSO account to the existing account, but instead signs the user up and creates a completely new account.
diff --git a/docs/authentication/enterprise-connections/authentication-flows.mdx b/docs/authentication/enterprise-connections/authentication-flows.mdx
new file mode 100644
index 0000000000..f1d62c9895
--- /dev/null
+++ b/docs/authentication/enterprise-connections/authentication-flows.mdx
@@ -0,0 +1,58 @@
+---
+title: Enterprise SSO authentication flows
+description: Learn about the Enterprise SSO authentication flows.
+---
+
+There are two types of Enterprise SSO connections: [EASIE](#easie) and [SAML](#saml).
+
+## EASIE
+
+EASIE connections support the authentication flows described at [easie.dev](https://easie.dev).
+
+## SAML
+
+The SAML protocol supports two methods to start an SSO flow: [Service Provider-initiated (SP-initiated)](#service-provider-initiated-flow-recommended) and [Identity Provider-initiated (IdP-initiated)](#identity-provider-initiated-flow).
+
+For the best security practices, it's recommended to use the SP-initiated flow wherever possible. If you decide to enable IdP-initiated flows, ensure that proper [security measures](#clerks-security-measures), such as MFA and short validation periods, are in place to mitigate the associated risks.
+
+### Service Provider-initiated flow (recommended)
+
+In an SP-initiated flow:
+
+- The user starts the authentication process from your application (Service Provider, or SP), by providing their email address.
+- The user is redirected to the SAML provider (Identity Provider, or IdP) where they must authenticate.
+- After successful authentication, the user is redirected back to your app, gaining access to their account.
+
+### Identity Provider-initiated flow
+
+In an IdP-initiated flow:
+
+- The user starts the authentication flow from the SAML provider (IdP) by selecting which app (SP) they want to access.
+- The user is redirected to the app of their choice, gaining access to their account.
+
+> [!NOTE]
+> IdP-Initiated flow carries a [security risk](#risks-of-id-p-initiated-flow). It is recommended to use an SP-Initiated flow whenever possible.
+
+To allow IdP-initiated flows for your SAML connection:
+
+1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
+1. Select **Add connection** and select **For specific domains**.
+1. Select your **Identity Provider**. Complete the fields and select **Add connection**. You'll be redirected to the SAML connection's configuration page.
+1. Select the **Advanced** tab.
+1. In **Advanced Settings**, enable **Allow IdP-Initiated flow**. A modal will open. Select **Enable** to confirm.
+1. Select **Save**.
+
+#### Risks of IdP-initiated flow
+
+While IdP-initiated flows might offer convenience, they are also susceptible to security risks, such as [meddler-in-the-middle (MITM) attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). A bad actor might hijack the IdP response to gain access to a compromised account.
+
+When enabling an IdP-initiated flow, it's possible for Clerk to receive unsolicited authentication requests, which neither the SP nor IdP can verify were initiated by the specified user. Additionally, a bad actor could intercept the IdP response and replace it, performing a CSRF attack to sign in as the attacker.
+
+#### Clerk's security measures
+
+To mitigate the risks associated with IdP-initiated flows, Clerk implements several security measures:
+
+- **Unsolicited `InResponseTo` attribute**: Clerk ensures that unsolicited responses don't contain an `InResponseTo` attribute, in accordance with the [SAML 2.0 profiles specification](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf). This prevents bad actors from stealing a response used in an SP-initiated flow and using it in an IdP-initiated flow.
+- **Replay detection**: Clerk consumes and remembers each response to prevent re-use. This ensures that bad actors cannot steal and reuse a response to gain access to a user's account.
+- **Multi-factor authentication**: Clerk supports [multi-factor authentication (MFA)](/docs/authentication/configuration/sign-up-sign-in-options#multi-factor-authentication) for SAML IdP-initiated flows. MFA requires users to provide two or more forms of verification, which significantly enhances security by reducing the risk of unauthorized access.
+- **Use small validation periods**: Each SAML response contains a timestamp indicating when it was issued and when it will expire. Since IdP-initiated flows are expected to be completed within seconds, validation periods must be as small as possible to prevent attacks. Common IdP providers such as Azure, Google, and Okta handle this by default. However, if you're using a custom IdP, you must ensure that the validation periods are set correctly.
diff --git a/docs/authentication/enterprise-connections/easie/google.mdx b/docs/authentication/enterprise-connections/easie/google.mdx
new file mode 100644
index 0000000000..fba2b4c478
--- /dev/null
+++ b/docs/authentication/enterprise-connections/easie/google.mdx
@@ -0,0 +1,75 @@
+---
+title: Add Google as an EASIE connection
+description: Learn how to allow users to sign up and sign in to your Clerk app with their Google account using EASIE SSO.
+---
+
+
+ - Use Google to authenticate users with EASIE SSO.
+
+
+Enabling EASIE SSO with Google allows your users to sign up and sign in to your Clerk application with their Google account.
+
+## Configure for your development instance
+
+For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed.
+
+1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
+1. Select **Add connection** and select **For specific domains**.
+1. Under **EASIE**, select **Google** as the identity provider.
+1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
+1. Select **Add connection**.
+
+## Configure for your production instance
+
+> [!WARNING]
+> If you already [configured Google as a social provider](/docs/authentication/social-connections/google), you can skip this step. EASIE SSO will automatically use the credentials you configured for your social connection.
+
+For _production instances_, you must provide custom credentials, which involves generating your own **Client ID** and **Client Secret** using your Google Developer account.
+
+To make the setup process easier, it's recommended to keep two browser tabs open: one for your [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) and one for your [Google Cloud Console](https://console.cloud.google.com/).
+
+
+ ### Enable Google as an EASIE connection
+
+ 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
+ 1. Select **Add connection** and select **For specific domains**.
+ 1. Below EASIE, select **Google** as the identity provider.
+ 1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application.
+ 1. Ensure that **Use custom credentials** is toggled on.
+ 1. Save the **Redirect URI** somewhere secure. Keep this page open.
+
+ ### Create a Google Developer project
+
+ 1. Navigate to the [Google Cloud Console](https://console.cloud.google.com/).
+ 1. Select a project or [create a new one](https://console.cloud.google.com/projectcreate).
+ 1. If the **APIs & Services** page isn't already open, open the menu on the left and select **APIs & Services**.
+ 1. In the menu on the left, select **Credentials**.
+ 1. Select **Create Credentials**. Then, select **OAuth client ID.** You may need to [configure your OAuth consent screen](https://support.google.com/cloud/answer/6158849?hl=en#userconsent\&zippy=%2Cuser-consent).
+ 1. Select the appropriate application type for your project. Most likely, you will choose **Web application**.
+ 1. In the **Authorized redirect URIs** setting, paste the **Redirect URI** value you saved from the Clerk Dashboard.
+ 1. Select **Create**.
+
+ ### Set the Client ID and Client Secret in your Clerk Dashboard
+
+ Once the OAuth client is created in the Google Cloud Console, a modal will open with your **Client ID** and **Client Secret**. Save these values somewhere secure.
+
+ Go back to the Clerk Dashboard, where the modal should still be open, and paste these values into the respective fields. Note that if you have any other Google EASIE connections or a [Google social connection](docs/authentication/social-connections/google), this will update the credentials for all of them. Select **Add connection**.
+
diff --git a/docs/authentication/enterprise-connections/easie/microsoft.mdx b/docs/authentication/enterprise-connections/easie/microsoft.mdx
new file mode 100644
index 0000000000..a95fdf590c
--- /dev/null
+++ b/docs/authentication/enterprise-connections/easie/microsoft.mdx
@@ -0,0 +1,123 @@
+---
+title: Add Microsoft as an EASIE connection
+description: Learn how to allow users to sign up and sign in to your Clerk app with their Microsoft account using EASIE SSO.
+---
+
+
+ - Use Microsoft to authenticate users with EASIE SSO.
+
+
+Enabling EASIE SSO with Microsoft (formerly [Active Directory](https://learn.microsoft.com/en-us/entra/fundamentals/new-name)) allows your users to sign up and sign in to your Clerk application with their Microsoft account.
+
+## Configure for your development instance
+
+For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed.
+
+1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
+1. Select the **Add connection** button, and select **For specific domains**.
+1. Under **EASIE**, select **Microsoft** as the identity provider.
+1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
+1. Select **Add connection**.
+
+## Configure for your production instance
+
+> [!WARNING]
+> If you already [configured Microsoft as a social provider](/docs/authentication/social-connections/microsoft), you can skip this step. EASIE SSO will automatically use the credentials you configured for your social connection.
+
+For _production instances_, you must provide custom credentials, which involves generating your own **Client ID** and **Client Secret** using your Microsoft Entra ID account.
+
+To make the setup process easier, it's recommended to keep two browser tabs open: one for your [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) and one for your [Microsoft Azure portal](https://portal.azure.com).
+
+
+ ### Enable Microsoft as an EASIE connection
+
+ 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
+ 1. Select **Add connection** and select **For specific domains**.
+ 1. Under **EASIE**, select **Microsoft** as the identity provider.
+ 1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
+ 1. Ensure that **Use custom credentials** is toggled on.
+ 1. Save the **Redirect URI** somewhere secure. Keep this page open.
+
+ ### Create a Microsoft Entra ID app
+
+ > [!TIP]
+ > If you already have a Microsoft Entra ID app you'd like to connect to Clerk, select your app from the [Microsoft Azure portal](https://portal.azure.com/#home) and skip to [the next step in this tutorial](#get-your-client-id-and-client-secret).
+
+ 1. On the homepage of the [Microsoft Azure portal](https://portal.azure.com/#home), in the **Azure services** section, select **[Microsoft Entra ID](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview)**.
+ 1. In the sidebar, open the **Manage** dropdown and select **[App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)**.
+ 1. Select **New Registration**. You'll be redirected to the **Register an application** page.
+ 1. Complete the form as follows:
+ 1. Under **Name**, enter your app name.
+ 1. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**.
+ 1. Under **Redirect URI (Optional)**, select **Web**.
+ 1. Select **Register** to submit the form.
+
+ ### Secure your app against the nOAuth vulnerability
+
+ [nOAuth](https://www.descope.com/blog/post/noauth) is an exploit in Microsoft Entra ID OAuth apps that can lead to account takeovers via email address spoofing. Clerk mitigates this risk by enforcing stricter checks on verified email addresses.
+
+ For further security, Microsoft offers an optional `xms_edov` claim, which provides additional context to determine whether the returned email is verified.
+
+ This claim is mandatory for applications backing EASIE connections. To enable it, you must:
+
+ 1. In the Microsoft Azure portal, navigate to your app.
+ 1. In the sidebar, select **Token configuration**.
+ 1. Select **Add optional claim**.
+ 1. For the **Token type**, select **ID**. Then, in the table that opens, enable the `email` and `xms_pdl` claims.
+ 1. At the bottom of the modal, select **Add**. A new modal will prompt you to turn on the Microsoft Graph email permission. Enable it, then select **Add** to complete the form.
+ > [!NOTE]
+ > At the time of writing, the `xms_edov` claim is still in preview and may not be available for all apps. We'll choose another claim and rename it in the manifest later.
+ 1. Repeat the previous steps for **Token type**, but select **Access** instead of **ID**. The **Optional claims** list should now show two claims for `email` and two for `xms_pdl`: one each for **ID** and **Access**.
+ 1. In the sidebar, go to **Manifest**.
+ 1. In the text editor, search for `"acceptMappedClaims"` and set its value from `null` to `true`.
+ 1. Search for `"optionalClaims"`, where you'll find the `idToken` and `accessToken` arrays. Each array has an object with the name `xms_pdl`. Change the name to `xms_edov`.
+ 1. At the top of the page, select **Save**.
+ 1. In the sidebar, navigate back to **Token configuration** and confirm that the **Optional claims** list includes two claims for `email` and two for `xms_edov`: one each for **ID** and **Access**.
+
+ With these steps complete, Microsoft will send the `xms_edov` claim in the token, which Clerk will use to determine whether the email is verified, even when used with Microsoft Entra ID.
+
+ ### Get your client ID and client secret
+
+ Once your Microsoft Entra ID app is created, or once you select your app from the Microsoft Azure portal, you'll be redirected to its **Overview**.
+
+ 1. From your app's overview, save the **Application (client) ID** somewhere secure. You'll need it to connect your Microsoft Entra ID app to your Clerk app.
+ 1. Under **Client credentials**, select **Add a certificate or secret** to generate a **Client Secret**. You'll be redirected to the **Certificate & secrets** page.
+ 1. Select **New client secret**. In the modal that opens, enter a description and set an expiration time for your secret.
+ > [!IMPORTANT]
+ > When your secret expires, your social connection will stop working until you generate a new client secret and add it to your Clerk app.
+ 1. Save the new client secret's **Value** somewhere secure. You'll add this and your client ID to your Clerk app later. Keep this page open.
+
+ ### Set the Client ID and Client Secret in your Clerk Dashboard
+
+ Go back to the Clerk Dashboard, where the modal should still be open, and paste the **Client ID** and **Client Secret** values into the respective fields. Note that if you have any other Microsoft EASIE connections or a [Microsoft social connection](docs/authentication/social-connections/microsoft), this will update the credentials for all of them. Select **Add connection**.
+
+ ### Enable OpenID
+
+ To connect your Clerk app to your Microsoft app, set the **Redirect URI** in your Microsoft Azure portal.
+
+ 1. Navigate back to the Microsoft Azure portal.
+ 1. In the sidebar, open the **Manage** dropdown and select **Authentication**.
+ 1. Select **Add a platform**.
+ 1. Select **Web**.
+ 1. In the **Redirect URIs** field and the **Front-channel logout URL** field, paste the **Redirect URI** you copied from the Clerk Dashboard.
+ 1. Under **Implicit grant and hybrid flows**, check both **Access tokens** and **ID tokens**.
+ 1. Select **Configure** to save the changes.
+
diff --git a/docs/authentication/saml/jit-provisioning.mdx b/docs/authentication/enterprise-connections/jit-provisioning.mdx
similarity index 95%
rename from docs/authentication/saml/jit-provisioning.mdx
rename to docs/authentication/enterprise-connections/jit-provisioning.mdx
index 51e41eb0e0..e2b35adc01 100644
--- a/docs/authentication/saml/jit-provisioning.mdx
+++ b/docs/authentication/enterprise-connections/jit-provisioning.mdx
@@ -7,7 +7,7 @@ Just-in-Time (JIT) Provisioning, or automatic account provisioning, is a process
Using JIT Provisioning means your IT department won't have to manually create user accounts for each of the services or apps your employees use to get work done.
-Clerk supports JIT account provisioning for all [supported SAML providers](/docs/authentication/saml/overview).
+Clerk supports JIT account provisioning for all [supported SAML providers](/docs/authentication/enterprise-connections/overview).
Check your preferred SAML provider's documentation to enable JIT account provisioning on their side.
diff --git a/docs/authentication/enterprise-connections/overview.mdx b/docs/authentication/enterprise-connections/overview.mdx
new file mode 100644
index 0000000000..7964cc946f
--- /dev/null
+++ b/docs/authentication/enterprise-connections/overview.mdx
@@ -0,0 +1,80 @@
+---
+title: Enterprise SSO
+description: Clerk provides Enterprise SSO to authenticate users via federated Identity Providers such such as Azure AD, Okta, Google Workspace and more.
+---
+
+With Enterprise SSO, users can sign in seamlessly using their Identity Provider's (IdP) credentials and have their user data synchronized with Clerk. You can learn more about the process in the guides on [authentication flows](/docs/authentication/enterprise-connections/authentication-flows) and [account linking](/docs/authentication/enterprise-connections/account-linking).
+
+## SAML
+
+Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an IdP. The following IdPs are supported: [Microsoft Azure AD](/docs/authentication/enterprise-connections/saml/azure), [Google Workspace](/docs/authentication/enterprise-connections/saml/google), and [Okta Workforce](/docs/authentication/enterprise-connections/saml/okta). However, you can also [integrate with any other IdP](/docs/authentication/enterprise-connections/saml/custom-provider) that supports the SAML protocol.
+
+### Allow subdomains
+
+Authenticating via SAML SSO requires the user's email address domain to match the exact domain the SAML connection has been configured with. By default, subdomains are not supported. For example, a user with the email address `john@sales.example.com` wouldn't be able to use a SAML connection with the `example.com` domain to authenticate.
+
+To configure subdomains for a SAML connection:
+
+1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
+1. Select the SAML connection you want to allow subdomains for.
+1. Select the **Advanced** tab.
+1. Enable or disable the **Allow subdomains** option.
+1. Select **Save**.
+
+> [!NOTE]
+> To enable the **Allow subdomains** option, your SAML connection domain must be an [eTLD+1](https://developer.mozilla.org/en-US/docs/Glossary/eTLD).
+
+## EASIE
+
+[EASIE](https://easie.dev) SSO is a way for applications to provide enterprise-grade SSO through a multi-tenant OpenID provider. It is designed to be an easier alternative to SAML SSO.
+
+The following IdPs are supported: Google Workspace and Microsoft Entra ID. For _development instances_, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed. For _production instances_, you must provide custom credentials. Follow the steps outlined in the guides to complete the setup:
+
+- [Google](docs/authentication/social-connections/google)
+- [Microsoft](docs/authentication/social-connections/azure)
+
+### Automatic deprovisioning
+
+Clerk prevents users linked to deprovisioned accounts in the OpenID provider from accessing the app.
+
+Within 10 minutes of a user being removed from the OpenID provider (e.g. [suspendeded](https://support.google.com/a/answer/33312?hl=en) or [deleted](https://support.google.com/a/answer/33314?hl=en) via Google Workspace, or [deleted](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users#delete-a-user) via Microsoft Entra), Clerk will recognize that the user has been deprovisioned and will revoke that user's existing sessions.
+
+It is ultimately the app's responsibility to handle this unauthenticated state and display something appropriate to the user. For example, Next.js apps using [`auth.protect()`](docs/references/nextjs/auth#auth-protect) will automatically redirect the user to the sign-in page.
+
+## SAML vs. EASIE
+
+The primary security difference between EASIE SSO and SAML SSO is that EASIE depends on a multi-tenant identity provider, while SAML depends on a single-tenant identity provider. Relying on a multi-tenant provider **increases** the risk that a user from one tenant will mistakenly be granted access to the resources of another tenant. While Clerk implements [measures to address this risk](https://easie.dev/#mitigating-tenant-crossover-vulnerabilities), apps that require single-tenant IdPs should opt for SAML.
+
+For more information, see the [EASIE docs](https://easie.dev#security).
+
+## Frequently asked questions (FAQ)
+
+### I've enabled other strategies but they don't work
+
+A Clerk app can have multiple authentication strategies, but a domain that enables Enterprise SSO can't. Once Enterprise SSO is enabled for a domain, there can be no other authentication methods for that specific domain. This is in line with an organization's intent to manage their users' identity from one place. This allows your Clerk app to enable Enterprise SSO connections for certain domains while others use non-Enterprise SSO methods depending on each organization's needs.
+
+### Will Enterprise SSO work for my existing users?
+
+Yes, Enterprise SSO will work for your existing users as well! If you enable SAML or EASIE, any existing users with an email address that matches the SAML or EASIE connection domain will have to authenticate on the IdP side and an Enterprise account will be linked to their existing account.
+
+### What happens if I have multi-factor enabled at Clerk?
+
+Once the user returns from the IdP, they will need to complete additional authentication factors. This is useful if you want to add extra factors beyond what your IdP supports or if your IdP doesn’t support them. This feature is optional and can be disabled if not needed.
+
+### What happens if I delete the Enterprise Connection? Will my users be deleted?
+
+The users will not be deleted, so your app will not break. However, they will need to use another [strategy](/docs/authentication/configuration/sign-up-sign-in-options#authentication-strategies) such as password or email to authenticate themselves moving forward.
+
+### Does Clerk support IdP-initiated SSO?
+
+Yes, for SAML only. Clerk supports both Service Provider-initiated (SP-initiated) and Identity Provider-initiated (IdP-initiated) SSO flows. For more information, see the [authentication flows guide](/docs/authentication/enterprise-connections/authentication-flows).
+
+### How much does it cost?
+
+For development instances, Enterprise connections are always free but limited to a maximum of 25.
+
+Production instances require the Pro plan and the Enhanced Authentication Add-on. Please see [pricing](/pricing){{ target: '_blank' }} for more information.
+
+### Can I get a bulk discount?
+
+Yes, [contact support](/contact/support){{ target: '_blank' }} to work out a custom plan.
diff --git a/docs/authentication/saml/azure.mdx b/docs/authentication/enterprise-connections/saml/azure.mdx
similarity index 90%
rename from docs/authentication/saml/azure.mdx
rename to docs/authentication/enterprise-connections/saml/azure.mdx
index d2228ef9ec..1ae47660ab 100644
--- a/docs/authentication/saml/azure.mdx
+++ b/docs/authentication/enterprise-connections/saml/azure.mdx
@@ -31,7 +31,7 @@ To make the setup process easier, it's recommended to keep two browser tabs open
1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
1. Select **Add connection** and select **For specific domains**.
- 1. In the modal that opens, select **Microsoft Entra ID (Formerly AD)** as the identity provider.
+ 1. Under **SAML**, select **Microsoft Entra ID (Formerly AD)** as the identity provider.
1. Add the **Name** of the connection. This is the name that will be displayed on the sign-in form.
1. Enter the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your app.
1. Select **Add connection**. You'll be redirected to the connection's configuration page.
@@ -118,15 +118,4 @@ To make the setup process easier, it's recommended to keep two browser tabs open
1. Navigate back to the Clerk Dashboard where you should still have the connection's configuration page open. If not, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page and select the connection.
1. At the top of the page, toggle on **Enable connection** and select **Save**.
-
- ### Test your OAuth
-
- The simplest way to test your OAuth is to visit your Clerk app's [Account Portal](/docs/customization/account-portal/overview), which is available for all Clerk apps out-of-the-box.
-
- 1. In the Clerk Dashboard, navigate to the [**Account Portal**](https://dashboard.clerk.com/last-active?path=account-portal) page.
- 1. Next to the **Sign-in** URL, select **Visit**. The URL should resemble:
-
- - **For development** – `https://your-domain.accounts.dev/sign-in`
- - **For production** – `https://accounts.your-domain.com/sign-in`
- 1. Sign in with your Microsoft account.
diff --git a/docs/authentication/saml/custom-provider.mdx b/docs/authentication/enterprise-connections/saml/custom-provider.mdx
similarity index 86%
rename from docs/authentication/saml/custom-provider.mdx
rename to docs/authentication/enterprise-connections/saml/custom-provider.mdx
index 15162ea682..c0b23a82ba 100644
--- a/docs/authentication/saml/custom-provider.mdx
+++ b/docs/authentication/enterprise-connections/saml/custom-provider.mdx
@@ -20,7 +20,7 @@ description: Learn how to integrate an Identity Provider with Clerk using SAML S
- Use a custom IdP to enable single sign-on (SSO) via SAML for your Clerk application.
-Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an Identity Provider (IdP). Currently, Clerk offers direct integrations with [Microsoft Azure AD](/docs/authentication/saml/azure), [Google Workspace](/docs/authentication/saml/google), and [Okta Workforce](/docs/authentication/saml/okta) as IdPs. However, you can also integrate with any other IdP that supports the SAML protocol. This guide will show you how to set up a SAML connection with a custom IdP in Clerk.
+Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an Identity Provider (IdP). Currently, Clerk offers direct integrations with [Microsoft Azure AD](/docs/authentication/enterprise-connections/saml/azure), [Google Workspace](/docs/authentication/enterprise-connections/saml/google), and [Okta Workforce](/docs/authentication/enterprise-connections/saml/okta) as IdPs. However, you can also integrate with any other IdP that supports the SAML protocol. This guide will show you how to set up a SAML connection with a custom IdP in Clerk.
## Tutorial
@@ -29,10 +29,9 @@ Clerk supports Enterprise SSO via the SAML protocol, enabling you to create auth
To create a SAML connection in Clerk:
- 1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections).
- 1. In the top navigation, select **Configure**. Then in the sidebar, select **SSO Connections**.
- 1. Select the **Add connection** button, and select **For specific domains**.
- 1. Select **Custom SAML Provider**.
+ 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
+ 1. Select **Add connection** and select **For specific domains**.
+ 1. Under **SAML**, select **Custom SAML Provider**.
1. Add the **Name** of the connection. This is the name that will be displayed in the sign-in form.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application.
1. Select **Add connection**. You will be redirected to the connection's configuration page.
@@ -103,16 +102,10 @@ Clerk supports Enterprise SSO via the SAML protocol, enabling you to create auth
Learn more about [how to access the metadata from our APIs](/docs/users/metadata).
- ### Activate your SAML connection
-
- Now that you have configured your SAML connection, you can activate it.
+ ### Enable the connection for Clerk
To make the connection available for your users to authenticate with:
1. In the Clerk Dashboard, you should still have the connection's configuration page open. If not, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page and select the connection.
1. Toggle on **Enable connection** and select **Save**.
-
- ### Test your SAML connection
-
- Everything should be set up now for you to test authentication via SAML. Go to your Clerk application's sign-in page and add your email address in the input field. If it matches an active SAML connection, you will be redirected to your IdP where you will sign in with your credentials.
diff --git a/docs/authentication/saml/google.mdx b/docs/authentication/enterprise-connections/saml/google.mdx
similarity index 93%
rename from docs/authentication/saml/google.mdx
rename to docs/authentication/enterprise-connections/saml/google.mdx
index 88c0bcaaff..15495420a1 100644
--- a/docs/authentication/saml/google.mdx
+++ b/docs/authentication/enterprise-connections/saml/google.mdx
@@ -27,13 +27,12 @@ description: Learn how to integrate Google Workspace with Clerk using SAML SSO.
To create a SAML connection in Clerk:
- 1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections).
- 1. In the top navigation, select **Configure**. Then in the sidebar, select **SSO Connections**.
- 1. Select the **Add connection** button, and select **For specific domains**.
- 1. Select **Google Workspace** as the identity provider.
+ 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
+ 1. Select **Add connection** and select **For specific domains**.
+ 1. Under **SAML**, select **Google Workspace** as the identity provider.
1. Add the **Name** of the connection. This is the name that will be displayed in the sign-in form.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application.
- 1. Select **Add connection**. You will be redirected to the connection's configuration page.
+ 1. Select **Add connection**. You'll be redirected to the connection's configuration page.
### Create a new enterprise application in Google
diff --git a/docs/authentication/saml/okta.mdx b/docs/authentication/enterprise-connections/saml/okta.mdx
similarity index 94%
rename from docs/authentication/saml/okta.mdx
rename to docs/authentication/enterprise-connections/saml/okta.mdx
index d05ebe395b..e442e44eda 100644
--- a/docs/authentication/saml/okta.mdx
+++ b/docs/authentication/enterprise-connections/saml/okta.mdx
@@ -27,10 +27,9 @@ description: Learn how to integrate Okta Workforce with Clerk using SAML SSO.
To create a SAML connection in Clerk:
- 1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections).
- 1. In the top navigation, select **Configure**. Then in the sidebar, select **SSO Connections**.
- 1. Select the **Add connection** button, and select **For specific domains**.
- 1. Select **Okta Workforce** as the identity provider.
+ 1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
+ 1. Select **Add connection** and select **For specific domains**.
+ 1. Under **SAML**, select **Okta Workforce** as the identity provider.
1. Add the **Name** of the connection. This is the name that will be displayed in the sign-in form.
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application.
1. Select **Add connection**. You will be redirected to the connection's configuration page.
diff --git a/docs/authentication/saml/account-linking.mdx b/docs/authentication/saml/account-linking.mdx
deleted file mode 100644
index 69bbce1b04..0000000000
--- a/docs/authentication/saml/account-linking.mdx
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Account Linking
-description: Learn how Clerk handles account linking during SAML SSO.
----
-
-Account Linking is a process that Clerk uses to ensure a smooth sign-in and sign-up experience using SAML SSO and other methods (e.g. username/password). By using the email address as the common identifier, Clerk automatically attempts to link accounts whenever possible. Account linking triggers when a SAML provider returns an email address that matches an existing account, assuming a single owner for each email address.
-
-## How it works
-
-When a user attempts to sign in or sign up, Clerk first checks the provided email address. Clerk will attempt to link the SAML account with any existing Clerk account that shares the same email address.
-
-In the following sections, we'll look at the different scenarios that can occur during this process and explain how Clerk handles each one.
-
-> [!NOTE]
-> Email addresses from SAML providers are considered verified by default.
-
-
-
-### Email is verified in Clerk
-
-When a user signs into your app using a SAML provider that returns a matching verified email address, Clerk links the SAML account to the existing account and signs the user in. This even applies to password-protected accounts, as the SAML sign-in process automatically bypasses password verification.
-
-### Email is unverified and verification isn't required
-
-For instances that allow account creation without email verification at sign-up, there is a possibility that an account may be created using an unverified email address.
-
-To allow unverified email addresses for your instance:
-
-1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username)
-1. In the navigation sidebar, select **Email, Phone, Username**.
-1. Next to **Email address**, select the settings icon and uncheck the **Verify at sign-up** toggle.
-
-When a user signs into your app using a SAML provider, Clerk links the SAML account to the existing account by also verifying the existing email address and signs the user in. This even applies to password-protected accounts, as the SAML sign-in process automatically bypasses password verification.
-
-### Email is unverified
-
-When a user signs into your app using a SAML provider that returns a matching unverified email address, Clerk doesn't link the SAML account to the existing account, but instead signs the user up and creates a completely new account.
diff --git a/docs/authentication/saml/authentication-flows.mdx b/docs/authentication/saml/authentication-flows.mdx
deleted file mode 100644
index 78a6d58927..0000000000
--- a/docs/authentication/saml/authentication-flows.mdx
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: SAML SSO authentication flows
-description: Learn about the SAML SSO authentication flows.
----
-
-The SAML protocol supports two methods to start an SSO flow: Service Provider-initiated (SP-initiated) and Identity Provider-initiated (IdP-initiated).
-
-## Service Provider-initiated flow (recommended)
-
-In an SP-initiated flow:
-
-- The user starts the authentication process from your application (Service Provider, or SP), by providing their email address.
-- The user is redirected to the SAML provider (Identity Provider, or IdP) where they must authenticate.
-- After successful authentication, the user is redirected back to your application, gaining access to their account.
-
-## Identity Provider-initiated flow
-
-In an IdP-initiated flow:
-
-- The user starts the authentication flow from the SAML provider (IdP) by selecting which application (SP) they want to access.
-- The user is redirected to the application of their choice, gaining access to their account.
-
-> [!NOTE]
-> IdP-Initiated flow carries a [security risk](#risks-of-id-p-initiated-flow). It is recommended to use an SP-Initiated flow whenever possible.
-
-To allow IdP-initiated flows for your SAML connection:
-
-1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page.
-1. Select **Add connection** and select **For specific domains**.
-1. Select your **Identity Provider**. Complete the fields and select **Add connection**. You'll be redirected to the SAML connection's configuration page.
-1. Select the **Advanced** tab.
-1. In **Advanced Settings**, enable **Allow IdP-Initiated flow**. A modal will open. Select **Enable** to confirm.
-1. Select **Save**.
-
-### Risks of IdP-initiated flow
-
-While IdP-initiated flows might offer convenience, they are also susceptible to security risks, such as [meddler-in-the-middle (MITM) attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). A bad actor might hijack the IdP response to gain access to a compromised account.
-
-When enabling an IdP-initiated flow, it is possible for Clerk to receive unsolicited authentication requests, which neither the SP nor IdP can verify were initiated by the specified user. Additionally, a bad actor could intercept the IdP response and replace it, performing a CSRF attack to sign in as the attacker.
-
-### Clerk's security measures
-
-To mitigate the risks associated with IdP-initiated flows, Clerk implements several security measures:
-
-#### Unsolicited `InResponseTo` attribute
-
-Clerk ensures that unsolicited responses don't contain an `InResponseTo` attribute, in accordance with the [SAML 2.0 profiles specification](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf). This prevents bad actors from stealing a response used in an SP-initiated flow and using it in an IdP-initiated flow.
-
-#### Replay detection
-
-Clerk consumes and remembers each response to prevent re-use. This ensures that bad actors cannot steal and reuse a response to gain access to a user's account.
-
-#### Multi-factor authentication
-
-Clerk supports [multi-factor authentication (MFA)](/docs/authentication/configuration/sign-up-sign-in-options#multi-factor-authentication) for SAML IdP-initiated flows. MFA requires users to provide two or more forms of verification, which significantly enhances security by reducing the risk of unauthorized access.
-
-#### Use small validation periods
-
-Each SAML response contains a timestamp indicating when it was issued and when it will expire. Since IdP-initiated flows are expected to be completed within seconds, validation periods must be as small as possible to prevent attacks. Common IdP providers such as Azure, Google, and Okta handle this by default. However, if you are using a custom IdP, you must ensure that the validation periods are set correctly.
-
-### Conclusion
-
-For the best security practices, Clerk recommends using the SP-initiated flow wherever possible. If you decide to enable IdP-initiated flows, ensure that proper security measures—such as MFA, replay detection, and short validation periods—are in place to mitigate the associated risks.
diff --git a/docs/authentication/saml/overview.mdx b/docs/authentication/saml/overview.mdx
deleted file mode 100644
index 7f0bd583aa..0000000000
--- a/docs/authentication/saml/overview.mdx
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: Enterprise SSO via SAML
-description: Clerk supports Enterprise SSO via the SAML protocol so that you can create authentication strategies for Identity Providers, such as Okta.
----
-
-Clerk supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an Identity Provider (IdP). With Enterprise SSO, users can sign in seamlessly using their IdP's credentials and have their user data synchronized with Clerk. You can learn more about the process in the [SAML SSO authentication flows](/docs/authentication/saml/authentication-flows) and [Account linking](/docs/authentication/saml/account-linking) guides, or you can jump straight into integrating an IdP with Clerk. Currently, Clerk offers direct integrations with [Microsoft Azure AD](/docs/authentication/saml/azure), [Google Workspace](/docs/authentication/saml/google), and [Okta Workforce](/docs/authentication/saml/okta) as IdPs. However, you can also [integrate with any other IdP](/docs/authentication/saml/custom-provider) that supports the SAML protocol.
-
-## Allow subdomains
-
-Authenticating via SAML SSO requires the user's email address domain to match the exact domain the SAML connection has been configured with. By default, subdomains are not supported. For example, a user with the email address `john@sales.example.com` would not be able to use a SAML connection with the `example.com` domain in order to authenticate.
-
-To support SAML SSO with subdomains,
-
-1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections).
-1. In the top navigation, select **Configure**. Then in the sidebar, select **SSO Connections**.
-1. Select the SAML connection you want to allow subdomains for.
-1. Select the **Advanced** tab.
-1. Toggle on the **Allow subdomains** option.
-
-> [!NOTE]
-> To enable the **Allow subdomains** option, your SAML connection domain must be an eTLD+1.
-
-## Frequently asked questions (FAQ)
-
-### I've enabled other strategies but they don't work
-
-A Clerk application can have multiple authentication strategies, but a domain that enables Enterprise SSO can not. Once Enterprise SSO is enabled for a domain, there can be no other authentication methods for that specific domain. This is in line with an organization's intent to manage their users' identity from one place. This will allow your Clerk application to enable Enterprise SSO connections for certain domains while others use non-Enterprise SSO methods depending on each organization's needs.
-
-### Will SAML work for my existing users?
-
-Yes, SAML will work for your existing users as well! If you enable SAML, any existing users with an email address that matches the SAML Connection domain will have to authenticate on the IdP side and an Enterprise Account will be linked to their existing account.
-
-### What happens if I have multi-factor enabled at Clerk?
-
-This will work: Once the user comes back from the IdP, they will need to go through the extra factors of authentication. This is in case you need to add extra factors on top of what your IdP supports (or in case they don't). You can choose to not enable this feature if you wish.
-
-### What happens if I delete the SAML connection? Will my users be deleted?
-
-The users will not be deleted, so your application will not break. However, they will need to use another [strategy](/docs/authentication/configuration/sign-up-sign-in-options#authentication-strategies) such as password, email OTP, etc., to authenticate themselves moving forward.
-
-### Does Clerk support IdP-initiated SSO?
-
-Yes, Clerk supports both Service Provider-initiated (SP-initiated) and Identity Provider-initiated (IdP-initiated) SSO flows. [Learn more](/docs/authentication/saml/authentication-flows).
-
-### How much does it cost?
-
-For production instances, each active connection costs $50 per month. SAML connections require the Pro plan and the Enhanced Authentication Add-on. See [pricing](/pricing){{ target: '_blank' }} for those costs, and the costs of other add-ons or features.
-
-For development instances, SAML connections will always be free, but capped to 5.
-
-### Can I get a bulk discount?
-
-Yes, [contact support](/contact/support){{ target: '_blank' }} to work out a custom plan.
diff --git a/docs/authentication/social-connections/microsoft.mdx b/docs/authentication/social-connections/microsoft.mdx
index 0b0ed582e7..167ecb1de6 100644
--- a/docs/authentication/social-connections/microsoft.mdx
+++ b/docs/authentication/social-connections/microsoft.mdx
@@ -131,4 +131,4 @@ To make the setup process easier, it's recommended to keep two browser tabs open
- Only credentials of type `secret` are supported (not the `certificate` type).
> [!TIP]
-> If you're using [SAML with Microsoft](/docs/authentication/saml/azure), the different tenant types _are_ supported, and you can disregard these limitations.
+> If you're using [SAML with Microsoft](/docs/authentication/enterprise-connections/saml/azure), the different tenant types _are_ supported, and you can disregard these limitations.
diff --git a/docs/custom-flows/saml-connections.mdx b/docs/custom-flows/saml-connections.mdx
index b1386039de..e062065c88 100644
--- a/docs/custom-flows/saml-connections.mdx
+++ b/docs/custom-flows/saml-connections.mdx
@@ -7,7 +7,7 @@ description: Learn how to use the Clerk API to build a custom sign-up and sign-i
## Before you start
-You must configure your application instance through the Clerk Dashboard for the SAML connection(s) that you want to use. Visit [the appropriate SAML guide for your platform](/docs/authentication/saml/overview) to learn how to configure your instance.
+You must configure your application instance through the Clerk Dashboard for the SAML connection(s) that you want to use. Visit [the appropriate SAML guide for your platform](/docs/authentication/enterprise-connections/overview) to learn how to configure your instance.
## Create the sign-up and sign-in flow
diff --git a/docs/manifest.json b/docs/manifest.json
index b57462e7e5..b66d65442f 100644
--- a/docs/manifest.json
+++ b/docs/manifest.json
@@ -490,40 +490,62 @@
]
},
{
- "title": "SAML",
+ "title": "Enterprise Connections",
"items": [
[
{
"title": "Overview",
- "href": "/docs/authentication/saml/overview"
+ "href": "/docs/authentication/enterprise-connections/overview"
},
{
"title": "Authentication flows",
- "href": "/docs/authentication/saml/authentication-flows"
+ "href": "/docs/authentication/enterprise-connections/authentication-flows"
},
{
"title": "Account linking",
- "href": "/docs/authentication/saml/account-linking"
+ "href": "/docs/authentication/enterprise-connections/account-linking"
},
{
- "title": "Azure",
- "href": "/docs/authentication/saml/azure"
- },
- {
- "title": "Google",
- "href": "/docs/authentication/saml/google"
- },
- {
- "title": "Okta",
- "href": "/docs/authentication/saml/okta"
+ "title": "Just-in-Time account provisioning",
+ "href": "/docs/authentication/enterprise-connections/jit-provisioning"
},
{
- "title": "Custom provider",
- "href": "/docs/authentication/saml/custom-provider"
+ "title": "EASIE",
+ "items": [
+ [
+ {
+ "title": "Microsoft",
+ "href": "/docs/authentication/enterprise-connections/easie/microsoft"
+ },
+ {
+ "title": "Google",
+ "href": "/docs/authentication/enterprise-connections/easie/google"
+ }
+ ]
+ ]
},
{
- "title": "Just-in-Time account provisioning",
- "href": "/docs/authentication/saml/jit-provisioning"
+ "title": "SAML",
+ "items": [
+ [
+ {
+ "title": "Azure",
+ "href": "/docs/authentication/enterprise-connections/saml/azure"
+ },
+ {
+ "title": "Google",
+ "href": "/docs/authentication/enterprise-connections/saml/google"
+ },
+ {
+ "title": "Okta",
+ "href": "/docs/authentication/enterprise-connections/saml/okta"
+ },
+ {
+ "title": "Custom provider",
+ "href": "/docs/authentication/enterprise-connections/saml/custom-provider"
+ }
+ ]
+ ]
}
]
]