PolicyStrata

Enterprise Identity

OIDC SSO, SCIM provisioning, and the SAML decision for Clearance.

Public Claim

Clearance supports enterprise SSO via OIDC, SCIM provisioning, RBAC, audit logs, scoped runner tokens, and evidence exports.

OIDC SSO

Enterprise OIDC SSO is live through Better Auth generic OAuth. Supported provider configurations include Okta, Microsoft Entra ID, Keycloak, and generic OpenID Connect discovery.

Keep just-in-time provisioning disabled by default. For enterprise pilots, use SCIM or admin invitation first, then SSO login.

SCIM Provisioning

SCIM v2 is available at /api/scim/v2. Workspace admins issue bearer tokens in settings. SCIM creates or updates users and organization memberships, supports deprovisioning, and writes audit events for provisioning changes.

SAML

SAML sign-in is not generally available in hosted Clearance. SAML metadata can be tracked for buyer onboarding, but it does not enable SAML authentication.

If a buyer requires SAML before Better Auth exposes a stable SAML provider in the installed package, use a dedicated identity broker for that deployment.

Validation

Before an enterprise pilot, run the staging validation in docs/identity-staging-validation.md against a real Okta or Microsoft Entra tenant.

On this page