Enterprise Identity
OIDC SSO, SCIM provisioning, and the SAML decision for Clearance.
Public Claim
Clearance supports enterprise SSO via OIDC, SCIM provisioning, RBAC, audit logs, scoped runner tokens, and evidence exports.
OIDC SSO
Enterprise OIDC SSO is live through Better Auth generic OAuth. Supported provider configurations include Okta, Microsoft Entra ID, Keycloak, and generic OpenID Connect discovery.
Keep just-in-time provisioning disabled by default. For enterprise pilots, use SCIM or admin invitation first, then SSO login.
SCIM Provisioning
SCIM v2 is available at /api/scim/v2. Workspace admins issue bearer tokens in
settings. SCIM creates or updates users and organization memberships, supports
deprovisioning, and writes audit events for provisioning changes.
SAML
SAML sign-in is not generally available in hosted Clearance. SAML metadata can be tracked for buyer onboarding, but it does not enable SAML authentication.
If a buyer requires SAML before Better Auth exposes a stable SAML provider in the installed package, use a dedicated identity broker for that deployment.
Validation
Before an enterprise pilot, run the staging validation in
docs/identity-staging-validation.md against a real Okta or Microsoft Entra
tenant.