Enterprise SSO (Clerk)

Contrax Enterprise workspaces can enforce sign-in via your company identity provider. Contrax uses Clerk for authentication — SAML/OIDC connections are configured in the Clerk Dashboard, not in Contrax code.

Setup checklist

  1. Upgrade the workspace to the enterprise plan (provisioned by sales or a founder via POST /api/organizations/enterprise).
  2. In Clerk Dashboard → SSO connections, add your SAML or OIDC IdP (Okta, Azure AD, Google Workspace, etc.).
  3. Add the allowed email domains to the Contrax Organization.domains array (e.g. acme.com).
  4. In Workspace → Settings, enable Enforce SSO (sets ssoEnforced: true).

Enforcement behavior

When SSO is enforced for an Enterprise org, API access requires either:

  • Sign-in via a Clerk SAML connection (detected on the user's external accounts), or
  • A verified email address matching one of the organization's configured domains.

Password or social logins from personal email domains are rejected with HTTP 403 on tenant API routes.
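The decision described above, as an added example (not Contrax or Clerk code): a pure function over simplified, assumed shapes for the Clerk user (emailAddresses and externalAccounts carrying a verification status) and the Contrax organization (plan, ssoEnforced, domains). The SAML detection rule (provider name starting with "saml") is an assumption, as is requiring the account to be verified.

```javascript
// Added example, not part of Contrax or Clerk. Object shapes below are assumptions.

function emailDomain(address) {
  // Take the part after the LAST "@" so input like "a@acme.com@evil.io" cannot spoof a domain.
  const at = address.lastIndexOf("@");
  return at === -1 ? "" : address.slice(at + 1).toLowerCase();
}

function hasSamlSignIn(user) {
  // Assumption: a Clerk SAML sign-in shows up as an external account whose provider starts with "saml".
  return (user.externalAccounts || []).some(
    (acct) => /^saml/i.test(acct.provider || "") &&
      !!acct.verification && acct.verification.status === "verified"
  );
}

function hasAllowedDomainEmail(user, domains) {
  const allowed = new Set(domains.map((d) => d.toLowerCase()));
  // Only VERIFIED addresses count, and the domain must match exactly:
  // a suffix test (endsWith("acme.com")) would let "evil-acme.com" pass.
  return (user.emailAddresses || []).some(
    (e) => !!e.verification && e.verification.status === "verified" &&
      allowed.has(emailDomain(e.emailAddress || ""))
  );
}

// Returns the decision a tenant API route would apply to this request.
function checkSsoEnforcement(org, user) {
  if (org.plan !== "enterprise" || !org.ssoEnforced) {
    return { allowed: true, status: 200, reason: "sso-not-enforced" };
  }
  if (hasSamlSignIn(user)) return { allowed: true, status: 200, reason: "saml" };
  if (hasAllowedDomainEmail(user, org.domains || [])) {
    return { allowed: true, status: 200, reason: "verified-domain-email" };
  }
  // Password / social login from a non-company domain: reject with 403.
  return { allowed: false, status: 403, reason: "sso-required" };
}

// Constructed sample data.
const acmeOrg = { plan: "enterprise", ssoEnforced: true, domains: ["Acme.com"] };
const samlUser = { emailAddresses: [], externalAccounts: [{ provider: "saml", verification: { status: "verified" } }] };
const personalUser = {
  emailAddresses: [{ emailAddress: "bob@gmail.com", verification: { status: "verified" } }],
  externalAccounts: [{ provider: "oauth_google", verification: { status: "verified" } }],
};
console.log(checkSsoEnforcement(acmeOrg, samlUser), checkSsoEnforcement(acmeOrg, personalUser));
```

Note that the domain check is an exact, case-insensitive match on the part after the last "@"; a lookalike such as evil-acme.com does not match acme.com.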

Related