Enterprise plan

Enterprise Auth & SSO

Your IT team shouldn't have to argue about SAML with every vendor. Toretto ships with the session, password, and SSO controls enterprise customers expect — configured from a single settings page, with every change recorded for your next audit.

What you get

Session policy

Set max session lifetime and idle timeout per org. Platform ceiling is 24 hours — no exceptions, no knobs that let a future contributor bypass it.
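As an added illustration (not Toretto's code, and nothing here is taken from the product), the logic below models the two session controls and the platform ceiling in Python. The ceiling is a constant that per-org settings are validated against rather than a default they can override, and a session is evaluated against both the absolute lifetime and the idle gap. Type names, the second-based units and the sample timestamps are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Platform-wide hard ceiling (assumed constant for this example).
# Org policy is validated against it; nothing below can raise it.
PLATFORM_MAX_SESSION = timedelta(hours=24)


@dataclass(frozen=True)
class SessionPolicy:
    max_lifetime: timedelta  # absolute cap measured from sign-in
    idle_timeout: timedelta  # cap on inactivity between requests


def validate_policy(max_lifetime_s: int, idle_timeout_s: int) -> SessionPolicy:
    """Build a per-org policy from seconds, rejecting anything above the ceiling."""
    max_lifetime = timedelta(seconds=max_lifetime_s)
    idle_timeout = timedelta(seconds=idle_timeout_s)
    if max_lifetime <= timedelta(0) or idle_timeout <= timedelta(0):
        raise ValueError("session durations must be positive")
    if max_lifetime > PLATFORM_MAX_SESSION:
        raise ValueError(
            f"max_lifetime {max_lifetime} exceeds platform ceiling {PLATFORM_MAX_SESSION}"
        )
    if idle_timeout > max_lifetime:
        raise ValueError("idle_timeout cannot exceed max_lifetime")
    return SessionPolicy(max_lifetime, idle_timeout)


def session_state(policy: SessionPolicy, signed_in_at: datetime,
                  last_seen_at: datetime, now: datetime) -> str:
    """Classify a session as 'active', 'expired_idle' or 'expired_lifetime'.

    The absolute lifetime is checked first: activity can extend the idle
    window but can never push a session past its lifetime cap.
    """
    if now - signed_in_at >= policy.max_lifetime:
        return "expired_lifetime"
    if now - last_seen_at >= policy.idle_timeout:
        return "expired_idle"
    return "active"


def evaluate_examples() -> dict:
    """Constructed sample: an 8 h lifetime with a 30 min idle timeout."""
    policy = validate_policy(8 * 3600, 30 * 60)
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # sign-in (constructed)
    return {
        # 10 minutes in, still active
        "fresh": session_state(policy, t0, t0, t0 + timedelta(minutes=10)),
        # last request 35 minutes ago: idle timeout wins
        "idle": session_state(policy, t0, t0 + timedelta(minutes=10),
                              t0 + timedelta(minutes=45)),
        # active 5 minutes ago, but 8 hours since sign-in: lifetime wins
        "lifetime": session_state(policy, t0, t0 + timedelta(hours=7, minutes=55),
                                  t0 + timedelta(hours=8)),
    }


if __name__ == "__main__":
    print(evaluate_examples())
```

Keeping the ceiling as a module constant that only `validate_policy` consults is the point of the "no knobs" wording above: an org setting above 24 hours is rejected at configuration time, so there is no code path that has to remember to clamp it later.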

Password policy

Rotation cadence (30 / 60 / 90 / 180 / 365 / never), length + complexity rules, MFA-required toggle. Enforced by Clerk on every sign-in.

SAML 2.0 + OIDC SSO

First-class wizards for Okta, Microsoft Entra ID, and Google Workspace. Any compliant IdP works through Custom SAML / Custom OIDC.

Append-only audit log

Every session, password, and SSO change captures actor + timestamp + before/after. Exported in the SOC 2 evidence bundle. Enforced at the database level: any UPDATE or DELETE against the log table raises an error and is rejected.
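To show what "enforced at the database level" means in practice, here is an added example (not Toretto's schema or code) of an append-only audit table whose UPDATE and DELETE paths are blocked by triggers in the database itself, so no application bug or privileged API call can rewrite history. It uses SQLite as a stand-in for the production database; the table name, columns and the sample change are assumptions of this example.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Assumed schema for this example. The two triggers are the enforcement:
# the database aborts any UPDATE or DELETE before it touches a row.
SCHEMA = """
CREATE TABLE auth_policy_audit (
    id          INTEGER PRIMARY KEY,
    org_id      TEXT NOT NULL,
    actor_id    TEXT NOT NULL,
    occurred_at TEXT NOT NULL,
    setting     TEXT NOT NULL,
    before      TEXT,
    after       TEXT NOT NULL
);
-- Rows may only ever be inserted.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON auth_policy_audit
BEGIN SELECT RAISE(ABORT, 'auth_policy_audit is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON auth_policy_audit
BEGIN SELECT RAISE(ABORT, 'auth_policy_audit is append-only'); END;
"""


def open_audit_db() -> sqlite3.Connection:
    """In-memory database with the append-only table and its triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_change(conn, org_id, actor_id, setting, before, after) -> int:
    """Append one row (actor + timestamp + before/after) and return its id."""
    cur = conn.execute(
        "INSERT INTO auth_policy_audit "
        "(org_id, actor_id, occurred_at, setting, before, after) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (org_id, actor_id, datetime.now(timezone.utc).isoformat(),
         setting, json.dumps(before), json.dumps(after)),
    )
    conn.commit()
    return cur.lastrowid


def try_tamper(conn, row_id) -> dict:
    """Attempt to rewrite, then erase, an audit row; report what the DB did.

    Both attempts are expected to fail: SQLite reports RAISE(ABORT) from a
    trigger as a constraint violation, and the statement is rolled back.
    """
    attempts = {
        "update": ("UPDATE auth_policy_audit SET after = ? WHERE id = ?",
                   (json.dumps({"max_session_hours": 999}), row_id)),
        "delete": ("DELETE FROM auth_policy_audit WHERE id = ?", (row_id,)),
    }
    results = {}
    for label, (sql, params) in attempts.items():
        try:
            conn.execute(sql, params)
            conn.commit()
            results[label] = "allowed"
        except sqlite3.DatabaseError as exc:
            conn.rollback()
            results[label] = f"refused: {exc}"
    return results


def row_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM auth_policy_audit").fetchone()[0]


if __name__ == "__main__":
    db = open_audit_db()
    rid = record_change(db, "org_demo", "user_it_lead",
                        "session.max_lifetime_hours", 12, 8)  # constructed change
    print(try_tamper(db, rid), "rows:", row_count(db))
```

Because the triggers live in the schema, the guarantee holds for every client of the database, including ad-hoc SQL run by an operator, which is what makes the log usable as SOC 2 evidence rather than a best-effort application log.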

Why it matters

  • Close enterprise deals without custom work. The IT-security questionnaire every mid-market shipper sends includes “configurable session TTL”, “password rotation”, and “SSO against our IdP”. Shipping all three out of the box is the difference between a smooth pilot and a 6-week integration ticket.
  • SOC 2 evidence by construction. The append-only audit log is exactly what an auditor wants for CC6.1 (logical access controls). No after-the-fact log scraping required.
  • Delegate auth to your security lead. auth_policy:view and auth_policy:manage are distinct from org:settings. Your IT lead can own the auth posture without inheriting branding + billing scope they don't need.
  • No custom auth code on your side. We use Clerk's hosted auth. You configure the policy; the platform implements it. No SAML library to audit, no password-hash storage to worry about.

Supported IdPs

Okta

Microsoft Entra ID (Active Directory)

Google Workspace

Custom SAML 2.0

Custom OIDC

Okta / Entra / Google ship with stepwise setup wizards (screenshots + labels matching the IdP's admin console). Custom SAML / OIDC paths expose the raw entity ID and ACS URL so any compliant IdP works.

Available on the Enterprise plan. Session and password policy are available on every plan. SSO connections require Enterprise — the upgrade path is self-serve from /settings/billing, no sales call required.