Operations
Single sign-on (SSO)
Setting up SSO with Microsoft Entra ID, Okta, Google Workspace, or any SAML 2.0 provider — £49/mo add-on.
Setting up SSO with Entra, Okta or Google Workspace
Single sign-on lets your team log in to Thawly using your existing identity provider — Microsoft Entra ID, Okta, Google Workspace, or any standards-compliant SAML 2.0 identity provider. SSO is available on every paid plan as a £49/month add-on (annual billing available).
Why most teams add SSO
- IT-strict procurement. Some buyers can't approve a tool that doesn't sit behind their identity provider.
- Joiner / leaver handling. Deactivating a user in Entra or Okta removes their Thawly access automatically — no separate offboarding step.
- Audit trail. Sign-in events flow into your IdP's logs alongside everything else your team uses.
You don't need SSO to use Thawly. Every paid plan already supports unlimited seats with email + password sign-in via Clerk, Thawly's auth provider. SSO is for teams whose IT policy requires federated authentication.
How to buy SSO
- Sign in to Thawly and open Billing.
- Find the Single sign-on add-on card under the tier grid.
- Click Add SSO — £49/mo and complete Stripe checkout.
- You'll receive a confirmation email immediately.
SSO is billed alongside your existing subscription — same renewal date, same invoice line.
Activation timeline
We activate SSO within 1 business day of purchase. You'll receive a follow-up email when activation is complete with a link to Settings → Single sign-on to connect your IdP.
Why not instant? SSO uses Clerk's SAML integration, which we provision per-customer to keep your IdP configuration isolated. Activation is a manual step on our side. We'd rather take a working day to do it properly than ship a half-configured connection.
Supported identity providers
- Microsoft Entra ID (formerly Azure Active Directory)
- Okta (Workforce Identity)
- Google Workspace (Cloud Identity)
- Any SAML 2.0 provider — OneLogin, Auth0, JumpCloud, Ping, Duo, etc.
If your IdP supports SAML 2.0, it's supported. If you're not sure, email hello@thawly.co.uk with the IdP name and we'll confirm.
Connecting your IdP
After activation, head to Settings → Single sign-on in your Thawly account. You'll see a Clerk-hosted connection panel that walks you through the SAML metadata exchange.
The high-level flow is the same for every provider:
- Thawly gives you an ACS (Assertion Consumer Service) URL and an Entity ID.
- You create a SAML application in your IdP and paste in those two values.
- Your IdP gives you a metadata URL (or an XML file).
- You paste the metadata URL back into Thawly's connection panel.
- Thawly verifies the connection and you can immediately test sign-in.
The exact UI varies between Entra, Okta and Google Workspace, but the values exchanged are identical.
Quick links to provider docs
- Microsoft Entra — set up SAML SSO for an enterprise application
- Okta — create a SAML integration using AIW
- Google Workspace — set up SSO with a custom SAML app
After connection
- New users signing in via your IdP for the first time are auto-provisioned into your Thawly organisation.
- Removing a user from your IdP revokes their Thawly access on the next sign-in attempt.
- Email + password fallback can be disabled per-org if your security policy requires SSO-only access — email hello@thawly.co.uk.
Cancelling the SSO add-on
You can cancel SSO any time from Billing → Manage subscription in Stripe. Your team falls back to email + password sign-in at the end of the current billing period; no Thawly data is lost.
Pricing summary
| Item | Price |
|---|---|
| SSO add-on (monthly) | £49 / mo |
| SSO add-on (annual) | £490 / yr (10-for-12) |
| Setup fee | None |
| Per-user charge | None — unlimited seats on every paid plan |
If something's not working, email hello@thawly.co.uk with your IdP name and we'll get on it.