SSO Fallback — Descope Behind Clerk (stub)
Status: Stub. This path is documented so the Sprint 76 prebuild gate (scripts/verify-clerk-saml-plan.ts) can surface it as the remediation when Clerk's SAML plan tier is insufficient. It is not enabled by default and requires a follow-up sprint to stand up.
When this applies
- The Clerk plan backing Jiffy does not expose enterprise_sso_providers (i.e., SAML is not enabled).
- A specific customer IdP has documented incompatibility with Clerk's native SAML flow (e.g., quirky ADFS deployments).
High-level sketch
- Provision the customer IdP in Descope; Descope becomes the SAML terminator.
- Wire Descope as an OIDC identity source to Clerk.
- Clerk issues the final Jiffy session token; Descope acts as a pre-flight.
- Jiffy staff provisioning UI at /admin/sso is replaced by Descope's native connection flow for the duration of the fallback.
What this sprint does NOT ship
- Descope tenant, API key, or tenant-to-org mapping.
- Token-exchange shim between Descope and Clerk.
- SOC 2 sub-processor review for Descope.
If you are reading this doc because the prebuild gate halted a build, the correct next step is to upgrade the Clerk plan. Only escalate to this fallback if that upgrade path is blocked for business reasons.