From 7460da39ffba7b96b49126632657616718bbbe6a Mon Sep 17 00:00:00 2001
From: Iago Dahlem Lorensini <iagodahlemlorensini@gmail.com>
Date: Wed, 10 Jun 2026 12:46:08 -0300
Subject: [PATCH 1/5] refactor(ui): make ResetConnectionDialog context-free

---
 .../ConfigureSSO/ResetConnectionDialog.tsx    | 35 +++++++++++--------
 .../__tests__/ResetConnectionDialog.test.tsx  | 34 ++++++------------
 .../components/ConfigureSSO/elements/Step.tsx |  7 +++-
 .../ConfigureSSO/steps/ConfirmationStep.tsx   |  6 ++++
 4 files changed, 42 insertions(+), 40 deletions(-)

diff --git a/packages/ui/src/components/ConfigureSSO/ResetConnectionDialog.tsx b/packages/ui/src/components/ConfigureSSO/ResetConnectionDialog.tsx
index c35bbf9bb46..dea7a27364c 100644
--- a/packages/ui/src/components/ConfigureSSO/ResetConnectionDialog.tsx
+++ b/packages/ui/src/components/ConfigureSSO/ResetConnectionDialog.tsx
@@ -8,17 +8,22 @@ import { Modal } from '@/elements/Modal';
 import { useFormControl } from '@/ui/utils/useFormControl';
 import { handleError } from '@/utils/errorHandler';
 
-import { useConfigureSSO } from './ConfigureSSOContext';
-
 type ResetConnectionDialogProps = {
   isOpen: boolean;
   onClose: () => void;
+  /** The value the user must type to confirm (the organization name). */
   confirmationValue: string;
+  /**
+   * The host-bound delete action, awaited on confirm before the dialog closes.
+   * The dialog is context-free: hosts (wizard footers, the Security page
+   * overview) bind the connection id and mutation themselves.
+   */
+  onDelete: () => Promise<unknown>;
+  /** The host's scrollable content container — the modal portals into it. */
+  contentRef: React.RefObject<HTMLDivElement>;
 };
 
 export const ResetConnectionDialog = (props: ResetConnectionDialogProps): JSX.Element | null => {
-  const { contentRef } = useConfigureSSO();
-
   if (!props.isOpen) {
     return null;
   }
@@ -27,7 +32,7 @@ export const ResetConnectionDialog = (props: ResetConnectionDialogProps): JSX.El
     <Modal
       handleClose={props.onClose}
       canCloseModal={false}
-      portalRoot={contentRef}
+      portalRoot={props.contentRef}
       containerSx={t => ({
         alignItems: 'center',
         position: 'absolute',
@@ -44,9 +49,8 @@ export const ResetConnectionDialog = (props: ResetConnectionDialogProps): JSX.El
 };
 
 const ResetConnectionDialogContent = withCardStateProvider((props: ResetConnectionDialogProps) => {
-  const { onClose, confirmationValue } = props;
+  const { onClose, onDelete, confirmationValue } = props;
   const card = useCardState();
-  const { enterpriseConnection, mutations } = useConfigureSSO();
 
   const confirmationField = useFormControl('deleteConfirmation', '', {
     type: 'text',
@@ -60,18 +64,19 @@ const ResetConnectionDialogContent = withCardStateProvider((props: ResetConnecti
   const canSubmit = Boolean(confirmationValue && confirmationField.value === confirmationValue);
 
   const onSubmit = async () => {
-    if (!enterpriseConnection || !canSubmit) {
+    if (!canSubmit) {
       return;
     }
 
     try {
-      // Reset is a pure delete — no navigation. Dropping `hasConnection` breaks
-      // the active step's entry guard, so the wizard self-corrects to the
-      // furthest-reachable step. The mutation is already reverification-wrapped.
-      // No `useWizard()` here — that lets this dialog be triggered from ANY
-      // footer (including the nested SAML configure footers) without binding to
-      // a nested wizard.
-      await mutations.deleteConnection(enterpriseConnection.id);
+      // Reset is a pure delete — no navigation. The host binds the delete
+      // mutation; in the wizard, dropping `hasConnection` breaks the active
+      // step's entry guard and the machine self-corrects to the
+      // furthest-reachable step. No `useWizard()` (or any context) here — that
+      // lets this dialog be triggered from ANY footer (including the nested
+      // SAML configure footers) and from the Security page overview without
+      // binding to a wizard.
+      await onDelete();
       onClose();
     } catch (err) {
       handleError(err as Error, [confirmationField], card.setError);
diff --git a/packages/ui/src/components/ConfigureSSO/__tests__/ResetConnectionDialog.test.tsx b/packages/ui/src/components/ConfigureSSO/__tests__/ResetConnectionDialog.test.tsx
index d16271cd6fe..21055b49410 100644
--- a/packages/ui/src/components/ConfigureSSO/__tests__/ResetConnectionDialog.test.tsx
+++ b/packages/ui/src/components/ConfigureSSO/__tests__/ResetConnectionDialog.test.tsx
@@ -1,34 +1,19 @@
-import type { EnterpriseConnectionResource } from '@clerk/shared/types';
 import { describe, expect, it, vi } from 'vitest';
 
 import { bindCreateFixtures } from '@/test/create-fixtures';
 import { render, screen, waitFor } from '@/test/utils';
 import { CardStateProvider } from '@/ui/elements/contexts';
 
-// The dialog no longer touches the wizard. On confirm it calls the
-// reverification-wrapped `mutations.deleteConnection(id)` directly — a pure
-// delete, no navigation — and the wizard self-corrects to the
-// furthest-reachable step once the active step's guard breaks. That lets the
-// dialog be triggered from ANY footer (including nested SAML configure footers)
-// without binding to a nested wizard.
-const deleteConnection = vi.fn();
-
-const connectionMockState = vi.hoisted(() => ({
-  current: { id: 'idn_connection_1' } as Partial<EnterpriseConnectionResource> | null,
-}));
-
-vi.mock('../ConfigureSSOContext', () => ({
-  useConfigureSSO: () => ({
-    enterpriseConnection: connectionMockState.current,
-    contentRef: { current: null },
-    // The dialog's confirm calls the reverification-wrapped `deleteConnection`
-    // mutation directly. No navigation — the wizard self-corrects.
-    mutations: { deleteConnection },
-  }),
-}));
-
 import { ResetConnectionDialog } from '../ResetConnectionDialog';
 
+// The dialog is context-free. On confirm it awaits the host-bound `onDelete`
+// action — a pure delete, no navigation — and in the wizard the machine
+// self-corrects to the furthest-reachable step once the active step's guard
+// breaks. That lets the dialog be triggered from ANY footer (including nested
+// SAML configure footers) and from the Security page overview without binding
+// to a wizard.
+const deleteConnection = vi.fn();
+
 const { createFixtures } = bindCreateFixtures('ConfigureSSO');
 
 const renderDialog = (
@@ -42,6 +27,8 @@ const renderDialog = (
         isOpen={props.isOpen ?? true}
         onClose={onClose}
         confirmationValue={props.confirmationValue ?? 'Acme Inc'}
+        onDelete={() => deleteConnection('idn_connection_1')}
+        contentRef={{ current: null }}
       />
     </CardStateProvider>,
     { wrapper },
@@ -52,7 +39,6 @@ const renderDialog = (
 const resetMocks = () => {
   deleteConnection.mockReset();
   deleteConnection.mockResolvedValue(undefined);
-  connectionMockState.current = { id: 'idn_connection_1' };
 };
 
 describe('ResetConnectionDialog', () => {
diff --git a/packages/ui/src/components/ConfigureSSO/elements/Step.tsx b/packages/ui/src/components/ConfigureSSO/elements/Step.tsx
index 96c70eaadd8..52139c52bc7 100644
--- a/packages/ui/src/components/ConfigureSSO/elements/Step.tsx
+++ b/packages/ui/src/components/ConfigureSSO/elements/Step.tsx
@@ -206,7 +206,7 @@ FooterContinue.displayName = 'Step.Footer.Continue';
  * footer row, matching the prior destructive affordance.
  */
 const FooterReset = (): JSX.Element | null => {
-  const { organizationEnterpriseConnection: c } = useConfigureSSO();
+  const { organizationEnterpriseConnection: c, enterpriseConnection, mutations, contentRef } = useConfigureSSO();
   const organization = __internal_useOrganizationBase();
   const [isOpen, setIsOpen] = useState(false);
 
@@ -229,6 +229,11 @@ const FooterReset = (): JSX.Element | null => {
         isOpen={isOpen}
         onClose={() => setIsOpen(false)}
         confirmationValue={organization?.name ?? ''}
+        // The footer self-hides without a connection (`hasConnection` above),
+        // so the resource is guaranteed to be set at this point.
+        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+        onDelete={() => mutations.deleteConnection(enterpriseConnection!.id)}
+        contentRef={contentRef}
       />
     </>
   );
diff --git a/packages/ui/src/components/ConfigureSSO/steps/ConfirmationStep.tsx b/packages/ui/src/components/ConfigureSSO/steps/ConfirmationStep.tsx
index 6e1a29d3fea..8dc34be7323 100644
--- a/packages/ui/src/components/ConfigureSSO/steps/ConfirmationStep.tsx
+++ b/packages/ui/src/components/ConfigureSSO/steps/ConfirmationStep.tsx
@@ -254,6 +254,7 @@ const ConfigurationDetailsSection = (): JSX.Element => {
 };
 
 const ResetConnectionSection = (): JSX.Element => {
+  const { enterpriseConnection, mutations, contentRef } = useConfigureSSO();
   const { organization } = useOrganization();
   const [isOpen, setIsOpen] = useState(false);
 
@@ -277,6 +278,11 @@ const ResetConnectionSection = (): JSX.Element => {
         isOpen={isOpen}
         onClose={() => setIsOpen(false)}
         confirmationValue={organization?.name ?? ''}
+        // The confirmation step is only reachable with a connection, so the
+        // resource is guaranteed to be set at this point.
+        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+        onDelete={() => mutations.deleteConnection(enterpriseConnection!.id)}
+        contentRef={contentRef}
       />
     </ProfileSection.Root>
   );

From 33df3df54eb664ce96a1ab48db9df6c065b05219 Mon Sep 17 00:00:00 2001
From: Iago Dahlem Lorensini <iagodahlemlorensini@gmail.com>
Date: Wed, 10 Jun 2026 12:46:17 -0300
Subject: [PATCH 2/5] feat(localizations,shared): add Security page SSO
 overview localization

---
 packages/localizations/src/en-US.ts       | 24 +++++++++++++++++++++++
 packages/shared/src/types/localization.ts | 23 ++++++++++++++++++++++
 2 files changed, 47 insertions(+)

diff --git a/packages/localizations/src/en-US.ts b/packages/localizations/src/en-US.ts
index b6d14fad930..2a33cc67cb6 100644
--- a/packages/localizations/src/en-US.ts
+++ b/packages/localizations/src/en-US.ts
@@ -1066,6 +1066,30 @@ export const enUS: LocalizationResource = {
       successMessage: '{{domain}} has been removed.',
       title: 'Remove domain',
     },
+    securityPage: {
+      ssoSection: {
+        badge__active: 'Active',
+        badge__inactive: 'Inactive',
+        badge__inProgress: 'In Progress',
+        badge__unconfigured: 'Unconfigured',
+        certificateLabel: 'Certificate',
+        description: 'Configure to require organization members to sign in through your identity provider',
+        description__configured:
+          'Configure SSO to require organization members to sign in through your identity provider',
+        domainLabel: 'Domain',
+        enableSsoLabel: 'Enable SSO',
+        issuerLabel: 'Issuer',
+        menuAction__delete: 'Delete',
+        menuAction__edit: 'Edit',
+        primaryButton__continueConfiguration: 'Continue configuration',
+        primaryButton__startConfiguration: 'Start configuration',
+        providerLabel: 'Provider',
+        signOnUrlLabel: 'Sign on URL',
+        startedNotFinished: 'You have started a configuration but haven’t finished',
+        title: 'SSO',
+      },
+      title: 'Security',
+    },
     start: {
       headerTitle__general: 'General',
       headerTitle__members: 'Members',
diff --git a/packages/shared/src/types/localization.ts b/packages/shared/src/types/localization.ts
index 5b4feb90948..c3392f3c548 100644
--- a/packages/shared/src/types/localization.ts
+++ b/packages/shared/src/types/localization.ts
@@ -1130,6 +1130,29 @@ export type __internal_LocalizationResource = {
       messageLine2: LocalizationValue;
       successMessage: LocalizationValue;
     };
+    securityPage: {
+      title: LocalizationValue;
+      ssoSection: {
+        title: LocalizationValue;
+        badge__unconfigured: LocalizationValue;
+        badge__inProgress: LocalizationValue;
+        badge__active: LocalizationValue;
+        badge__inactive: LocalizationValue;
+        description: LocalizationValue;
+        description__configured: LocalizationValue;
+        startedNotFinished: LocalizationValue;
+        primaryButton__startConfiguration: LocalizationValue;
+        primaryButton__continueConfiguration: LocalizationValue;
+        enableSsoLabel: LocalizationValue;
+        providerLabel: LocalizationValue;
+        domainLabel: LocalizationValue;
+        signOnUrlLabel: LocalizationValue;
+        issuerLabel: LocalizationValue;
+        certificateLabel: LocalizationValue;
+        menuAction__edit: LocalizationValue;
+        menuAction__delete: LocalizationValue;
+      };
+    };
     membersPage: {
       detailsTitle__emptyRow: LocalizationValue;
       action__invite: LocalizationValue;

From 86addc45d48ba7b8e054c9cfa3f30174d702f574 Mon Sep 17 00:00:00 2001
From: Iago Dahlem Lorensini <iagodahlemlorensini@gmail.com>
Date: Wed, 10 Jun 2026 12:46:27 -0300
Subject: [PATCH 3/5] feat(ui,shared): render the organization Security page
 SSO overview

---
 .changeset/orange-pandas-shake.md             |   7 +
 packages/shared/src/types/elementIds.ts       |   9 +-
 .../OrganizationSecurityPage.tsx              |  73 ++-
 .../SecuritySsoSection.tsx                    | 498 ++++++++++++++++++
 .../OrganizationSecurityPage.test.tsx         | 299 +++++++++++
 .../src/customizables/elementDescriptors.ts   |  13 +
 packages/ui/src/elements/Section.tsx          |  13 +-
 packages/ui/src/internal/appearance.ts        |  13 +
 8 files changed, 911 insertions(+), 14 deletions(-)
 create mode 100644 .changeset/orange-pandas-shake.md
 create mode 100644 packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx
 create mode 100644 packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx

diff --git a/.changeset/orange-pandas-shake.md b/.changeset/orange-pandas-shake.md
new file mode 100644
index 00000000000..280d85dc93c
--- /dev/null
+++ b/.changeset/orange-pandas-shake.md
@@ -0,0 +1,7 @@
+---
+'@clerk/localizations': patch
+'@clerk/shared': patch
+'@clerk/ui': patch
+---
+
+Add an overview to the organization profile Security page. The page now lands on a summary of the SSO connection — status badge (Unconfigured, In Progress, Active, Inactive), an Enable SSO toggle, and the provider, domain, sign-on URL, issuer, and certificate details — with Edit and Delete actions, and switches into the existing configuration flow on Start, Continue, or Edit.
diff --git a/packages/shared/src/types/elementIds.ts b/packages/shared/src/types/elementIds.ts
index 336279a9a07..bc03eced10d 100644
--- a/packages/shared/src/types/elementIds.ts
+++ b/packages/shared/src/types/elementIds.ts
@@ -53,6 +53,7 @@ export type ProfileSectionId =
   | 'manageVerifiedDomains'
   | 'subscriptionsList'
   | 'paymentMethods'
+  | 'sso'
   | 'ssoStatus'
   | 'enableSso'
   | 'ssoDomain'
@@ -61,7 +62,13 @@ export type ProfileSectionId =
   | 'resetSso'
   | 'testSsoUrl'
   | 'testResults';
-export type ProfilePageId = 'account' | 'security' | 'organizationGeneral' | 'organizationMembers' | 'billing';
+export type ProfilePageId =
+  | 'account'
+  | 'security'
+  | 'organizationGeneral'
+  | 'organizationMembers'
+  | 'organizationSecurity'
+  | 'billing';
 
 export type UserPreviewId = 'userButton' | 'personalWorkspace';
 export type OrganizationPreviewId =
diff --git a/packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx b/packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx
index 87ff924593d..7fe52fd244a 100644
--- a/packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx
+++ b/packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx
@@ -1,9 +1,15 @@
 import { useOrganization } from '@clerk/shared/react';
+import { useState } from 'react';
 
+import { Header } from '@/ui/elements/Header';
+import { ProfileCard } from '@/ui/elements/ProfileCard';
+
+import { Col, descriptors, localizationKeys } from '../../customizables';
 import { ConfigureSSOProtect } from '../ConfigureSSO/ConfigureSSO';
 import { ConfigureSSOSkeleton } from '../ConfigureSSO/ConfigureSSOSkeleton';
 import { ConfigureSSOWizard } from '../ConfigureSSO/ConfigureSSOWizard';
 import { useOrganizationEnterpriseConnection } from '../ConfigureSSO/hooks/useOrganizationEnterpriseConnection';
+import { SecuritySsoSection } from './SecuritySsoSection';
 
 type OrganizationSecurityPageProps = {
   contentRef: React.RefObject<HTMLDivElement>;
@@ -20,10 +26,18 @@ export const OrganizationSecurityPage = ({ contentRef }: OrganizationSecurityPag
   return <OrganizationSecurityPageContent contentRef={contentRef} />;
 };
 
-/** Separate from the page so the connection hook only runs behind the organization check. */
+/**
+ * The page-owned data layer: fetches through the umbrella hook ONCE, gates
+ * loading and permission, and injects the resolved data down — as props into
+ * the overview section, or into the pure `ConfigureSSOWizard` (which mounts its
+ * own provider). A separate component below the page (rather than inlined into
+ * it) so the connection hook only ever runs behind the page's organization
+ * check.
+ */
 const OrganizationSecurityPageContent = ({ contentRef }: OrganizationSecurityPageProps) => {
   const {
     isLoading,
+    organization,
     enterpriseConnection,
     organizationEnterpriseConnection,
     testRuns,
@@ -31,21 +45,60 @@ const OrganizationSecurityPageContent = ({ contentRef }: OrganizationSecurityPag
     primaryEmailAddress,
   } = useOrganizationEnterpriseConnection();
 
-  // Gate loading above the provider so the context never observes a loading state.
+  // The page always lands on the overview; the wizard is entered explicitly via
+  // Start / Continue / Edit. There is no back-from-wizard affordance yet —
+  // returning is a reload for now; a follow-up adds the wizard-header button.
+  const [view, setView] = useState<'overview' | 'wizard'>('overview');
+
+  // Gate loading one level above both views so neither ever observes a loading
+  // state. The single test-run source is part of this initial fetch when a
+  // connection exists at load, so the overview's status (and a cold landing on
+  // the wizard's test step) is covered by the full skeleton here.
   if (isLoading) {
     return <ConfigureSSOSkeleton />;
   }
 
   return (
     <ConfigureSSOProtect>
-      <ConfigureSSOWizard
-        organizationEnterpriseConnection={organizationEnterpriseConnection}
-        testRuns={testRuns}
-        enterpriseConnection={enterpriseConnection}
-        contentRef={contentRef}
-        mutations={mutations}
-        primaryEmailAddress={primaryEmailAddress}
-      />
+      {view === 'overview' ? (
+        <ProfileCard.Page>
+          <Col
+            elementDescriptor={descriptors.page}
+            sx={t => ({ gap: t.space.$8 })}
+          >
+            <Col
+              elementDescriptor={descriptors.profilePage}
+              elementId={descriptors.profilePage.setId('organizationSecurity')}
+            >
+              <Header.Root>
+                <Header.Title
+                  localizationKey={localizationKeys('organizationProfile.securityPage.title')}
+                  sx={t => ({ marginBottom: t.space.$4 })}
+                  textVariant='h2'
+                />
+              </Header.Root>
+              <SecuritySsoSection
+                connection={organizationEnterpriseConnection}
+                enterpriseConnection={enterpriseConnection}
+                setConnectionActive={mutations.setConnectionActive}
+                deleteConnection={mutations.deleteConnection}
+                organizationName={organization?.name ?? ''}
+                contentRef={contentRef}
+                onConfigure={() => setView('wizard')}
+              />
+            </Col>
+          </Col>
+        </ProfileCard.Page>
+      ) : (
+        <ConfigureSSOWizard
+          organizationEnterpriseConnection={organizationEnterpriseConnection}
+          testRuns={testRuns}
+          enterpriseConnection={enterpriseConnection}
+          contentRef={contentRef}
+          mutations={mutations}
+          primaryEmailAddress={primaryEmailAddress}
+        />
+      )}
     </ConfigureSSOProtect>
   );
 };
diff --git a/packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx b/packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx
new file mode 100644
index 00000000000..b68945d89a8
--- /dev/null
+++ b/packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx
@@ -0,0 +1,498 @@
+import { iconImageUrl } from '@clerk/shared/constants';
+import type { EnterpriseConnectionResource } from '@clerk/shared/types';
+import type { PropsWithChildren } from 'react';
+import { useId, useState } from 'react';
+
+import { Card } from '@/ui/elements/Card';
+import { CardStateProvider, useCardState } from '@/ui/elements/contexts';
+import { ProfileSection } from '@/ui/elements/Section';
+import { Switch } from '@/ui/elements/Switch';
+import { ThreeDotsMenu } from '@/ui/elements/ThreeDotsMenu';
+import { handleError } from '@/utils/errorHandler';
+
+import type { LocalizationKey } from '../../customizables';
+import { Badge, Button, Col, descriptors, Flex, Link, localizationKeys, Span, Text } from '../../customizables';
+import type {
+  OrganizationEnterpriseConnection,
+  OrganizationEnterpriseConnectionStatus,
+} from '../ConfigureSSO/domain/organizationEnterpriseConnection';
+import type { EnterpriseConnectionMutations } from '../ConfigureSSO/hooks/useOrganizationEnterpriseConnection';
+import { ResetConnectionDialog } from '../ConfigureSSO/ResetConnectionDialog';
+import type { ProviderType } from '../ConfigureSSO/types';
+
+/**
+ * Presentational, props-driven: the Security page owns the data (one
+ * `useOrganizationEnterpriseConnection()` call) and injects everything the
+ * overview needs here. No `useConfigureSSO` / wizard context below the page.
+ */
+type SecuritySsoSectionProps = {
+  /** The display-facing domain entity — `status` drives the per-state rendering. */
+  connection: OrganizationEnterpriseConnection;
+  /** The raw connection resource backing the detail rows (provider, domains, SAML config). */
+  enterpriseConnection: EnterpriseConnectionResource | undefined;
+  setConnectionActive: EnterpriseConnectionMutations['setConnectionActive'];
+  deleteConnection: EnterpriseConnectionMutations['deleteConnection'];
+  /** The delete dialog's type-to-confirm value. */
+  organizationName: string;
+  /** The delete dialog's portal root. */
+  contentRef: React.RefObject<HTMLDivElement>;
+  /** Start / Continue / Edit — the host switches the page to the wizard view. */
+  onConfigure: () => void;
+};
+
+const STATUS_BADGES: Record<
+  OrganizationEnterpriseConnectionStatus,
+  { id: string; colorScheme: 'danger' | 'warning' | 'success'; label: LocalizationKey }
+> = {
+  unconfigured: {
+    id: 'unconfigured',
+    colorScheme: 'danger',
+    label: localizationKeys('organizationProfile.securityPage.ssoSection.badge__unconfigured'),
+  },
+  in_progress: {
+    id: 'inProgress',
+    colorScheme: 'warning',
+    label: localizationKeys('organizationProfile.securityPage.ssoSection.badge__inProgress'),
+  },
+  active: {
+    id: 'active',
+    colorScheme: 'success',
+    label: localizationKeys('organizationProfile.securityPage.ssoSection.badge__active'),
+  },
+  inactive: {
+    id: 'inactive',
+    colorScheme: 'danger',
+    label: localizationKeys('organizationProfile.securityPage.ssoSection.badge__inactive'),
+  },
+};
+
+/**
+ * Provider icons whose SVGs are monochromatic and should flip with the theme.
+ * Mirrors the SUPPORTS_MASK_IMAGE list in `common/ProviderIcon.tsx` and the
+ * select-provider step — keep in sync if any of them grows.
+ */
+const MONOCHROMATIC_PROVIDER_ICONS: ReadonlySet<string> = new Set(['okta']);
+
+/** Reuses the select-provider step's labels/icons so the overview can never disagree with the wizard. */
+const PROVIDER_PRESENTATION: Record<ProviderType, { label: LocalizationKey; iconId: string }> = {
+  saml_okta: { label: localizationKeys('configureSSO.selectProviderStep.saml.okta'), iconId: 'okta' },
+  saml_microsoft: { label: localizationKeys('configureSSO.selectProviderStep.saml.microsoft'), iconId: 'microsoft' },
+  saml_google: { label: localizationKeys('configureSSO.selectProviderStep.saml.google'), iconId: 'google' },
+  saml_custom: { label: localizationKeys('configureSSO.selectProviderStep.saml.customSaml'), iconId: 'saml' },
+};
+
+export const SecuritySsoSection = (props: SecuritySsoSectionProps): JSX.Element => {
+  const { connection, onConfigure } = props;
+  const badge = STATUS_BADGES[connection.status];
+  const isConfigured = connection.status === 'active' || connection.status === 'inactive';
+
+  return (
+    <ProfileSection.Root
+      title={localizationKeys('organizationProfile.securityPage.ssoSection.title')}
+      id='sso'
+      centered={false}
+      badge={
+        <Badge
+          elementDescriptor={descriptors.organizationProfileSecuritySsoBadge}
+          elementId={descriptors.organizationProfileSecuritySsoBadge.setId(badge.id)}
+          colorScheme={badge.colorScheme}
+          localizationKey={badge.label}
+        />
+      }
+    >
+      {connection.status === 'unconfigured' && (
+        <NotConfiguredContent
+          primaryButtonKey={localizationKeys(
+            'organizationProfile.securityPage.ssoSection.primaryButton__startConfiguration',
+          )}
+          primaryButtonId='start'
+          onConfigure={onConfigure}
+        />
+      )}
+
+      {connection.status === 'in_progress' && (
+        <NotConfiguredContent
+          noticeKey={localizationKeys('organizationProfile.securityPage.ssoSection.startedNotFinished')}
+          primaryButtonKey={localizationKeys(
+            'organizationProfile.securityPage.ssoSection.primaryButton__continueConfiguration',
+          )}
+          primaryButtonId='continue'
+          onConfigure={onConfigure}
+        />
+      )}
+
+      {isConfigured && (
+        // The toggle's optimistic error state lives in its own card scope so it
+        // can never bleed into another surface (the wizard steps own theirs).
+        <CardStateProvider>
+          <ConfiguredContent {...props} />
+        </CardStateProvider>
+      )}
+    </ProfileSection.Root>
+  );
+};
+
+type NotConfiguredContentProps = {
+  /** The in-progress "started but haven't finished" line, when applicable. */
+  noticeKey?: LocalizationKey;
+  primaryButtonKey: LocalizationKey;
+  primaryButtonId: string;
+  onConfigure: () => void;
+};
+
+const NotConfiguredContent = ({
+  noticeKey,
+  primaryButtonKey,
+  primaryButtonId,
+  onConfigure,
+}: NotConfiguredContentProps): JSX.Element => (
+  <Col
+    align='start'
+    gap={4}
+  >
+    <Col gap={2}>
+      <Text
+        elementDescriptor={descriptors.organizationProfileSecuritySsoDescription}
+        colorScheme='secondary'
+        localizationKey={localizationKeys('organizationProfile.securityPage.ssoSection.description')}
+      />
+      {noticeKey && (
+        <Text
+          elementDescriptor={descriptors.organizationProfileSecuritySsoInProgressNotice}
+          colorScheme='secondary'
+          localizationKey={noticeKey}
+        />
+      )}
+    </Col>
+
+    <Button
+      elementDescriptor={descriptors.organizationProfileSecuritySsoConfigureButton}
+      elementId={descriptors.organizationProfileSecuritySsoConfigureButton.setId(primaryButtonId)}
+      variant='outline'
+      size='sm'
+      onClick={onConfigure}
+      localizationKey={primaryButtonKey}
+    />
+  </Col>
+);
+
+const ConfiguredContent = (props: SecuritySsoSectionProps): JSX.Element => {
+  const { connection, enterpriseConnection, deleteConnection, organizationName, contentRef, onConfigure } = props;
+  const card = useCardState();
+  const [isResetDialogOpen, setIsResetDialogOpen] = useState(false);
+
+  const provider = connection.provider ? PROVIDER_PRESENTATION[connection.provider] : undefined;
+  const domains = enterpriseConnection?.domains ?? [];
+  const samlConnection = enterpriseConnection?.samlConnection;
+
+  return (
+    <Col gap={3}>
+      <Flex
+        align='start'
+        justify='between'
+        gap={3}
+      >
+        <Text
+          elementDescriptor={descriptors.organizationProfileSecuritySsoDescription}
+          colorScheme='secondary'
+          localizationKey={localizationKeys('organizationProfile.securityPage.ssoSection.description__configured')}
+          sx={{ minWidth: 0 }}
+        />
+
+        <ThreeDotsMenu
+          elementId='sso'
+          actions={[
+            {
+              label: localizationKeys('organizationProfile.securityPage.ssoSection.menuAction__edit'),
+              onClick: onConfigure,
+            },
+            {
+              label: localizationKeys('organizationProfile.securityPage.ssoSection.menuAction__delete'),
+              isDestructive: true,
+              onClick: () => setIsResetDialogOpen(true),
+            },
+          ]}
+        />
+      </Flex>
+
+      <Card.Alert>{card.error}</Card.Alert>
+
+      <EnableSsoToggle
+        connection={connection}
+        enterpriseConnection={enterpriseConnection}
+        setConnectionActive={props.setConnectionActive}
+      />
+
+      <Col
+        elementDescriptor={descriptors.organizationProfileSecuritySsoDetailRows}
+        gap={2}
+        // Indents the rows so the labels line up under the toggle's text label.
+        sx={t => ({ paddingInlineStart: t.space.$8 })}
+      >
+        {provider && (
+          <DetailRow
+            id='provider'
+            label={localizationKeys('organizationProfile.securityPage.ssoSection.providerLabel')}
+          >
+            <Flex
+              align='center'
+              gap={2}
+              sx={{ minWidth: 0 }}
+            >
+              <ProviderIcon iconId={provider.iconId} />
+              <Text
+                localizationKey={provider.label}
+                truncate
+              />
+            </Flex>
+          </DetailRow>
+        )}
+
+        {domains.length > 0 && (
+          <DetailRow
+            id='domain'
+            label={localizationKeys('organizationProfile.securityPage.ssoSection.domainLabel')}
+          >
+            <Flex
+              justify='end'
+              align='center'
+              wrap='wrap'
+              gap={1}
+              sx={{ minWidth: 0 }}
+            >
+              {domains.map(domain => (
+                <ValueChip
+                  key={domain}
+                  id='domain'
+                >
+                  {domain}
+                </ValueChip>
+              ))}
+            </Flex>
+          </DetailRow>
+        )}
+
+        {samlConnection?.idpSsoUrl && (
+          <DetailRow
+            id='signOnUrl'
+            label={localizationKeys('organizationProfile.securityPage.ssoSection.signOnUrlLabel')}
+          >
+            <LinkChip
+              id='signOnUrl'
+              href={samlConnection.idpSsoUrl}
+            />
+          </DetailRow>
+        )}
+
+        {samlConnection?.idpEntityId && (
+          <DetailRow
+            id='issuer'
+            label={localizationKeys('organizationProfile.securityPage.ssoSection.issuerLabel')}
+          >
+            <LinkChip
+              id='issuer'
+              href={samlConnection.idpEntityId}
+            />
+          </DetailRow>
+        )}
+
+        {samlConnection?.idpCertificate && (
+          <DetailRow
+            id='certificate'
+            label={localizationKeys('organizationProfile.securityPage.ssoSection.certificateLabel')}
+          >
+            <ValueChip id='certificate'>{samlConnection.idpCertificate}</ValueChip>
+          </DetailRow>
+        )}
+      </Col>
+
+      <ResetConnectionDialog
+        isOpen={isResetDialogOpen}
+        onClose={() => setIsResetDialogOpen(false)}
+        confirmationValue={organizationName}
+        // This content only renders for a configured (active / inactive)
+        // connection, so the resource is guaranteed to be set at this point.
+        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+        onDelete={() => deleteConnection(enterpriseConnection!.id)}
+        contentRef={contentRef}
+      />
+    </Col>
+  );
+};
+
+type EnableSsoToggleProps = Pick<
+  SecuritySsoSectionProps,
+  'connection' | 'enterpriseConnection' | 'setConnectionActive'
+>;
+
+/**
+ * Optimistic enable/disable toggle: flips immediately, reconciles with the
+ * server response, and rolls back (surfacing a card error) on failure — the
+ * same behavior as the wizard confirmation step's enable section.
+ */
+const EnableSsoToggle = ({
+  connection,
+  enterpriseConnection,
+  setConnectionActive,
+}: EnableSsoToggleProps): JSX.Element => {
+  const card = useCardState();
+  const labelId = useId();
+
+  const [isChecked, setIsChecked] = useState(connection.isActive);
+
+  const onActiveChange = async (active: boolean) => {
+    if (card.isLoading) {
+      return;
+    }
+
+    card.setError(undefined);
+    card.setLoading();
+    setIsChecked(active);
+
+    try {
+      // The toggle only renders for a configured (active / inactive)
+      // connection, so the resource is guaranteed to be set at this point.
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      const updated = await setConnectionActive(enterpriseConnection!.id, active);
+      if (updated) {
+        setIsChecked(updated.active);
+      }
+    } catch (err) {
+      setIsChecked(!active);
+      handleError(err as Error, [], card.setError);
+    } finally {
+      card.setIdle();
+    }
+  };
+
+  return (
+    <Flex
+      elementDescriptor={descriptors.organizationProfileSecuritySsoEnableRow}
+      align='center'
+      gap={2}
+    >
+      <Switch
+        isChecked={isChecked}
+        // The spec gates enabling on a successful test run; by construction the
+        // gate barely bites (an inactive status implies a successful test), but
+        // it guards the theoretical never-tested-yet-configured combination.
+        isDisabled={card.isLoading || (!connection.hasSuccessfulTestRun && !connection.isActive)}
+        onChange={active => void onActiveChange(active)}
+        aria-labelledby={labelId}
+      />
+      <Text
+        elementDescriptor={descriptors.organizationProfileSecuritySsoEnableLabel}
+        id={labelId}
+        localizationKey={localizationKeys('organizationProfile.securityPage.ssoSection.enableSsoLabel')}
+      />
+    </Flex>
+  );
+};
+
+type DetailRowProps = PropsWithChildren<{
+  id: string;
+  label: LocalizationKey;
+}>;
+
+/** A single overview detail row: gray label on the left, right-aligned value. */
+const DetailRow = ({ id, label, children }: DetailRowProps): JSX.Element => (
+  <Flex
+    elementDescriptor={descriptors.organizationProfileSecuritySsoDetailRow}
+    elementId={descriptors.organizationProfileSecuritySsoDetailRow.setId(id)}
+    align='center'
+    justify='between'
+    gap={3}
+  >
+    <Text
+      elementDescriptor={descriptors.organizationProfileSecuritySsoDetailRowLabel}
+      elementId={descriptors.organizationProfileSecuritySsoDetailRowLabel.setId(id)}
+      colorScheme='secondary'
+      localizationKey={label}
+      sx={{ flexShrink: 0, whiteSpace: 'nowrap' }}
+    />
+    {children}
+  </Flex>
+);
+
+type ValueChipProps = {
+  id: string;
+  children: string;
+};
+
+const ValueChip = ({ id, children }: ValueChipProps): JSX.Element => (
+  <Badge
+    elementDescriptor={descriptors.organizationProfileSecuritySsoDetailRowChip}
+    elementId={descriptors.organizationProfileSecuritySsoDetailRowChip.setId(id)}
+    sx={{ maxWidth: '100%', minWidth: 0 }}
+  >
+    <Text
+      as='span'
+      variant='caption'
+      truncate
+      title={children}
+      sx={{ color: 'inherit' }}
+    >
+      {children}
+    </Text>
+  </Badge>
+);
+
+type LinkChipProps = {
+  id: string;
+  href: string;
+};
+
+const LinkChip = ({ id, href }: LinkChipProps): JSX.Element => (
+  <Badge
+    elementDescriptor={descriptors.organizationProfileSecuritySsoDetailRowChip}
+    elementId={descriptors.organizationProfileSecuritySsoDetailRowChip.setId(id)}
+    sx={{ maxWidth: '100%', minWidth: 0 }}
+  >
+    <Link
+      elementDescriptor={descriptors.organizationProfileSecuritySsoDetailRowLink}
+      elementId={descriptors.organizationProfileSecuritySsoDetailRowLink.setId(id)}
+      href={href}
+      isExternal
+      title={href}
+      sx={{
+        color: 'inherit',
+        display: 'block',
+        overflow: 'hidden',
+        whiteSpace: 'nowrap',
+        textOverflow: 'ellipsis',
+        textDecoration: 'underline',
+        minWidth: 0,
+      }}
+    >
+      {href}
+    </Link>
+  </Badge>
+);
+
+/** The provider mark, mask-rendered for monochromatic SVGs so it flips with the theme. */
+const ProviderIcon = ({ iconId }: { iconId: string }): JSX.Element => (
+  <Span
+    elementDescriptor={descriptors.organizationProfileSecuritySsoProviderIcon}
+    aria-hidden
+    sx={theme => {
+      const baseSize = { width: theme.sizes.$4, height: theme.sizes.$4, flexShrink: 0 };
+      if (MONOCHROMATIC_PROVIDER_ICONS.has(iconId)) {
+        return {
+          ...baseSize,
+          backgroundColor: theme.colors.$colorForeground,
+          maskImage: `url(${iconImageUrl(iconId)})`,
+          maskSize: 'contain',
+          maskPosition: 'center',
+          maskRepeat: 'no-repeat',
+        };
+      }
+      return {
+        ...baseSize,
+        backgroundImage: `url(${iconImageUrl(iconId)})`,
+        backgroundSize: 'contain',
+        backgroundPosition: 'center',
+        backgroundRepeat: 'no-repeat',
+      };
+    }}
+  />
+);
diff --git a/packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx b/packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx
new file mode 100644
index 00000000000..ccb00310051
--- /dev/null
+++ b/packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx
@@ -0,0 +1,299 @@
+import { ClerkAPIResponseError } from '@clerk/shared/error';
+import { describe, expect, it } from 'vitest';
+
+import { bindCreateFixtures } from '@/test/create-fixtures';
+import { render, screen, waitFor } from '@/test/utils';
+
+import { OrganizationSecurityPage } from '../OrganizationSecurityPage';
+
+const { createFixtures } = bindCreateFixtures('OrganizationProfile');
+
+const withSecurityPageFixtures = (f: Parameters<Parameters<typeof createFixtures>[0]>[0]) => {
+  f.withEnterpriseSso({ selfServeSSO: true });
+  f.withEmailAddress();
+  f.withOrganizations();
+  f.withUser({
+    email_addresses: ['test@clerk.com'],
+    organization_memberships: [{ name: 'Org1', permissions: ['org:sys_entconns:manage'] }],
+  });
+};
+
+const configuredConnection = (overrides: Record<string, unknown> = {}) =>
+  ({
+    id: 'ent_1',
+    name: 'clerk.com',
+    provider: 'saml_okta',
+    active: false,
+    organizationId: 'Org1',
+    domains: ['clerk.com'],
+    samlConnection: {
+      idpSsoUrl: 'https://idp.example.com/sso',
+      idpEntityId: 'https://idp.example.com/entity',
+      idpCertificate: 'CERT',
+    },
+    ...overrides,
+  }) as any;
+
+const renderPage = (wrapper: React.ComponentType<{ children?: React.ReactNode }>) =>
+  render(<OrganizationSecurityPage contentRef={{ current: null }} />, { wrapper });
+
+describe('OrganizationSecurityPage', () => {
+  describe('overview states', () => {
+    it('renders the unconfigured state with a Start configuration action', async () => {
+      const { wrapper, fixtures } = await createFixtures(withSecurityPageFixtures);
+
+      fixtures.clerk.organization?.getEnterpriseConnections.mockResolvedValue([]);
+
+      renderPage(wrapper);
+
+      expect(await screen.findByRole('heading', { name: 'Security' })).toBeInTheDocument();
+      expect(screen.getByText('SSO')).toBeInTheDocument();
+      expect(screen.getByText('Unconfigured')).toBeInTheDocument();
+      expect(
+        screen.getByText('Configure to require organization members to sign in through your identity provider'),
+      ).toBeInTheDocument();
+      expect(screen.getByRole('button', { name: 'Start configuration' })).toBeInTheDocument();
+
+      // No configured-state affordances.
+      expect(screen.queryByRole('switch')).not.toBeInTheDocument();
+      expect(screen.queryByRole('button', { name: /open menu/i })).not.toBeInTheDocument();
+      // The wizard is not mounted.
+      expect(screen.queryByText(/select your identity provider/i)).not.toBeInTheDocument();
+    });
+
+    it('renders the in-progress state with a Continue configuration action', async () => {
+      const { wrapper, fixtures } = await createFixtures(withSecurityPageFixtures);
+
+      // A connection without SAML configuration is mid-setup.
+      fixtures.clerk.organization?.getEnterpriseConnections.mockResolvedValue([
+        configuredConnection({ samlConnection: null }),
+      ]);
+      fixtures.clerk.organization?.getEnterpriseConnectionTestRuns.mockResolvedValue({
+        data: [],
+        total_count: 0,
+      } as any);
+
+      renderPage(wrapper);
+
+      expect(await screen.findByText('In Progress')).toBeInTheDocument();
+      expect(
+        screen.getByText('Configure to require organization members to sign in through your identity provider'),
+      ).toBeInTheDocument();
+      expect(screen.getByText(/you have started a configuration but haven.t finished/i)).toBeInTheDocument();
+      expect(screen.getByRole('button', { name: 'Continue configuration' })).toBeInTheDocument();
+
+      expect(screen.queryByRole('switch')).not.toBeInTheDocument();
+      expect(screen.queryByRole('button', { name: /open menu/i })).not.toBeInTheDocument();
+    });
+
+    it('renders the active state with the toggle on and the connection details', async () => {
+      const { wrapper, fixtures } = await createFixtures(withSecurityPageFixtures);
+
+      fixtures.clerk.organization?.getEnterpriseConnections.mockResolvedValue([configuredConnection({ active: true })]);
+      fixtures.clerk.organization?.getEnterpriseConnectionTestRuns.mockResolvedValue({
+        data: [{ id: 'run_1', status: 'success' }],
+        total_count: 1,
+      } as any);
+
+      renderPage(wrapper);
+
+      expect(await screen.findByText('Active')).toBeInTheDocument();
+      expect(
+        screen.getByText('Configure SSO to require organization members to sign in through your identity provider'),
+      ).toBeInTheDocument();
+
+      const ssoSwitch = screen.getByRole('switch', { name: 'Enable SSO' });
+      expect(ssoSwitch).toBeChecked();
+      expect(ssoSwitch).toBeEnabled();
+
+      // Detail rows: gray label + right-aligned value per row.
+      expect(screen.getByText('Provider')).toBeInTheDocument();
+      expect(screen.getByText('Okta Workforce')).toBeInTheDocument();
+      expect(screen.getByText('Domain')).toBeInTheDocument();
+      expect(screen.getByText('clerk.com')).toBeInTheDocument();
+      expect(screen.getByText('Sign on URL')).toBeInTheDocument();
+      expect(screen.getByRole('link', { name: 'https://idp.example.com/sso' })).toHaveAttribute(
+        'href',
+        'https://idp.example.com/sso',
+      );
+      expect(screen.getByText('Issuer')).toBeInTheDocument();
+      expect(screen.getByRole('link', { name: 'https://idp.example.com/entity' })).toHaveAttribute(
+        'href',
+        'https://idp.example.com/entity',
+      );
+      expect(screen.getByText('Certificate')).toBeInTheDocument();
+      expect(screen.getByText('CERT')).toBeInTheDocument();
+
+      // The actions menu is available; the start/continue actions are not.
+      expect(screen.getByRole('button', { name: /open menu/i })).toBeInTheDocument();
+      expect(screen.queryByRole('button', { name: 'Start configuration' })).not.toBeInTheDocument();
+      expect(screen.queryByRole('button', { name: 'Continue configuration' })).not.toBeInTheDocument();
+      // The page lands on the overview, never directly on the wizard.
+      expect(screen.queryByText(/configuration details/i)).not.toBeInTheDocument();
+    });
+
+    it('renders the inactive state with the toggle off and a chip per domain', async () => {
+      const { wrapper, fixtures } = await createFixtures(withSecurityPageFixtures);
+
+      fixtures.clerk.organization?.getEnterpriseConnections.mockResolvedValue([
+        configuredConnection({ domains: ['github.com', 'gmail.com', 'maps.com', 'another.com'] }),
+      ]);
+      fixtures.clerk.organization?.getEnterpriseConnectionTestRuns.mockResolvedValue({
+        data: [{ id: 'run_1', status: 'success' }],
+        total_count: 1,
+      } as any);
+
+      renderPage(wrapper);
+
+      expect(await screen.findByText('Inactive')).toBeInTheDocument();
+
+      const ssoSwitch = screen.getByRole('switch', { name: 'Enable SSO' });
+      expect(ssoSwitch).not.toBeChecked();
+      // A successful test run satisfies the enable gate.
+      expect(ssoSwitch).toBeEnabled();
+
+      for (const domain of ['github.com', 'gmail.com', 'maps.com', 'another.com']) {
+        expect(screen.getByText(domain)).toBeInTheDocument();
+      }
+    });
+  });
+
+  describe('view switching', () => {
+    it('switches to the wizard when Start configuration is clicked', async () => {
+      const { wrapper, fixtures } = await createFixtures(withSecurityPageFixtures);
+
+      fixtures.clerk.organization?.getEnterpriseConnections.mockResolvedValue([]);
+
+      const { userEvent } = renderPage(wrapper);
+
+      await userEvent.click(await screen.findByRole('button', { name: 'Start configuration' }));
+
+      // A fresh start lands on the select-provider step.
+      expect(await screen.findByText(/select your identity provider/i)).toBeInTheDocument();
+      expect(screen.queryByRole('button', { name: 'Start configuration' })).not.toBeInTheDocument();
+    });
+
+    it('switches to the wizard when Edit is selected from the actions menu', async () => {
+      const { wrapper, fixtures } = await createFixtures(withSecurityPageFixtures);
+
+      fixtures.clerk.organization?.getEnterpriseConnections.mockResolvedValue([configuredConnection({ active: true })]);
+      fixtures.clerk.organization?.getEnterpriseConnectionTestRuns.mockResolvedValue({
+        data: [{ id: 'run_1', status: 'success' }],
+        total_count: 1,
+      } as any);
+
+      const { userEvent } = renderPage(wrapper);
+
+      await userEvent.click(await screen.findByRole('button', { name: /open menu/i }));
+      await userEvent.click(screen.getByRole('menuitem', { name: 'Edit' }));
+
+      // An active connection short-circuits the wizard to the confirmation step.
+      expect(await screen.findByText(/configuration details/i)).toBeInTheDocument();
+      // The overview unmounted.
+      expect(
+        screen.queryByText('Configure SSO to require organization members to sign in through your identity provider'),
+      ).not.toBeInTheDocument();
+    });
+  });
+
+  describe('actions menu', () => {
+    it('lists Edit and Delete, and Delete opens the type-to-confirm reset dialog', async () => {
+      const { wrapper, fixtures } = await createFixtures(withSecurityPageFixtures);
+
+      fixtures.clerk.organization?.getEnterpriseConnections.mockResolvedValue([configuredConnection({ active: true })]);
+      fixtures.clerk.organization?.getEnterpriseConnectionTestRuns.mockResolvedValue({
+        data: [],
+        total_count: 0,
+      } as any);
+      fixtures.clerk.organization?.deleteEnterpriseConnection.mockResolvedValue({} as any);
+
+      const { userEvent } = renderPage(wrapper);
+
+      await userEvent.click(await screen.findByRole('button', { name: /open menu/i }));
+      expect(screen.getByRole('menuitem', { name: 'Edit' })).toBeInTheDocument();
+      const deleteItem = screen.getByRole('menuitem', { name: 'Delete' });
+
+      await userEvent.click(deleteItem);
+      expect(await screen.findByRole('heading', { name: 'Reset connection' })).toBeInTheDocument();
+
+      // Type-to-confirm uses the organization name.
+      await userEvent.type(screen.getByLabelText(/below to continue/i), 'Org1');
+      await waitFor(() => expect(screen.getByRole('button', { name: 'Reset connection' })).toBeEnabled());
+      await userEvent.click(screen.getByRole('button', { name: 'Reset connection' }));
+
+      await waitFor(() => {
+        expect(fixtures.clerk.organization?.deleteEnterpriseConnection).toHaveBeenCalledWith('ent_1');
+      });
+    });
+  });
+
+  describe('Enable SSO toggle', () => {
+    it('flips optimistically, disables while saving, and settles on the server value', async () => {
+      const { wrapper, fixtures } = await createFixtures(withSecurityPageFixtures);
+
+      fixtures.clerk.organization?.getEnterpriseConnections.mockResolvedValue([configuredConnection({ active: true })]);
+      fixtures.clerk.organization?.getEnterpriseConnectionTestRuns.mockResolvedValue({
+        data: [],
+        total_count: 0,
+      } as any);
+
+      let resolveUpdate!: (value: unknown) => void;
+      fixtures.clerk.organization?.updateEnterpriseConnection.mockImplementation(
+        () => new Promise(resolve => (resolveUpdate = resolve)) as any,
+      );
+
+      const { userEvent } = renderPage(wrapper);
+
+      const ssoSwitch = await screen.findByRole('switch', { name: 'Enable SSO' });
+      expect(ssoSwitch).toBeChecked();
+
+      await userEvent.click(ssoSwitch);
+
+      // Optimistic flip + disabled while the mutation is in flight.
+      expect(ssoSwitch).not.toBeChecked();
+      expect(ssoSwitch).toBeDisabled();
+      expect(fixtures.clerk.organization?.updateEnterpriseConnection).toHaveBeenCalledWith('ent_1', {
+        active: false,
+      });
+
+      resolveUpdate({ active: false });
+
+      await waitFor(() => expect(ssoSwitch).toBeEnabled());
+      expect(ssoSwitch).not.toBeChecked();
+    });
+
+    it('rolls back the toggle and surfaces the error when the update fails', async () => {
+      const { wrapper, fixtures } = await createFixtures(withSecurityPageFixtures);
+
+      fixtures.clerk.organization?.getEnterpriseConnections.mockResolvedValue([configuredConnection({ active: true })]);
+      fixtures.clerk.organization?.getEnterpriseConnectionTestRuns.mockResolvedValue({
+        data: [],
+        total_count: 0,
+      } as any);
+      fixtures.clerk.organization?.updateEnterpriseConnection.mockRejectedValue(
+        new ClerkAPIResponseError('Error', {
+          data: [
+            {
+              code: 'connection_update_failed',
+              long_message: 'The connection could not be updated',
+              message: 'update failed',
+            },
+          ],
+          status: 400,
+        }),
+      );
+
+      const { userEvent } = renderPage(wrapper);
+
+      const ssoSwitch = await screen.findByRole('switch', { name: 'Enable SSO' });
+      expect(ssoSwitch).toBeChecked();
+
+      await userEvent.click(ssoSwitch);
+
+      // Rolled back to the server state, re-enabled, and the error surfaced.
+      await waitFor(() => expect(ssoSwitch).toBeEnabled());
+      expect(ssoSwitch).toBeChecked();
+      expect(await screen.findByText('The connection could not be updated')).toBeInTheDocument();
+    });
+  });
+});
diff --git a/packages/ui/src/customizables/elementDescriptors.ts b/packages/ui/src/customizables/elementDescriptors.ts
index adb4644e66e..c47903bdf8c 100644
--- a/packages/ui/src/customizables/elementDescriptors.ts
+++ b/packages/ui/src/customizables/elementDescriptors.ts
@@ -223,6 +223,19 @@ export const APPEARANCE_KEYS = containsAllElementsConfigKeys([
   'organizationProfileMembersSearchInputIcon',
   'organizationProfileMembersSearchInput',
 
+  'organizationProfileSecuritySsoBadge',
+  'organizationProfileSecuritySsoDescription',
+  'organizationProfileSecuritySsoInProgressNotice',
+  'organizationProfileSecuritySsoConfigureButton',
+  'organizationProfileSecuritySsoEnableRow',
+  'organizationProfileSecuritySsoEnableLabel',
+  'organizationProfileSecuritySsoDetailRows',
+  'organizationProfileSecuritySsoDetailRow',
+  'organizationProfileSecuritySsoDetailRowLabel',
+  'organizationProfileSecuritySsoDetailRowChip',
+  'organizationProfileSecuritySsoDetailRowLink',
+  'organizationProfileSecuritySsoProviderIcon',
+
   'organizationListPreviewItems',
   'organizationListPreviewItem',
   'organizationListPreviewButton',
diff --git a/packages/ui/src/elements/Section.tsx b/packages/ui/src/elements/Section.tsx
index ce6ae5a5372..510ecf5c4f4 100644
--- a/packages/ui/src/elements/Section.tsx
+++ b/packages/ui/src/elements/Section.tsx
@@ -1,4 +1,5 @@
 import type { ProfileSectionId } from '@clerk/shared/types';
+import type { ReactNode } from 'react';
 import { forwardRef, isValidElement, useLayoutEffect, useRef, useState } from 'react';
 
 import type { LocalizationKey } from '../customizables';
@@ -16,10 +17,12 @@ type ProfileSectionProps = Omit<PropsOfComponent<typeof Flex>, 'title'> & {
   titleId?: string;
   centered?: boolean;
   id: ProfileSectionId;
+  /** Optional badge rendered next to the section title in the header column. */
+  badge?: ReactNode;
 };
 
 const ProfileSectionRoot = (props: ProfileSectionProps) => {
-  const { title, titleId, centered = true, children, id, sx, ...rest } = props;
+  const { title, titleId, centered = true, children, id, sx, badge, ...rest } = props;
   const ref = useRef<HTMLDivElement | null>(null);
   const [height, setHeight] = useState(0);
 
@@ -93,7 +96,10 @@ const ProfileSectionRoot = (props: ProfileSectionProps) => {
           elementId={descriptors.profileSectionTitle.setId(id)}
           textElementDescriptor={descriptors.profileSectionTitleText}
           textElementId={descriptors.profileSectionTitleText.setId(id)}
-        />
+          sx={badge ? t => ({ alignItems: 'center', gap: t.space.$2 }) : undefined}
+        >
+          {badge}
+        </SectionHeader>
       </Col>
     </Flex>
   );
@@ -353,7 +359,7 @@ type SectionHeaderProps = PropsOfComponent<typeof Flex> & {
 };
 
 export const SectionHeader = (props: SectionHeaderProps) => {
-  const { textElementDescriptor, textElementId, textId, localizationKey, ...rest } = props;
+  const { textElementDescriptor, textElementId, textId, localizationKey, children, ...rest } = props;
   return (
     <Flex {...rest}>
       <Text
@@ -363,6 +369,7 @@ export const SectionHeader = (props: SectionHeaderProps) => {
         elementDescriptor={textElementDescriptor}
         elementId={textElementId}
       />
+      {children}
     </Flex>
   );
 };
diff --git a/packages/ui/src/internal/appearance.ts b/packages/ui/src/internal/appearance.ts
index 512d0dd8e5c..0e9427eccee 100644
--- a/packages/ui/src/internal/appearance.ts
+++ b/packages/ui/src/internal/appearance.ts
@@ -363,6 +363,19 @@ export type ElementsConfig = {
   organizationProfileMembersSearchInputIcon: WithOptions;
   organizationProfileMembersSearchInput: WithOptions;
 
+  organizationProfileSecuritySsoBadge: WithOptions<string>;
+  organizationProfileSecuritySsoDescription: WithOptions;
+  organizationProfileSecuritySsoInProgressNotice: WithOptions;
+  organizationProfileSecuritySsoConfigureButton: WithOptions<string>;
+  organizationProfileSecuritySsoEnableRow: WithOptions;
+  organizationProfileSecuritySsoEnableLabel: WithOptions;
+  organizationProfileSecuritySsoDetailRows: WithOptions;
+  organizationProfileSecuritySsoDetailRow: WithOptions<string>;
+  organizationProfileSecuritySsoDetailRowLabel: WithOptions<string>;
+  organizationProfileSecuritySsoDetailRowChip: WithOptions<string>;
+  organizationProfileSecuritySsoDetailRowLink: WithOptions<string>;
+  organizationProfileSecuritySsoProviderIcon: WithOptions;
+
   organizationListPreviewItems: WithOptions;
   organizationListPreviewItem: WithOptions;
   organizationListPreviewButton: WithOptions;

From 1a6e0ecb435927c2e7a26a5d9f32379a8484af19 Mon Sep 17 00:00:00 2001
From: Iago Dahlem Lorensini <iagodahlemlorensini@gmail.com>
Date: Wed, 10 Jun 2026 13:00:28 -0300
Subject: [PATCH 4/5] refactor(ui): trim comments across the security page
 overview

---
 .../ConfigureSSO/ResetConnectionDialog.tsx    | 15 +-------
 .../__tests__/ResetConnectionDialog.test.tsx  |  6 ---
 .../components/ConfigureSSO/elements/Step.tsx |  3 +-
 .../ConfigureSSO/steps/ConfirmationStep.tsx   |  3 +-
 .../OrganizationSecurityPage.tsx              | 17 +--------
 .../SecuritySsoSection.tsx                    | 38 +++----------------
 .../OrganizationSecurityPage.test.tsx         |  9 -----
 packages/ui/src/elements/Section.tsx          |  1 -
 8 files changed, 10 insertions(+), 82 deletions(-)

diff --git a/packages/ui/src/components/ConfigureSSO/ResetConnectionDialog.tsx b/packages/ui/src/components/ConfigureSSO/ResetConnectionDialog.tsx
index dea7a27364c..2ae450a7d2e 100644
--- a/packages/ui/src/components/ConfigureSSO/ResetConnectionDialog.tsx
+++ b/packages/ui/src/components/ConfigureSSO/ResetConnectionDialog.tsx
@@ -11,15 +11,8 @@ import { handleError } from '@/utils/errorHandler';
 type ResetConnectionDialogProps = {
   isOpen: boolean;
   onClose: () => void;
-  /** The value the user must type to confirm (the organization name). */
   confirmationValue: string;
-  /**
-   * The host-bound delete action, awaited on confirm before the dialog closes.
-   * The dialog is context-free: hosts (wizard footers, the Security page
-   * overview) bind the connection id and mutation themselves.
-   */
   onDelete: () => Promise<unknown>;
-  /** The host's scrollable content container — the modal portals into it. */
   contentRef: React.RefObject<HTMLDivElement>;
 };
 
@@ -69,13 +62,7 @@ const ResetConnectionDialogContent = withCardStateProvider((props: ResetConnecti
     }
 
     try {
-      // Reset is a pure delete — no navigation. The host binds the delete
-      // mutation; in the wizard, dropping `hasConnection` breaks the active
-      // step's entry guard and the machine self-corrects to the
-      // furthest-reachable step. No `useWizard()` (or any context) here — that
-      // lets this dialog be triggered from ANY footer (including the nested
-      // SAML configure footers) and from the Security page overview without
-      // binding to a wizard.
+      // A pure delete, no navigation — the wizard self-corrects once the active step's entry guard breaks.
       await onDelete();
       onClose();
     } catch (err) {
diff --git a/packages/ui/src/components/ConfigureSSO/__tests__/ResetConnectionDialog.test.tsx b/packages/ui/src/components/ConfigureSSO/__tests__/ResetConnectionDialog.test.tsx
index 21055b49410..dff7186523c 100644
--- a/packages/ui/src/components/ConfigureSSO/__tests__/ResetConnectionDialog.test.tsx
+++ b/packages/ui/src/components/ConfigureSSO/__tests__/ResetConnectionDialog.test.tsx
@@ -6,12 +6,6 @@ import { CardStateProvider } from '@/ui/elements/contexts';
 
 import { ResetConnectionDialog } from '../ResetConnectionDialog';
 
-// The dialog is context-free. On confirm it awaits the host-bound `onDelete`
-// action — a pure delete, no navigation — and in the wizard the machine
-// self-corrects to the furthest-reachable step once the active step's guard
-// breaks. That lets the dialog be triggered from ANY footer (including nested
-// SAML configure footers) and from the Security page overview without binding
-// to a wizard.
 const deleteConnection = vi.fn();
 
 const { createFixtures } = bindCreateFixtures('ConfigureSSO');
diff --git a/packages/ui/src/components/ConfigureSSO/elements/Step.tsx b/packages/ui/src/components/ConfigureSSO/elements/Step.tsx
index 52139c52bc7..53eccada5db 100644
--- a/packages/ui/src/components/ConfigureSSO/elements/Step.tsx
+++ b/packages/ui/src/components/ConfigureSSO/elements/Step.tsx
@@ -229,8 +229,7 @@ const FooterReset = (): JSX.Element | null => {
         isOpen={isOpen}
         onClose={() => setIsOpen(false)}
         confirmationValue={organization?.name ?? ''}
-        // The footer self-hides without a connection (`hasConnection` above),
-        // so the resource is guaranteed to be set at this point.
+        // The footer self-hides without a connection (`hasConnection` above), so the resource is set.
         // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
         onDelete={() => mutations.deleteConnection(enterpriseConnection!.id)}
         contentRef={contentRef}
diff --git a/packages/ui/src/components/ConfigureSSO/steps/ConfirmationStep.tsx b/packages/ui/src/components/ConfigureSSO/steps/ConfirmationStep.tsx
index 8dc34be7323..2f0a10385b3 100644
--- a/packages/ui/src/components/ConfigureSSO/steps/ConfirmationStep.tsx
+++ b/packages/ui/src/components/ConfigureSSO/steps/ConfirmationStep.tsx
@@ -278,8 +278,7 @@ const ResetConnectionSection = (): JSX.Element => {
         isOpen={isOpen}
         onClose={() => setIsOpen(false)}
         confirmationValue={organization?.name ?? ''}
-        // The confirmation step is only reachable with a connection, so the
-        // resource is guaranteed to be set at this point.
+        // The confirmation step is only reachable with a connection, so the resource is set.
         // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
         onDelete={() => mutations.deleteConnection(enterpriseConnection!.id)}
         contentRef={contentRef}
diff --git a/packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx b/packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx
index 7fe52fd244a..98ee5378068 100644
--- a/packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx
+++ b/packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx
@@ -26,14 +26,7 @@ export const OrganizationSecurityPage = ({ contentRef }: OrganizationSecurityPag
   return <OrganizationSecurityPageContent contentRef={contentRef} />;
 };
 
-/**
- * The page-owned data layer: fetches through the umbrella hook ONCE, gates
- * loading and permission, and injects the resolved data down — as props into
- * the overview section, or into the pure `ConfigureSSOWizard` (which mounts its
- * own provider). A separate component below the page (rather than inlined into
- * it) so the connection hook only ever runs behind the page's organization
- * check.
- */
+/** Separate from the page so the connection hook only runs behind the organization check. */
 const OrganizationSecurityPageContent = ({ contentRef }: OrganizationSecurityPageProps) => {
   const {
     isLoading,
@@ -45,15 +38,9 @@ const OrganizationSecurityPageContent = ({ contentRef }: OrganizationSecurityPag
     primaryEmailAddress,
   } = useOrganizationEnterpriseConnection();
 
-  // The page always lands on the overview; the wizard is entered explicitly via
-  // Start / Continue / Edit. There is no back-from-wizard affordance yet —
-  // returning is a reload for now; a follow-up adds the wizard-header button.
   const [view, setView] = useState<'overview' | 'wizard'>('overview');
 
-  // Gate loading one level above both views so neither ever observes a loading
-  // state. The single test-run source is part of this initial fetch when a
-  // connection exists at load, so the overview's status (and a cold landing on
-  // the wizard's test step) is covered by the full skeleton here.
+  // Gate loading above the provider so the context never observes a loading state.
   if (isLoading) {
     return <ConfigureSSOSkeleton />;
   }
diff --git a/packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx b/packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx
index b68945d89a8..b977c537e29 100644
--- a/packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx
+++ b/packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx
@@ -20,23 +20,14 @@ import type { EnterpriseConnectionMutations } from '../ConfigureSSO/hooks/useOrg
 import { ResetConnectionDialog } from '../ConfigureSSO/ResetConnectionDialog';
 import type { ProviderType } from '../ConfigureSSO/types';
 
-/**
- * Presentational, props-driven: the Security page owns the data (one
- * `useOrganizationEnterpriseConnection()` call) and injects everything the
- * overview needs here. No `useConfigureSSO` / wizard context below the page.
- */
+/** Props-driven: the Security page owns the data — no wizard context below the page. */
 type SecuritySsoSectionProps = {
-  /** The display-facing domain entity — `status` drives the per-state rendering. */
   connection: OrganizationEnterpriseConnection;
-  /** The raw connection resource backing the detail rows (provider, domains, SAML config). */
   enterpriseConnection: EnterpriseConnectionResource | undefined;
   setConnectionActive: EnterpriseConnectionMutations['setConnectionActive'];
   deleteConnection: EnterpriseConnectionMutations['deleteConnection'];
-  /** The delete dialog's type-to-confirm value. */
   organizationName: string;
-  /** The delete dialog's portal root. */
   contentRef: React.RefObject<HTMLDivElement>;
-  /** Start / Continue / Edit — the host switches the page to the wizard view. */
   onConfigure: () => void;
 };
 
@@ -66,14 +57,9 @@ const STATUS_BADGES: Record<
   },
 };
 
-/**
- * Provider icons whose SVGs are monochromatic and should flip with the theme.
- * Mirrors the SUPPORTS_MASK_IMAGE list in `common/ProviderIcon.tsx` and the
- * select-provider step — keep in sync if any of them grows.
- */
+/** Keep in sync with the select-provider step's MONOCHROMATIC_PROVIDER_ICONS. */
 const MONOCHROMATIC_PROVIDER_ICONS: ReadonlySet<string> = new Set(['okta']);
 
-/** Reuses the select-provider step's labels/icons so the overview can never disagree with the wizard. */
 const PROVIDER_PRESENTATION: Record<ProviderType, { label: LocalizationKey; iconId: string }> = {
   saml_okta: { label: localizationKeys('configureSSO.selectProviderStep.saml.okta'), iconId: 'okta' },
   saml_microsoft: { label: localizationKeys('configureSSO.selectProviderStep.saml.microsoft'), iconId: 'microsoft' },
@@ -122,8 +108,6 @@ export const SecuritySsoSection = (props: SecuritySsoSectionProps): JSX.Element
       )}
 
       {isConfigured && (
-        // The toggle's optimistic error state lives in its own card scope so it
-        // can never bleed into another surface (the wizard steps own theirs).
         <CardStateProvider>
           <ConfiguredContent {...props} />
         </CardStateProvider>
@@ -133,7 +117,6 @@ export const SecuritySsoSection = (props: SecuritySsoSectionProps): JSX.Element
 };
 
 type NotConfiguredContentProps = {
-  /** The in-progress "started but haven't finished" line, when applicable. */
   noticeKey?: LocalizationKey;
   primaryButtonKey: LocalizationKey;
   primaryButtonId: string;
@@ -310,8 +293,7 @@ const ConfiguredContent = (props: SecuritySsoSectionProps): JSX.Element => {
         isOpen={isResetDialogOpen}
         onClose={() => setIsResetDialogOpen(false)}
         confirmationValue={organizationName}
-        // This content only renders for a configured (active / inactive)
-        // connection, so the resource is guaranteed to be set at this point.
+        // A configured (active / inactive) connection guarantees the resource is set.
         // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
         onDelete={() => deleteConnection(enterpriseConnection!.id)}
         contentRef={contentRef}
@@ -325,11 +307,6 @@ type EnableSsoToggleProps = Pick<
   'connection' | 'enterpriseConnection' | 'setConnectionActive'
 >;
 
-/**
- * Optimistic enable/disable toggle: flips immediately, reconciles with the
- * server response, and rolls back (surfacing a card error) on failure — the
- * same behavior as the wizard confirmation step's enable section.
- */
 const EnableSsoToggle = ({
   connection,
   enterpriseConnection,
@@ -350,8 +327,7 @@ const EnableSsoToggle = ({
     setIsChecked(active);
 
     try {
-      // The toggle only renders for a configured (active / inactive)
-      // connection, so the resource is guaranteed to be set at this point.
+      // A configured (active / inactive) connection guarantees the resource is set.
       // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
       const updated = await setConnectionActive(enterpriseConnection!.id, active);
       if (updated) {
@@ -373,9 +349,7 @@ const EnableSsoToggle = ({
     >
       <Switch
         isChecked={isChecked}
-        // The spec gates enabling on a successful test run; by construction the
-        // gate barely bites (an inactive status implies a successful test), but
-        // it guards the theoretical never-tested-yet-configured combination.
+        // The spec gates enabling on a successful test run.
         isDisabled={card.isLoading || (!connection.hasSuccessfulTestRun && !connection.isActive)}
         onChange={active => void onActiveChange(active)}
         aria-labelledby={labelId}
@@ -394,7 +368,6 @@ type DetailRowProps = PropsWithChildren<{
   label: LocalizationKey;
 }>;
 
-/** A single overview detail row: gray label on the left, right-aligned value. */
 const DetailRow = ({ id, label, children }: DetailRowProps): JSX.Element => (
   <Flex
     elementDescriptor={descriptors.organizationProfileSecuritySsoDetailRow}
@@ -469,7 +442,6 @@ const LinkChip = ({ id, href }: LinkChipProps): JSX.Element => (
   </Badge>
 );
 
-/** The provider mark, mask-rendered for monochromatic SVGs so it flips with the theme. */
 const ProviderIcon = ({ iconId }: { iconId: string }): JSX.Element => (
   <Span
     elementDescriptor={descriptors.organizationProfileSecuritySsoProviderIcon}
diff --git a/packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx b/packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx
index ccb00310051..5f70ff36ccf 100644
--- a/packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx
+++ b/packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx
@@ -54,10 +54,8 @@ describe('OrganizationSecurityPage', () => {
       ).toBeInTheDocument();
       expect(screen.getByRole('button', { name: 'Start configuration' })).toBeInTheDocument();
 
-      // No configured-state affordances.
       expect(screen.queryByRole('switch')).not.toBeInTheDocument();
       expect(screen.queryByRole('button', { name: /open menu/i })).not.toBeInTheDocument();
-      // The wizard is not mounted.
       expect(screen.queryByText(/select your identity provider/i)).not.toBeInTheDocument();
     });
 
@@ -106,7 +104,6 @@ describe('OrganizationSecurityPage', () => {
       expect(ssoSwitch).toBeChecked();
       expect(ssoSwitch).toBeEnabled();
 
-      // Detail rows: gray label + right-aligned value per row.
       expect(screen.getByText('Provider')).toBeInTheDocument();
       expect(screen.getByText('Okta Workforce')).toBeInTheDocument();
       expect(screen.getByText('Domain')).toBeInTheDocument();
@@ -124,11 +121,9 @@ describe('OrganizationSecurityPage', () => {
       expect(screen.getByText('Certificate')).toBeInTheDocument();
       expect(screen.getByText('CERT')).toBeInTheDocument();
 
-      // The actions menu is available; the start/continue actions are not.
       expect(screen.getByRole('button', { name: /open menu/i })).toBeInTheDocument();
       expect(screen.queryByRole('button', { name: 'Start configuration' })).not.toBeInTheDocument();
       expect(screen.queryByRole('button', { name: 'Continue configuration' })).not.toBeInTheDocument();
-      // The page lands on the overview, never directly on the wizard.
       expect(screen.queryByText(/configuration details/i)).not.toBeInTheDocument();
     });
 
@@ -168,7 +163,6 @@ describe('OrganizationSecurityPage', () => {
 
       await userEvent.click(await screen.findByRole('button', { name: 'Start configuration' }));
 
-      // A fresh start lands on the select-provider step.
       expect(await screen.findByText(/select your identity provider/i)).toBeInTheDocument();
       expect(screen.queryByRole('button', { name: 'Start configuration' })).not.toBeInTheDocument();
     });
@@ -189,7 +183,6 @@ describe('OrganizationSecurityPage', () => {
 
       // An active connection short-circuits the wizard to the confirmation step.
       expect(await screen.findByText(/configuration details/i)).toBeInTheDocument();
-      // The overview unmounted.
       expect(
         screen.queryByText('Configure SSO to require organization members to sign in through your identity provider'),
       ).not.toBeInTheDocument();
@@ -249,7 +242,6 @@ describe('OrganizationSecurityPage', () => {
 
       await userEvent.click(ssoSwitch);
 
-      // Optimistic flip + disabled while the mutation is in flight.
       expect(ssoSwitch).not.toBeChecked();
       expect(ssoSwitch).toBeDisabled();
       expect(fixtures.clerk.organization?.updateEnterpriseConnection).toHaveBeenCalledWith('ent_1', {
@@ -290,7 +282,6 @@ describe('OrganizationSecurityPage', () => {
 
       await userEvent.click(ssoSwitch);
 
-      // Rolled back to the server state, re-enabled, and the error surfaced.
       await waitFor(() => expect(ssoSwitch).toBeEnabled());
       expect(ssoSwitch).toBeChecked();
       expect(await screen.findByText('The connection could not be updated')).toBeInTheDocument();
diff --git a/packages/ui/src/elements/Section.tsx b/packages/ui/src/elements/Section.tsx
index 510ecf5c4f4..157a0236ae1 100644
--- a/packages/ui/src/elements/Section.tsx
+++ b/packages/ui/src/elements/Section.tsx
@@ -17,7 +17,6 @@ type ProfileSectionProps = Omit<PropsOfComponent<typeof Flex>, 'title'> & {
   titleId?: string;
   centered?: boolean;
   id: ProfileSectionId;
-  /** Optional badge rendered next to the section title in the header column. */
   badge?: ReactNode;
 };
 

From 87bd9f23fb46fe0ce8e4240d8ac49480eaadf2da Mon Sep 17 00:00:00 2001
From: Iago Dahlem Lorensini <iagodahlemlorensini@gmail.com>
Date: Wed, 10 Jun 2026 14:09:12 -0300
Subject: [PATCH 5/5] fix(ui): truncate long SSO detail values on the security
 page

---
 .../SecuritySsoSection.tsx                    |  8 ++++-
 .../OrganizationSecurityPage.test.tsx         | 33 +++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx b/packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx
index b977c537e29..1a5745b68bb 100644
--- a/packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx
+++ b/packages/ui/src/components/OrganizationProfile/SecuritySsoSection.tsx
@@ -383,7 +383,13 @@ const DetailRow = ({ id, label, children }: DetailRowProps): JSX.Element => (
       localizationKey={label}
       sx={{ flexShrink: 0, whiteSpace: 'nowrap' }}
     />
-    {children}
+    <Flex
+      justify='end'
+      // Bounds the value side to the remaining row width so chips truncate instead of overflowing the card.
+      sx={{ flex: '1 1 0', minWidth: 0 }}
+    >
+      {children}
+    </Flex>
   </Flex>
 );
 
diff --git a/packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx b/packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx
index 5f70ff36ccf..d4d15c889e1 100644
--- a/packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx
+++ b/packages/ui/src/components/OrganizationProfile/__tests__/OrganizationSecurityPage.test.tsx
@@ -151,6 +151,39 @@ describe('OrganizationSecurityPage', () => {
         expect(screen.getByText(domain)).toBeInTheDocument();
       }
     });
+
+    it('renders long SAML values as truncating chips with full-value tooltips', async () => {
+      const longSsoUrl = `https://idp.example.com/sso/${'a'.repeat(280)}`;
+      const longCertificate = 'MIIC'.repeat(75);
+      const { wrapper, fixtures } = await createFixtures(withSecurityPageFixtures);
+
+      fixtures.clerk.organization?.getEnterpriseConnections.mockResolvedValue([
+        configuredConnection({
+          active: true,
+          samlConnection: {
+            idpSsoUrl: longSsoUrl,
+            idpEntityId: 'https://idp.example.com/entity',
+            idpCertificate: longCertificate,
+          },
+        }),
+      ]);
+      fixtures.clerk.organization?.getEnterpriseConnectionTestRuns.mockResolvedValue({
+        data: [{ id: 'run_1', status: 'success' }],
+        total_count: 1,
+      } as any);
+
+      renderPage(wrapper);
+
+      const ssoLink = await screen.findByRole('link', { name: longSsoUrl });
+      expect(ssoLink).toHaveAttribute('href', longSsoUrl);
+      // The full value stays reachable via the tooltip once the chip truncates visually.
+      expect(ssoLink).toHaveAttribute('title', longSsoUrl);
+      expect(ssoLink).toHaveStyle({ overflow: 'hidden', textOverflow: 'ellipsis', whiteSpace: 'nowrap' });
+
+      const certificate = screen.getByText(longCertificate);
+      expect(certificate).toHaveAttribute('title', longCertificate);
+      expect(certificate).toHaveStyle({ overflow: 'hidden', textOverflow: 'ellipsis', whiteSpace: 'nowrap' });
+    });
   });
 
   describe('view switching', () => {