diff --git a/apps/documentation/pages/users/organisations/_meta.json b/apps/documentation/pages/users/organisations/_meta.json
index b77f9137c..dfc75fc95 100644
--- a/apps/documentation/pages/users/organisations/_meta.json
+++ b/apps/documentation/pages/users/organisations/_meta.json
@@ -3,5 +3,6 @@
   "members": "Members",
   "groups": "Groups",
   "teams": "Teams",
+  "sso": "SSO",
   "billing": "Billing"
-}
\ No newline at end of file
+}
diff --git a/apps/documentation/pages/users/organisations/sso/_meta.json b/apps/documentation/pages/users/organisations/sso/_meta.json
new file mode 100644
index 000000000..4ba07c6f6
--- /dev/null
+++ b/apps/documentation/pages/users/organisations/sso/_meta.json
@@ -0,0 +1,4 @@
+{
+  "index": "Configuration",
+  "microsoft-entra-id": "Microsoft Entra ID"
+}
diff --git a/apps/documentation/pages/users/organisations/sso/index.mdx b/apps/documentation/pages/users/organisations/sso/index.mdx
new file mode 100644
index 000000000..c909b3336
--- /dev/null
+++ b/apps/documentation/pages/users/organisations/sso/index.mdx
@@ -0,0 +1,149 @@
+---
+title: SSO Portal
+description: Learn how to set up a custom SSO login portal for your organisation.
+---
+
+import Image from 'next/image';
+
+import { Callout, Steps } from 'nextra/components';
+
+# Organisation SSO Portal
+
+The SSO Portal provides a dedicated login URL for your organisation that integrates with any OIDC compliant identity provider. This feature provides:
+
+- **Single Sign-On**: Access Documenso using your own authentication system
+- **Automatic onboarding**: New users will be automatically added to your organisation when they sign in through the portal
+- **Delegated account management**: Your organisation has full control over the users who sign in through the portal
+
+<Callout type="warning">
+  Anyone who signs in through your portal will be added to your organisation as a member.
+</Callout>
+
+## Getting Started
+
+To set up the SSO Portal, you need to be an organisation owner, admin, or manager.
+
+<Callout type="info">
+  **Enterprise Only**: This feature is only available to Enterprise customers.
+</Callout>
+
+<Steps>
+
+### Access Organisation SSO Settings
+
+![Organisation SSO Portal settings](/organisations/organisations-sso-settings.webp)
+
+### Configure SSO Portal
+
+See the [Microsoft Entra ID](/users/organisations/sso/microsoft-entra-id) guide to find the values for the following fields.
+
+#### Issuer URL
+
+Enter the OpenID discovery endpoint URL for your provider. Here are some common examples:
+
+- **Google Workspace**: `https://accounts.google.com/.well-known/openid-configuration`
+- **Microsoft Entra ID**: `https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration`
+- **Okta**: `https://{your-domain}.okta.com/.well-known/openid-configuration`
+- **Auth0**: `https://{your-domain}.auth0.com/.well-known/openid-configuration`
+
+#### Client Credentials
+
+Enter the client ID and client secret provided by your identity provider:
+
+- **Client ID**: The unique identifier for your application
+- **Client Secret**: The secret key for authenticating your application
+
+#### Default Organisation Role
+
+Select the default Organisation role that new users will receive when they first sign in through the portal.
+
+#### Allowed Email Domains
+
+Specify which email domains are allowed to sign in through your SSO portal. Separate domains with spaces:
+
+```
+your-domain.com another-domain.com
+```
+
+Leave this field empty to allow all domains.
+
+### Configure Your Identity Provider
+
+You'll need to configure your identity provider with the following information:
+
+- Redirect URI
+- Scopes
+
+These values are found at the top of the page.
+
+### Save Configuration
+
+Toggle the "Enable SSO portal" switch to activate the feature for your organisation.
+
+Click "Update" to save your SSO portal configuration. The portal will be activated once all required fields are completed.
+
+</Steps>
+
+## Testing Your SSO Portal
+
+Once configured, you can test your SSO portal by:
+
+1. Navigating to your portal URL found at the top of the organisation SSO portal settings page
+2. Sign in with a test account from your configured domain
+3. Verifying that the user is properly provisioned with the correct organisation role
+
+## Best Practices
+
+### Reduce Friction
+
+Create a custom subdomain for your organisation's SSO portal. For example, you can create a subdomain like `documenso.your-organisation.com` which redirects to the portal link.
+
+### Security Considerations
+
+Please note that anyone who signs in through your portal will be added to your organisation as a member.
+
+- **Domain Restrictions**: Use allowed domains to prevent unauthorized access
+- **Role Assignment**: Carefully consider the default organisation role for new users
+
+## Troubleshooting
+
+### Common Issues
+
+**"Invalid issuer URL"**
+
+- Verify the issuer URL is correct and accessible
+- Ensure the URL follows the OpenID Connect discovery format
+
+**"Client authentication failed"**
+
+- Check that your client ID and client secret are correct
+- Verify that your application is properly registered with your identity provider
+
+**"User not provisioned"**
+
+- Check that the user's email domain is in the allowed domains list
+- Verify the default organisation role is set correctly
+
+**"Redirect URI mismatch"**
+
+- Ensure the redirect URI in Documenso matches exactly what's configured in your identity provider
+- Check for any trailing slashes or protocol mismatches
+
+### Getting Help
+
+If you encounter issues with your SSO portal configuration:
+
+1. Review your identity provider's documentation for OpenID Connect setup
+2. Check the Documenso logs for detailed error messages
+3. Contact your identity provider's support for provider-specific issues
+
+<Callout type="info">
+  For additional support for SSO Portal configuration, contact our support team at
+  support@documenso.com.
+</Callout>
+
+## Identity Provider Guides
+
+For detailed setup instructions for specific identity providers:
+
+- [Microsoft Entra ID](/users/organisations/sso/microsoft-entra-id) - Complete guide for Azure AD configuration
diff --git a/apps/documentation/pages/users/organisations/sso/microsoft-entra-id.mdx b/apps/documentation/pages/users/organisations/sso/microsoft-entra-id.mdx
new file mode 100644
index 000000000..6b3ed6d65
--- /dev/null
+++ b/apps/documentation/pages/users/organisations/sso/microsoft-entra-id.mdx
@@ -0,0 +1,76 @@
+---
+title: Microsoft Entra ID
+description: Learn how to configure Microsoft Entra ID (Azure AD) for your organisation's SSO portal.
+---
+
+import Image from 'next/image';
+
+import { Callout, Steps } from 'nextra/components';
+
+# Microsoft Entra ID Configuration
+
+Microsoft Entra ID (formerly Azure Active Directory) is a popular identity provider for enterprise SSO. This guide will walk you through creating an app registration and configuring it for use with your Documenso SSO portal.
+
+## Prerequisites
+
+- Access to Microsoft Entra ID (Azure AD) admin center
+- Access to your Documenso organisation as an administrator or manager
+
+<Callout type="warning">Each user in your Azure AD will need an email associated with it.</Callout>
+
+## Creating an App Registration
+
+<Steps>
+
+### Access Azure Portal
+
+1. Navigate to the Azure Portal
+2. Sign in with your Microsoft Entra ID administrator account
+3. Search for "Azure Active Directory" or "Microsoft Entra ID" in the search bar
+4. Click on "Microsoft Entra ID" from the results
+
+### Create App Registration
+
+1. In the left sidebar, click on "App registrations"
+2. Click the "New registration" button
+
+### Configure App Registration
+
+Fill in the registration form with the following details:
+
+- **Name**: Your preferred name (e.g. `Documenso SSO Portal`)
+- **Supported account types**: Choose based on your needs
+- **Redirect URI (Web)**: Found in the Documenso SSO portal settings page
+
+Click "Register" to create the app registration.
+
+### Get Client ID
+
+After registration, you'll be taken to the app's overview page. The **Application (client) ID** is displayed prominently - this is your Client ID for Documenso.
+
+### Create Client Secret
+
+1. In the left sidebar, click on "Certificates & secrets"
+2. Click "New client secret"
+3. Add a description (e.g., "Documenso SSO Secret")
+4. Choose an expiration period (recommended 12-24 months)
+5. Click "Add"
+
+Make sure you copy the "Secret value", not the "Secret ID", you won't be able to access it again after you leave the page.
+
+</Steps>
+
+## Getting Your OpenID Configuration URL
+
+1. In the Azure portal, go to "Microsoft Entra ID"
+2. Click on "Overview" in the left sidebar
+3. Click the "Endpoints" in the horizontal tab
+4. Copy the "OpenID Connect metadata document" value
+
+## Configure Documenso SSO Portal
+
+Now you have all the information needed to configure your Documenso SSO portal:
+
+- **Issuer URL**: The "OpenID Connect metadata document" value from the previous step
+- **Client ID**: The Application (client) ID from your app registration
+- **Client Secret**: The secret value you copied during creation
diff --git a/apps/documentation/public/organisations/organisations-sso-settings.webp b/apps/documentation/public/organisations/organisations-sso-settings.webp
new file mode 100644
index 000000000..b6d46f77e
Binary files /dev/null and b/apps/documentation/public/organisations/organisations-sso-settings.webp differ
diff --git a/apps/remix/app/routes/_authenticated+/o.$orgUrl.settings._layout.tsx b/apps/remix/app/routes/_authenticated+/o.$orgUrl.settings._layout.tsx
index 87326a5fa..1ef247147 100644
--- a/apps/remix/app/routes/_authenticated+/o.$orgUrl.settings._layout.tsx
+++ b/apps/remix/app/routes/_authenticated+/o.$orgUrl.settings._layout.tsx
@@ -6,6 +6,7 @@ import {
   GroupIcon,
   MailboxIcon,
   Settings2Icon,
+  ShieldCheckIcon,
   Users2Icon,
 } from 'lucide-react';
 import { FaUsers } from 'react-icons/fa6';
@@ -77,6 +78,11 @@ export default function SettingsLayout() {
       label: t`Groups`,
       icon: GroupIcon,
     },
+    {
+      path: `/o/${organisation.url}/settings/sso`,
+      label: t`SSO`,
+      icon: ShieldCheckIcon,
+    },
     {
       path: `/o/${organisation.url}/settings/billing`,
       label: t`Billing`,
@@ -94,6 +100,13 @@ export default function SettingsLayout() {
       return false;
     }
 
+    if (
+      (!isBillingEnabled || !organisation.organisationClaim.flags.authenticationPortal) &&
+      route.path.includes('/sso')
+    ) {
+      return false;
+    }
+
     return true;
   });
 
diff --git a/apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx b/apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx
new file mode 100644
index 000000000..db6b7c38d
--- /dev/null
+++ b/apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.sso.tsx
@@ -0,0 +1,432 @@
+import { zodResolver } from '@hookform/resolvers/zod';
+import { msg } from '@lingui/core/macro';
+import { Trans, useLingui } from '@lingui/react/macro';
+import { OrganisationMemberRole } from '@prisma/client';
+import { useForm } from 'react-hook-form';
+import { z } from 'zod';
+
+import { useCurrentOrganisation } from '@documenso/lib/client-only/providers/organisation';
+import { ORGANISATION_MEMBER_ROLE_HIERARCHY } from '@documenso/lib/constants/organisations';
+import { ORGANISATION_MEMBER_ROLE_MAP } from '@documenso/lib/constants/organisations-translations';
+import {
+  formatOrganisationCallbackUrl,
+  formatOrganisationLoginUrl,
+} from '@documenso/lib/utils/organisation-authentication-portal';
+import { trpc } from '@documenso/trpc/react';
+import { domainRegex } from '@documenso/trpc/server/enterprise-router/create-organisation-email-domain.types';
+import type { TGetOrganisationAuthenticationPortalResponse } from '@documenso/trpc/server/enterprise-router/get-organisation-authentication-portal.types';
+import { ZUpdateOrganisationAuthenticationPortalRequestSchema } from '@documenso/trpc/server/enterprise-router/update-organisation-authentication-portal.types';
+import { CopyTextButton } from '@documenso/ui/components/common/copy-text-button';
+import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
+import { Button } from '@documenso/ui/primitives/button';
+import {
+  Form,
+  FormControl,
+  FormField,
+  FormItem,
+  FormLabel,
+  FormMessage,
+} from '@documenso/ui/primitives/form/form';
+import { Input } from '@documenso/ui/primitives/input';
+import { Label } from '@documenso/ui/primitives/label';
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from '@documenso/ui/primitives/select';
+import { SpinnerBox } from '@documenso/ui/primitives/spinner';
+import { Switch } from '@documenso/ui/primitives/switch';
+import { Textarea } from '@documenso/ui/primitives/textarea';
+import { useToast } from '@documenso/ui/primitives/use-toast';
+
+import { SettingsHeader } from '~/components/general/settings-header';
+import { appMetaTags } from '~/utils/meta';
+
+const ZProviderFormSchema = ZUpdateOrganisationAuthenticationPortalRequestSchema.shape.data
+  .pick({
+    enabled: true,
+    wellKnownUrl: true,
+    clientId: true,
+    autoProvisionUsers: true,
+    defaultOrganisationRole: true,
+  })
+  .extend({
+    clientSecret: z.string().nullable(),
+    allowedDomains: z.string().refine(
+      (value) => {
+        const domains = value.split(' ').filter(Boolean);
+
+        return domains.every((domain) => domainRegex.test(domain));
+      },
+      {
+        message: msg`Invalid domains`.id,
+      },
+    ),
+  });
+
+type TProviderFormSchema = z.infer<typeof ZProviderFormSchema>;
+
+export function meta() {
+  return appMetaTags('Organisation SSO Portal');
+}
+
+export default function OrganisationSettingSSOLoginPage() {
+  const { t } = useLingui();
+  const organisation = useCurrentOrganisation();
+
+  const { data: authenticationPortal, isLoading: isLoadingAuthenticationPortal } =
+    trpc.enterprise.organisation.authenticationPortal.get.useQuery({
+      organisationId: organisation.id,
+    });
+
+  if (isLoadingAuthenticationPortal || !authenticationPortal) {
+    return <SpinnerBox className="py-32" />;
+  }
+
+  return (
+    <div className="max-w-2xl">
+      <SettingsHeader
+        title={t`Organisation SSO Portal`}
+        subtitle={t`Manage a custom SSO login portal for your organisation.`}
+      />
+
+      <SSOProviderForm authenticationPortal={authenticationPortal} />
+    </div>
+  );
+}
+
+type SSOProviderFormProps = {
+  authenticationPortal: TGetOrganisationAuthenticationPortalResponse;
+};
+
+const SSOProviderForm = ({ authenticationPortal }: SSOProviderFormProps) => {
+  const { t } = useLingui();
+  const { toast } = useToast();
+
+  const organisation = useCurrentOrganisation();
+
+  const { mutateAsync: updateOrganisationAuthenticationPortal } =
+    trpc.enterprise.organisation.authenticationPortal.update.useMutation();
+
+  const form = useForm<TProviderFormSchema>({
+    resolver: zodResolver(ZProviderFormSchema),
+    defaultValues: {
+      enabled: authenticationPortal.enabled,
+      clientId: authenticationPortal.clientId,
+      clientSecret: authenticationPortal.clientSecretProvided ? null : '',
+      wellKnownUrl: authenticationPortal.wellKnownUrl,
+      autoProvisionUsers: authenticationPortal.autoProvisionUsers,
+      defaultOrganisationRole: authenticationPortal.defaultOrganisationRole,
+      allowedDomains: authenticationPortal.allowedDomains.join(' '),
+    },
+  });
+
+  const onSubmit = async (values: TProviderFormSchema) => {
+    const { enabled, clientId, clientSecret, wellKnownUrl } = values;
+
+    if (enabled && !clientId) {
+      form.setError('clientId', {
+        message: t`Client ID is required`,
+      });
+
+      return;
+    }
+
+    if (enabled && clientSecret === '') {
+      form.setError('clientSecret', {
+        message: t`Client secret is required`,
+      });
+
+      return;
+    }
+
+    if (enabled && !wellKnownUrl) {
+      form.setError('wellKnownUrl', {
+        message: t`Well-known URL is required`,
+      });
+
+      return;
+    }
+
+    try {
+      await updateOrganisationAuthenticationPortal({
+        organisationId: organisation.id,
+        data: {
+          enabled,
+          clientId,
+          clientSecret: values.clientSecret ?? undefined,
+          wellKnownUrl,
+          autoProvisionUsers: values.autoProvisionUsers,
+          defaultOrganisationRole: values.defaultOrganisationRole,
+          allowedDomains: values.allowedDomains.split(' ').filter(Boolean),
+        },
+      });
+
+      toast({
+        title: t`Success`,
+        description: t`Provider has been updated successfully`,
+        duration: 5000,
+      });
+    } catch (err) {
+      console.error(err);
+
+      toast({
+        title: t`An error occurred`,
+        description: t`We couldn't update the provider. Please try again.`,
+        variant: 'destructive',
+      });
+    }
+  };
+
+  const isSsoEnabled = form.watch('enabled');
+
+  return (
+    <Form {...form}>
+      <form onSubmit={form.handleSubmit(onSubmit)}>
+        <fieldset disabled={form.formState.isSubmitting} className="space-y-6">
+          <div className="space-y-2">
+            <Label>
+              <Trans>Organisation authentication portal URL</Trans>
+            </Label>
+
+            <div className="relative">
+              <Input
+                className="pr-12"
+                disabled
+                value={formatOrganisationLoginUrl(organisation.url)}
+              />
+              <div className="absolute bottom-0 right-2 top-0 flex items-center justify-center">
+                <CopyTextButton
+                  value={formatOrganisationLoginUrl(organisation.url)}
+                  onCopySuccess={() => toast({ title: t`Copied to clipboard` })}
+                />
+              </div>
+            </div>
+
+            <p className="text-muted-foreground text-xs">
+              <Trans>This is the URL which users will use to sign in to your organisation.</Trans>
+            </p>
+          </div>
+
+          <div className="space-y-2">
+            <Label>
+              <Trans>Redirect URI</Trans>
+            </Label>
+
+            <div className="relative">
+              <Input
+                className="pr-12"
+                disabled
+                value={formatOrganisationCallbackUrl(organisation.url)}
+              />
+              <div className="absolute bottom-0 right-2 top-0 flex items-center justify-center">
+                <CopyTextButton
+                  value={formatOrganisationCallbackUrl(organisation.url)}
+                  onCopySuccess={() => toast({ title: t`Copied to clipboard` })}
+                />
+              </div>
+            </div>
+
+            <p className="text-muted-foreground text-xs">
+              <Trans>Add this URL to your provider's allowed redirect URIs</Trans>
+            </p>
+          </div>
+
+          <div className="space-y-2">
+            <Label>
+              <Trans>Required scopes</Trans>
+            </Label>
+
+            <Input className="pr-12" disabled value={`openid profile email`} />
+
+            <p className="text-muted-foreground text-xs">
+              <Trans>This is the required scopes you must set in your provider's settings</Trans>
+            </p>
+          </div>
+
+          <FormField
+            control={form.control}
+            name="wellKnownUrl"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel required={isSsoEnabled}>
+                  <Trans>Issuer URL</Trans>
+                </FormLabel>
+                <FormControl>
+                  <Input
+                    placeholder={'https://your-provider.com/.well-known/openid-configuration'}
+                    {...field}
+                  />
+                </FormControl>
+
+                {!form.formState.errors.wellKnownUrl && (
+                  <p className="text-muted-foreground text-xs">
+                    <Trans>The OpenID discovery endpoint URL for your provider</Trans>
+                  </p>
+                )}
+                <FormMessage />
+              </FormItem>
+            )}
+          />
+
+          <div className="grid grid-cols-1 gap-4 md:grid-cols-2">
+            <FormField
+              control={form.control}
+              name="clientId"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel required={isSsoEnabled}>
+                    <Trans>Client ID</Trans>
+                  </FormLabel>
+                  <FormControl>
+                    <Input id="client-id" {...field} />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+
+            <FormField
+              control={form.control}
+              name="clientSecret"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel required={isSsoEnabled}>
+                    <Trans>Client Secret</Trans>
+                  </FormLabel>
+                  <FormControl>
+                    <Input
+                      id="client-secret"
+                      type="password"
+                      {...field}
+                      value={field.value === null ? '**********************' : field.value}
+                    />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+          </div>
+
+          <FormField
+            control={form.control}
+            name="defaultOrganisationRole"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>
+                  <Trans>Default Organisation Role for New Users</Trans>
+                </FormLabel>
+                <FormControl>
+                  <Select value={field.value} onValueChange={field.onChange}>
+                    <SelectTrigger>
+                      <SelectValue placeholder={t`Select default role`} />
+                    </SelectTrigger>
+                    <SelectContent>
+                      {ORGANISATION_MEMBER_ROLE_HIERARCHY[OrganisationMemberRole.MANAGER].map(
+                        (role) => (
+                          <SelectItem key={role} value={role}>
+                            {t(ORGANISATION_MEMBER_ROLE_MAP[role])}
+                          </SelectItem>
+                        ),
+                      )}
+                    </SelectContent>
+                  </Select>
+                </FormControl>
+                <FormMessage />
+              </FormItem>
+            )}
+          />
+
+          <FormField
+            control={form.control}
+            name="allowedDomains"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>
+                  <Trans>Allowed Email Domains</Trans>
+                </FormLabel>
+                <FormControl>
+                  <Textarea
+                    {...field}
+                    placeholder={t`your-domain.com another-domain.com`}
+                    className="min-h-[80px]"
+                  />
+                </FormControl>
+
+                {!form.formState.errors.allowedDomains && (
+                  <p className="text-muted-foreground text-xs">
+                    <Trans>
+                      Space-separated list of domains. Leave empty to allow all domains.
+                    </Trans>
+                  </p>
+                )}
+
+                <FormMessage />
+              </FormItem>
+            )}
+          />
+
+          {/* Todo: This is just dummy toggle, we need to decide what this does first. */}
+          {/* <FormField
+            control={form.control}
+            name="autoProvisionUsers"
+            render={({ field }) => (
+              <FormItem className="flex items-center justify-between rounded-lg border px-4 py-3">
+                <div className="space-y-0.5">
+                  <FormLabel>
+                    <Trans>Auto-provision Users</Trans>
+                  </FormLabel>
+                  <p className="text-muted-foreground text-sm">
+                    <Trans>Automatically create accounts for new users on first login</Trans>
+                  </p>
+                </div>
+                <FormControl>
+                  <Switch checked={field.value} onCheckedChange={field.onChange} />
+                </FormControl>
+                <FormMessage />
+              </FormItem>
+            )}
+          /> */}
+
+          <FormField
+            control={form.control}
+            name="enabled"
+            render={({ field }) => (
+              <FormItem className="flex items-center justify-between rounded-lg border px-4 py-3">
+                <div className="space-y-0.5">
+                  <FormLabel>
+                    <Trans>Enable SSO portal</Trans>
+                  </FormLabel>
+                  <p className="text-muted-foreground text-sm">
+                    <Trans>Whether to enable the SSO portal for your organisation</Trans>
+                  </p>
+                </div>
+                <FormControl>
+                  <Switch checked={field.value} onCheckedChange={field.onChange} />
+                </FormControl>
+                <FormMessage />
+              </FormItem>
+            )}
+          />
+
+          <Alert variant="warning">
+            <AlertDescription>
+              <Trans>
+                Please note that anyone who signs in through your portal will be added to your
+                organisation as a member.
+              </Trans>
+            </AlertDescription>
+          </Alert>
+
+          <div className="flex justify-end gap-2">
+            <Button loading={form.formState.isSubmitting} type="submit">
+              <Trans>Update</Trans>
+            </Button>
+          </div>
+        </fieldset>
+      </form>
+    </Form>
+  );
+};
diff --git a/apps/remix/app/routes/_authenticated+/settings+/security._index.tsx b/apps/remix/app/routes/_authenticated+/settings+/security._index.tsx
index eacaaf4fc..5d878d971 100644
--- a/apps/remix/app/routes/_authenticated+/settings+/security._index.tsx
+++ b/apps/remix/app/routes/_authenticated+/settings+/security._index.tsx
@@ -192,6 +192,27 @@ export default function SettingsSecurity({ loaderData }: Route.ComponentProps) {
           </Link>
         </Button>
       </Alert>
+
+      <Alert
+        className="mt-6 flex flex-col justify-between p-6 sm:flex-row sm:items-center"
+        variant="neutral"
+      >
+        <div className="mb-4 mr-4 sm:mb-0">
+          <AlertTitle>
+            <Trans>Linked Accounts</Trans>
+          </AlertTitle>
+
+          <AlertDescription className="mr-2">
+            <Trans>View and manage all login methods linked to your account.</Trans>
+          </AlertDescription>
+        </div>
+
+        <Button asChild variant="outline" className="bg-background">
+          <Link to="/settings/security/linked-accounts">
+            <Trans>Manage linked accounts</Trans>
+          </Link>
+        </Button>
+      </Alert>
     </div>
   );
 }
diff --git a/apps/remix/app/routes/_authenticated+/settings+/security.linked-accounts.tsx b/apps/remix/app/routes/_authenticated+/settings+/security.linked-accounts.tsx
new file mode 100644
index 000000000..1c9c57914
--- /dev/null
+++ b/apps/remix/app/routes/_authenticated+/settings+/security.linked-accounts.tsx
@@ -0,0 +1,179 @@
+import { useMemo, useState } from 'react';
+
+import { useLingui } from '@lingui/react/macro';
+import { Trans } from '@lingui/react/macro';
+import { useQuery } from '@tanstack/react-query';
+import { DateTime } from 'luxon';
+
+import { authClient } from '@documenso/auth/client';
+import { Button } from '@documenso/ui/primitives/button';
+import type { DataTableColumnDef } from '@documenso/ui/primitives/data-table';
+import { DataTable } from '@documenso/ui/primitives/data-table';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+  DialogTrigger,
+} from '@documenso/ui/primitives/dialog';
+import { Skeleton } from '@documenso/ui/primitives/skeleton';
+import { TableCell } from '@documenso/ui/primitives/table';
+import { useToast } from '@documenso/ui/primitives/use-toast';
+
+import { SettingsHeader } from '~/components/general/settings-header';
+import { appMetaTags } from '~/utils/meta';
+
+export function meta() {
+  return appMetaTags('Linked Accounts');
+}
+
+export default function SettingsSecurityLinkedAccounts() {
+  const { t } = useLingui();
+
+  const { data, isLoading, isLoadingError, refetch } = useQuery({
+    queryKey: ['linked-accounts'],
+    queryFn: async () => await authClient.account.getMany(),
+  });
+
+  const results = data?.accounts ?? [];
+
+  const columns = useMemo(() => {
+    return [
+      {
+        header: t`Provider`,
+        accessorKey: 'provider',
+        cell: ({ row }) => row.original.provider,
+      },
+      {
+        header: t`Linked At`,
+        accessorKey: 'createdAt',
+        cell: ({ row }) =>
+          row.original.createdAt
+            ? DateTime.fromJSDate(row.original.createdAt).toRelative()
+            : t`Unknown`,
+      },
+      {
+        id: 'actions',
+        cell: ({ row }) => (
+          <AccountUnlinkDialog
+            accountId={row.original.id}
+            provider={row.original.provider}
+            onSuccess={refetch}
+          />
+        ),
+      },
+    ] satisfies DataTableColumnDef<(typeof results)[number]>[];
+  }, []);
+
+  return (
+    <div>
+      <SettingsHeader
+        title={t`Linked Accounts`}
+        subtitle={t`View and manage all login methods linked to your account.`}
+      />
+
+      <div className="mt-4">
+        <DataTable
+          columns={columns}
+          data={results}
+          hasFilters={false}
+          error={{
+            enable: isLoadingError,
+          }}
+          skeleton={{
+            enable: isLoading,
+            rows: 3,
+            component: (
+              <>
+                <TableCell>
+                  <Skeleton className="h-4 w-40 rounded-full" />
+                </TableCell>
+                <TableCell>
+                  <Skeleton className="h-4 w-24 rounded-full" />
+                </TableCell>
+                <TableCell>
+                  <Skeleton className="h-8 w-16 rounded" />
+                </TableCell>
+              </>
+            ),
+          }}
+        />
+      </div>
+    </div>
+  );
+}
+
+type AccountUnlinkDialogProps = {
+  accountId: string;
+  provider: string;
+  onSuccess: () => Promise<unknown>;
+};
+
+const AccountUnlinkDialog = ({ accountId, onSuccess, provider }: AccountUnlinkDialogProps) => {
+  const { toast } = useToast();
+  const { t } = useLingui();
+
+  const [isLoading, setIsLoading] = useState(false);
+  const [open, setOpen] = useState(false);
+
+  const handleRevoke = async () => {
+    setIsLoading(true);
+
+    try {
+      await authClient.account.delete(accountId);
+
+      await onSuccess();
+
+      toast({
+        title: t`Account unlinked`,
+      });
+    } catch (error) {
+      console.error(error);
+
+      toast({
+        title: t`Error`,
+        description: t`Failed to unlink account`,
+        variant: 'destructive',
+      });
+    }
+
+    setIsLoading(false);
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={(value) => !isLoading && setOpen(value)}>
+      <DialogTrigger asChild>
+        <Button variant="destructive" size="sm">
+          <Trans>Unlink</Trans>
+        </Button>
+      </DialogTrigger>
+
+      <DialogContent position="center">
+        <DialogHeader>
+          <DialogTitle>
+            <Trans>Are you sure?</Trans>
+          </DialogTitle>
+
+          <DialogDescription className="mt-4">
+            <Trans>
+              You are about to remove the <span className="font-semibold">{provider}</span> login
+              method from your account.
+            </Trans>
+          </DialogDescription>
+        </DialogHeader>
+
+        <DialogFooter>
+          <Button type="button" variant="secondary" onClick={() => setOpen(false)}>
+            <Trans>Cancel</Trans>
+          </Button>
+
+          <Button variant="destructive" loading={isLoading} onClick={handleRevoke}>
+            <Trans>Unlink</Trans>
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+};
diff --git a/apps/remix/app/routes/_unauthenticated+/o.$orgUrl.signin.tsx b/apps/remix/app/routes/_unauthenticated+/o.$orgUrl.signin.tsx
new file mode 100644
index 000000000..1a1e26350
--- /dev/null
+++ b/apps/remix/app/routes/_unauthenticated+/o.$orgUrl.signin.tsx
@@ -0,0 +1,218 @@
+import { useState } from 'react';
+
+import { msg } from '@lingui/core/macro';
+import { Trans, useLingui } from '@lingui/react/macro';
+import { MailsIcon } from 'lucide-react';
+import { Link, redirect, useSearchParams } from 'react-router';
+
+import { authClient } from '@documenso/auth/client';
+import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { prisma } from '@documenso/prisma';
+import { Button } from '@documenso/ui/primitives/button';
+import { Checkbox } from '@documenso/ui/primitives/checkbox';
+import { useToast } from '@documenso/ui/primitives/use-toast';
+
+import { GenericErrorLayout } from '~/components/general/generic-error-layout';
+import { appMetaTags } from '~/utils/meta';
+
+import type { Route } from './+types/o.$orgUrl.signin';
+
+export function meta() {
+  return appMetaTags('Sign In');
+}
+
+export function ErrorBoundary() {
+  return (
+    <GenericErrorLayout
+      errorCode={404}
+      errorCodeMap={{
+        404: {
+          heading: msg`Authentication Portal Not Found`,
+          subHeading: msg`404 Not Found`,
+          message: msg`The organisation authentication portal does not exist, or is not configured`,
+        },
+      }}
+      primaryButton={
+        <Button asChild>
+          <Link to={`/`}>
+            <Trans>Go back</Trans>
+          </Link>
+        </Button>
+      }
+      secondaryButton={null}
+    />
+  );
+}
+
+export async function loader({ request, params }: Route.LoaderArgs) {
+  const { isAuthenticated, user } = await getOptionalSession(request);
+
+  const orgUrl = params.orgUrl;
+
+  const organisation = await prisma.organisation.findFirst({
+    where: {
+      url: orgUrl,
+    },
+    select: {
+      name: true,
+      organisationClaim: true,
+      organisationAuthenticationPortal: {
+        select: {
+          enabled: true,
+        },
+      },
+      members: {
+        select: {
+          userId: true,
+        },
+      },
+    },
+  });
+
+  if (
+    !organisation ||
+    !organisation.organisationAuthenticationPortal.enabled ||
+    !organisation.organisationClaim.flags.authenticationPortal
+  ) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Organisation not found',
+    });
+  }
+
+  // Redirect to organisation if already signed in and a member of the organisation.
+  if (isAuthenticated && user && organisation.members.find((member) => member.userId === user.id)) {
+    throw redirect(`/o/${orgUrl}`);
+  }
+
+  return {
+    organisationName: organisation.name,
+    orgUrl,
+  };
+}
+
+export default function OrganisationSignIn({ loaderData }: Route.ComponentProps) {
+  const [searchParams] = useSearchParams();
+
+  const { organisationName, orgUrl } = loaderData;
+
+  const { t } = useLingui();
+  const { toast } = useToast();
+
+  const [isSubmitting, setIsSubmitting] = useState(false);
+  const [isConfirmationChecked, setIsConfirmationChecked] = useState(false);
+
+  const action = searchParams.get('action');
+
+  const onSignInWithOIDCClick = async () => {
+    setIsSubmitting(true);
+
+    try {
+      await authClient.oidc.org.signIn({
+        orgUrl,
+      });
+    } catch (err) {
+      toast({
+        title: t`An unknown error occurred`,
+        description: t`We encountered an unknown error while attempting to sign you In. Please try again later.`,
+        variant: 'destructive',
+      });
+    }
+
+    setIsSubmitting(false);
+  };
+
+  if (action === 'verification-required') {
+    return (
+      <div className="w-screen max-w-lg px-4">
+        <div className="flex items-start">
+          <div className="mr-4 mt-1 hidden md:block">
+            <MailsIcon className="text-primary h-10 w-10" strokeWidth={2} />
+          </div>
+          <div className="">
+            <h2 className="text-2xl font-bold md:text-4xl">
+              <Trans>Confirmation email sent</Trans>
+            </h2>
+
+            <p className="text-muted-foreground mt-4">
+              <Trans>
+                To gain access to your account, please confirm your email address by clicking on the
+                confirmation link from your inbox.
+              </Trans>
+            </p>
+
+            <div className="mt-4 flex items-center gap-x-2">
+              <Button asChild>
+                <Link to={`/o/${orgUrl}/signin`} replace>
+                  <Trans>Return</Trans>
+                </Link>
+              </Button>
+            </div>
+          </div>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="w-screen max-w-lg px-4">
+      <div className="border-border dark:bg-background z-10 rounded-xl border bg-neutral-100 p-6">
+        <h1 className="text-2xl font-semibold">
+          <Trans>Welcome to {organisationName}</Trans>
+        </h1>
+
+        <p className="text-muted-foreground mt-2 text-sm">
+          <Trans>Sign in to your account</Trans>
+        </p>
+
+        <hr className="-mx-6 my-4" />
+
+        <div className="mb-4 flex items-center gap-x-2">
+          <Checkbox
+            id={`flag-3rd-party-service`}
+            checked={isConfirmationChecked}
+            onCheckedChange={(checked) =>
+              setIsConfirmationChecked(checked === 'indeterminate' ? false : checked)
+            }
+          />
+
+          <label
+            className="text-muted-foreground ml-2 flex flex-row items-center text-sm"
+            htmlFor={`flag-3rd-party-service`}
+          >
+            <Trans>
+              I understand that I am providing my credentials to a 3rd party service configured by
+              this organisation
+            </Trans>
+          </label>
+        </div>
+
+        <Button
+          type="button"
+          size="lg"
+          variant="outline"
+          className="bg-background w-full"
+          loading={isSubmitting}
+          disabled={!isConfirmationChecked}
+          onClick={onSignInWithOIDCClick}
+        >
+          <Trans>Sign In</Trans>
+        </Button>
+
+        <div className="relative mt-2 flex items-center justify-center gap-x-4 py-2 text-xs uppercase">
+          <div className="bg-border h-px flex-1" />
+          <span className="text-muted-foreground bg-transparent">
+            <Trans>OR</Trans>
+          </span>
+          <div className="bg-border h-px flex-1" />
+        </div>
+
+        <div className="text-muted-foreground mt-1 flex items-center justify-center text-xs">
+          <Link to="/signin">
+            <Trans>Return to Documenso sign in page here</Trans>
+          </Link>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/remix/app/routes/_unauthenticated+/organisation.sso.confirmation.$token.tsx b/apps/remix/app/routes/_unauthenticated+/organisation.sso.confirmation.$token.tsx
new file mode 100644
index 000000000..ac6869c89
--- /dev/null
+++ b/apps/remix/app/routes/_unauthenticated+/organisation.sso.confirmation.$token.tsx
@@ -0,0 +1,333 @@
+import { useState } from 'react';
+
+import { msg } from '@lingui/core/macro';
+import { Trans } from '@lingui/react/macro';
+import { AlertTriangle, Building2, Database, Eye, Settings, UserCircle2 } from 'lucide-react';
+import { data, isRouteErrorResponse } from 'react-router';
+import { useNavigate } from 'react-router';
+import { match } from 'ts-pattern';
+
+import { ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER } from '@documenso/lib/constants/organisations';
+import { ZOrganisationAccountLinkMetadataSchema } from '@documenso/lib/types/organisation';
+import { formatAvatarUrl } from '@documenso/lib/utils/avatars';
+import { formatOrganisationLoginPath } from '@documenso/lib/utils/organisation-authentication-portal';
+import { extractInitials } from '@documenso/lib/utils/recipient-formatter';
+import { prisma } from '@documenso/prisma';
+import { trpc } from '@documenso/trpc/react';
+import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
+import { AvatarWithText } from '@documenso/ui/primitives/avatar';
+import { Badge } from '@documenso/ui/primitives/badge';
+import { Button } from '@documenso/ui/primitives/button';
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardFooter,
+  CardHeader,
+  CardTitle,
+} from '@documenso/ui/primitives/card';
+import { Checkbox } from '@documenso/ui/primitives/checkbox';
+import { Separator } from '@documenso/ui/primitives/separator';
+import { useToast } from '@documenso/ui/primitives/use-toast';
+
+import { GenericErrorLayout, defaultErrorCodeMap } from '~/components/general/generic-error-layout';
+
+import type { Route } from './+types/organisation.sso.confirmation.$token';
+
+export function ErrorBoundary({ error }: Route.ErrorBoundaryProps) {
+  const errorCode = isRouteErrorResponse(error) ? error.data.type : 500;
+
+  const errorMap = match(errorCode)
+    .with('invalid-token', () => ({
+      subHeading: msg`400 Error`,
+      heading: msg`Invalid Token`,
+      message: msg`The token is invalid or has expired.`,
+    }))
+    .otherwise(() => defaultErrorCodeMap[500]);
+
+  return (
+    <GenericErrorLayout errorCode={500} errorCodeMap={{ 500: errorMap }} secondaryButton={null} />
+  );
+}
+
+export async function loader({ params }: Route.LoaderArgs) {
+  const { token } = params;
+
+  if (!token) {
+    throw data({
+      type: 'invalid-token',
+    });
+  }
+
+  const verificationToken = await prisma.verificationToken.findFirst({
+    where: {
+      token,
+      identifier: ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+    },
+    include: {
+      user: {
+        select: {
+          name: true,
+          email: true,
+          avatarImageId: true,
+        },
+      },
+    },
+  });
+
+  if (!verificationToken || verificationToken.expires < new Date()) {
+    throw data({
+      type: 'invalid-token',
+    });
+  }
+
+  const metadata = ZOrganisationAccountLinkMetadataSchema.safeParse(verificationToken.metadata);
+
+  if (!metadata.success) {
+    throw data({
+      type: 'invalid-token',
+    });
+  }
+
+  const organisation = await prisma.organisation.findFirst({
+    where: {
+      id: metadata.data.organisationId,
+    },
+    select: {
+      name: true,
+      url: true,
+      avatarImageId: true,
+    },
+  });
+
+  if (!organisation) {
+    throw data({
+      type: 'invalid-token',
+    });
+  }
+
+  return {
+    token,
+    type: metadata.data.type,
+    user: {
+      name: verificationToken.user.name,
+      email: verificationToken.user.email,
+      avatar: verificationToken.user.avatarImageId,
+    },
+    organisation: {
+      name: organisation.name,
+      url: organisation.url,
+      avatar: organisation.avatarImageId,
+    },
+  } as const;
+}
+
+export default function OrganisationSsoConfirmationTokenPage({ loaderData }: Route.ComponentProps) {
+  const { token, type, user, organisation } = loaderData;
+
+  const { toast } = useToast();
+  const navigate = useNavigate();
+
+  const [isConfirmationChecked, setIsConfirmationChecked] = useState(false);
+
+  const { mutate: declineLinkOrganisationAccount, isPending: isDeclining } =
+    trpc.enterprise.organisation.authenticationPortal.declineLinkAccount.useMutation({
+      onSuccess: async () => {
+        await navigate('/');
+
+        toast({
+          title: 'Account link declined',
+        });
+      },
+      onError: (error) => {
+        toast({
+          title: 'Error declining account link',
+          description: error.message,
+        });
+      },
+    });
+
+  const { mutate: linkOrganisationAccount, isPending: isLinking } =
+    trpc.enterprise.organisation.authenticationPortal.linkAccount.useMutation({
+      onSuccess: async () => {
+        await navigate(formatOrganisationLoginPath(organisation.url));
+
+        toast({
+          title: 'Account linked successfully',
+        });
+      },
+      onError: (error) => {
+        toast({
+          title: 'Error linking account',
+          description: error.message,
+        });
+      },
+    });
+
+  return (
+    <div>
+      <Card className="w-full max-w-2xl border">
+        <CardHeader>
+          <CardTitle>
+            {type === 'link' ? (
+              <Trans>Account Linking Request</Trans>
+            ) : (
+              <Trans>Account Creation Request</Trans>
+            )}
+          </CardTitle>
+          <CardDescription>
+            {type === 'link' ? (
+              <Trans>
+                An organisation wants to link your account. Please review the details below.
+              </Trans>
+            ) : (
+              <Trans>
+                An organisation wants to create an account for you. Please review the details below.
+              </Trans>
+            )}
+          </CardDescription>
+        </CardHeader>
+
+        <CardContent className="space-y-6">
+          {/* Current User Section */}
+          <div className="space-y-3">
+            <h3 className="text-muted-foreground flex items-center gap-2 font-semibold">
+              <UserCircle2 className="h-4 w-4" />
+              <Trans>Your Account</Trans>
+            </h3>
+            <div className="bg-muted/50 flex items-center justify-between gap-3 rounded-lg p-3">
+              <AvatarWithText
+                avatarSrc={formatAvatarUrl(user.avatar)}
+                avatarFallback={extractInitials(user.name || user.email)}
+                primaryText={user.name}
+                secondaryText={user.email}
+              />
+
+              <Badge variant="secondary">
+                <Trans>Account</Trans>
+              </Badge>
+            </div>
+          </div>
+
+          <Separator />
+
+          {/* Organisation Section */}
+          <div className="space-y-3">
+            <h3 className="text-muted-foreground flex items-center gap-2 font-semibold">
+              <Building2 className="h-4 w-4" />
+              <Trans>Requesting Organisation</Trans>
+            </h3>
+            <div className="bg-muted/50 flex items-center justify-between gap-3 rounded-lg p-3">
+              <AvatarWithText
+                avatarSrc={formatAvatarUrl(organisation.avatar)}
+                avatarFallback={extractInitials(organisation.name)}
+                primaryText={organisation.name}
+                secondaryText={`/o/${organisation.url}`}
+              />
+
+              <Badge variant="secondary">
+                <Trans>Organisation</Trans>
+              </Badge>
+            </div>
+          </div>
+
+          <Separator />
+
+          {/* Warnings Section */}
+          <div className="space-y-3">
+            <h3 className="text-muted-foreground flex items-center gap-2 font-semibold">
+              <AlertTriangle className="h-4 w-4" />
+              <Trans>Important: What This Means</Trans>
+            </h3>
+            <div className="space-y-3 rounded-lg border p-4">
+              <p className="text-sm font-medium">
+                <Trans>
+                  By accepting this request, you grant {organisation.name} the following
+                  permissions:
+                </Trans>
+              </p>
+              <ul className="space-y-2 text-sm">
+                <li className="flex items-start gap-2">
+                  <Eye className="mt-0.5 h-4 w-4 flex-shrink-0" />
+                  <span>
+                    <Trans>
+                      <span className="text-muted-foreground font-semibold">
+                        Full account access:
+                      </span>{' '}
+                      View all your profile information, settings, and activity
+                    </Trans>
+                  </span>
+                </li>
+                <li className="flex items-start gap-2">
+                  <Settings className="mt-0.5 h-4 w-4 flex-shrink-0" />
+                  <span>
+                    <Trans>
+                      <span className="text-muted-foreground font-semibold">
+                        Account management:
+                      </span>{' '}
+                      Modify your account settings, permissions, and preferences
+                    </Trans>
+                  </span>
+                </li>
+                <li className="flex items-start gap-2">
+                  <Database className="mt-0.5 h-4 w-4 flex-shrink-0" />
+                  <span>
+                    <Trans>
+                      <span className="text-muted-foreground font-semibold">Data access:</span>{' '}
+                      Access all data associated with your account
+                    </Trans>
+                  </span>
+                </li>
+              </ul>
+
+              <Alert variant="warning" className="mt-3">
+                <AlertDescription>
+                  <Trans>
+                    This organisation will have administrative control over your account. You can
+                    revoke this access later, but they will retain access to any data they've
+                    already collected.
+                  </Trans>
+                </AlertDescription>
+              </Alert>
+            </div>
+          </div>
+
+          <div className="mb-4 flex items-center gap-x-2">
+            <Checkbox
+              id={`accept-conditions`}
+              checked={isConfirmationChecked}
+              onCheckedChange={(checked) =>
+                setIsConfirmationChecked(checked === 'indeterminate' ? false : checked)
+              }
+            />
+
+            <label
+              className="text-muted-foreground ml-2 flex flex-row items-center text-sm"
+              htmlFor={`accept-conditions`}
+            >
+              <Trans>I agree to link my account with this organization</Trans>
+            </label>
+          </div>
+        </CardContent>
+
+        <CardFooter className="flex justify-end gap-3">
+          <Button
+            variant="outline"
+            disabled={isDeclining || isLinking}
+            onClick={() => declineLinkOrganisationAccount({ token })}
+          >
+            <Trans>Decline</Trans>
+          </Button>
+
+          <Button
+            disabled={!isConfirmationChecked || isDeclining || isLinking}
+            loading={isLinking}
+            onClick={() => linkOrganisationAccount({ token })}
+          >
+            <Trans>Accept & Link Account</Trans>
+          </Button>
+        </CardFooter>
+      </Card>
+    </div>
+  );
+}
diff --git a/apps/remix/public/static/building-2.png b/apps/remix/public/static/building-2.png
new file mode 100644
index 000000000..f9c7266e6
Binary files /dev/null and b/apps/remix/public/static/building-2.png differ
diff --git a/packages/auth/client/index.ts b/packages/auth/client/index.ts
index e99573af6..5acf23c4c 100644
--- a/packages/auth/client/index.ts
+++ b/packages/auth/client/index.ts
@@ -7,6 +7,7 @@ import { AppError } from '@documenso/lib/errors/app-error';
 
 import type { AuthAppType } from '../server';
 import type { SessionValidationResult } from '../server/lib/session/session';
+import type { PartialAccount } from '../server/lib/utils/get-accounts';
 import type { ActiveSession } from '../server/lib/utils/get-session';
 import { handleSignInRedirect } from '../server/lib/utils/redirect';
 import type {
@@ -96,6 +97,25 @@ export class AuthClient {
     }
   }
 
+  public account = {
+    getMany: async () => {
+      const response = await this.client['accounts'].$get();
+
+      await this.handleError(response);
+
+      const result = await response.json();
+
+      return superjson.deserialize<{ accounts: PartialAccount[] }>(result);
+    },
+    delete: async (accountId: string) => {
+      const response = await this.client['account'][':accountId'].$delete({
+        param: { accountId },
+      });
+
+      await this.handleError(response);
+    },
+  };
+
   public emailPassword = {
     signIn: async (data: Omit<TEmailPasswordSignin, 'csrfToken'> & { csrfToken?: string }) => {
       let csrfToken = data.csrfToken;
@@ -214,6 +234,22 @@ export class AuthClient {
         window.location.href = data.redirectUrl;
       }
     },
+    org: {
+      signIn: async ({ orgUrl }: { orgUrl: string }) => {
+        const response = await this.client['oauth'].authorize.oidc.org[':orgUrl'].$post({
+          param: { orgUrl },
+        });
+
+        await this.handleError(response);
+
+        const data = await response.json();
+
+        // Redirect to external OIDC provider URL.
+        if (data.redirectUrl) {
+          window.location.href = data.redirectUrl;
+        }
+      },
+    },
   };
 }
 
diff --git a/packages/auth/server/index.ts b/packages/auth/server/index.ts
index 5f85d5b2a..1bdc40ee3 100644
--- a/packages/auth/server/index.ts
+++ b/packages/auth/server/index.ts
@@ -7,6 +7,7 @@ import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { extractRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 
 import { setCsrfCookie } from './lib/session/session-cookies';
+import { accountRoute } from './routes/account';
 import { callbackRoute } from './routes/callback';
 import { emailPasswordRoute } from './routes/email-password';
 import { oauthRoute } from './routes/oauth';
@@ -43,6 +44,7 @@ export const auth = new Hono<HonoAuthContext>()
   })
   .route('/', sessionRoute)
   .route('/', signOutRoute)
+  .route('/', accountRoute)
   .route('/callback', callbackRoute)
   .route('/oauth', oauthRoute)
   .route('/email-password', emailPasswordRoute)
diff --git a/packages/auth/server/lib/utils/delete-account-provider.ts b/packages/auth/server/lib/utils/delete-account-provider.ts
new file mode 100644
index 000000000..c1aebb2b6
--- /dev/null
+++ b/packages/auth/server/lib/utils/delete-account-provider.ts
@@ -0,0 +1,37 @@
+import { UserSecurityAuditLogType } from '@prisma/client';
+import type { Context } from 'hono';
+
+import { ORGANISATION_USER_ACCOUNT_TYPE } from '@documenso/lib/constants/organisations';
+import { prisma } from '@documenso/prisma';
+
+import { getSession } from './get-session';
+
+export const deleteAccountProvider = async (c: Context, accountId: string): Promise<void> => {
+  const { user } = await getSession(c);
+
+  const requestMeta = c.get('requestMetadata');
+
+  await prisma.$transaction(async (tx) => {
+    const deletedAccountProvider = await tx.account.delete({
+      where: {
+        id: accountId,
+        userId: user.id,
+      },
+      select: {
+        type: true,
+      },
+    });
+
+    await tx.userSecurityAuditLog.create({
+      data: {
+        userId: user.id,
+        ipAddress: requestMeta.ipAddress,
+        userAgent: requestMeta.userAgent,
+        type:
+          deletedAccountProvider.type === ORGANISATION_USER_ACCOUNT_TYPE
+            ? UserSecurityAuditLogType.ORGANISATION_SSO_UNLINK
+            : UserSecurityAuditLogType.ACCOUNT_SSO_UNLINK,
+      },
+    });
+  });
+};
diff --git a/packages/auth/server/lib/utils/get-accounts.ts b/packages/auth/server/lib/utils/get-accounts.ts
new file mode 100644
index 000000000..072196ac6
--- /dev/null
+++ b/packages/auth/server/lib/utils/get-accounts.ts
@@ -0,0 +1,32 @@
+import type { Context } from 'hono';
+
+import { prisma } from '@documenso/prisma';
+
+import { getSession } from './get-session';
+
+export type PartialAccount = {
+  id: string;
+  userId: number;
+  type: string;
+  provider: string;
+  providerAccountId: string;
+  createdAt: Date;
+};
+
+export const getAccounts = async (c: Context | Request): Promise<PartialAccount[]> => {
+  const { user } = await getSession(c);
+
+  return await prisma.account.findMany({
+    where: {
+      userId: user.id,
+    },
+    select: {
+      id: true,
+      userId: true,
+      type: true,
+      provider: true,
+      providerAccountId: true,
+      createdAt: true,
+    },
+  });
+};
diff --git a/packages/auth/server/lib/utils/handle-oauth-callback-url.ts b/packages/auth/server/lib/utils/handle-oauth-callback-url.ts
index 15fc1f7fa..34a3aa4fe 100644
--- a/packages/auth/server/lib/utils/handle-oauth-callback-url.ts
+++ b/packages/auth/server/lib/utils/handle-oauth-callback-url.ts
@@ -20,70 +20,10 @@ type HandleOAuthCallbackUrlOptions = {
 export const handleOAuthCallbackUrl = async (options: HandleOAuthCallbackUrlOptions) => {
   const { c, clientOptions } = options;
 
-  if (!clientOptions.clientId || !clientOptions.clientSecret) {
-    throw new AppError(AppErrorCode.NOT_SETUP);
-  }
-
-  const { token_endpoint } = await getOpenIdConfiguration(clientOptions.wellKnownUrl, {
-    requiredScopes: clientOptions.scope,
-  });
-
-  const oAuthClient = new OAuth2Client(
-    clientOptions.clientId,
-    clientOptions.clientSecret,
-    clientOptions.redirectUrl,
-  );
-
   const requestMeta = c.get('requestMetadata');
 
-  const code = c.req.query('code');
-  const state = c.req.query('state');
-
-  const storedState = deleteCookie(c, `${clientOptions.id}_oauth_state`);
-  const storedCodeVerifier = deleteCookie(c, `${clientOptions.id}_code_verifier`);
-  const storedRedirectPath = deleteCookie(c, `${clientOptions.id}_redirect_path`) ?? '';
-
-  if (!code || !storedState || state !== storedState || !storedCodeVerifier) {
-    throw new AppError(AppErrorCode.INVALID_REQUEST, {
-      message: 'Invalid or missing state',
-    });
-  }
-
-  // eslint-disable-next-line prefer-const
-  let [redirectState, redirectPath] = storedRedirectPath.split(' ');
-
-  if (redirectState !== storedState || !redirectPath) {
-    redirectPath = '/';
-  }
-
-  const tokens = await oAuthClient.validateAuthorizationCode(
-    token_endpoint,
-    code,
-    storedCodeVerifier,
-  );
-
-  const accessToken = tokens.accessToken();
-  const accessTokenExpiresAt = tokens.accessTokenExpiresAt();
-  const idToken = tokens.idToken();
-
-  // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
-  const claims = decodeIdToken(tokens.idToken()) as Record<string, unknown>;
-
-  const email = claims.email;
-  const name = claims.name;
-  const sub = claims.sub;
-
-  if (typeof email !== 'string' || typeof name !== 'string' || typeof sub !== 'string') {
-    throw new AppError(AuthenticationErrorCode.InvalidRequest, {
-      message: 'Invalid claims',
-    });
-  }
-
-  if (claims.email_verified !== true && !clientOptions.bypassEmailVerification) {
-    throw new AppError(AuthenticationErrorCode.UnverifiedEmail, {
-      message: 'Account email is not verified',
-    });
-  }
+  const { email, name, sub, accessToken, accessTokenExpiresAt, idToken, redirectPath } =
+    await validateOauth({ c, clientOptions });
 
   // Find the account if possible.
   const existingAccount = await prisma.account.findFirst({
@@ -199,3 +139,92 @@ export const handleOAuthCallbackUrl = async (options: HandleOAuthCallbackUrlOpti
 
   return c.redirect(redirectPath, 302);
 };
+
+export const validateOauth = async (options: HandleOAuthCallbackUrlOptions) => {
+  const { c, clientOptions } = options;
+
+  if (!clientOptions.clientId || !clientOptions.clientSecret) {
+    throw new AppError(AppErrorCode.NOT_SETUP);
+  }
+
+  const { token_endpoint } = await getOpenIdConfiguration(clientOptions.wellKnownUrl, {
+    requiredScopes: clientOptions.scope,
+  });
+
+  const oAuthClient = new OAuth2Client(
+    clientOptions.clientId,
+    clientOptions.clientSecret,
+    clientOptions.redirectUrl,
+  );
+
+  const code = c.req.query('code');
+  const state = c.req.query('state');
+
+  const storedState = deleteCookie(c, `${clientOptions.id}_oauth_state`);
+  const storedCodeVerifier = deleteCookie(c, `${clientOptions.id}_code_verifier`);
+  const storedRedirectPath = deleteCookie(c, `${clientOptions.id}_redirect_path`) ?? '';
+
+  if (!code || !storedState || state !== storedState || !storedCodeVerifier) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Invalid or missing state',
+    });
+  }
+
+  // eslint-disable-next-line prefer-const
+  let [redirectState, redirectPath] = storedRedirectPath.split(' ');
+
+  if (redirectState !== storedState || !redirectPath) {
+    redirectPath = '/';
+  }
+
+  const tokens = await oAuthClient.validateAuthorizationCode(
+    token_endpoint,
+    code,
+    storedCodeVerifier,
+  );
+
+  const accessToken = tokens.accessToken();
+  const accessTokenExpiresAt = tokens.accessTokenExpiresAt();
+  const idToken = tokens.idToken();
+
+  // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+  const claims = decodeIdToken(tokens.idToken()) as Record<string, unknown>;
+
+  const email = claims.email;
+  const name = claims.name;
+  const sub = claims.sub;
+
+  if (typeof email !== 'string') {
+    throw new AppError(AuthenticationErrorCode.InvalidRequest, {
+      message: 'Missing email',
+    });
+  }
+
+  if (typeof name !== 'string') {
+    throw new AppError(AuthenticationErrorCode.InvalidRequest, {
+      message: 'Missing name',
+    });
+  }
+
+  if (typeof sub !== 'string') {
+    throw new AppError(AuthenticationErrorCode.InvalidRequest, {
+      message: 'Missing sub claim',
+    });
+  }
+
+  if (claims.email_verified !== true && !clientOptions.bypassEmailVerification) {
+    throw new AppError(AuthenticationErrorCode.UnverifiedEmail, {
+      message: 'Account email is not verified',
+    });
+  }
+
+  return {
+    email,
+    name,
+    sub,
+    accessToken,
+    accessTokenExpiresAt,
+    idToken,
+    redirectPath,
+  };
+};
diff --git a/packages/auth/server/lib/utils/handle-oauth-organisation-callback-url.ts b/packages/auth/server/lib/utils/handle-oauth-organisation-callback-url.ts
new file mode 100644
index 000000000..d8cae91f0
--- /dev/null
+++ b/packages/auth/server/lib/utils/handle-oauth-organisation-callback-url.ts
@@ -0,0 +1,99 @@
+import type { Context } from 'hono';
+
+import { sendOrganisationAccountLinkConfirmationEmail } from '@documenso/ee/server-only/lib/send-organisation-account-link-confirmation-email';
+import { AppError } from '@documenso/lib/errors/app-error';
+import { onCreateUserHook } from '@documenso/lib/server-only/user/create-user';
+import { formatOrganisationLoginUrl } from '@documenso/lib/utils/organisation-authentication-portal';
+import { prisma } from '@documenso/prisma';
+
+import { AuthenticationErrorCode } from '../errors/error-codes';
+import { onAuthorize } from './authorizer';
+import { validateOauth } from './handle-oauth-callback-url';
+import { getOrganisationAuthenticationPortalOptions } from './organisation-portal';
+
+type HandleOAuthOrganisationCallbackUrlOptions = {
+  c: Context;
+  orgUrl: string;
+};
+
+export const handleOAuthOrganisationCallbackUrl = async (
+  options: HandleOAuthOrganisationCallbackUrlOptions,
+) => {
+  const { c, orgUrl } = options;
+
+  const { organisation, clientOptions } = await getOrganisationAuthenticationPortalOptions({
+    type: 'url',
+    organisationUrl: orgUrl,
+  });
+
+  const { email, name, sub, accessToken, accessTokenExpiresAt, idToken } = await validateOauth({
+    c,
+    clientOptions: {
+      ...clientOptions,
+      bypassEmailVerification: true, // Bypass for organisation OIDC because we manually verify the email.
+    },
+  });
+
+  const allowedDomains = organisation.organisationAuthenticationPortal.allowedDomains;
+
+  if (allowedDomains.length > 0 && !allowedDomains.some((domain) => email.endsWith(`@${domain}`))) {
+    throw new AppError(AuthenticationErrorCode.InvalidRequest, {
+      message: 'Email domain not allowed',
+    });
+  }
+
+  // Find the account if possible.
+  const existingAccount = await prisma.account.findFirst({
+    where: {
+      provider: clientOptions.id,
+      providerAccountId: sub,
+    },
+    include: {
+      user: true,
+    },
+  });
+
+  // Directly log in user if account already exists.
+  if (existingAccount) {
+    await onAuthorize({ userId: existingAccount.user.id }, c);
+
+    return c.redirect(`/o/${orgUrl}`, 302);
+  }
+
+  let userToLink = await prisma.user.findFirst({
+    where: {
+      email,
+    },
+  });
+
+  // Handle new user.
+  if (!userToLink) {
+    userToLink = await prisma.user.create({
+      data: {
+        email: email,
+        name: name,
+        emailVerified: null, // Do not verify email.
+      },
+    });
+
+    await onCreateUserHook(userToLink).catch((err) => {
+      // Todo: (RR7) Add logging.
+      console.error(err);
+    });
+  }
+
+  await sendOrganisationAccountLinkConfirmationEmail({
+    type: userToLink.emailVerified ? 'link' : 'create',
+    userId: userToLink.id,
+    organisationId: organisation.id,
+    organisationName: organisation.name,
+    oauthConfig: {
+      accessToken,
+      idToken,
+      providerAccountId: sub,
+      expiresAt: Math.floor(accessTokenExpiresAt.getTime() / 1000),
+    },
+  });
+
+  return c.redirect(`${formatOrganisationLoginUrl(orgUrl)}?action=verification-required`, 302);
+};
diff --git a/packages/auth/server/lib/utils/organisation-portal.ts b/packages/auth/server/lib/utils/organisation-portal.ts
new file mode 100644
index 000000000..a00c1d507
--- /dev/null
+++ b/packages/auth/server/lib/utils/organisation-portal.ts
@@ -0,0 +1,94 @@
+import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import { DOCUMENSO_ENCRYPTION_KEY } from '@documenso/lib/constants/crypto';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { symmetricDecrypt } from '@documenso/lib/universal/crypto';
+import { formatOrganisationCallbackUrl } from '@documenso/lib/utils/organisation-authentication-portal';
+import { prisma } from '@documenso/prisma';
+
+type GetOrganisationAuthenticationPortalOptions =
+  | {
+      type: 'url';
+      organisationUrl: string;
+    }
+  | {
+      type: 'id';
+      organisationId: string;
+    };
+
+export const getOrganisationAuthenticationPortalOptions = async (
+  options: GetOrganisationAuthenticationPortalOptions,
+) => {
+  const organisation = await prisma.organisation.findFirst({
+    where:
+      options.type === 'url'
+        ? {
+            url: options.organisationUrl,
+          }
+        : {
+            id: options.organisationId,
+          },
+    include: {
+      organisationClaim: true,
+      organisationAuthenticationPortal: true,
+      groups: true,
+    },
+  });
+
+  if (!organisation) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Organisation not found',
+    });
+  }
+
+  if (!IS_BILLING_ENABLED()) {
+    throw new AppError(AppErrorCode.NOT_SETUP, {
+      message: 'Billing is not enabled',
+    });
+  }
+
+  if (
+    !organisation.organisationClaim.flags.authenticationPortal ||
+    !organisation.organisationAuthenticationPortal.enabled
+  ) {
+    throw new AppError(AppErrorCode.NOT_SETUP, {
+      message: 'Authentication portal is not enabled for this organisation',
+    });
+  }
+
+  const {
+    clientId,
+    clientSecret: encryptedClientSecret,
+    wellKnownUrl,
+  } = organisation.organisationAuthenticationPortal;
+
+  if (!clientId || !encryptedClientSecret || !wellKnownUrl) {
+    throw new AppError(AppErrorCode.NOT_SETUP, {
+      message: 'Authentication portal is not configured for this organisation',
+    });
+  }
+
+  if (!DOCUMENSO_ENCRYPTION_KEY) {
+    throw new AppError(AppErrorCode.NOT_SETUP, {
+      message: 'Encryption key is not set',
+    });
+  }
+
+  const clientSecret = Buffer.from(
+    symmetricDecrypt({ key: DOCUMENSO_ENCRYPTION_KEY, data: encryptedClientSecret }),
+  ).toString('utf-8');
+
+  return {
+    organisation,
+    clientId,
+    clientSecret,
+    wellKnownUrl,
+    clientOptions: {
+      id: organisation.id,
+      scope: ['openid', 'email', 'profile'],
+      clientId,
+      clientSecret,
+      redirectUrl: formatOrganisationCallbackUrl(organisation.url),
+      wellKnownUrl,
+    },
+  };
+};
diff --git a/packages/auth/server/routes/account.ts b/packages/auth/server/routes/account.ts
new file mode 100644
index 000000000..049c9c069
--- /dev/null
+++ b/packages/auth/server/routes/account.ts
@@ -0,0 +1,25 @@
+import { Hono } from 'hono';
+import superjson from 'superjson';
+
+import { deleteAccountProvider } from '../lib/utils/delete-account-provider';
+import { getAccounts } from '../lib/utils/get-accounts';
+
+export const accountRoute = new Hono()
+  /**
+   * Get all linked accounts.
+   */
+  .get('/accounts', async (c) => {
+    const accounts = await getAccounts(c);
+
+    return c.json(superjson.serialize({ accounts }));
+  })
+  /**
+   * Delete an account linking method.
+   */
+  .delete('/account/:accountId', async (c) => {
+    const accountId = c.req.param('accountId');
+
+    await deleteAccountProvider(c, accountId);
+
+    return c.json({ success: true });
+  });
diff --git a/packages/auth/server/routes/callback.ts b/packages/auth/server/routes/callback.ts
index 809f96f5a..d19309796 100644
--- a/packages/auth/server/routes/callback.ts
+++ b/packages/auth/server/routes/callback.ts
@@ -1,7 +1,10 @@
 import { Hono } from 'hono';
 
+import { AppError } from '@documenso/lib/errors/app-error';
+
 import { GoogleAuthOptions, OidcAuthOptions } from '../config';
 import { handleOAuthCallbackUrl } from '../lib/utils/handle-oauth-callback-url';
+import { handleOAuthOrganisationCallbackUrl } from '../lib/utils/handle-oauth-organisation-callback-url';
 import type { HonoAuthContext } from '../types/context';
 
 /**
@@ -14,6 +17,31 @@ export const callbackRoute = new Hono<HonoAuthContext>()
    */
   .get('/oidc', async (c) => handleOAuthCallbackUrl({ c, clientOptions: OidcAuthOptions }))
 
+  /**
+   * Organisation OIDC callback verification.
+   */
+  .get('/oidc/org/:orgUrl', async (c) => {
+    const orgUrl = c.req.param('orgUrl');
+
+    try {
+      return await handleOAuthOrganisationCallbackUrl({
+        c,
+        orgUrl,
+      });
+    } catch (err) {
+      console.error(err);
+
+      if (err instanceof Error) {
+        throw new AppError(err.name, {
+          message: err.message,
+          statusCode: 500,
+        });
+      }
+
+      throw err;
+    }
+  })
+
   /**
    * Google callback verification.
    */
diff --git a/packages/auth/server/routes/email-password.ts b/packages/auth/server/routes/email-password.ts
index 2353cfd41..b43d9f9a5 100644
--- a/packages/auth/server/routes/email-password.ts
+++ b/packages/auth/server/routes/email-password.ts
@@ -16,7 +16,7 @@ import { validateTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/
 import { viewBackupCodes } from '@documenso/lib/server-only/2fa/view-backup-codes';
 import { createUser } from '@documenso/lib/server-only/user/create-user';
 import { forgotPassword } from '@documenso/lib/server-only/user/forgot-password';
-import { getMostRecentVerificationTokenByUserId } from '@documenso/lib/server-only/user/get-most-recent-verification-token-by-user-id';
+import { getMostRecentEmailVerificationToken } from '@documenso/lib/server-only/user/get-most-recent-email-verification-token';
 import { resetPassword } from '@documenso/lib/server-only/user/reset-password';
 import { updatePassword } from '@documenso/lib/server-only/user/update-password';
 import { verifyEmail } from '@documenso/lib/server-only/user/verify-email';
@@ -105,7 +105,7 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
     }
 
     if (!user.emailVerified) {
-      const mostRecentToken = await getMostRecentVerificationTokenByUserId({
+      const mostRecentToken = await getMostRecentEmailVerificationToken({
         userId: user.id,
       });
 
diff --git a/packages/auth/server/routes/oauth.ts b/packages/auth/server/routes/oauth.ts
index 0eed4fba1..4a8346ba9 100644
--- a/packages/auth/server/routes/oauth.ts
+++ b/packages/auth/server/routes/oauth.ts
@@ -4,6 +4,7 @@ import { z } from 'zod';
 
 import { GoogleAuthOptions, OidcAuthOptions } from '../config';
 import { handleOAuthAuthorizeUrl } from '../lib/utils/handle-oauth-authorize-url';
+import { getOrganisationAuthenticationPortalOptions } from '../lib/utils/organisation-portal';
 import type { HonoAuthContext } from '../types/context';
 
 const ZOAuthAuthorizeSchema = z.object({
@@ -34,4 +35,20 @@ export const oauthRoute = new Hono<HonoAuthContext>()
       clientOptions: OidcAuthOptions,
       redirectPath,
     });
+  })
+  /**
+   * Organisation OIDC authorize endpoint.
+   */
+  .post('/authorize/oidc/org/:orgUrl', async (c) => {
+    const orgUrl = c.req.param('orgUrl');
+
+    const { clientOptions } = await getOrganisationAuthenticationPortalOptions({
+      type: 'url',
+      organisationUrl: orgUrl,
+    });
+
+    return await handleOAuthAuthorizeUrl({
+      c,
+      clientOptions,
+    });
   });
diff --git a/packages/ee/server-only/lib/link-organisation-account.ts b/packages/ee/server-only/lib/link-organisation-account.ts
new file mode 100644
index 000000000..29e296a0c
--- /dev/null
+++ b/packages/ee/server-only/lib/link-organisation-account.ts
@@ -0,0 +1,163 @@
+import { UserSecurityAuditLogType } from '@prisma/client';
+
+import { getOrganisationAuthenticationPortalOptions } from '@documenso/auth/server/lib/utils/organisation-portal';
+import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import {
+  ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+  ORGANISATION_USER_ACCOUNT_TYPE,
+} from '@documenso/lib/constants/organisations';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { addUserToOrganisation } from '@documenso/lib/server-only/organisation/accept-organisation-invitation';
+import { ZOrganisationAccountLinkMetadataSchema } from '@documenso/lib/types/organisation';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { prisma } from '@documenso/prisma';
+
+export interface LinkOrganisationAccountOptions {
+  token: string;
+  requestMeta: RequestMetadata;
+}
+
+export const linkOrganisationAccount = async ({
+  token,
+  requestMeta,
+}: LinkOrganisationAccountOptions) => {
+  if (!IS_BILLING_ENABLED()) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Billing is not enabled',
+    });
+  }
+
+  // Delete the token since it contains unnecessary sensitive data.
+  const verificationToken = await prisma.verificationToken.delete({
+    where: {
+      token,
+      identifier: ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+    },
+    include: {
+      user: {
+        select: {
+          id: true,
+          emailVerified: true,
+          accounts: {
+            select: {
+              provider: true,
+              providerAccountId: true,
+            },
+          },
+        },
+      },
+    },
+  });
+
+  if (!verificationToken) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Verification token not found, used or expired',
+    });
+  }
+
+  if (verificationToken.completed) {
+    throw new AppError('ALREADY_USED');
+  }
+
+  if (verificationToken.expires < new Date()) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Verification token not found, used or expired',
+    });
+  }
+
+  const tokenMetadata = ZOrganisationAccountLinkMetadataSchema.safeParse(
+    verificationToken.metadata,
+  );
+
+  if (!tokenMetadata.success) {
+    console.error('Invalid token metadata', tokenMetadata.error);
+
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Verification token not found, used or expired',
+    });
+  }
+
+  const user = verificationToken.user;
+
+  const { clientOptions, organisation } = await getOrganisationAuthenticationPortalOptions({
+    type: 'id',
+    organisationId: tokenMetadata.data.organisationId,
+  });
+
+  const organisationMember = await prisma.organisationMember.findFirst({
+    where: {
+      userId: user.id,
+      organisationId: tokenMetadata.data.organisationId,
+    },
+  });
+
+  const oauthConfig = tokenMetadata.data.oauthConfig;
+
+  const userAlreadyLinked = user.accounts.find(
+    (account) =>
+      account.provider === clientOptions.id &&
+      account.providerAccountId === oauthConfig.providerAccountId,
+  );
+
+  if (organisationMember && userAlreadyLinked) {
+    return;
+  }
+
+  await prisma.$transaction(
+    async (tx) => {
+      // Link the user if not linked yet.
+      if (!userAlreadyLinked) {
+        await tx.account.create({
+          data: {
+            type: ORGANISATION_USER_ACCOUNT_TYPE,
+            provider: clientOptions.id,
+            providerAccountId: oauthConfig.providerAccountId,
+            access_token: oauthConfig.accessToken,
+            expires_at: oauthConfig.expiresAt,
+            token_type: 'Bearer',
+            id_token: oauthConfig.idToken,
+            userId: user.id,
+          },
+        });
+
+        // Log link event.
+        await tx.userSecurityAuditLog.create({
+          data: {
+            userId: user.id,
+            ipAddress: requestMeta.ipAddress,
+            userAgent: requestMeta.userAgent,
+            type: UserSecurityAuditLogType.ORGANISATION_SSO_LINK,
+          },
+        });
+
+        // If account already exists in an unverified state, remove the password to ensure
+        // they cannot sign in using that method since we cannot confirm the password
+        // was set by the user.
+        if (!user.emailVerified) {
+          await tx.user.update({
+            where: {
+              id: user.id,
+            },
+            data: {
+              emailVerified: new Date(),
+              password: null,
+              // Todo: (RR7) Will need to update the "password" account after the migration.
+            },
+          });
+        }
+      }
+
+      // Only add the user to the organisation if they are not already a member.
+      if (!organisationMember) {
+        await addUserToOrganisation({
+          userId: user.id,
+          organisationId: tokenMetadata.data.organisationId,
+          organisationGroups: organisation.groups,
+          organisationMemberRole:
+            organisation.organisationAuthenticationPortal.defaultOrganisationRole,
+        });
+      }
+    },
+    { timeout: 30_000 },
+  );
+};
diff --git a/packages/ee/server-only/lib/send-organisation-account-link-confirmation-email.ts b/packages/ee/server-only/lib/send-organisation-account-link-confirmation-email.ts
new file mode 100644
index 000000000..bbc262075
--- /dev/null
+++ b/packages/ee/server-only/lib/send-organisation-account-link-confirmation-email.ts
@@ -0,0 +1,119 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/core/macro';
+import crypto from 'crypto';
+import { DateTime } from 'luxon';
+
+import { mailer } from '@documenso/email/mailer';
+import { OrganisationAccountLinkConfirmationTemplate } from '@documenso/email/templates/organisation-account-link-confirmation';
+import { getI18nInstance } from '@documenso/lib/client-only/providers/i18n-server';
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { DOCUMENSO_INTERNAL_EMAIL } from '@documenso/lib/constants/email';
+import { ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER } from '@documenso/lib/constants/organisations';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { getEmailContext } from '@documenso/lib/server-only/email/get-email-context';
+import type { TOrganisationAccountLinkMetadata } from '@documenso/lib/types/organisation';
+import { renderEmailWithI18N } from '@documenso/lib/utils/render-email-with-i18n';
+import { prisma } from '@documenso/prisma';
+
+export type SendOrganisationAccountLinkConfirmationEmailProps = TOrganisationAccountLinkMetadata & {
+  organisationName: string;
+};
+
+export const sendOrganisationAccountLinkConfirmationEmail = async ({
+  type,
+  userId,
+  organisationId,
+  organisationName,
+  oauthConfig,
+}: SendOrganisationAccountLinkConfirmationEmailProps) => {
+  const user = await prisma.user.findFirst({
+    where: {
+      id: userId,
+    },
+    include: {
+      verificationTokens: {
+        where: {
+          identifier: ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+        },
+        orderBy: {
+          createdAt: 'desc',
+        },
+        take: 1,
+      },
+    },
+  });
+
+  if (!user) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'User not found',
+    });
+  }
+
+  const [previousVerificationToken] = user.verificationTokens;
+
+  // If we've sent a token in the last 5 minutes, don't send another one
+  if (
+    previousVerificationToken?.createdAt &&
+    DateTime.fromJSDate(previousVerificationToken.createdAt).diffNow('minutes').minutes > -5
+  ) {
+    return;
+  }
+
+  const token = crypto.randomBytes(20).toString('hex');
+
+  const createdToken = await prisma.verificationToken.create({
+    data: {
+      identifier: ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+      token,
+      expires: DateTime.now().plus({ minutes: 30 }).toJSDate(),
+      metadata: {
+        type,
+        userId,
+        organisationId,
+        oauthConfig,
+      } satisfies TOrganisationAccountLinkMetadata,
+      userId,
+    },
+  });
+
+  const { emailLanguage } = await getEmailContext({
+    emailType: 'INTERNAL',
+    source: {
+      type: 'organisation',
+      organisationId,
+    },
+    meta: null,
+  });
+
+  const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+  const confirmationLink = `${assetBaseUrl}/organisation/sso/confirmation/${createdToken.token}`;
+
+  const confirmationTemplate = createElement(OrganisationAccountLinkConfirmationTemplate, {
+    type,
+    assetBaseUrl,
+    confirmationLink,
+    organisationName,
+  });
+
+  const [html, text] = await Promise.all([
+    renderEmailWithI18N(confirmationTemplate, { lang: emailLanguage }),
+    renderEmailWithI18N(confirmationTemplate, { lang: emailLanguage, plainText: true }),
+  ]);
+
+  const i18n = await getI18nInstance(emailLanguage);
+
+  return mailer.sendMail({
+    to: {
+      address: user.email,
+      name: user.name || '',
+    },
+    from: DOCUMENSO_INTERNAL_EMAIL,
+    subject:
+      type === 'create'
+        ? i18n._(msg`Account creation request`)
+        : i18n._(msg`Account linking request`),
+    html,
+    text,
+  });
+};
diff --git a/packages/email/static/building-2.png b/packages/email/static/building-2.png
new file mode 100644
index 000000000..f9c7266e6
Binary files /dev/null and b/packages/email/static/building-2.png differ
diff --git a/packages/email/templates/organisation-account-link-confirmation.tsx b/packages/email/templates/organisation-account-link-confirmation.tsx
new file mode 100644
index 000000000..7b275dfb6
--- /dev/null
+++ b/packages/email/templates/organisation-account-link-confirmation.tsx
@@ -0,0 +1,145 @@
+import { msg } from '@lingui/core/macro';
+import { useLingui } from '@lingui/react';
+import { Trans } from '@lingui/react/macro';
+
+import {
+  Body,
+  Button,
+  Container,
+  Head,
+  Hr,
+  Html,
+  Img,
+  Preview,
+  Section,
+  Text,
+} from '../components';
+import { useBranding } from '../providers/branding';
+import { TemplateFooter } from '../template-components/template-footer';
+import TemplateImage from '../template-components/template-image';
+
+type OrganisationAccountLinkConfirmationTemplateProps = {
+  type: 'create' | 'link';
+  confirmationLink: string;
+  organisationName: string;
+  assetBaseUrl: string;
+};
+
+export const OrganisationAccountLinkConfirmationTemplate = ({
+  type = 'link',
+  confirmationLink = '<CONFIRMATION_LINK>',
+  organisationName = '<ORGANISATION_NAME>',
+  assetBaseUrl = 'http://localhost:3002',
+}: OrganisationAccountLinkConfirmationTemplateProps) => {
+  const { _ } = useLingui();
+  const branding = useBranding();
+
+  const previewText =
+    type === 'create'
+      ? msg`A request has been made to create an account for you`
+      : msg`A request has been made to link your Documenso account`;
+
+  return (
+    <Html>
+      <Head />
+      <Preview>{_(previewText)}</Preview>
+      <Body className="mx-auto my-auto font-sans">
+        <Section className="bg-white">
+          <Container className="mx-auto mb-2 mt-8 max-w-xl rounded-lg border border-solid border-slate-200 px-2 pt-2 backdrop-blur-sm">
+            {branding.brandingEnabled && branding.brandingLogo ? (
+              <Img src={branding.brandingLogo} alt="Branding Logo" className="mb-4 h-6 p-2" />
+            ) : (
+              <TemplateImage
+                assetBaseUrl={assetBaseUrl}
+                className="mb-4 h-6 p-2"
+                staticAsset="logo.png"
+              />
+            )}
+
+            <Section>
+              <TemplateImage
+                className="mx-auto h-12 w-12"
+                assetBaseUrl={assetBaseUrl}
+                staticAsset="building-2.png"
+              />
+            </Section>
+
+            <Section className="p-2 text-slate-500">
+              <Text className="text-center text-lg font-medium text-black">
+                {type === 'create' ? (
+                  <Trans>Account creation request</Trans>
+                ) : (
+                  <Trans>Link your Documenso account</Trans>
+                )}
+              </Text>
+
+              <Text className="text-center text-base">
+                {type === 'create' ? (
+                  <Trans>
+                    <span className="font-bold">{organisationName}</span> has requested to create an
+                    account on your behalf.
+                  </Trans>
+                ) : (
+                  <Trans>
+                    <span className="font-bold">{organisationName}</span> has requested to link your
+                    current Documenso account to their organisation.
+                  </Trans>
+                )}
+              </Text>
+
+              {/* Placeholder text if we want to have the warning in the email as well. */}
+              {/* <Section className="mt-6">
+                <Text className="my-0 text-sm">
+                  <Trans>
+                    By accepting this request, you will be granting{' '}
+                    <strong>{organisationName}</strong> full access to:
+                  </Trans>
+                </Text>
+
+                <ul className="mb-0 mt-2">
+                  <li className="text-sm">
+                    <Trans>Your account, and everything associated with it</Trans>
+                  </li>
+                  <li className="mt-1 text-sm">
+                    <Trans>Something something something</Trans>
+                  </li>
+                  <li className="mt-1 text-sm">
+                    <Trans>Something something something</Trans>
+                  </li>
+                </ul>
+
+                <Text className="mt-2 text-sm">
+                  <Trans>
+                    You can unlink your account at any time in your security settings on Documenso{' '}
+                    <Link href={`${assetBaseUrl}/settings/security/linked-accounts`}>here.</Link>
+                  </Trans>
+                </Text>
+              </Section> */}
+
+              <Section className="mb-6 mt-8 text-center">
+                <Button
+                  className="bg-documenso-500 inline-flex items-center justify-center rounded-lg px-6 py-3 text-center text-sm font-medium text-black no-underline"
+                  href={confirmationLink}
+                >
+                  <Trans>Review request</Trans>
+                </Button>
+              </Section>
+            </Section>
+
+            <Text className="text-center text-xs text-slate-500">
+              <Trans>Link expires in 30 minutes.</Trans>
+            </Text>
+          </Container>
+
+          <Hr className="mx-auto mt-12 max-w-xl" />
+
+          <Container className="mx-auto max-w-xl">
+            <TemplateFooter isDocument={false} />
+          </Container>
+        </Section>
+      </Body>
+    </Html>
+  );
+};
+
+export default OrganisationAccountLinkConfirmationTemplate;
diff --git a/packages/lib/constants/auth.ts b/packages/lib/constants/auth.ts
index 38e1c3998..4f78f78b0 100644
--- a/packages/lib/constants/auth.ts
+++ b/packages/lib/constants/auth.ts
@@ -23,6 +23,9 @@ export const OIDC_PROVIDER_LABEL = env('NEXT_PRIVATE_OIDC_PROVIDER_LABEL');
 
 export const USER_SECURITY_AUDIT_LOG_MAP: Record<string, string> = {
   ACCOUNT_SSO_LINK: 'Linked account to SSO',
+  ACCOUNT_SSO_UNLINK: 'Unlinked account from SSO',
+  ORGANISATION_SSO_LINK: 'Linked account to organisation',
+  ORGANISATION_SSO_UNLINK: 'Unlinked account from organisation',
   ACCOUNT_PROFILE_UPDATE: 'Profile updated',
   AUTH_2FA_DISABLE: '2FA Disabled',
   AUTH_2FA_ENABLE: '2FA Enabled',
diff --git a/packages/lib/constants/email.ts b/packages/lib/constants/email.ts
index 3eb597ce1..1d6a7dc07 100644
--- a/packages/lib/constants/email.ts
+++ b/packages/lib/constants/email.ts
@@ -16,3 +16,5 @@ export const EMAIL_VERIFICATION_STATE = {
   EXPIRED: 'EXPIRED',
   ALREADY_VERIFIED: 'ALREADY_VERIFIED',
 } as const;
+
+export const USER_SIGNUP_VERIFICATION_TOKEN_IDENTIFIER = 'confirmation-email';
diff --git a/packages/lib/constants/organisations.ts b/packages/lib/constants/organisations.ts
index cd5bdb43b..0c758ba97 100644
--- a/packages/lib/constants/organisations.ts
+++ b/packages/lib/constants/organisations.ts
@@ -126,3 +126,7 @@ export const PROTECTED_ORGANISATION_URLS = [
 export const isOrganisationUrlProtected = (url: string) => {
   return PROTECTED_ORGANISATION_URLS.some((protectedUrl) => url.startsWith(`/${protectedUrl}`));
 };
+
+export const ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER = 'organisation-account-link';
+
+export const ORGANISATION_USER_ACCOUNT_TYPE = 'org-oidc';
diff --git a/packages/lib/server-only/auth/send-confirmation-email.ts b/packages/lib/server-only/auth/send-confirmation-email.ts
index 5e91f4b4c..55dfd2f10 100644
--- a/packages/lib/server-only/auth/send-confirmation-email.ts
+++ b/packages/lib/server-only/auth/send-confirmation-email.ts
@@ -8,7 +8,10 @@ import { prisma } from '@documenso/prisma';
 
 import { getI18nInstance } from '../../client-only/providers/i18n-server';
 import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
-import { env } from '../../utils/env';
+import {
+  DOCUMENSO_INTERNAL_EMAIL,
+  USER_SIGNUP_VERIFICATION_TOKEN_IDENTIFIER,
+} from '../../constants/email';
 import { renderEmailWithI18N } from '../../utils/render-email-with-i18n';
 
 export interface SendConfirmationEmailProps {
@@ -16,15 +19,15 @@ export interface SendConfirmationEmailProps {
 }
 
 export const sendConfirmationEmail = async ({ userId }: SendConfirmationEmailProps) => {
-  const NEXT_PRIVATE_SMTP_FROM_NAME = env('NEXT_PRIVATE_SMTP_FROM_NAME');
-  const NEXT_PRIVATE_SMTP_FROM_ADDRESS = env('NEXT_PRIVATE_SMTP_FROM_ADDRESS');
-
   const user = await prisma.user.findFirstOrThrow({
     where: {
       id: userId,
     },
     include: {
       verificationTokens: {
+        where: {
+          identifier: USER_SIGNUP_VERIFICATION_TOKEN_IDENTIFIER,
+        },
         orderBy: {
           createdAt: 'desc',
         },
@@ -41,8 +44,6 @@ export const sendConfirmationEmail = async ({ userId }: SendConfirmationEmailPro
 
   const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
   const confirmationLink = `${assetBaseUrl}/verify-email/${verificationToken.token}`;
-  const senderName = NEXT_PRIVATE_SMTP_FROM_NAME || 'Documenso';
-  const senderAddress = NEXT_PRIVATE_SMTP_FROM_ADDRESS || 'noreply@documenso.com';
 
   const confirmationTemplate = createElement(ConfirmEmailTemplate, {
     assetBaseUrl,
@@ -61,10 +62,7 @@ export const sendConfirmationEmail = async ({ userId }: SendConfirmationEmailPro
       address: user.email,
       name: user.name || '',
     },
-    from: {
-      name: senderName,
-      address: senderAddress,
-    },
+    from: DOCUMENSO_INTERNAL_EMAIL,
     subject: i18n._(msg`Please confirm your email`),
     html,
     text,
diff --git a/packages/lib/server-only/organisation/accept-organisation-invitation.ts b/packages/lib/server-only/organisation/accept-organisation-invitation.ts
index 653731470..26133ba89 100644
--- a/packages/lib/server-only/organisation/accept-organisation-invitation.ts
+++ b/packages/lib/server-only/organisation/accept-organisation-invitation.ts
@@ -1,3 +1,4 @@
+import type { OrganisationGroup, OrganisationMemberRole } from '@prisma/client';
 import { OrganisationGroupType, OrganisationMemberInviteStatus } from '@prisma/client';
 
 import { prisma } from '@documenso/prisma';
@@ -23,11 +24,7 @@ export const acceptOrganisationInvitation = async ({
     include: {
       organisation: {
         include: {
-          groups: {
-            include: {
-              teamGroups: true,
-            },
-          },
+          groups: true,
         },
       },
     },
@@ -45,6 +42,9 @@ export const acceptOrganisationInvitation = async ({
     where: {
       email: organisationMemberInvite.email,
     },
+    select: {
+      id: true,
+    },
   });
 
   if (!user) {
@@ -55,10 +55,49 @@ export const acceptOrganisationInvitation = async ({
 
   const { organisation } = organisationMemberInvite;
 
-  const organisationGroupToUse = organisation.groups.find(
+  const isUserPartOfOrganisation = await prisma.organisationMember.findFirst({
+    where: {
+      userId: user.id,
+      organisationId: organisation.id,
+    },
+  });
+
+  if (isUserPartOfOrganisation) {
+    return;
+  }
+
+  await addUserToOrganisation({
+    userId: user.id,
+    organisationId: organisation.id,
+    organisationGroups: organisation.groups,
+    organisationMemberRole: organisationMemberInvite.organisationRole,
+  });
+
+  await prisma.organisationMemberInvite.update({
+    where: {
+      id: organisationMemberInvite.id,
+    },
+    data: {
+      status: OrganisationMemberInviteStatus.ACCEPTED,
+    },
+  });
+};
+
+export const addUserToOrganisation = async ({
+  userId,
+  organisationId,
+  organisationGroups,
+  organisationMemberRole,
+}: {
+  userId: number;
+  organisationId: string;
+  organisationGroups: OrganisationGroup[];
+  organisationMemberRole: OrganisationMemberRole;
+}) => {
+  const organisationGroupToUse = organisationGroups.find(
     (group) =>
       group.type === OrganisationGroupType.INTERNAL_ORGANISATION &&
-      group.organisationRole === organisationMemberInvite.organisationRole,
+      group.organisationRole === organisationMemberRole,
   );
 
   if (!organisationGroupToUse) {
@@ -72,8 +111,8 @@ export const acceptOrganisationInvitation = async ({
       await tx.organisationMember.create({
         data: {
           id: generateDatabaseId('member'),
-          userId: user.id,
-          organisationId: organisation.id,
+          userId,
+          organisationId,
           organisationGroupMembers: {
             create: {
               id: generateDatabaseId('group_member'),
@@ -83,20 +122,11 @@ export const acceptOrganisationInvitation = async ({
         },
       });
 
-      await tx.organisationMemberInvite.update({
-        where: {
-          id: organisationMemberInvite.id,
-        },
-        data: {
-          status: OrganisationMemberInviteStatus.ACCEPTED,
-        },
-      });
-
       await jobs.triggerJob({
         name: 'send.organisation-member-joined.email',
         payload: {
-          organisationId: organisation.id,
-          memberUserId: user.id,
+          organisationId,
+          memberUserId: userId,
         },
       });
     },
diff --git a/packages/lib/server-only/organisation/create-organisation.ts b/packages/lib/server-only/organisation/create-organisation.ts
index 32f6510d9..3cdcbafe4 100644
--- a/packages/lib/server-only/organisation/create-organisation.ts
+++ b/packages/lib/server-only/organisation/create-organisation.ts
@@ -75,6 +75,16 @@ export const createOrganisation = async ({
       },
     });
 
+    const organisationAuthenticationPortal = await tx.organisationAuthenticationPortal.create({
+      data: {
+        id: generateDatabaseId('org_sso'),
+        enabled: false,
+        clientId: '',
+        clientSecret: '',
+        wellKnownUrl: '',
+      },
+    });
+
     const orgIdAndUrl = prefixedId('org');
 
     const organisation = await tx.organisation
@@ -87,6 +97,7 @@ export const createOrganisation = async ({
           ownerUserId: userId,
           organisationGlobalSettingsId: organisationSetting.id,
           organisationClaimId: organisationClaim.id,
+          organisationAuthenticationPortalId: organisationAuthenticationPortal.id,
           groups: {
             create: ORGANISATION_INTERNAL_GROUPS.map((group) => ({
               ...group,
diff --git a/packages/lib/server-only/user/generate-confirmation-token.ts b/packages/lib/server-only/user/generate-confirmation-token.ts
deleted file mode 100644
index 5676890ec..000000000
--- a/packages/lib/server-only/user/generate-confirmation-token.ts
+++ /dev/null
@@ -1,41 +0,0 @@
-import crypto from 'crypto';
-
-import { prisma } from '@documenso/prisma';
-
-import { ONE_HOUR } from '../../constants/time';
-import { sendConfirmationEmail } from '../auth/send-confirmation-email';
-
-const IDENTIFIER = 'confirmation-email';
-
-export const generateConfirmationToken = async ({ email }: { email: string }) => {
-  const token = crypto.randomBytes(20).toString('hex');
-
-  const user = await prisma.user.findFirst({
-    where: {
-      email: email,
-    },
-  });
-
-  if (!user) {
-    throw new Error('User not found');
-  }
-
-  const createdToken = await prisma.verificationToken.create({
-    data: {
-      identifier: IDENTIFIER,
-      token: token,
-      expires: new Date(Date.now() + ONE_HOUR),
-      user: {
-        connect: {
-          id: user.id,
-        },
-      },
-    },
-  });
-
-  if (!createdToken) {
-    throw new Error(`Failed to create the verification token`);
-  }
-
-  return sendConfirmationEmail({ userId: user.id });
-};
diff --git a/packages/lib/server-only/user/get-most-recent-email-verification-token.ts b/packages/lib/server-only/user/get-most-recent-email-verification-token.ts
new file mode 100644
index 000000000..c43276a34
--- /dev/null
+++ b/packages/lib/server-only/user/get-most-recent-email-verification-token.ts
@@ -0,0 +1,21 @@
+import { prisma } from '@documenso/prisma';
+
+import { USER_SIGNUP_VERIFICATION_TOKEN_IDENTIFIER } from '../../constants/email';
+
+export type getMostRecentEmailVerificationTokenOptions = {
+  userId: number;
+};
+
+export const getMostRecentEmailVerificationToken = async ({
+  userId,
+}: getMostRecentEmailVerificationTokenOptions) => {
+  return await prisma.verificationToken.findFirst({
+    where: {
+      userId,
+      identifier: USER_SIGNUP_VERIFICATION_TOKEN_IDENTIFIER,
+    },
+    orderBy: {
+      createdAt: 'desc',
+    },
+  });
+};
diff --git a/packages/lib/server-only/user/get-most-recent-verification-token-by-user-id.ts b/packages/lib/server-only/user/get-most-recent-verification-token-by-user-id.ts
deleted file mode 100644
index d9adc4498..000000000
--- a/packages/lib/server-only/user/get-most-recent-verification-token-by-user-id.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-import { prisma } from '@documenso/prisma';
-
-export type GetMostRecentVerificationTokenByUserIdOptions = {
-  userId: number;
-};
-
-export const getMostRecentVerificationTokenByUserId = async ({
-  userId,
-}: GetMostRecentVerificationTokenByUserIdOptions) => {
-  return await prisma.verificationToken.findFirst({
-    where: {
-      userId,
-    },
-    orderBy: {
-      createdAt: 'desc',
-    },
-  });
-};
diff --git a/packages/lib/server-only/user/send-confirmation-token.ts b/packages/lib/server-only/user/send-confirmation-token.ts
index d2bc0a3aa..43e6887c9 100644
--- a/packages/lib/server-only/user/send-confirmation-token.ts
+++ b/packages/lib/server-only/user/send-confirmation-token.ts
@@ -3,11 +3,10 @@ import { DateTime } from 'luxon';
 
 import { prisma } from '@documenso/prisma';
 
+import { USER_SIGNUP_VERIFICATION_TOKEN_IDENTIFIER } from '../../constants/email';
 import { ONE_HOUR } from '../../constants/time';
 import { sendConfirmationEmail } from '../auth/send-confirmation-email';
-import { getMostRecentVerificationTokenByUserId } from './get-most-recent-verification-token-by-user-id';
-
-const IDENTIFIER = 'confirmation-email';
+import { getMostRecentEmailVerificationToken } from './get-most-recent-email-verification-token';
 
 type SendConfirmationTokenOptions = { email: string; force?: boolean };
 
@@ -31,7 +30,7 @@ export const sendConfirmationToken = async ({
     throw new Error('Email verified');
   }
 
-  const mostRecentToken = await getMostRecentVerificationTokenByUserId({ userId: user.id });
+  const mostRecentToken = await getMostRecentEmailVerificationToken({ userId: user.id });
 
   // If we've sent a token in the last 5 minutes, don't send another one
   if (
@@ -44,7 +43,7 @@ export const sendConfirmationToken = async ({
 
   const createdToken = await prisma.verificationToken.create({
     data: {
-      identifier: IDENTIFIER,
+      identifier: USER_SIGNUP_VERIFICATION_TOKEN_IDENTIFIER,
       token: token,
       expires: new Date(Date.now() + ONE_HOUR),
       user: {
diff --git a/packages/lib/server-only/user/verify-email.ts b/packages/lib/server-only/user/verify-email.ts
index 1b3a44e71..760cf29c9 100644
--- a/packages/lib/server-only/user/verify-email.ts
+++ b/packages/lib/server-only/user/verify-email.ts
@@ -2,7 +2,10 @@ import { DateTime } from 'luxon';
 
 import { prisma } from '@documenso/prisma';
 
-import { EMAIL_VERIFICATION_STATE } from '../../constants/email';
+import {
+  EMAIL_VERIFICATION_STATE,
+  USER_SIGNUP_VERIFICATION_TOKEN_IDENTIFIER,
+} from '../../constants/email';
 import { jobsClient } from '../../jobs/client';
 
 export type VerifyEmailProps = {
@@ -22,6 +25,7 @@ export const verifyEmail = async ({ token }: VerifyEmailProps) => {
     },
     where: {
       token,
+      identifier: USER_SIGNUP_VERIFICATION_TOKEN_IDENTIFIER,
     },
   });
 
diff --git a/packages/lib/types/organisation.ts b/packages/lib/types/organisation.ts
index 64f7306bf..28002dc86 100644
--- a/packages/lib/types/organisation.ts
+++ b/packages/lib/types/organisation.ts
@@ -1,4 +1,4 @@
-import type { z } from 'zod';
+import { z } from 'zod';
 
 import OrganisationClaimSchema from '@documenso/prisma/generated/zod/modelSchema/OrganisationClaimSchema';
 import { OrganisationSchema } from '@documenso/prisma/generated/zod/modelSchema/OrganisationSchema';
@@ -43,3 +43,19 @@ export const ZOrganisationLiteSchema = OrganisationSchema.pick({
  * A version of the organisation response schema when returning multiple organisations at once from a single API endpoint.
  */
 export const ZOrganisationManySchema = ZOrganisationLiteSchema;
+
+export const ZOrganisationAccountLinkMetadataSchema = z.object({
+  type: z.enum(['link', 'create']),
+  userId: z.number(),
+  organisationId: z.string(),
+  oauthConfig: z.object({
+    providerAccountId: z.string(),
+    accessToken: z.string(),
+    expiresAt: z.number(),
+    idToken: z.string(),
+  }),
+});
+
+export type TOrganisationAccountLinkMetadata = z.infer<
+  typeof ZOrganisationAccountLinkMetadataSchema
+>;
diff --git a/packages/lib/types/subscription.ts b/packages/lib/types/subscription.ts
index 0d17fea06..ea740b3e6 100644
--- a/packages/lib/types/subscription.ts
+++ b/packages/lib/types/subscription.ts
@@ -28,6 +28,8 @@ export const ZClaimFlagsSchema = z.object({
   embedSigningWhiteLabel: z.boolean().optional(),
 
   cfr21: z.boolean().optional(),
+
+  authenticationPortal: z.boolean().optional(),
 });
 
 export type TClaimFlags = z.infer<typeof ZClaimFlagsSchema>;
@@ -76,6 +78,10 @@ export const SUBSCRIPTION_CLAIM_FEATURE_FLAGS: Record<
     key: 'cfr21',
     label: '21 CFR',
   },
+  authenticationPortal: {
+    key: 'authenticationPortal',
+    label: 'Authentication portal',
+  },
 };
 
 export enum INTERNAL_CLAIM_ID {
@@ -157,6 +163,7 @@ export const internalClaims: InternalClaims = {
       embedSigning: true,
       embedSigningWhiteLabel: true,
       cfr21: true,
+      authenticationPortal: true,
     },
   },
   [INTERNAL_CLAIM_ID.EARLY_ADOPTER]: {
diff --git a/packages/lib/universal/id.ts b/packages/lib/universal/id.ts
index a6fb55ad5..d56d923fd 100644
--- a/packages/lib/universal/id.ts
+++ b/packages/lib/universal/id.ts
@@ -16,6 +16,7 @@ type DatabaseIdPrefix =
   | 'org_email'
   | 'org_claim'
   | 'org_group'
+  | 'org_sso'
   | 'org_setting'
   | 'member'
   | 'member_invite'
diff --git a/packages/lib/utils/organisation-authentication-portal.ts b/packages/lib/utils/organisation-authentication-portal.ts
new file mode 100644
index 000000000..69836b628
--- /dev/null
+++ b/packages/lib/utils/organisation-authentication-portal.ts
@@ -0,0 +1,13 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '../constants/app';
+
+export const formatOrganisationLoginUrl = (organisationUrl: string) => {
+  return NEXT_PUBLIC_WEBAPP_URL() + formatOrganisationLoginPath(organisationUrl);
+};
+
+export const formatOrganisationLoginPath = (organisationUrl: string) => {
+  return `/o/${organisationUrl}/signin`;
+};
+
+export const formatOrganisationCallbackUrl = (organisationUrl: string) => {
+  return `${NEXT_PUBLIC_WEBAPP_URL()}/api/auth/callback/oidc/org/${organisationUrl}`;
+};
diff --git a/packages/prisma/migrations/20250807011918_add_organisation_sso_portal/migration.sql b/packages/prisma/migrations/20250807011918_add_organisation_sso_portal/migration.sql
new file mode 100644
index 000000000..52c4bbd6f
--- /dev/null
+++ b/packages/prisma/migrations/20250807011918_add_organisation_sso_portal/migration.sql
@@ -0,0 +1,75 @@
+/*
+  Warnings:
+
+  - A unique constraint covering the columns `[organisationAuthenticationPortalId]` on the table `Organisation` will be added. If there are existing duplicate values, this will fail.
+  - Added the required column `organisationAuthenticationPortalId` to the `Organisation` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- AlterEnum
+-- This migration adds more than one value to an enum.
+-- With PostgreSQL versions 11 and earlier, this is not possible
+-- in a single migration. This can be worked around by creating
+-- multiple migrations, each migration adding only one value to
+-- the enum.
+
+
+ALTER TYPE "UserSecurityAuditLogType" ADD VALUE 'ACCOUNT_SSO_UNLINK';
+ALTER TYPE "UserSecurityAuditLogType" ADD VALUE 'ORGANISATION_SSO_LINK';
+ALTER TYPE "UserSecurityAuditLogType" ADD VALUE 'ORGANISATION_SSO_UNLINK';
+
+-- AlterTable
+ALTER TABLE "Account" ADD COLUMN     "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP;
+
+-- [CUSTOM_CHANGE] This is supposed to be NOT NULL but we reapply it at the end.
+ALTER TABLE "Organisation" ADD COLUMN     "organisationAuthenticationPortalId" TEXT;
+
+-- AlterTable
+ALTER TABLE "VerificationToken" ADD COLUMN     "metadata" JSONB;
+
+-- CreateTable
+CREATE TABLE "OrganisationAuthenticationPortal" (
+    "id" TEXT NOT NULL,
+    "enabled" BOOLEAN NOT NULL DEFAULT false,
+    "clientId" TEXT NOT NULL DEFAULT '',
+    "clientSecret" TEXT NOT NULL DEFAULT '',
+    "wellKnownUrl" TEXT NOT NULL DEFAULT '',
+    "defaultOrganisationRole" "OrganisationMemberRole" NOT NULL DEFAULT 'MEMBER',
+    "autoProvisionUsers" BOOLEAN NOT NULL DEFAULT true,
+    "allowedDomains" TEXT[] DEFAULT ARRAY[]::TEXT[],
+    "organisationId" TEXT, -- [CUSTOM_CHANGE] This is a temporary column for migration purposes.
+
+    CONSTRAINT "OrganisationAuthenticationPortal_pkey" PRIMARY KEY ("id")
+);
+
+-- [CUSTOM_CHANGE] Create default OrganisationAuthenticationPortal for all organisations
+INSERT INTO "OrganisationAuthenticationPortal" ("id", "enabled", "clientId", "clientSecret", "wellKnownUrl", "defaultOrganisationRole", "autoProvisionUsers", "allowedDomains", "organisationId")
+SELECT
+  generate_prefix_id('org_sso'),
+  false,
+  '',
+  '',
+  '',
+  'MEMBER',
+  true,
+  ARRAY[]::TEXT[],
+  o."id"
+FROM "Organisation" o
+WHERE o."organisationAuthenticationPortalId" IS NULL;
+
+-- [CUSTOM_CHANGE] Update organisations with their corresponding organisationAuthenticationPortalId
+UPDATE "Organisation" o
+SET "organisationAuthenticationPortalId" = oap."id"
+FROM "OrganisationAuthenticationPortal" oap
+WHERE oap."organisationId" = o."id" AND o."organisationAuthenticationPortalId" IS NULL;
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Organisation_organisationAuthenticationPortalId_key" ON "Organisation"("organisationAuthenticationPortalId");
+
+-- AddForeignKey
+ALTER TABLE "Organisation" ADD CONSTRAINT "Organisation_organisationAuthenticationPortalId_fkey" FOREIGN KEY ("organisationAuthenticationPortalId") REFERENCES "OrganisationAuthenticationPortal"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- [CUSTOM_CHANGE] Reapply NOT NULL constraint.
+ALTER TABLE "Organisation" ALTER COLUMN "organisationAuthenticationPortalId" SET NOT NULL;
+
+-- [CUSTOM_CHANGE] Drop temporary column.
+ALTER TABLE "OrganisationAuthenticationPortal" DROP COLUMN "organisationId";
\ No newline at end of file
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index 14eb7f626..8337ab754 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -90,6 +90,9 @@ model TeamProfile {
 enum UserSecurityAuditLogType {
   ACCOUNT_PROFILE_UPDATE
   ACCOUNT_SSO_LINK
+  ACCOUNT_SSO_UNLINK
+  ORGANISATION_SSO_LINK
+  ORGANISATION_SSO_UNLINK
   AUTH_2FA_DISABLE
   AUTH_2FA_ENABLE
   PASSKEY_CREATED
@@ -157,6 +160,7 @@ model VerificationToken {
   completed   Boolean  @default(false)
   expires     DateTime
   createdAt   DateTime @default(now())
+  metadata    Json?
   userId      Int
   user        User     @relation(fields: [userId], references: [id], onDelete: Cascade)
 }
@@ -277,13 +281,15 @@ model OrganisationClaim {
 }
 
 model Account {
-  id                String  @id @default(cuid())
+  id                String   @id @default(cuid())
+  // When this record was created, unrelated to anything passed back by the provider.
+  createdAt         DateTime @default(now())
   userId            Int
   type              String
   provider          String
   providerAccountId String
-  refresh_token     String? @db.Text
-  access_token      String? @db.Text
+  refresh_token     String?  @db.Text
+  access_token      String?  @db.Text
   expires_at        Int?
   // Some providers return created_at so we need to make it optional
   created_at        Int?
@@ -291,7 +297,7 @@ model Account {
   ext_expires_in    Int?
   token_type        String?
   scope             String?
-  id_token          String? @db.Text
+  id_token          String?  @db.Text
   session_state     String?
   password          String?
 
@@ -632,6 +638,9 @@ model Organisation {
 
   organisationGlobalSettingsId String                     @unique
   organisationGlobalSettings   OrganisationGlobalSettings @relation(fields: [organisationGlobalSettingsId], references: [id])
+
+  organisationAuthenticationPortalId String                           @unique
+  organisationAuthenticationPortal   OrganisationAuthenticationPortal @relation(fields: [organisationAuthenticationPortalId], references: [id])
 }
 
 model OrganisationMember {
@@ -1026,3 +1035,18 @@ model OrganisationEmail {
   organisationGlobalSettings OrganisationGlobalSettings[]
   teamGlobalSettings         TeamGlobalSettings[]
 }
+
+model OrganisationAuthenticationPortal {
+  id           String        @id
+  organisation Organisation?
+
+  enabled Boolean @default(false)
+
+  clientId     String @default("")
+  clientSecret String @default("")
+  wellKnownUrl String @default("")
+
+  defaultOrganisationRole OrganisationMemberRole @default(MEMBER)
+  autoProvisionUsers      Boolean                @default(true)
+  allowedDomains          String[]               @default([])
+}
diff --git a/packages/prisma/seed/organisations.ts b/packages/prisma/seed/organisations.ts
index 89ece9960..c2c3a6c7c 100644
--- a/packages/prisma/seed/organisations.ts
+++ b/packages/prisma/seed/organisations.ts
@@ -1,10 +1,8 @@
 import type { OrganisationMemberRole, OrganisationType } from '@prisma/client';
-import { OrganisationMemberInviteStatus, type User } from '@prisma/client';
-import { nanoid } from 'nanoid';
+import { OrganisationGroupType, type User } from '@prisma/client';
 
 import { hashSync } from '@documenso/lib/server-only/auth/hash';
-import { acceptOrganisationInvitation } from '@documenso/lib/server-only/organisation/accept-organisation-invitation';
-import { prefixedId } from '@documenso/lib/universal/id';
+import { addUserToOrganisation } from '@documenso/lib/server-only/organisation/accept-organisation-invitation';
 
 import { prisma } from '..';
 import { seedTestEmail } from './users';
@@ -27,6 +25,13 @@ export const seedOrganisationMembers = async ({
 
   const createdMembers: User[] = [];
 
+  const organisationGroups = await prisma.organisationGroup.findMany({
+    where: {
+      organisationId,
+      type: OrganisationGroupType.INTERNAL_ORGANISATION,
+    },
+  });
+
   for (const member of members) {
     const email = member.email ?? seedTestEmail();
 
@@ -53,33 +58,15 @@ export const seedOrganisationMembers = async ({
       email: newUser.email,
       organisationRole: member.organisationRole,
     });
+
+    await addUserToOrganisation({
+      userId: newUser.id,
+      organisationId,
+      organisationGroups,
+      organisationMemberRole: member.organisationRole,
+    });
   }
 
-  await prisma.organisationMemberInvite.createMany({
-    data: membersToInvite.map((invite) => ({
-      id: prefixedId('member_invite'),
-      email: invite.email,
-      organisationId,
-      organisationRole: invite.organisationRole,
-      token: nanoid(32),
-    })),
-  });
-
-  const invites = await prisma.organisationMemberInvite.findMany({
-    where: {
-      organisationId,
-      status: OrganisationMemberInviteStatus.PENDING,
-    },
-  });
-
-  await Promise.all(
-    invites.map(async (invite) => {
-      await acceptOrganisationInvitation({
-        token: invite.token,
-      });
-    }),
-  );
-
   return createdMembers;
 };
 
diff --git a/packages/trpc/server/enterprise-router/create-organisation-email-domain.types.ts b/packages/trpc/server/enterprise-router/create-organisation-email-domain.types.ts
index 3dcb3fc3b..cac774c63 100644
--- a/packages/trpc/server/enterprise-router/create-organisation-email-domain.types.ts
+++ b/packages/trpc/server/enterprise-router/create-organisation-email-domain.types.ts
@@ -2,7 +2,7 @@ import { z } from 'zod';
 
 import { ZEmailDomainSchema } from '@documenso/lib/types/email-domain';
 
-const domainRegex =
+export const domainRegex =
   /^(?!https?:\/\/)(?!www\.)([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$/;
 
 export const ZDomainSchema = z
diff --git a/packages/trpc/server/enterprise-router/decline-link-organisation-account.ts b/packages/trpc/server/enterprise-router/decline-link-organisation-account.ts
new file mode 100644
index 000000000..a8f4884c4
--- /dev/null
+++ b/packages/trpc/server/enterprise-router/decline-link-organisation-account.ts
@@ -0,0 +1,25 @@
+import { ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER } from '@documenso/lib/constants/organisations';
+import { prisma } from '@documenso/prisma';
+
+import { procedure } from '../trpc';
+import {
+  ZDeclineLinkOrganisationAccountRequestSchema,
+  ZDeclineLinkOrganisationAccountResponseSchema,
+} from './decline-link-organisation-account.types';
+
+/**
+ * Unauthenicated procedure, do not copy paste.
+ */
+export const declineLinkOrganisationAccountRoute = procedure
+  .input(ZDeclineLinkOrganisationAccountRequestSchema)
+  .output(ZDeclineLinkOrganisationAccountResponseSchema)
+  .mutation(async ({ input }) => {
+    const { token } = input;
+
+    await prisma.verificationToken.delete({
+      where: {
+        token,
+        identifier: ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+      },
+    });
+  });
diff --git a/packages/trpc/server/enterprise-router/decline-link-organisation-account.types.ts b/packages/trpc/server/enterprise-router/decline-link-organisation-account.types.ts
new file mode 100644
index 000000000..8ae08f615
--- /dev/null
+++ b/packages/trpc/server/enterprise-router/decline-link-organisation-account.types.ts
@@ -0,0 +1,11 @@
+import { z } from 'zod';
+
+export const ZDeclineLinkOrganisationAccountRequestSchema = z.object({
+  token: z.string(),
+});
+
+export const ZDeclineLinkOrganisationAccountResponseSchema = z.void();
+
+export type TDeclineLinkOrganisationAccountRequest = z.infer<
+  typeof ZDeclineLinkOrganisationAccountRequestSchema
+>;
diff --git a/packages/trpc/server/enterprise-router/get-organisation-authentication-portal.ts b/packages/trpc/server/enterprise-router/get-organisation-authentication-portal.ts
new file mode 100644
index 000000000..a57887a44
--- /dev/null
+++ b/packages/trpc/server/enterprise-router/get-organisation-authentication-portal.ts
@@ -0,0 +1,84 @@
+import { ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/organisations';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { buildOrganisationWhereQuery } from '@documenso/lib/utils/organisations';
+import { prisma } from '@documenso/prisma';
+
+import { authenticatedProcedure } from '../trpc';
+import {
+  ZGetOrganisationAuthenticationPortalRequestSchema,
+  ZGetOrganisationAuthenticationPortalResponseSchema,
+} from './get-organisation-authentication-portal.types';
+
+export const getOrganisationAuthenticationPortalRoute = authenticatedProcedure
+  .input(ZGetOrganisationAuthenticationPortalRequestSchema)
+  .output(ZGetOrganisationAuthenticationPortalResponseSchema)
+  .query(async ({ input, ctx }) => {
+    const { organisationId } = input;
+
+    ctx.logger.info({
+      input: {
+        organisationId,
+      },
+    });
+
+    return await getOrganisationAuthenticationPortal({
+      userId: ctx.user.id,
+      organisationId,
+    });
+  });
+
+type GetOrganisationAuthenticationPortalOptions = {
+  userId: number;
+  organisationId: string;
+};
+
+export const getOrganisationAuthenticationPortal = async ({
+  userId,
+  organisationId,
+}: GetOrganisationAuthenticationPortalOptions) => {
+  const organisation = await prisma.organisation.findFirst({
+    where: buildOrganisationWhereQuery({
+      organisationId,
+      userId,
+      roles: ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_ORGANISATION'],
+    }),
+    include: {
+      organisationClaim: true,
+      organisationAuthenticationPortal: {
+        select: {
+          defaultOrganisationRole: true,
+          enabled: true,
+          clientId: true,
+          wellKnownUrl: true,
+          autoProvisionUsers: true,
+          allowedDomains: true,
+          clientSecret: true,
+        },
+      },
+    },
+  });
+
+  if (!organisation) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Organisation not found',
+    });
+  }
+
+  if (!organisation.organisationClaim.flags.authenticationPortal) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Authentication portal not found',
+    });
+  }
+
+  const portal = organisation.organisationAuthenticationPortal;
+
+  return {
+    defaultOrganisationRole: portal.defaultOrganisationRole,
+    enabled: portal.enabled,
+    clientId: portal.clientId,
+    wellKnownUrl: portal.wellKnownUrl,
+    autoProvisionUsers: portal.autoProvisionUsers,
+    allowedDomains: portal.allowedDomains,
+    clientSecretProvided: Boolean(portal.clientSecret),
+  };
+};
diff --git a/packages/trpc/server/enterprise-router/get-organisation-authentication-portal.types.ts b/packages/trpc/server/enterprise-router/get-organisation-authentication-portal.types.ts
new file mode 100644
index 000000000..b4565ca0d
--- /dev/null
+++ b/packages/trpc/server/enterprise-router/get-organisation-authentication-portal.types.ts
@@ -0,0 +1,28 @@
+import { z } from 'zod';
+
+import { OrganisationAuthenticationPortalSchema } from '@documenso/prisma/generated/zod/modelSchema/OrganisationAuthenticationPortalSchema';
+
+export const ZGetOrganisationAuthenticationPortalRequestSchema = z.object({
+  organisationId: z.string(),
+});
+
+export const ZGetOrganisationAuthenticationPortalResponseSchema =
+  OrganisationAuthenticationPortalSchema.pick({
+    defaultOrganisationRole: true,
+    enabled: true,
+    clientId: true,
+    wellKnownUrl: true,
+    autoProvisionUsers: true,
+    allowedDomains: true,
+  }).extend({
+    /**
+     * Whether we have the client secret in the database.
+     *
+     * Do not expose the actual client secret.
+     */
+    clientSecretProvided: z.boolean(),
+  });
+
+export type TGetOrganisationAuthenticationPortalResponse = z.infer<
+  typeof ZGetOrganisationAuthenticationPortalResponseSchema
+>;
diff --git a/packages/trpc/server/enterprise-router/link-organisation-account.ts b/packages/trpc/server/enterprise-router/link-organisation-account.ts
new file mode 100644
index 000000000..84619859f
--- /dev/null
+++ b/packages/trpc/server/enterprise-router/link-organisation-account.ts
@@ -0,0 +1,22 @@
+import { linkOrganisationAccount } from '@documenso/ee/server-only/lib/link-organisation-account';
+
+import { procedure } from '../trpc';
+import {
+  ZLinkOrganisationAccountRequestSchema,
+  ZLinkOrganisationAccountResponseSchema,
+} from './link-organisation-account.types';
+
+/**
+ * Unauthenicated procedure, do not copy paste.
+ */
+export const linkOrganisationAccountRoute = procedure
+  .input(ZLinkOrganisationAccountRequestSchema)
+  .output(ZLinkOrganisationAccountResponseSchema)
+  .mutation(async ({ input, ctx }) => {
+    const { token } = input;
+
+    await linkOrganisationAccount({
+      token,
+      requestMeta: ctx.metadata.requestMetadata,
+    });
+  });
diff --git a/packages/trpc/server/enterprise-router/link-organisation-account.types.ts b/packages/trpc/server/enterprise-router/link-organisation-account.types.ts
new file mode 100644
index 000000000..d39e99144
--- /dev/null
+++ b/packages/trpc/server/enterprise-router/link-organisation-account.types.ts
@@ -0,0 +1,9 @@
+import { z } from 'zod';
+
+export const ZLinkOrganisationAccountRequestSchema = z.object({
+  token: z.string(),
+});
+
+export const ZLinkOrganisationAccountResponseSchema = z.void();
+
+export type TLinkOrganisationAccountRequest = z.infer<typeof ZLinkOrganisationAccountRequestSchema>;
diff --git a/packages/trpc/server/enterprise-router/router.ts b/packages/trpc/server/enterprise-router/router.ts
index 3fcac5708..85b1c7b5e 100644
--- a/packages/trpc/server/enterprise-router/router.ts
+++ b/packages/trpc/server/enterprise-router/router.ts
@@ -2,15 +2,19 @@ import { router } from '../trpc';
 import { createOrganisationEmailRoute } from './create-organisation-email';
 import { createOrganisationEmailDomainRoute } from './create-organisation-email-domain';
 import { createSubscriptionRoute } from './create-subscription';
+import { declineLinkOrganisationAccountRoute } from './decline-link-organisation-account';
 import { deleteOrganisationEmailRoute } from './delete-organisation-email';
 import { deleteOrganisationEmailDomainRoute } from './delete-organisation-email-domain';
 import { findOrganisationEmailDomainsRoute } from './find-organisation-email-domain';
 import { findOrganisationEmailsRoute } from './find-organisation-emails';
 import { getInvoicesRoute } from './get-invoices';
+import { getOrganisationAuthenticationPortalRoute } from './get-organisation-authentication-portal';
 import { getOrganisationEmailDomainRoute } from './get-organisation-email-domain';
 import { getPlansRoute } from './get-plans';
 import { getSubscriptionRoute } from './get-subscription';
+import { linkOrganisationAccountRoute } from './link-organisation-account';
 import { manageSubscriptionRoute } from './manage-subscription';
+import { updateOrganisationAuthenticationPortalRoute } from './update-organisation-authentication-portal';
 import { updateOrganisationEmailRoute } from './update-organisation-email';
 import { verifyOrganisationEmailDomainRoute } from './verify-organisation-email-domain';
 
@@ -29,6 +33,12 @@ export const enterpriseRouter = router({
       delete: deleteOrganisationEmailDomainRoute,
       verify: verifyOrganisationEmailDomainRoute,
     },
+    authenticationPortal: {
+      get: getOrganisationAuthenticationPortalRoute,
+      update: updateOrganisationAuthenticationPortalRoute,
+      linkAccount: linkOrganisationAccountRoute,
+      declineLinkAccount: declineLinkOrganisationAccountRoute,
+    },
   },
   billing: {
     plans: {
diff --git a/packages/trpc/server/enterprise-router/update-organisation-authentication-portal.ts b/packages/trpc/server/enterprise-router/update-organisation-authentication-portal.ts
new file mode 100644
index 000000000..8d8842c37
--- /dev/null
+++ b/packages/trpc/server/enterprise-router/update-organisation-authentication-portal.ts
@@ -0,0 +1,109 @@
+import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import { DOCUMENSO_ENCRYPTION_KEY } from '@documenso/lib/constants/crypto';
+import { ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/organisations';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { symmetricEncrypt } from '@documenso/lib/universal/crypto';
+import { buildOrganisationWhereQuery } from '@documenso/lib/utils/organisations';
+import { prisma } from '@documenso/prisma';
+
+import { authenticatedProcedure } from '../trpc';
+import {
+  ZUpdateOrganisationAuthenticationPortalRequestSchema,
+  ZUpdateOrganisationAuthenticationPortalResponseSchema,
+} from './update-organisation-authentication-portal.types';
+
+export const updateOrganisationAuthenticationPortalRoute = authenticatedProcedure
+  .input(ZUpdateOrganisationAuthenticationPortalRequestSchema)
+  .output(ZUpdateOrganisationAuthenticationPortalResponseSchema)
+  .mutation(async ({ input, ctx }) => {
+    const { organisationId, data } = input;
+    const { user } = ctx;
+
+    ctx.logger.info({
+      input: {
+        organisationId,
+      },
+    });
+
+    if (!IS_BILLING_ENABLED()) {
+      throw new AppError(AppErrorCode.INVALID_REQUEST, {
+        message: 'Billing is not enabled',
+      });
+    }
+
+    const organisation = await prisma.organisation.findFirst({
+      where: buildOrganisationWhereQuery({
+        organisationId,
+        userId: user.id,
+        roles: ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_ORGANISATION'],
+      }),
+      include: {
+        organisationAuthenticationPortal: true,
+        organisationClaim: true,
+      },
+    });
+
+    if (!organisation) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED);
+    }
+
+    if (!organisation.organisationClaim.flags.authenticationPortal) {
+      throw new AppError(AppErrorCode.INVALID_REQUEST, {
+        message: 'Authentication portal is not allowed for this organisation',
+      });
+    }
+
+    const {
+      defaultOrganisationRole,
+      enabled,
+      clientId,
+      clientSecret,
+      wellKnownUrl,
+      autoProvisionUsers,
+      allowedDomains,
+    } = data;
+
+    if (
+      enabled &&
+      (!wellKnownUrl ||
+        !clientId ||
+        (!clientSecret && !organisation.organisationAuthenticationPortal.clientSecret))
+    ) {
+      throw new AppError(AppErrorCode.INVALID_BODY, {
+        message:
+          'Client ID, client secret, and well known URL are required when authentication portal is enabled',
+      });
+    }
+
+    // Allow empty string to be passed in to remove the client secret from the database.
+    let encryptedClientSecret: string | undefined = clientSecret;
+
+    // Encrypt the secret if it is provided.
+    if (clientSecret) {
+      const encryptionKey = DOCUMENSO_ENCRYPTION_KEY;
+
+      if (!encryptionKey) {
+        throw new Error('Missing DOCUMENSO_ENCRYPTION_KEY');
+      }
+
+      encryptedClientSecret = symmetricEncrypt({
+        key: encryptionKey,
+        data: clientSecret,
+      });
+    }
+
+    await prisma.organisationAuthenticationPortal.update({
+      where: {
+        id: organisation.organisationAuthenticationPortal.id,
+      },
+      data: {
+        defaultOrganisationRole,
+        enabled,
+        clientId,
+        clientSecret: encryptedClientSecret,
+        wellKnownUrl,
+        autoProvisionUsers,
+        allowedDomains,
+      },
+    });
+  });
diff --git a/packages/trpc/server/enterprise-router/update-organisation-authentication-portal.types.ts b/packages/trpc/server/enterprise-router/update-organisation-authentication-portal.types.ts
new file mode 100644
index 000000000..ebe5858ee
--- /dev/null
+++ b/packages/trpc/server/enterprise-router/update-organisation-authentication-portal.types.ts
@@ -0,0 +1,24 @@
+import { z } from 'zod';
+
+import OrganisationMemberRoleSchema from '@documenso/prisma/generated/zod/inputTypeSchemas/OrganisationMemberRoleSchema';
+
+import { domainRegex } from './create-organisation-email-domain.types';
+
+export const ZUpdateOrganisationAuthenticationPortalRequestSchema = z.object({
+  organisationId: z.string(),
+  data: z.object({
+    defaultOrganisationRole: OrganisationMemberRoleSchema,
+    enabled: z.boolean(),
+    clientId: z.string(),
+    clientSecret: z.string().optional(),
+    wellKnownUrl: z.union([z.string().url(), z.literal('')]),
+    autoProvisionUsers: z.boolean(),
+    allowedDomains: z.array(z.string().regex(domainRegex)),
+  }),
+});
+
+export const ZUpdateOrganisationAuthenticationPortalResponseSchema = z.void();
+
+export type TUpdateOrganisationAuthenticationPortalRequest = z.infer<
+  typeof ZUpdateOrganisationAuthenticationPortalRequestSchema
+>;
diff --git a/packages/trpc/server/organisation-router/delete-organisation.ts b/packages/trpc/server/organisation-router/delete-organisation.ts
index edf7952d4..f20fede2d 100644
--- a/packages/trpc/server/organisation-router/delete-organisation.ts
+++ b/packages/trpc/server/organisation-router/delete-organisation.ts
@@ -1,4 +1,7 @@
-import { ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/organisations';
+import {
+  ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP,
+  ORGANISATION_USER_ACCOUNT_TYPE,
+} from '@documenso/lib/constants/organisations';
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { buildOrganisationWhereQuery } from '@documenso/lib/utils/organisations';
 import { prisma } from '@documenso/prisma';
@@ -37,9 +40,18 @@ export const deleteOrganisationRoute = authenticatedProcedure
       });
     }
 
-    await prisma.organisation.delete({
-      where: {
-        id: organisation.id,
-      },
+    await prisma.$transaction(async (tx) => {
+      await tx.account.deleteMany({
+        where: {
+          type: ORGANISATION_USER_ACCOUNT_TYPE,
+          provider: organisation.id,
+        },
+      });
+
+      await tx.organisation.delete({
+        where: {
+          id: organisation.id,
+        },
+      });
     });
   });