Tenant Settings Best Practices

Here are some best practices for configuring tenants in Auth0.

Visit Auth0 Support Center > Tenants and specify your production tenant. Production tenants get higher rate limits than non-production tenants. On non-enterprise plans, only one tenant per subscription can be set as a production tenant.

Go to your tenant's general settings and provide your branding information:

Application or company name
Logo image file URL
Support email address
Support URL

The support email address and URL are shown on the default error page, so users can contact your support if they have an issue. We recommend that you host your own custom error page and configure Auth0 to use it instead of the Auth0 default. This allows you to provide more complete and customized explanations to users about what to do in the event of an error.

Set up custom domain early

If you can, we recommend that you use a custom domain name for the Universal Login page, set up the custom domain early to minimize changes you’ll need to make later.

If you will use SAML connections to authenticate users against remote SAML identity providers, set up the custom domain before you configure the SAML providers because changing the domain across multiple SAML providers is cumbersome.

The SSO session timeout value in tenant settings specifies the time until a user's session expires. By default the value is 7 days which is the amount of time users can access your Auth0-integrated applications without re-entering their credentials.

Adjust this value to fit your application’s desired user experience and security requirements. For example, enterprise environments may choose 8 hours or shorter to ensure users authenticate at least once per shift. But for customer-facing environments, where long sessions are desirable for the user experience, the value might be set to much longer than 7 days.

On a regular basis, review the list of dashboard administrators with access to your Auth0 tenant and make sure that:

Each person has a legitimate need for admin access
Admins are registered with a company account
Former employees no longer have access
There's more than one Dashboard admin

For further protection, turn on multi-factor authentication (MFA) for your Dashboard admins. If a Dashboard admin is locked out and needs their MFA reset, another admin can open an Auth0 support ticket on their behalf. Auth0 can reset MFA for that admin after a verification process.

In your tenant's advanced settings, turn off Enable application connections. If this setting is on, all configured connections are enabled for new applications you create, so users may be able to login to an application with an unintended connection. By having connections disabled by default, you can explicitly enable the connections appropriate for each application.

To protect against brute force attacks and breached passwords, turn on and configure Auth0 Anomaly Detection.

Docs