Login Flows for Organizations
Auth0 Organizations allows leaders of B2B products or SaaS applications to build multi-tenant architectures, store identification tokens appropriately, and minimize end user login friction.
Configure Your Application to Use Organizations
Applications designed explicitly for consumers - for example, Netflix or Spotify - likely do not need Organization management. By choosing Individuals, users log in to the application directly and Organization context is not provided.
B2B or SaaS applications - for example, Slack or Jira - are better served by Business Users, so end users can only access your application in the context of an Auth0 Organization. Users in multiple Organizations are directed to the Organization Picker after the login flow, which displays the 20 organizations they most recently joined.
Choose Both if your end user may maintain both a personal and a business account with your application. For example, GitHub often stores both personal and professional code repositories.
Configure the Login Flow for Your Application
After selecting Business Users or Both, you can further customize the experience that your users have when logging into your application.
Most organizations should choose Prompt for Credentials, then enable Identifier First Authentication. If you already know the Organization with which a user is attempting to log in, the No Prompt option along with Custom Development with Organizations allows your app to maintain a branded and customized login flow. Administrators can further curate the end user experience by enabling the Prompt for Organization toggle, which requires users to identify the Organization they’re logging into.
Identifier First Authentication
If your enterprise application uses Enterprise Federation, you can activate Identifier First Authentication with Home Realm Discovery in its Authentication Profile. Once enabled, Home Realm Discovery detects email addresses from a known domain and automatically sends them to the proper Workforce login.
In this flow, exactly one Auth0 Database Connection can be used as a fallback when a user’s email domain does not match the identity provider (IdP) domain of any enterprise connections. Users are shown your application’s login prompt instead of an organization’s login prompt, and Connections that are enabled for the Application are visible to the user.
After a user provides an email address, Auth0 matches it with Enterprise Connections enabled for this application and all Enterprise Connections enabled for Organizations. If a match is found, the user is directed to authenticate with the associated IdP. If no match is found, a password field is displayed.
Instead of inviting or assigning users to an Organization directly, you may want any user who can authenticate with a federated IdP to be granted access to an Organization. For these scenarios, Auth0 recommends the Auto-Membership setting.
Auto-membership is typically triggered by directing a user to log in using the Organization’s login prompt, which can pass the connection and organization parameters on the user’s behalf. If a user’s desired organization cannot be determined prior to login, the Prompt for Credentials flow grants membership to the sole organization with auto-membership configured.
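As an added example (not Auth0's own code), the following shows the two halves of the flow described above: building the /authorize request that sends a user to an Organization's login prompt with the organization and connection parameters passed on their behalf, and then checking that the org_id claim in the returned ID token matches the Organization that was requested. The tenant domain, client ID, redirect URI, organization ID and connection name are placeholders, and the ID token claims are a constructed sample; signature, issuer, audience and nonce validation of the token is assumed to have been done by a JWT library before these claims are trusted.

```python
# Added example, not Auth0's own code. Placeholder tenant/app values below.
# ID-token signature, issuer, audience and nonce checks are assumed to be
# performed by a JWT library before check_org_claim() is called.
import secrets
from urllib.parse import urlencode

AUTH0_DOMAIN = "example.us.auth0.com"            # placeholder tenant domain
CLIENT_ID = "YOUR_CLIENT_ID"                      # placeholder client ID
REDIRECT_URI = "https://app.example.com/callback"  # placeholder callback


def build_org_login_url(org_id, connection, state=None, nonce=None):
    """Return the /authorize URL that sends the user to org_id's login prompt.

    organization selects the Organization context for the login; connection
    names the enterprise connection so the user goes straight to that IdP
    (this is what lets auto-membership be granted without a prompt).
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "organization": org_id,
        "connection": connection,
        "state": state or secrets.token_urlsafe(16),  # CSRF protection
        "nonce": nonce or secrets.token_urlsafe(16),  # replay protection
    }
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"


def check_org_claim(id_token_claims, expected_org_id):
    """Reject a token whose org_id is missing or differs from the Organization
    the application asked for, so a token issued for one tenant cannot be
    used to enter another."""
    org_id = id_token_claims.get("org_id")
    if org_id is None:
        raise ValueError("ID token has no org_id claim: not an Organization login")
    if org_id != expected_org_id:
        raise ValueError(f"org_id mismatch: expected {expected_org_id}, got {org_id}")
    return org_id


# Constructed sample claims, as a validated ID token would expose them.
SAMPLE_CLAIMS = {"sub": "auth0|abc", "org_id": "org_AbC123", "email": "a@acme.test"}

if __name__ == "__main__":
    url = build_org_login_url("org_AbC123", "acme-saml", state="s1", nonce="n1")
    print(url)
    print(check_org_claim(SAMPLE_CLAIMS, "org_AbC123"))
```

The org_id comparison is the check an application must do itself: Auth0 issues the token for the Organization the user actually logged into, and only the application knows which one it intended.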