Okta CIC (Auth0) Organizations feature update (2023/7)

Introduction

Okta CIC (Auth0) provides an Organizations feature that enables multi-tenant authentication and authorization in applications. In July 2023, the following two updates were made to the Organizations feature.

On this page, we introduce what the updates contain, how to configure them, and the actual login behavior after the update.

Premise

The information on features and settings described on this page is current as of July 2023.

For an overview of the Organizations feature and its basic configuration, please refer to Realizing multi-tenant authentication with the Auth0 Organizations function.

Feature update overview

The summary of this update is as follows.
  • Users who belong to multiple organizations can now choose from a list of their organizations, so they no longer need to type the organization name.
  • The authentication method is determined automatically from the domain of the email address.
  • A new Auth0 tenant member role was added that grants permission to edit only the Organizations settings.

Setting and operation example

The following shows configuration and operation examples that use the updated features.

(1) Setting example: Login behavior of users belonging to multiple organizations

We assume the following as implementation requirements.
  • Authentication method: Use only Auth0 authentication (Database Connection)
  • Some users belong to multiple organizations
The required settings are as follows.
  • Applications setting: Prompt for Credentials
    On the Auth0 management screen, click [Applications] > [Applications] > (select the target application) > [Organizations] tab and configure it as follows.
  • Authentication Profile setting: Identifier + Password
    On the Auth0 management screen, click [Authentication] > [Authentication Profile] and select [Identifier + Password]. *This is the default setting.

(1) Operation example: Login behavior of users belonging to multiple organizations

Prepare the following users and check their login behavior.
  • User A: Belongs only to Company XYZ ⇒ Logs in to the application without being asked to select an organization
  • User B: Belongs to Company ABC and Company XYZ ⇒ Selects an organization from the list, then logs in to the application with that organization

(2) Setting example: Automatic selection of authentication method by email address domain

We assume the following as implementation requirements.
  • Authentication method: Use external IdP authentication (Enterprise Connection) for Company ABC and Auth0 authentication (Database Connection) for Company XYZ
The required settings are as follows.
  • Applications setting
    On the Auth0 management screen, click [Applications] > [Applications] > (select the target application) > [Organizations] tab and configure it as follows.
  • Authentication Profile setting: Identifier First
    On the Auth0 management screen, click [Authentication] > [Authentication Profile] and select [Identifier First].
  • Enterprise Connection setting: Home Realm Discovery
    On the Auth0 management screen, click [Authentication] > [Enterprise] > (select the target external IdP) > [Login Experience] tab and configure Home Realm Discovery.
    *In the example below, which uses Azure AD, no additional settings are required if only the domain specified in the Microsoft Azure AD Domain field is targeted.

(2) Operation example: Automatic selection of authentication method by email address domain

Prepare the following users and check their login behavior.
  • User A: Belongs to Company ABC ⇒ After entering the email address, is redirected to external IdP authentication
  • User B: Belongs to Company XYZ ⇒ After entering the email address, is taken to password authentication
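As an added illustration (not code from this page or from Auth0), the following Python model walks through both operation examples above: the organization step after credentials in (1), and Home Realm Discovery by email domain in (2). Connection names, organization IDs and email addresses are constructed placeholders, and the two configurations are kept side by side so the same login function can be run against each.

```python
# Constructed data modelling Auth0's behaviour; this is not Auth0's implementation.
DB_CONNECTION = "Username-Password-Authentication"
ENTERPRISE_CONNECTIONS = {
    # Home Realm Discovery: email domains that route to this external IdP
    "abc-azure-ad": {"domain_aliases": ["abc.example"]},
}
# Scenario (1): every organization enables only the database connection
ORGS_SCENARIO_1 = {
    "org_abc": {"display_name": "Company ABC", "connections": [DB_CONNECTION]},
    "org_xyz": {"display_name": "Company XYZ", "connections": [DB_CONNECTION]},
}
# Scenario (2): Company ABC uses the external IdP, Company XYZ the database connection
ORGS_SCENARIO_2 = {
    "org_abc": {"display_name": "Company ABC", "connections": ["abc-azure-ad"]},
    "org_xyz": {"display_name": "Company XYZ", "connections": [DB_CONNECTION]},
}
MEMBERSHIPS = {  # constructed users and the organizations they belong to
    "usera@xyz.example": ["org_xyz"],
    "userb@xyz.example": ["org_abc", "org_xyz"],
    "usera@abc.example": ["org_abc"],
}


def discover_connection(email: str) -> str:
    """Identifier First + Home Realm Discovery: choose the connection by email domain."""
    domain = email.rsplit("@", 1)[-1].lower()
    for name, options in ENTERPRISE_CONNECTIONS.items():
        if domain in (d.lower() for d in options["domain_aliases"]):
            return name
    return DB_CONNECTION


def login_flow(email: str, identifier_first: bool, orgs: dict) -> tuple:
    """Return (authentication step, organization step) for the Prompt for Credentials flow.

    The user authenticates first; the organization is then selected automatically when
    exactly one membership is valid, or from a selection list when several are.
    """
    connection = discover_connection(email) if identifier_first else DB_CONNECTION
    auth_step = "redirect to external IdP" if connection in ENTERPRISE_CONNECTIONS else "password prompt"
    # Only organizations that enable the connection actually used remain candidates
    names = [orgs[o]["display_name"] for o in MEMBERSHIPS.get(email, ())
             if connection in orgs[o]["connections"]]
    if not names:
        org_step = "denied: no organization enables this connection"
    elif len(names) == 1:
        org_step = "auto-select " + names[0]
    else:
        org_step = "selection list: " + ", ".join(names)
    return auth_step, org_step
```

Running User B against scenario (2) shows the caveat: Company ABC does not enable the database connection the user authenticated with, so only Company XYZ remains and no selection list appears.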

Conclusion

This time, we introduced updates to the Organizations feature. We will continue to update this information as further updates are released.

If you are interested in multi-tenant authentication realized by Auth0, please contact us.

Okta team, Macnica Co., Ltd.