Organizations is a broad update to our platform that improves support for Auth0 customers that build and maintain business-to-business and software-as-a-service applications.
As of today, Organizations is available to Auth0 customers on our Enterprise and Startup subscription plans. Using this new set of features, you can:
- Represent the teams, business customers and partners that use your applications as organizations in Auth0
- Set up branded, federated login flows for each organization
- Manage organization members in a variety of ways, including via just-in-time membership and email invitations
- Define roles to represent what end-users can do in your applications and assign those roles to organization members, so they can have different roles in different orgs
- Build administration capabilities into your products so that administrators in those organizations can manage their own membership and access levels
Hi, this is a great start to the feature set, and I’m looking forward to seeing what else can be done with it.
I’m wondering whether it would be possible to embed a user’s organization IDs into a JWT authorization token. One of the real advantages of switching from our current organization management implementation to Auth0’s would be to remove the requirement for an additional look-up of this information when doing resource-based authorization. So “Does this authenticated entity (user, application, etc.) have access to this org’s data?” is a question we want to answer not just at authentication time but at authorization time as well.
And along those lines, are there any plans in the works for associating an Auth0 “Application” with an Auth0 “Organization”? We leverage Auth0 to federate M2M access for our clients’ applications, and if we migrated to Auth0 organizations, it would be nice to have consistency across user access and machine access.
Currently, users’ organization memberships are not included in the JWTs. Only the organization that a user is authenticating with will be present in the ID & Access token (including other claims associated with that membership like permissions).
That being said, there is a Management API endpoint you can use to get a given user’s Organization membership: Retrieve User's Organization Memberships, but it is not often recommended to call the MGMT API from within a Rule due to rate limiting concerns – at a minimum code defensively in case of rate limit exceeded. You can also call that endpoint using a confidential m2m client as a proxy to the MGMT API from your application. In addition, a user could potentially have a huge number of organization memberships, so it might not be feasible to cram all of that into a token.
Re: associating Auth0 Application w/ Auth0 Organization – yes indeed there are. Tell me more about your expectations there? Do you generate an Auth0 m2m client for each of your customers currently?
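The two points in the reply above (the authenticating organization is the only one present in the token, and any attempt to add a user's full membership list from a Rule must survive Management API rate limiting and an unbounded number of memberships) can be sketched in plain Node.js. This is an added example, not code from Auth0 or from this thread: the custom-claim namespace, the `MAX_ORGS_IN_TOKEN` cap, the `org_claim_status` marker and the `makeMembershipFetcher` stand-in for the "Retrieve User's Organization Memberships" call are all assumptions made for the example; `org_id` is the claim name Auth0 uses for the organization a user logged in to.

```javascript
// Added example (not Auth0's code): a Rule-style hook that tries to embed a
// user's organization memberships as a namespaced claim without ever failing
// login on a rate limit, plus an API-side check that answers "may this token
// touch this org's data?" from the claims alone.

const NAMESPACE = 'https://example.com/';   // assumed custom-claim namespace
const MAX_ORGS_IN_TOKEN = 20;                // assumed cap to keep tokens small

// Constructed stand-in for the Management API membership call. A real Rule
// would make an HTTP call (asynchronously); here a lookup table and a flag
// simulate the success and "429 Too Many Requests" cases offline.
function makeMembershipFetcher(table, rateLimited = false) {
  return function fetchMemberships(userId) {
    if (rateLimited) {
      const err = new Error('Too Many Requests');
      err.statusCode = 429;
      throw err;
    }
    return table[userId] || [];
  };
}

// Rule-style hook. `context.accessToken` mirrors the object a Rule mutates.
// Returns the (possibly unchanged) context; never throws on a rate limit.
function addOrgMembershipsClaim(user, context, fetchMemberships) {
  let orgs;
  try {
    orgs = fetchMemberships(user.user_id);
  } catch (err) {
    if (err.statusCode === 429) {
      // Rate limited: the claim is optional, so record why it is missing and
      // let the login proceed. The API falls back to a lookup in that case.
      context.accessToken[NAMESPACE + 'org_claim_status'] = 'rate_limited';
      return context;
    }
    throw err;   // anything else is a genuine error
  }
  const ids = orgs.map(o => o.id);
  if (ids.length > MAX_ORGS_IN_TOKEN) {
    // Too many memberships to embed: mark the claim as truncated rather than
    // issuing an oversized token.
    context.accessToken[NAMESPACE + 'org_claim_status'] = 'truncated';
    return context;
  }
  context.accessToken[NAMESPACE + 'org_ids'] = ids;
  context.accessToken[NAMESPACE + 'org_claim_status'] = 'complete';
  return context;
}

// API-side authorization decision made from the verified token claims.
// Returns 'allow', 'deny', or 'lookup' (the membership claim is not usable,
// so the API must consult memberships directly before deciding).
function orgAccessDecision(claims, resourceOrgId) {
  // The organization the user actually logged in to is always present.
  if (claims.org_id === resourceOrgId) return 'allow';
  const status = claims[NAMESPACE + 'org_claim_status'];
  if (status !== 'complete') return 'lookup';
  const ids = claims[NAMESPACE + 'org_ids'] || [];
  return ids.includes(resourceOrgId) ? 'allow' : 'deny';
}

// Constructed sample data: alice belongs to two organizations.
const SAMPLE_MEMBERSHIPS = { 'auth0|alice': [{ id: 'org_A' }, { id: 'org_B' }] };

const ctx = addOrgMembershipsClaim(
  { user_id: 'auth0|alice' }, { accessToken: {} },
  makeMembershipFetcher(SAMPLE_MEMBERSHIPS));
console.log(orgAccessDecision({ org_id: 'org_A', ...ctx.accessToken }, 'org_B'));
```

The design choice worth noting is the explicit `org_claim_status` marker: an API that sees `rate_limited` or `truncated` knows the claim was intentionally left out and must not treat "not in the list" as a denial, which is the failure mode a naive membership claim would introduce under rate limiting.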
Hey I’m wondering if custom database connections will be supported with the organizations feature?
Right now we just have access to the users email and password within the custom database connection script, but if we also had access to the organization, we could scope our database query for the login flow to check against the organization id to ensure we are loading up and checking against the correct user within the database.
@adam.housman thanks for the thorough response. I’ll take a close look at rules and rate limiting for our purposes. I theoretically like that better than requiring a m2m client option, and we are already looking into a defensive posture against rate limits.
Re: application/org associations, yes we are provisioning m2m apps for our customers to programmatically access our APIs. Roughly one per-use-case, per-customer. We have the same needs as we do for users - limiting access to specific resources based on organizational affiliations.
Is there any plan to support Passwordless connections with organizations? We have a B2B use case and our customers love passwordless. It makes everyone’s lives easier.
I don’t understand why this feature is accessible in the Starter plan (Free Plan), since we can create and administer orgs in a production environment tenant, but it says “Want to use this feature in production? Upgrade Plan”.
Also, we need the Organizations feature but not Enterprise Connections (with LDAP, etc.), yet both come together in the Enterprise plan.
As it’s a common need for any SaaS application, will it be available in Auth0 plans other than Enterprise (or Startup)?