Organization Auto-Membership is not adding members

Hi there,

I’m trying to set up Organization auto-membership. I appreciate there are a number of configuration options here, but from the docs, I believe my configuration should work:

  • Application - Login Experience is set to “Both” and “Prompt for Credentials”
  • Authentication Profile - “Identifier First”
  • Enterprise Okta Connection - “Home Realm Discovery” activated
  • Organization - only 1 organization in the tenant, with the Enterprise Okta Connection linked with “Auto-Membership” turned on

Logging in with a user on the universal login page, with NO org_id or connection_id parameters, with the correct domain from Home Realm Discovery DOES successfully log in via the Okta account, however the user is not added as a member of the Organization.

I had understood that if the connection was linked to a single organization (which it is, I only have one organization while testing) and the user signs in with that connection (which they are, because I am signing in on the Okta side before redirecting back to Auth0) then the user should get added as a member.

Is there any other configuration that I should check that could be blocking this?

I do have a post-login action setup which is adding some custom claims, but I have tested this with the action removed and it still doesn’t work.

Thanks for your support.

-Chris

After writing this message, I realised there was one combination I hadn’t tried - setting Application Login Experience “Types of Users” to “Business Users”.

I just tried this, and it did successfully add the user to the Organization as a member.

However, when I tried logging in as a user via a different flow (passwordless email), it failed with the error “Message contains error: ‘invalid_request’, error_description: ‘client requires organization membership, but user does not belong to any organization’”

This does not suit my scenario - I need some users to be a member of an organization and some to not - which is why I chose “Both”.

It would make sense to me that even when choosing “Both”, if the user is signing in with a Connection that is linked to an organization, that they would be assigned a member of that organization.

Is there any way to make this feature work while using “Both” for the Types of Users?

I think I may have found a way to do this - create a ‘Default Organization’ and link as a connection all the other authentication approaches (passwordless, social, etc.). Any non-org user will end up as a member of this organization.

Is this the recommended approach? If so, it might be helpful to update the documentation for this scenario.

1 Like
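The two failure modes in this thread (a connection linked to an organization but not auto-assigning membership, and users of an unlinked connection being rejected with “client requires organization membership”) are both visible from the tenant’s organization-to-connection links. The script below is an added example, not code from this thread or from Auth0’s own tooling: it pulls every organization’s enabled connections through the Management API and reports, per connection, whether a login through it auto-assigns membership, which organization it lands in, or whether it is linked to no organization at all. It also models the “Default Organization” workaround from the last post by running the same audit with and without such an organization. Assumptions: Node 18+ (global `fetch`), a Management API token holding `read:organizations`, `read:organization_connections` and `read:connections`, the `/api/v2/organizations`, `/api/v2/organizations/{id}/enabled_connections` and `/api/v2/connections` endpoints with `connection_id` and `assign_membership_on_login` on each enabled connection, and the constructed sample data shown inline (organization and connection ids are made up). Pagination is not handled.

```javascript
// Added audit example (not from the thread or Auth0). Reports, per connection,
// how a login through it relates to organization membership.

/**
 * Pure audit logic so it can run offline on constructed data.
 * @param {Array<{id:string,name:string}>} orgs
 * @param {Record<string, Array<{connection_id:string, assign_membership_on_login:boolean}>>} enabledByOrg
 * @param {Array<{id:string,name:string}>} connections  every connection in the tenant
 * @returns {Record<string,{name:string,linkedOrgs:string[],autoMembershipOrgs:string[],status:string}>}
 */
function auditAutoMembership(orgs, enabledByOrg, connections) {
  const report = {};
  for (const c of connections) {
    report[c.id] = { name: c.name, linkedOrgs: [], autoMembershipOrgs: [], status: "" };
  }
  for (const org of orgs) {
    for (const link of enabledByOrg[org.id] || []) {
      const entry = report[link.connection_id];
      if (!entry) continue; // link to a connection we were not given
      entry.linkedOrgs.push(org.name);
      if (link.assign_membership_on_login) entry.autoMembershipOrgs.push(org.name);
    }
  }
  for (const entry of Object.values(report)) {
    if (entry.linkedOrgs.length === 0) {
      // With "Types of Users" = Business Users these logins fail the membership check.
      entry.status = "no-org";
    } else if (entry.autoMembershipOrgs.length === 1) {
      // The single-organization case the thread describes: membership is assigned on login.
      entry.status = "auto";
    } else if (entry.autoMembershipOrgs.length > 1) {
      // More than one organization would claim the user; review the links by hand.
      entry.status = "review";
    } else {
      entry.status = "manual"; // linked, but membership must be granted explicitly
    }
  }
  return report;
}

/** Live fetch against a tenant (Management API token assumed; pagination not handled). */
async function fetchTenantState(domain, token) {
  const headers = { Authorization: `Bearer ${token}` };
  const get = async (path) => (await fetch(`https://${domain}/api/v2/${path}`, { headers })).json();
  const orgs = await get("organizations");
  const connections = await get("connections");
  const enabledByOrg = {};
  for (const org of orgs) {
    enabledByOrg[org.id] = await get(`organizations/${org.id}/enabled_connections`);
  }
  return { orgs, enabledByOrg, connections };
}

/** Constructed sample: one Okta-backed org, plus optionally the "Default Organization" workaround. */
function sampleAudit(withDefaultOrg) {
  const connections = [
    { id: "con_okta_sample", name: "enterprise-okta" },
    { id: "con_email_sample", name: "email" },
    { id: "con_google_sample", name: "google-oauth2" },
  ];
  const orgs = [{ id: "org_acme_sample", name: "acme" }];
  const enabledByOrg = {
    org_acme_sample: [{ connection_id: "con_okta_sample", assign_membership_on_login: true }],
  };
  if (withDefaultOrg) {
    orgs.push({ id: "org_default_sample", name: "default" });
    enabledByOrg.org_default_sample = [
      { connection_id: "con_email_sample", assign_membership_on_login: true },
      { connection_id: "con_google_sample", assign_membership_on_login: true },
    ];
  }
  return auditAutoMembership(orgs, enabledByOrg, connections);
}

if (typeof require !== "undefined" && require.main === module) {
  const { AUTH0_DOMAIN, AUTH0_MGMT_TOKEN } = process.env;
  if (AUTH0_DOMAIN && AUTH0_MGMT_TOKEN) {
    fetchTenantState(AUTH0_DOMAIN, AUTH0_MGMT_TOKEN)
      .then((s) => console.table(auditAutoMembership(s.orgs, s.enabledByOrg, s.connections)))
      .catch((e) => console.error(e));
  } else {
    console.table(sampleAudit(false)); // email/google show "no-org"
    console.table(sampleAudit(true));  // all three show "auto"
  }
}
```

Run it with `AUTH0_DOMAIN` and `AUTH0_MGMT_TOKEN` set to audit a real tenant; without them it prints the two constructed scenarios. Any connection reported as `no-org` is one whose users will hit the “client requires organization membership” error if the application is switched to “Business Users”, which is exactly what the default-organization workaround removes.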

Hi @chris.simon,

Welcome to the Auth0 Community!

Thank you for sharing this with the community. I think what you’ve come up with is the best solution to this problem. I will raise this internally to have the documentation updated. Thanks for bringing this to our attention.

Have a good one,
Vlad