Hi there,
I’m trying to set up Organization auto-membership. I appreciate there are a number of configuration options here, but from the docs, I believe my configuration should work:
- Application - Login Experience is set to “Both” and “Prompt for Credentials”
- Authentication Profile - “Identifier First”
- Enterprise Okta Connection - “Home Realm Discovery” activated
- Organization - only 1 organization in the tenant, with the Enterprise Okta Connection linked with “Auto-Membership” turned on
Logging in with a user on the universal login page, with NO org_id or connection_id parameters, with the correct domain from Home Realm Discovery DOES successfully log in via the Okta account; however, the user is not added as a member of the Organization.
I had understood that if the connection was linked to a single organization (which it is, I only have one organization while testing) and the user signs in with that connection (which they are, because I am signing in on the Okta side before redirecting back to Auth0) then the user should get added as a member.
Is there any other configuration that I should check that could be blocking this?
I do have a post-login action set up which is adding some custom claims, but I have tested this with the action removed and it still doesn’t work.
Thanks for your support.
-Chris
After writing this message, I realised there was one combination I hadn’t tried - setting Application Login Experience “Types of Users” to “Business Users”.
I just tried this, and it did successfully add the user to the Organization as a member.
However, when I tried logging in as a user via a different flow (passwordless email), it failed with the error “Message contains error: ‘invalid_request’, error_description: ‘client requires organization membership, but user does not belong to any organization’”.
This does not suit my scenario - I need some users to be a member of an organization and some to not - which is why I chose “Both”.
It would make sense to me that even when choosing “Both”, if the user is signing in with a Connection that is linked to an organization, that they would be assigned a member of that organization.
Is there any way to make this feature work while using “Both” for the Types of Users?
I think I may have found a way to do this - create a ‘Default Organization’ and link as a connection all the other authentication approaches (passwordless, social, etc.). Any non-org user will end up as a member of this organization.
Is this the recommended approach? If so, it might be helpful to update the documentation for this scenario.
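The ‘Default Organization’ workaround above is easy to get subtly wrong: a connection that is enabled on the tenant but linked to no organization will be rejected under “Business Users”, and a connection that is linked but without auto-membership produces exactly the “logs in but is never added as a member” symptom from the first post. The following is an added example, not code from the original post or from Auth0, that audits both conditions offline against the JSON shapes the Management API v2 returns (`GET /api/v2/connections` and `GET /api/v2/organizations/{id}/enabled_connections`) and builds the remediation calls. The sample data, the organization and connection ids, and the `send` helper are constructed for illustration.

```python
"""Audit Auth0 Organization connection links for auto-membership (added example).

Works on the response shapes of the Management API v2:
  GET /api/v2/connections                                  -> [{"id", "name", "strategy", ...}]
  GET /api/v2/organizations/{id}/enabled_connections       -> [{"connection_id",
        "assign_membership_on_login", "show_as_button", "connection": {...}}]
All ids and records below are constructed samples, not data from a real tenant.
"""
import json
import urllib.request

# Constructed sample of GET /api/v2/connections, trimmed to the fields used here.
SAMPLE_CONNECTIONS = [
    {"id": "con_okta", "name": "okta-enterprise", "strategy": "okta"},
    {"id": "con_email", "name": "email", "strategy": "email"},
    {"id": "con_google", "name": "google-oauth2", "strategy": "google-oauth2"},
]

# Constructed sample of GET /api/v2/organizations/{id}/enabled_connections, keyed by org id.
SAMPLE_ORG_CONNECTIONS = {
    "org_customer": [
        {"connection_id": "con_okta", "assign_membership_on_login": False,
         "show_as_button": True, "connection": {"name": "okta-enterprise", "strategy": "okta"}},
    ],
    "org_default": [
        {"connection_id": "con_email", "assign_membership_on_login": True,
         "show_as_button": False, "connection": {"name": "email", "strategy": "email"}},
    ],
}


def audit(connections, org_connections):
    """Return the two misconfigurations discussed in the thread.

    unlinked: connection ids enabled in no organization. With "Types of Users" set to
      "Business Users", logins through these fail with
      "client requires organization membership, but user does not belong to any organization".
    no_auto_membership: (org_id, connection_id) pairs linked without
      assign_membership_on_login, so users authenticate but never become members.
    """
    linked = set()
    no_auto = []
    for org_id, enabled in org_connections.items():
        for entry in enabled:
            linked.add(entry["connection_id"])
            if not entry.get("assign_membership_on_login", False):
                no_auto.append((org_id, entry["connection_id"]))
    unlinked = [c["id"] for c in connections if c["id"] not in linked]
    return {"unlinked": unlinked, "no_auto_membership": no_auto}


def remediation_requests(findings, default_org_id):
    """Translate findings into Management API calls as (method, path, body) tuples.

    Unlinked connections are attached to the catch-all organization (the
    "Default Organization" pattern); linked connections without auto-membership
    get assign_membership_on_login switched on via PATCH.
    """
    reqs = []
    for conn_id in findings["unlinked"]:
        reqs.append(("POST", f"/api/v2/organizations/{default_org_id}/enabled_connections",
                     {"connection_id": conn_id, "assign_membership_on_login": True}))
    for org_id, conn_id in findings["no_auto_membership"]:
        reqs.append(("PATCH", f"/api/v2/organizations/{org_id}/enabled_connections/{conn_id}",
                     {"assign_membership_on_login": True}))
    return reqs


def send(domain, token, method, path, body=None):
    """Execute one request against a real tenant. Assumes a Management API token
    carrying read:connections, read:organization_connections,
    create:organization_connections and update:organization_connections.
    Not invoked by the offline sample run below."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{domain}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    findings = audit(SAMPLE_CONNECTIONS, SAMPLE_ORG_CONNECTIONS)
    print(json.dumps(findings, indent=2))
    for method, path, body in remediation_requests(findings, "org_default"):
        print(method, path, json.dumps(body))
```

On the sample data the audit flags `con_google` as linked to no organization (the passwordless/social failure mode from the thread) and `con_okta` in `org_customer` as linked without auto-membership (the original symptom). Run the remediation calls only after confirming the catch-all organization really should own every unlinked connection, since attaching a connection to an organization with auto-membership makes every user of that connection a member on their next login.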
Hi @chris.simon,
Welcome to the Auth0 Community!
Thank you for sharing this with the community. I think what you’ve come up with is the best solution to this problem. I will raise this internally to have the documentation updated. Thanks for bringing this to our attention.
Have a good one,
Vlad