Overview
When Organizations are enabled for an application (client) in Auth0, they significantly alter access behavior across all connection types. This article explains how organization settings interact with connection and client configuration to determine whether a user is allowed to log in.
Applies To
- Organizations
- Strict connection-to-application access control
Cause
When Organizations are enabled for a client, the connections assigned at the client level are no longer enforced. Instead, access decisions are governed by two conditions:
User Membership in the Organization:
- Users must either belong to the specified organization or be eligible for auto-membership.
Connections Enabled for the Organization:
- The connection used for login must be explicitly enabled for the organization.
Client-level enabled connections act only as visual cues during the login process and do not enforce access restrictions.
This behavior applies to all connection types.
Expected Behavior
Scenario 1: Connections Not Linked to Applications
Setup:
- Application A linked to Connection 1.
- Application B linked to Connection 2.
Behavior:
- Users from Connection 2 can still access Application A if the organization enables that connection.
- Similarly, users from Connection 1 can access Application B.
Reason: The organization’s configuration determines access, not the client-to-connection link.
Scenario 2: Disabled Connections
Setup: All connections are disabled for both Applications A and B.
Behavior: Users can still authenticate and access applications if the organization allows it and the user is a member.
Reason: Organizational membership and connection enablement override client-specific settings.
Solution
To achieve the expected access behavior, validate the organization settings:
- Confirm that the connection used for login is explicitly enabled for the organization.
- Ensure that users are members of the correct organization, or that auto-membership is configured appropriately.
- Disable auto-membership if stricter control is required.
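As an added illustration (not Auth0's code or output), the following Python models the access decision described under Cause and walks through both Expected Behavior scenarios, and includes a small audit over the organization settings the Solution steps ask you to check. The `Client` and `Organization` classes and the `can_login` and `audit_auto_membership` functions are hypothetical; the field names follow Management API fields (`organization_usage` on a client, `enabled_connections` with `assign_membership_on_login` on an organization), but every record below is constructed sample data, not output from a real tenant.

```python
from dataclasses import dataclass, field

# Hypothetical data model (constructed for this example). Field names mirror
# the Auth0 Management API shape, but the values are not from a real tenant.


@dataclass
class Client:
    client_id: str
    organization_usage: str  # "deny" | "allow" | "require"
    enabled_connections: set = field(default_factory=set)  # client-level links


@dataclass
class Organization:
    org_id: str
    # connection name -> assign_membership_on_login (auto-membership flag)
    enabled_connections: dict = field(default_factory=dict)
    members: set = field(default_factory=set)


def can_login(client, connection, user_id, org=None):
    """Return (allowed, reason) for one login attempt.

    Models the article's rule: once an organization is in play for a client,
    the client-level connection list is not consulted at all. Access depends
    only on the organization's enabled connections and the user's membership
    (or eligibility for auto-membership).
    """
    if org is None:
        if client.organization_usage == "require":
            return False, "organization required but none supplied"
        # Classic behaviour: the client-to-connection link is enforced.
        if connection in client.enabled_connections:
            return True, "connection enabled on client"
        return False, "connection not enabled on client"

    if client.organization_usage == "deny":
        return False, "client does not accept organization logins"

    # Organization flow: client-level connections are ignored entirely.
    if connection not in org.enabled_connections:
        return False, f"{connection} not enabled for {org.org_id}"
    if user_id in org.members:
        return True, f"member of {org.org_id}"
    if org.enabled_connections[connection]:
        return True, f"auto-membership on login via {connection}"
    return False, "not a member and auto-membership disabled"


def audit_auto_membership(orgs):
    """List (org_id, connection) pairs where auto-membership is on.

    Each pair means any user who can authenticate through that connection
    joins the organization at login; these are the settings to turn off when
    stricter control is required.
    """
    return sorted(
        (o.org_id, conn)
        for o in orgs
        for conn, auto in o.enabled_connections.items()
        if auto
    )


# Constructed scenario: Application A is linked only to Connection 1 and
# Application B only to Connection 2, but the organization enables both,
# with auto-membership on for Connection 2.
APP_A = Client("app_a", "require", {"conn1"})
APP_B = Client("app_b", "require", {"conn2"})
ACME = Organization("org_acme", {"conn1": False, "conn2": True}, {"user1"})

# Scenario 2: the same applications with every client-level connection disabled.
APP_A_NO_CONNS = Client("app_a", "require", set())

# Hardened organization: auto-membership disabled on every connection.
ACME_STRICT = Organization("org_acme", {"conn1": False, "conn2": False}, {"user1"})

if __name__ == "__main__":
    cases = [
        ("Scenario 1: conn2 user -> App A", APP_A, "conn2", "user2", ACME),
        ("Scenario 1: conn1 user -> App B", APP_B, "conn1", "user1", ACME),
        ("Scenario 2: no client conns", APP_A_NO_CONNS, "conn1", "user1", ACME),
        ("Strict org, non-member", APP_A, "conn2", "user2", ACME_STRICT),
    ]
    for label, client, conn, user, org in cases:
        print(f"{label}: {can_login(client, conn, user, org)}")
    print("auto-membership enabled:", audit_auto_membership([ACME, ACME_STRICT]))
```

The audit function is the check to run before relying on client-level connection links: any pair it returns is a place where the organization, not the application, decides who gets in.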
Important Notes
The observed behavior is by design when organizations are enabled for a client.
Properly configuring organization and connection settings is critical to achieving the desired security outcomes.