Auth0 Organizations allows leaders of B2B products or SaaS applications to build multi-tenant architectures, store identification tokens appropriately, and minimize end user login friction.

Configure the login experience of your application

Your application can be configured in the Login Experience tab to support three user types:
  1. Individuals
  2. Business Users
  3. Both
Applications designed explicitly for consumers - for example, Netflix or Spotify - likely do not need Organization management. By choosing Individuals, users log in to the application directly and Organization context is not provided. B2B or SaaS applications - for example, Slack or Jira - are better served by Business Users, so end users can only access your application in the context of an Auth0 Organization. Users in multiple Organizations are directed to the Organization Picker after the login flow, which displays the first 20 organizations they joined.
Choose Both if your end user may maintain both a personal and business account with your application. For example, GitHub often stores both personal and professional code repositories. You can configure your application’s user type through the Auth0 Dashboard (as described above) or the Management API. Specifically, use the organization_usage parameter of the Update a client endpoint to set the appropriate type of user. For more information on both methods, review Define Organization Behavior.

Configure the Login Flow for your Application

After selecting Business Users or Both, you can further customize the experience that your users have when logging into your application. Most organizations should choose Prompt for Credentials, then enable Identifier First Authentication. If you already know the Organization with which a user is attempting to log in, the No Prompt option along with Custom Development with Organizations allows your app to maintain a branded and customized login flow.
Administrators can further curate the end user experience by enabling the Prompt for Organization toggle, which requires users to identify the Organization they’re logging into by either the Organization Name or Organization Email.
Note: Even when selecting Prompt for Credentials, you can still direct users to log in with a specific organization’s login prompt as needed.
You can configure the login flow for your application through the Auth0 Dashboard (as described above) or the Management API. Specifically, use the organization_require_behavior parameter of the Update a client endpoint to set the appropriate flow. For more information on both methods, review Define Organization Behavior.

Identifier First Authentication with prompt for credentials

If your enterprise application uses Enterprise Federation, you can activate Identifier First Authentication with Home Realm Discovery in its Authentication Profile. Once enabled, Home Realm Discovery detects email addresses from a known domain and automatically sends them to the proper Workforce login.
In this flow, exactly one Auth0 Database Connection can be used as a fallback when a user’s email domain does not match the Identity Provider (IdP) domain of any enterprise connections. Users are shown your application’s login prompt instead of an organization’s login prompt, and Connections that are enabled for the Application are visible to the user. After a user provides an email address, Auth0 matches it with Enterprise Connections enabled for this application and all Enterprise Connections enabled for Organizations. If a match is found, the user is directed to authenticate with the associated IdP. If no match is found, a password field is displayed.

Identifier First Authentication with prompt for Organization

Auth0 also supports Organization Domain Discovery, which can optionally be used to detect the user’s Organization before Identifier First Authentication runs. Together, these features streamline enterprise login flows while maintaining clarity and control across multi-organization environments. When a user begins authentication, Auth0 first determines the Organization (if applicable) and then identifies the correct Identity Provider (IdP) or connection for authentication.

User input

The user begins by entering either:
  • Their email address (for example, alice@rockymountainadventures.com)
  • Their organization name (for example, Rocky Mountain High Adventures)

Organization Domain Discovery (optional)

If a tenant has configured verified Organization domains and no organization parameter is provided, Auth0 attempts to determine the user’s organization automatically:
  • If exactly one Organization matches, Auth0 automatically selects it and continues the Identifier First Authentication flow in that Organization’s context.
  • If multiple Organizations share the same domain or name (for example, both AdventureZ and Granite Outpost each configured travelco.com), Auth0 displays an Organization selector so the user can choose. Once chosen, Auth0 continues the Identifier First Authentication flow.
  • Only verified domains are used for discovery; pending domains are ignored.
  • If no match is found, Auth0 proceeds with standard Identifier First Authentication.
If the application’s Login Experience > Type of Users setting is configured as:
  • Both: The prompt screen will include both the Organization Prompt and an option to Continue with Personal Account.
  • Business Users: The option to continue with a personal account will not be displayed, and the user must log in with an Organization.
In both cases, before moving into Identifier First Authentication, Organization Domain Discovery attempts to determine whether the user belongs to a specific organization or, if permitted, should continue with a personal account.

Identifier First Authentication

The goal of Identifier First Authentication is to determine which connection or Identity Provider (IdP) to route the user to. Once the organization (if any) is determined, Auth0 applies Identifier First Authentication with Home Realm Discovery:
  • If a connection parameter is provided, Auth0 uses it to route the user to that specific connection.
  • Otherwise, Auth0 examines all Enterprise Connections enabled for both the application and the organization (if applicable).
If a matching IdP is found based on the user’s email domain, Auth0 redirects the user to that IdP for authentication. If no match is found, or if the user’s email domain does not correspond to any enabled IdP, Auth0 falls back to the Auth0 Database Connection (if one is enabled for the application). In this fallback state, users see your application’s login prompt instead of an organization’s login prompt, and all connections enabled for the application are visible.
There are use cases - such as multiple database configurations assigned to different Organizations - in which Auth0 cannot determine which IdP a user’s email is associated with. In these cases, select Prompt for Organization as your login initiation prompt or send the organization parameter to Auth0.
You can use the Management API to configure Identifier First Authentication. Specifically, use the identifier_first parameter of the Update prompts settings endpoint.
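The two-stage decision described above (Organization Domain Discovery, then Identifier First Authentication with Home Realm Discovery) can be modelled offline to check how a given tenant layout will route a login. This is an added example, not Auth0 code: the `Org` type, function names, connection names and the sample tenant are constructed, and treating connections "enabled for both the application and the organization" as the union of the two sets is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Org:
    name: str
    domains: dict                                   # domain -> "verified" or "pending"
    enterprise: dict = field(default_factory=dict)  # email domain -> connection name

def email_domain(email):
    return email.rsplit("@", 1)[-1].strip().lower()

def discover_org(email, orgs):
    """Organization Domain Discovery; runs only when no organization parameter is sent."""
    domain = email_domain(email)
    # Only verified domains take part in discovery; pending domains are ignored.
    matches = [o for o in orgs if o.domains.get(domain) == "verified"]
    if len(matches) == 1:
        return "selected", matches
    if len(matches) > 1:
        return "selector", matches       # the user chooses; nothing is auto-selected
    return "no_match", []

def route(email, app_enterprise, db_connection=None, org=None, connection=None):
    """Identifier First Authentication with Home Realm Discovery."""
    if connection:                       # an explicit connection parameter is used as-is
        return "connection", connection
    # Assumption: application and organization connections are merged (union).
    candidates = {**app_enterprise, **(org.enterprise if org else {})}
    idp = candidates.get(email_domain(email))
    if idp:
        return "idp", idp
    if db_connection:
        return "database", db_connection  # fallback: password field is displayed
    return "no_route", None

# Constructed sample tenant; connection names are illustrative.
ORGS = [
    Org("AdventureZ", {"travelco.com": "verified"}, {"travelco.com": "adventurez-saml"}),
    Org("Granite Outpost", {"travelco.com": "verified", "granite.example": "pending"}),
    Org("Rocky Mountain High Adventures", {"rockymountainadventures.com": "verified"},
        {"rockymountainadventures.com": "rmha-oidc"}),
]

def login(email, app_enterprise=None, db_connection="app-db"):
    step, matches = discover_org(email, ORGS)
    if step == "selector":
        return step, sorted(o.name for o in matches)
    org = matches[0] if step == "selected" else None
    return route(email, app_enterprise or {}, db_connection, org=org)
```

In this model a domain that is still pending never selects an Organization, so a login from that domain lands on the application's database fallback rather than in an Organization's context.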

Auto-Membership

Instead of inviting or assigning users to an Organization directly, you may want to allow any user that is able to authenticate with a federated IdP to be granted access to an Organization. For these scenarios, Auth0 recommends the Auto-Membership setting.
Auto-membership is typically triggered by directing a user to log in using the Organization’s login prompt, which can pass the connection and organization parameters on the user’s behalf. If a user’s desired organization cannot be determined prior to login, the Prompt for Credentials flow grants membership to the sole organization with auto-membership configured.
However, there may be scenarios in which you cannot determine a user’s desired organization prior to sending them to log in. In this case, you can use the aforementioned Prompt for Credentials flow, but note that the user will only be granted membership in the organization if one and only one organization has this connection set as an enabled connection for the organization with auto-membership activated.
You can use the Management API to configure auto-membership. Specifically, use the assign_membership_on_login parameter of the Modify an organization’s connection endpoint.
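Because auto-membership grants Organization access to anyone who can authenticate with the connection, it is worth reviewing which connections have it enabled and where the "one and only one organization" condition holds. The following is an added example, not Auth0 code: the records are constructed, `connection_id` and the organization ids are assumed names for this sample, and the condition is read as counting only organizations that have the connection enabled with `assign_membership_on_login` set to true.

```python
from collections import defaultdict

# Constructed sample: organization id -> its enabled connections.
# Field names other than assign_membership_on_login are assumptions.
ORG_CONNECTIONS = {
    "org_adventurez": [
        {"connection_id": "con_okta", "assign_membership_on_login": True},
        {"connection_id": "con_shared", "assign_membership_on_login": True},
    ],
    "org_granite": [
        {"connection_id": "con_shared", "assign_membership_on_login": True},
        {"connection_id": "con_azure", "assign_membership_on_login": False},
    ],
    "org_rmha": [
        {"connection_id": "con_okta", "assign_membership_on_login": False},
    ],
}

def auto_membership_orgs(org_connections):
    """Map each connection to the organizations that enable it with auto-membership on."""
    by_conn = defaultdict(list)
    for org_id, conns in org_connections.items():
        for c in conns:
            # Treat anything other than an explicit True as disabled.
            if c.get("assign_membership_on_login") is True:
                by_conn[c["connection_id"]].append(org_id)
    return {conn: sorted(orgs) for conn, orgs in by_conn.items()}

def membership_on_prompt_for_credentials(connection_id, org_connections):
    """Organization that grants membership when no organization parameter is sent.

    Membership is granted only if exactly one organization has the connection
    enabled with auto-membership activated; otherwise the result is None.
    """
    orgs = auto_membership_orgs(org_connections).get(connection_id, [])
    return orgs[0] if len(orgs) == 1 else None

def review(org_connections):
    """Classify every auto-membership connection for an access review."""
    report = {}
    for conn, orgs in auto_membership_orgs(org_connections).items():
        report[conn] = "grants:" + orgs[0] if len(orgs) == 1 else "ambiguous"
    return report
```

Connections reported as `ambiguous` grant no membership through Prompt for Credentials in this model; connections reported as `grants:` are the ones where any user the IdP authenticates becomes a member of that organization.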