Customize available authentication methods per organization.
While your application provides a set of authentication methods, certain organizations may want to restrict their users to a subset of those methods for customized security constraints. These organization-level customizations can be configured on the organization page in the Dashboard.
When an organization has a verified domain, the organization has full control over the authentication methods for its domain-captured users. The organization can enable any subset of the authentication methods that your application enables at the environment level.
Additionally, if the MFA setting for the environment is set to Optional, meaning that users who choose to enroll in MFA would get challenged at authentication time, an organization can require its domain-captured users to enroll in MFA.
When an SSO connection is first set up on an organization, all non-SSO authentication methods for the organization are automatically disabled. An IT admin who sets up SSO usually wants it to be the only method of authentication. If an organization wants additional methods enabled, they can be manually turned on.
When a user is domain-captured, their own organization can enforce specific authentication controls on them. Organizations that the user is a guest member of do not have the same set of controls over guests, as those controls may conflict with the controls of the domain-capturing organization.
An organization may only require that its guest members authenticate through its own SSO connection. When this is enabled, guest members log in as they normally do, and upon selecting this organization to log into, the user is prompted to sign in at the organization’s SSO IdP. This acts as a secondary authentication method that this organization controls.
An organization may also require that its guests enroll in MFA.
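The rules above interact when a user captured by one organization signs in to another as a guest. The following model is an added example, not the product's implementation or API: the method names, the `Org` class and the `requirements` function are constructed for illustration, and it assumes the environment MFA setting is Optional.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed method names; the page does not list the environment's methods.
ENV_METHODS = frozenset({"password", "passkey", "social_login", "sso"})

@dataclass
class Org:
    name: str
    verified_domain: bool = False
    methods: frozenset = ENV_METHODS   # subset enabled for domain-captured users
    require_mfa: bool = False          # applies to domain-captured users
    has_sso: bool = False
    guest_require_sso: bool = False
    guest_require_mfa: bool = False

    def add_sso_connection(self) -> None:
        """First SSO setup: every non-SSO method is switched off for the org."""
        if not self.has_sso:
            self.has_sso = True
            self.methods = frozenset({"sso"})

    def enable(self, method: str) -> None:
        """Manual re-enable; only methods the environment offers are accepted."""
        if method not in ENV_METHODS:
            raise ValueError(f"{method} is not enabled at the environment level")
        self.methods = self.methods | {method}

def requirements(home: Optional[Org], target: Org) -> dict:
    """Controls for a user captured by `home` (None if uncaptured) signing in to `target`."""
    captured = home is not None and home.verified_domain
    # Primary login follows the capturing org's subset, else the environment's set.
    primary = (home.methods & ENV_METHODS) if captured else ENV_METHODS
    mfa = captured and home.require_mfa
    sso_step = False
    if target is not home:             # the user is a guest of `target`
        # A guest org adds its own SSO step and MFA enrollment, nothing more.
        sso_step = target.has_sso and target.guest_require_sso
        mfa = mfa or target.guest_require_mfa
    return {"primary_methods": primary, "org_sso_step": sso_step, "mfa_enrollment": mfa}
```

The guest organization never narrows `primary_methods`; only the capturing organization does, which is why the two sets of controls cannot conflict.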