Managing Organizations
Organizations in Auris provide B2B multi-tenancy within a single Auris tenant. They allow you to group users into separate entities — each representing a customer company, team, or business unit — with their own member roles, invitation workflows, and enterprise SSO configuration.
Organizations are appropriate when your product is sold to other businesses, each of which manages its own users and may require isolated access control or SSO federation.
Overview
Each organization in Auris has:
- A name and optional display name used in the UI and emails
- A list of members, each assigned one of four roles
- An invitation system for onboarding new members by email
- Optional Enterprise SSO connections (SAML 2.0 or OIDC) for domain-based federated login
Organizations do not impose data isolation at the storage level — all users exist in the same Auris tenant. What organizations provide is membership context (which organization a user belongs to, in what role) and SSO routing (which identity provider to use for a given email domain).
Organization List
Go to Console → Organizations to view all organizations in your tenant.
The list shows:
| Column | Description |
|---|---|
| Name | Organization name |
| Display Name | Human-readable name shown to users |
| Members | Count of current members |
| Created | Organization creation date |
Use the Search field to filter organizations by name. The list paginates at 25 organizations per page.
Creating an Organization
Click Create
From the Organization list, click Create in the top-right corner.
Fill in the organization details
| Field | Required | Description |
|---|---|---|
| Name | Yes | A URL-safe identifier for the organization (no spaces). Used in API references. |
| Display Name | No | A human-readable name shown to members and in emails |
| Description | No | Internal administrative notes |
Save
Click Create. The organization is created and you are taken to its detail page.
Organization Detail Page
The organization detail page is organized into four tabs: Details, Members, Invitations, and Enterprise SSO.
Details Tab
The Details tab shows the organization’s current configuration and allows editing.
Editable Fields
- Display Name
- Description
- Metadata (arbitrary key-value pairs that can be read via the API and included in tokens)
Click Save after making changes.
Delete Organization
At the bottom of the Details tab, click Delete Organization to permanently remove the organization. A confirmation dialog requires you to type the organization name before proceeding.
Deleting an organization removes all membership records and invitations. It does not delete the user accounts themselves — users continue to exist in the tenant without an organization affiliation. Any SSO connections associated with the organization are also deleted, which may prevent those users from logging in via SSO if no other connection is configured.
Members Tab
The Members tab shows all current members of the organization in a table.
| Column | Description |
|---|---|
| Name | Member’s full name |
| Member’s email address | |
| Role | Organization role badge |
| Joined | Date the member joined the organization |
Member Roles
Each member has exactly one organization role. Roles determine what that member can manage within the organization through the Auris API and Console:
| Role | Permissions |
|---|---|
| OWNER | Full control: edit organization settings, manage members, configure SSO, delete organization |
| ADMIN | Manage members and invitations, configure SSO. Cannot delete the organization or change the OWNER. |
| MEMBER | Standard access. Permissions are application-defined beyond what Auris enforces. |
| VIEWER | Read-only access. Can view organization membership but cannot make changes. |
Note: There must always be at least one OWNER in each organization. You cannot change the last OWNER’s role or remove them from the organization.
Adding a Member
- Click Add Member
- Enter the user’s Auris user ID or email address
- Select their initial role
- Click Add
The user is added to the organization immediately. No email notification is sent for direct member addition — use the Invitations flow if you want to send an email.
Changing a Member’s Role
- Click the role badge or the options menu (
...) on the member’s row - Select Change Role
- Choose the new role
- Confirm
The role change takes effect immediately. The user’s next token refresh will include the updated organization role.
Removing a Member
- Click the options menu (
...) on the member’s row - Click Remove
- Confirm in the dialog
The user retains their Auris account but loses their membership in this organization.
Invitations Tab
The Invitations tab shows all pending (not yet accepted) invitations for this organization.
| Column | Description |
|---|---|
| The email address the invitation was sent to | |
| Role | The role that will be assigned when the invitation is accepted |
| Sent | When the invitation was created |
| Expires | When the invitation will no longer be valid |
| Status | Pending, Accepted, Expired, or Cancelled |
Sending an Invitation
Click Invite Member
Click the Invite Member button on the Invitations tab.
Enter the invitee’s email address
Type the email address of the person you want to invite. This does not need to be an existing Auris user — new users will be prompted to create an account when accepting the invitation.
Select the role
Choose the organization role to assign when the invitation is accepted.
Send
Click Send Invitation. Auris sends an invitation email containing a unique acceptance link.
Invitation Lifecycle
- Invitations are valid for 7 days from the time they are sent
- Each invitation link is single-use
- If the invited email already belongs to an Auris user, they are added directly to the organization upon acceptance
- If the invited email does not have an Auris account, the acceptance flow prompts the user to register first
- Expired invitations remain visible in the Invitations tab with an “Expired” status badge and can be resent
Resending and Cancelling
| Action | How |
|---|---|
| Resend | Click Resend on the invitation row — generates a new link and sends a new email. The previous link is invalidated. |
| Cancel | Click Cancel on the invitation row — invalidates the link. The invited person cannot accept it. |
Enterprise SSO Tab
The Enterprise SSO tab manages identity provider connections for this specific organization. When an SSO connection is active, users logging in with an email address matching the configured domain are automatically routed to the organization’s SSO provider rather than the standard login form.
This tab supports creating and managing SAML 2.0 and OIDC connections.
How Domain-Based SSO Routing Works
When a user enters their email on the hosted login page, Auris checks whether the domain portion matches any organization’s configured SSO connection. If a match is found and the connection is active, the user is redirected to the organization’s identity provider instead of the Auris login form.
This is called Home Realm Discovery or domain-based SSO detection.
Creating an SSO Connection
Click Add Connection
On the Enterprise SSO tab, click Add Connection.
Choose the protocol
Select SAML 2.0 or OIDC depending on what your customer’s identity provider supports.
SAML 2.0 configuration fields:
| Field | Description |
|---|---|
| Connection Name | An internal name for this connection |
| SSO URL | The IdP’s SAML SSO endpoint (Single Sign-On URL) |
| Entity ID (Issuer) | The unique identifier for the IdP’s SAML entity |
| X.509 Certificate | The IdP’s signing certificate (PEM format) |
| Attribute Mapping | Map SAML attributes to Auris user fields |
OIDC configuration fields:
| Field | Description |
|---|---|
| Connection Name | An internal name for this connection |
| Discovery URL | The IdP’s OIDC discovery endpoint (.well-known/openid-configuration) |
| Client ID | OAuth 2.0 client ID from the IdP |
| Client Secret | OAuth 2.0 client secret from the IdP |
Add email domains
Enter the email domains that should be routed to this SSO connection (for example, acme-corp.com). Users with an email address matching any of these domains will be routed to this SSO provider.
Verify domain ownership
Auris requires DNS-based verification to confirm you have control over the domains before activating SSO routing. The Console displays a DNS TXT record to add:
Type: TXT
Name: _auris-domain-verify.[yourdomain.com]
Value: auris-verify=[verification-token]Add this record at your DNS provider and click Verify Domain in the Console. Verification typically takes a few minutes.
Activate the connection
Once domain verification succeeds, click Activate to make the SSO connection live.
Connection Statuses
| Status | Meaning |
|---|---|
| Draft | Connection created but not verified or activated |
| Verifying | Domain verification in progress |
| Active | Connection is live — matching users are routed to this IdP |
| Inactive | Connection is paused — users fall back to the standard login form |
Just-In-Time User Provisioning
When a user authenticates via SSO for the first time, Auris automatically creates an Auris user account using the identity data returned by the IdP (email, name, etc.) and adds them to the organization. This is called Just-In-Time (JIT) provisioning.
On subsequent logins, the existing account is used. You do not need to pre-create user accounts for SSO users.
For full SSO implementation details, see Enterprise SSO.
Organization Context in Tokens
When a user is a member of one or more organizations, their access token includes an org_id claim identifying their current organization context. Applications can use this claim to apply organization-level access control.
{
"sub": "user_id_here",
"email": "[email protected]",
"roles": ["member"],
"org_id": "org_abc123",
"org_role": "ADMIN"
}For multi-organization users, the token reflects the organization context of the current session. Users can switch organization context by initiating a new login flow with the organization parameter.
Related Guides
- Enterprise SSO (SAML 2.0 + OIDC) — Complete SSO configuration guide including IdP-side setup for common providers
- SCIM Provisioning — Automated user lifecycle sync for organizations
- Organizations API — Manage organizations programmatically
- Fine-Grained Authorization for Organizations — Object-level access control within organizations