Skip to Content
Admin ConsoleOrganizations

Managing Organizations

Organizations in Auris provide B2B multi-tenancy within a single Auris tenant. They allow you to group users into separate entities — each representing a customer company, team, or business unit — with their own member roles, invitation workflows, and enterprise SSO configuration.

Organizations are appropriate when your product is sold to other businesses, each of which manages its own users and may require isolated access control or SSO federation.


Overview

Each organization in Auris has:

  • A name and optional display name used in the UI and emails
  • A list of members, each assigned one of four roles
  • An invitation system for onboarding new members by email
  • Optional Enterprise SSO connections (SAML 2.0 or OIDC) for domain-based federated login

Organizations do not impose data isolation at the storage level — all users exist in the same Auris tenant. What organizations provide is membership context (which organization a user belongs to, in what role) and SSO routing (which identity provider to use for a given email domain).


Organization List

Go to ConsoleOrganizations to view all organizations in your tenant.

The list shows:

ColumnDescription
NameOrganization name
Display NameHuman-readable name shown to users
MembersCount of current members
CreatedOrganization creation date

Use the Search field to filter organizations by name. The list paginates at 25 organizations per page.


Creating an Organization

Click Create

From the Organization list, click Create in the top-right corner.

Fill in the organization details

FieldRequiredDescription
NameYesA URL-safe identifier for the organization (no spaces). Used in API references.
Display NameNoA human-readable name shown to members and in emails
DescriptionNoInternal administrative notes

Save

Click Create. The organization is created and you are taken to its detail page.


Organization Detail Page

The organization detail page is organized into four tabs: Details, Members, Invitations, and Enterprise SSO.


Details Tab

The Details tab shows the organization’s current configuration and allows editing.

Editable Fields

  • Display Name
  • Description
  • Metadata (arbitrary key-value pairs that can be read via the API and included in tokens)

Click Save after making changes.

Delete Organization

At the bottom of the Details tab, click Delete Organization to permanently remove the organization. A confirmation dialog requires you to type the organization name before proceeding.

Deleting an organization removes all membership records and invitations. It does not delete the user accounts themselves — users continue to exist in the tenant without an organization affiliation. Any SSO connections associated with the organization are also deleted, which may prevent those users from logging in via SSO if no other connection is configured.


Members Tab

The Members tab shows all current members of the organization in a table.

ColumnDescription
NameMember’s full name
EmailMember’s email address
RoleOrganization role badge
JoinedDate the member joined the organization

Member Roles

Each member has exactly one organization role. Roles determine what that member can manage within the organization through the Auris API and Console:

RolePermissions
OWNERFull control: edit organization settings, manage members, configure SSO, delete organization
ADMINManage members and invitations, configure SSO. Cannot delete the organization or change the OWNER.
MEMBERStandard access. Permissions are application-defined beyond what Auris enforces.
VIEWERRead-only access. Can view organization membership but cannot make changes.

Note: There must always be at least one OWNER in each organization. You cannot change the last OWNER’s role or remove them from the organization.

Adding a Member

  1. Click Add Member
  2. Enter the user’s Auris user ID or email address
  3. Select their initial role
  4. Click Add

The user is added to the organization immediately. No email notification is sent for direct member addition — use the Invitations flow if you want to send an email.

Changing a Member’s Role

  1. Click the role badge or the options menu (...) on the member’s row
  2. Select Change Role
  3. Choose the new role
  4. Confirm

The role change takes effect immediately. The user’s next token refresh will include the updated organization role.

Removing a Member

  1. Click the options menu (...) on the member’s row
  2. Click Remove
  3. Confirm in the dialog

The user retains their Auris account but loses their membership in this organization.


Invitations Tab

The Invitations tab shows all pending (not yet accepted) invitations for this organization.

ColumnDescription
EmailThe email address the invitation was sent to
RoleThe role that will be assigned when the invitation is accepted
SentWhen the invitation was created
ExpiresWhen the invitation will no longer be valid
StatusPending, Accepted, Expired, or Cancelled

Sending an Invitation

Click Invite Member

Click the Invite Member button on the Invitations tab.

Enter the invitee’s email address

Type the email address of the person you want to invite. This does not need to be an existing Auris user — new users will be prompted to create an account when accepting the invitation.

Select the role

Choose the organization role to assign when the invitation is accepted.

Send

Click Send Invitation. Auris sends an invitation email containing a unique acceptance link.

Invitation Lifecycle

  • Invitations are valid for 7 days from the time they are sent
  • Each invitation link is single-use
  • If the invited email already belongs to an Auris user, they are added directly to the organization upon acceptance
  • If the invited email does not have an Auris account, the acceptance flow prompts the user to register first
  • Expired invitations remain visible in the Invitations tab with an “Expired” status badge and can be resent

Resending and Cancelling

ActionHow
ResendClick Resend on the invitation row — generates a new link and sends a new email. The previous link is invalidated.
CancelClick Cancel on the invitation row — invalidates the link. The invited person cannot accept it.

Enterprise SSO Tab

The Enterprise SSO tab manages identity provider connections for this specific organization. When an SSO connection is active, users logging in with an email address matching the configured domain are automatically routed to the organization’s SSO provider rather than the standard login form.

This tab supports creating and managing SAML 2.0 and OIDC connections.

How Domain-Based SSO Routing Works

When a user enters their email on the hosted login page, Auris checks whether the domain portion matches any organization’s configured SSO connection. If a match is found and the connection is active, the user is redirected to the organization’s identity provider instead of the Auris login form.

This is called Home Realm Discovery or domain-based SSO detection.

Creating an SSO Connection

Click Add Connection

On the Enterprise SSO tab, click Add Connection.

Choose the protocol

Select SAML 2.0 or OIDC depending on what your customer’s identity provider supports.

SAML 2.0 configuration fields:

FieldDescription
Connection NameAn internal name for this connection
SSO URLThe IdP’s SAML SSO endpoint (Single Sign-On URL)
Entity ID (Issuer)The unique identifier for the IdP’s SAML entity
X.509 CertificateThe IdP’s signing certificate (PEM format)
Attribute MappingMap SAML attributes to Auris user fields

OIDC configuration fields:

FieldDescription
Connection NameAn internal name for this connection
Discovery URLThe IdP’s OIDC discovery endpoint (.well-known/openid-configuration)
Client IDOAuth 2.0 client ID from the IdP
Client SecretOAuth 2.0 client secret from the IdP

Add email domains

Enter the email domains that should be routed to this SSO connection (for example, acme-corp.com). Users with an email address matching any of these domains will be routed to this SSO provider.

Verify domain ownership

Auris requires DNS-based verification to confirm you have control over the domains before activating SSO routing. The Console displays a DNS TXT record to add:

Type: TXT Name: _auris-domain-verify.[yourdomain.com] Value: auris-verify=[verification-token]

Add this record at your DNS provider and click Verify Domain in the Console. Verification typically takes a few minutes.

Activate the connection

Once domain verification succeeds, click Activate to make the SSO connection live.

Connection Statuses

StatusMeaning
DraftConnection created but not verified or activated
VerifyingDomain verification in progress
ActiveConnection is live — matching users are routed to this IdP
InactiveConnection is paused — users fall back to the standard login form

Just-In-Time User Provisioning

When a user authenticates via SSO for the first time, Auris automatically creates an Auris user account using the identity data returned by the IdP (email, name, etc.) and adds them to the organization. This is called Just-In-Time (JIT) provisioning.

On subsequent logins, the existing account is used. You do not need to pre-create user accounts for SSO users.

For full SSO implementation details, see Enterprise SSO.


Organization Context in Tokens

When a user is a member of one or more organizations, their access token includes an org_id claim identifying their current organization context. Applications can use this claim to apply organization-level access control.

{ "sub": "user_id_here", "email": "[email protected]", "roles": ["member"], "org_id": "org_abc123", "org_role": "ADMIN" }

For multi-organization users, the token reflects the organization context of the current session. Users can switch organization context by initiating a new login flow with the organization parameter.