Improved login for SaaS users

Sam Frank June 28, 2023

Home Realm Discovery for organizations and multi-organization selection

Businesses are discerning customers and they need your application to work with every part of their Identity stack. In a bygone era, their users might tolerate a clunky login experience when accessing the SaaS applications that they need to get their job done, but now they’re expecting the same low-friction experience that they have with the consumer apps they use every day. This is true whether they’re accessing your application via their Workforce Identity dashboard, like Okta Workforce Identity Cloud, or navigating directly to your website. 

You also need to support complex use cases where a single user, like a consultant, belongs to several businesses' organizations and needs to access each of them. With our new Improved Login for SaaS Users, we've got you covered.


Home Realm Discovery for organizations

Home Realm Discovery (HRD) is the process of identifying which Identity provider (IdP) the user belongs to before authenticating them. So, when I sign into an application with HRD with my @okta.com email address, it knows to forward me to Okta’s installation of Okta Workforce Identity Cloud (WIC).

Now, Okta Customer Identity Cloud (CIC) looks at all the IdP connections associated with Organizations in your tenant and forwards the enterprise user to the connection whose domain matches their email address. If the IdP authenticates them as a known user, Okta CIC issues a JSON Web Token (JWT) carrying the ID of the organization that the connection is associated with in your tenant. Note that the email domain is only used to route the user; membership is established by the IdP's assertion and the connection-to-organization association, not by the domain the user typed.

Multi-organization selection prompt

There are many reasons for a user to be a member of multiple organizations. However, your application needs to understand which business data sets they should be accessing. Getting this wrong can lead to data leaking across tenants, an embarrassing and costly problem in a SaaS application. Our new Multi-Organization Selection Prompt guides the user to the tenant they want to work in to quickly get them into your application.

After a user has gone through Home Realm Discovery or a username/password database login, we query the connection to pull the different organizations the user is a member of into the login process. If there is more than one, we show a simple selection prompt to the user to allow them to pick which organization they want to work in. If the user only belongs to one organization, we forward them to the application with the appropriate organization ID.

If your application supports independent users with no organization, don’t worry. We have them covered as well! They can either select their personal account or an organization where they have membership. If they only have a personal account, we forward them to the application without asking them to choose an organization.
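The two pieces of logic described in this section and the one above, Home Realm Discovery by email domain and the organization-selection decision, are small enough to show end to end, along with the check the application itself must make on the token it receives: that the organization ID in the JWT matches the organization whose data the request is about to touch. The following is an added example, not Okta's code and not the CIC implementation. The connection names, organization IDs and user memberships are constructed, the token is minted with HS256 purely so the example runs offline (a real tenant signs with RS256 and you verify against the tenant's JWKS), and the `org_id` claim name follows Auth0's Organizations documentation; confirm it against the tokens your tenant issues.

```python
"""Added example, not Okta's code: email-domain Home Realm Discovery, the
multi-organization selection decision, and the org_id check an application
should make before serving organization-scoped data."""
import base64
import hashlib
import hmac
import json
import time

# Constructed tenant configuration (hypothetical names): the IdP connection
# for each verified email domain and the organization it is associated with.
CONNECTIONS = {
    "okta.com": {"connection": "okta-wic-saml", "org_id": "org_okta"},
    "acme.example": {"connection": "acme-oidc", "org_id": "org_acme"},
}

# Constructed membership data, standing in for what the login flow pulls from
# the connection after the user has authenticated.
MEMBERSHIPS = {
    "consultant@acme.example": ["org_acme", "org_globex"],
    "alice@okta.com": ["org_okta"],
    "bob@gmail.com": [],  # independent user with only a personal account
}


def home_realm(email):
    """Home Realm Discovery: pick the connection for the email's exact domain.
    Returns None when no enterprise connection matches, which is the signal
    to fall back to the username/password database login."""
    domain = email.rsplit("@", 1)[-1].lower()
    return CONNECTIONS.get(domain)


def login_destination(email, allow_personal=False):
    """Selection-prompt decision after authentication.
    One possible destination -> forward straight to the app with it.
    Several -> show the prompt with all of them.
    allow_personal models an app that supports independent users."""
    orgs = list(MEMBERSHIPS.get(email, []))
    choices = (["personal"] if allow_personal else []) + orgs
    if not choices:
        raise ValueError("user has no organization and personal accounts are not allowed")
    if len(choices) == 1:
        return ("forward", choices[0])
    return ("prompt", choices)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims, key):
    """Constructed stand-in for the JWT CIC issues after login. HS256 keeps the
    example self-contained; it is not how a production tenant signs tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_org_claim(token, key, expected_org, now=None):
    """Return the claims only if signature, expiry and org_id all check out.
    expected_org is the organization the request is scoped to (e.g. from the
    URL); the token, not the URL, is the authority on which organization the
    user actually authenticated into. A mismatch is the cross-tenant leak the
    article warns about, so it is rejected rather than corrected."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    if claims.get("org_id") != expected_org:
        raise ValueError(
            f"token is for {claims.get('org_id')!r}, request is scoped to {expected_org!r}"
        )
    return claims


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print(home_realm("alice@okta.com"))
    print(login_destination("consultant@acme.example"))
    tok = mint_token({"sub": "auth0|1", "org_id": "org_acme", "exp": 2_000_000_000}, key)
    print(verify_org_claim(tok, key, "org_acme")["org_id"])
```

The important design choice is in `verify_org_claim`: the organization the request is scoped to is compared against the token's `org_id` and a mismatch is a hard failure. An application that instead reads the organization from a route parameter or cookie and only checks that the user is authenticated is exactly the one that leaks data across tenants when a consultant who belongs to two organizations switches between them.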

Diving in

Getting this set up takes a matter of minutes. Check out our documentation to get started. With a tenant configuration and some application settings, you can start using this in your business-to-business app. Have any questions? We're happy to help in the Okta Customer Identity Cloud developer community, or you can reach out to your technical account manager to learn more.