Manage enterprise connections
Auth and access
At Kinde, each user can only have one enterprise identity provider (IdP) connection as part of their user profile. This is because we want to keep things simple, secure, and reliable.
We get asked about this regularly, so this document explains our reasoning from a security and architectural perspective.
An enterprise connection allows users to sign in to your product using their organization’s identity provider — such as Okta, Azure AD, or Google Workspace. This enables Single Sign-On (SSO), centralized user management, and improved security for enterprise customers.
Many customer identity platforms, including Kinde, enforce a one-to-one relationship between a user and an enterprise connection. Here’s why:
If a user could sign in through multiple enterprise providers, it becomes difficult to determine whether those identities belong to the same person. This can result in:
Restricting to a single enterprise connection ensures a consistent and predictable identity model.
Allowing multiple enterprise connections introduces significant security risks:
sub
) overlap or are not verified consistently, it becomes possible for unauthorized users to gain access to another user’s account.In multi-tenant applications, each enterprise typically has its own workspace or organization. Supporting one IdP per user:
We support users belonging to multiple organizations within Kinde. In edge cases (such as contractors working across companies) we recommend adding enterprise connections at the organization level. This means the user signs in directly to the relevant organization, with no confusion about where to be routed. This feature is only available on the Kinde Scale plan.
If you are not on the relevant plan, other ways to handle this include:
This choice to allow only one enterprise identity per user aligns with industry best practices and helps keep your users, data, and systems secure. By enforcing this, Kinde provides a stable and trusted identity layer you can build on with confidence.
If you have any questions about more advanced SSO or identity configurations, contact our team. We’re happy to help.