Mixed auth set up for B2B and B2C

If you have an app or site that supports a mix of business customers and direct customers, this guide shows you how to set up authentication in Kinde to meet both these needs.

For example, say you run a finance business and you have separate sign-ins for accounting business partners and direct customers. Accounting businesses sign in with an enterprise identity, e.g. SAML, and direct customers sign in with email and a one-time passcode (OTP).

This topic explains how to create a simple, unified experience for both groups.

You’ll need the Kinde Scale plan

To set up authentication for a mixed B2B and B2C business, you need to be on the Kinde Scale plan. This is the only Kinde plan that gives you access to the features you need:

  • Multiple enterprise connections (e.g. SAML)
  • Advanced organizations - for managing users and access for business customers

You get 5 enterprise connections and 5 advanced organizations included with Kinde Scale. You can add more, but costs apply.

How to build a unified sign-in experience

A unified experience is where everyone signs in through the same sign-in screen and is then routed to the authentication workflow that applies to them.

[Image: unified sign in]

This simplifies the sign-in experience for all your users, including those who sign in through your enterprise connections.

Example of a unified authentication experience

This is what happens behind the scenes with the auth setup.


Step 1: Set up auth for your B2C users

In this scenario, your direct customers will sign in with email and a one-time passcode (OTP). To set this up:

  1. Enable email + code authentication in your business.
  2. Set email + code as the sign-in method in your default organization.
  3. (Optional) Set an organization policy to allow users to sign up to the default org using an email address.

Step 2: Set up auth for your B2B users

Authentication for business customers can be more complex, with additional security considerations and setup time involved. For example, a partner business may require its employees to access your web app only with their business email, and may require authentication to be centralised with the partner's own identity provider via SAML.

Let’s go through the process for setting up 5 SAML enterprise connections for 5 different business customers.

  1. Add 5 separate enterprise connections to Kinde, e.g. EC1, EC2, EC3, and so on.

    1. Configure each connection with the domain information, including email domains in the home realm discovery field. You may need to ask the customer’s IT team for this information.
    2. (Recommended) Switch on the Create user on sign up option to enable JIT provisioning.
  2. Create 5 organizations, one for each business customer (and connection), and select only the relevant enterprise connection for each organization.

    For example:

    For this org…      Switch on this auth connection…
    Organization 1     EC1 (domain x home realm)
    Organization 2     EC2 (domain y home realm)
    Organization 3     EC3 (domain a home realm)
    Organization 4     EC4 (domain b home realm)
    Organization 5     EC5 (domain c home realm)
  3. In each organization:

    1. Go to Policies and add the relevant domain to the Allowed domains field.
    2. Select Auto-add users from allowed domains. This activates JIT provisioning for users signing up from this domain.
    3. Select Save.

With home realm discovery and allowed domains set, a user who enters an email address whose domain matches a connection's home realm is routed through that enterprise connection automatically. There is no need for them to self-select which connection they belong to.
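The routing decision described above, as an added example (not Kinde's code) that models home realm discovery so you can reason about and test a configuration offline. Connection and organization names are the page's placeholders; the email domains, the default organization name and the exact-domain matching rule are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    organization: str    # org the user will sign in to
    connection: str      # "email+code" or the SAML enterprise connection name
    jit_provision: bool  # user is auto-added to the org on first sign-in


# Constructed configuration mirroring Step 2: each enterprise connection has a
# home realm domain, and the matching org lists that domain as allowed.
ENTERPRISE_CONNECTIONS = {
    "EC1": {"home_realm": "partner-x.example", "organization": "Organization 1"},
    "EC2": {"home_realm": "partner-y.example", "organization": "Organization 2"},
}
ALLOWED_DOMAINS = {
    "Organization 1": {"partner-x.example"},
    "Organization 2": set(),  # auto-add not switched on: no JIT provisioning
}
DEFAULT_ORG = "Default organization"  # hypothetical name for the default org


def email_domain(email: str) -> str:
    """Return the normalised (lower-cased) domain of a syntactically sane email."""
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or not domain or "@" in domain or "." not in domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def route_sign_in(email: str,
                  connections=ENTERPRISE_CONNECTIONS,
                  allowed=ALLOWED_DOMAINS) -> Route:
    """Decide which org and connection handle this sign-in.

    Matching is exact on the whole domain (an assumption about Kinde's home
    realm discovery): a sub-domain or "partner-x.example.attacker" does not
    match EC1. Anything unmatched falls back to the default org's
    email + code flow, so the user never picks a connection themselves.
    """
    domain = email_domain(email)
    for name, cfg in connections.items():
        if domain == cfg["home_realm"]:
            org = cfg["organization"]
            return Route(org, name, domain in allowed.get(org, set()))
    return Route(DEFAULT_ORG, "email+code", False)
```

A sign-in from a domain that is not listed as a home realm lands in the default org's OTP flow, and JIT provisioning only applies where the org's allowed-domains policy names the domain.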

Step 3: Enable authentication for your application

To achieve the above scenario, all the supported sign-in methods need to be switched on in your application. For example, switch on Email + code, EC1, EC2, EC3, EC4, and EC5.

[Image: Auth options to switch on in Kinde]

Optimize your auth flow

This unified model of authentication can be extended to tens or hundreds of organizations, all while maintaining the same sign-in screen.

Other situations you can cater for include: