About Kinde authentication
Auth and access
About enterprise connections
Enterprise authentication is a common method for managing user access to systems in large organizations.
Kinde supports a number of enterprise connection types, including:
- Custom SAML
- Microsoft Entra ID (was Azure AD) WS Federated or Open ID
- Google Workspace (via SAML)
- Okta (via SAML)
- Cloudflare (via SAML)
Provisioning for enterprise connections
Link to this sectionKinde offer a number of provisioning options for enterprise connections, including just in time (JIT) provisioning and pre-provisioning options.
See Provisioning users with enterprise connections
How identities are handled in enterprise conenctions
Link to this sectionUsers with enterprise identities in Kinde can’t also have other identity types in Kinde. E.g. a user can have an email identity and a social identity. But if a user has an enterprise identity, they cannot have other identities. In this case, identity information is sourced with the identity provider and is managed via the identity provider, not in Kinde. Learn more about identities in Kinde.
Enterprise connections for B2B businesses
Link to this sectionMany businesses have businesses for customers (B2B), and use Kinde organizations to manage authentication and access. Kinde lets you set a number of enterprise authentication features at the organization level, see Enterprise authentication for B2B.
Routing in enterprise connections
Link to this sectionWhen users sign up via an enterprise connection with single-sign-on (SSO), they are routed to the identity provider (IdP) for identity verification. This happens when they select the SSO button on the home screen. You can set up a more seamless routing option using home realm discovery.
Home realm discovery
Link to this sectionHome realm discovery routes users based on their email domain. So when a user enters their email and selects the continue button, they are routed to their IdP based on the email domain, to authenticate. For example if the user enters chris@acme.com Kinde checks which IdP uses the acme.com domain and silently verifies his identity. He only signs in once.
Note that this feature has nothing to do with security or access control and everything to do with routing. Not to be confused with setting access restrictions for domain allowlists.
Learn more about home realm discovery.
Show or hide the SSO sign-in button on the auth page
Link to this sectionWhen you set up enterprise auth in Kinde, an SSO button appears on the authentication page which is linked to the IdP by default. Users can select this as a sign up method, similar to how they might select a Google or Facebook sign-in option. For a more seamless experience, you can hide the SSO button by entering a home realm domain for the connection (more info above). Users will be routed silently via their IdP when they enter their credentials.
If you have multiple enterprise auth methods (E.g. SAML and Entra ID), you may not want to show multiple SSO buttons. Here’s the options for showing and hiding, depending how many enterprise auth methods you add:
(Option 1) Hide all SSO buttons
Link to this sectionIf you configure home realm discovery in each enterprise auth method, all SSO buttons will be hidden by default. The user enters their credentials and they are silently authenticated against the relevant IdP based on email domain.
(Option 2) Show a universal SSO button for all
Link to this sectionIf you would prefer users explicitly choose to sign in with SSO, you can add a universal button to the sign in screen.
- Go to Settings > Applications > Your application.
- On the Details page scroll down to the Authentication experience section.
- Switch on Show ‘Sign in with SSO’ button.
Users click the universal button, enter their credentials, and get routed silently to the IdP for verification.