
Enterprise connections for B2B

Enterprise connections are common for B2B setups where each business customer is represented as an organization in Kinde, and that organization is linked to one or more connections.

There are a number of ways to manage auth at the organization level. This topic discusses access control for organizations with enterprise connections.

Restrict org access via connections


When you set custom authentication for an organization, you can restrict access via specific enterprise connections.

  1. Open the relevant organization in Kinde and select Authentication in the menu.
  2. Deselect all auth methods except the enterprise connection you want.
  3. Select Save.

Here’s what happens:

  • When the org_code is passed to Kinde as part of the authentication URL, only the sign-in option enabled for that organization is shown.
  • Users can only self-join the organization if they sign up via the enabled authentication connection.
  • Organization access is locked down so that it is granted only on the basis of the connection used, including when a user switches between organizations.
  • If you are using home realm discovery, connections do not have to be enabled at the application level to support redirects to the correct IdP.

This behaviour is domain-agnostic: access depends purely on the connection being used, not on the user's email domain.
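The procedure above hinges on the org_code reaching Kinde in the authorization request. The following is an added example, not code from this page or from Kinde's SDKs, of how a server-side app would build that request for one organization. It assumes Kinde's standard OAuth 2.0 / OIDC authorize endpoint at /oauth2/auth on your Kinde subdomain, and the query parameters client_id, redirect_uri, response_type, scope, state, code_challenge, code_challenge_method and org_code; the subdomain, client ID, redirect URI and org code in the usage at the bottom are constructed placeholders. PKCE and a random state are included because an org-scoped login link is still an OAuth redirect and needs the usual callback binding.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed Kinde authorize endpoint path (assumption, not taken from this page).
AUTH_PATH = "/oauth2/auth"


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for PKCE with the S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def verify_pkce_challenge(verifier: str, challenge: str) -> bool:
    """Recompute S256(verifier) and compare in constant time (what the token endpoint does)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return secrets.compare_digest(expected, challenge)


def new_state() -> str:
    """Unguessable per-request state; store it server-side and check it on the callback."""
    return secrets.token_urlsafe(24)


def build_org_auth_url(
    kinde_domain: str,
    client_id: str,
    redirect_uri: str,
    org_code: str,
    state: str,
    code_challenge: str,
    scope: str = "openid profile email",
) -> str:
    """Build the authorization URL for a single organization.

    Passing org_code tells Kinde which organization the user is signing in to,
    so only that org's enabled auth method (here its enterprise connection) is
    offered. state and code_challenge bind the eventual callback to this session.
    """
    if not org_code or any(ch.isspace() for ch in org_code):
        raise ValueError("org_code must be a single non-empty token")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "org_code": org_code,
    }
    return f"https://{kinde_domain}{AUTH_PATH}?{urlencode(params)}"


def parse_auth_url(url: str) -> dict:
    """Split an authorization URL into host, path and single-valued query params (for checks)."""
    parts = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"host": parts.netloc, "path": parts.path, "query": query}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_org_auth_url(
        "acme.kinde.com",                    # constructed example subdomain
        "client_123",                        # constructed client ID
        "https://app.example.com/callback",  # constructed redirect URI
        "org_a1b2c3",                        # constructed org code
        new_state(),
        challenge,
    )
    print(url)
    print(parse_auth_url(url)["query"]["org_code"])
```

Keep the code_verifier and state in the server-side session, and on the callback reject any response whose state does not match before exchanging the code; the org_code only selects which sign-in option Kinde presents, it does not replace those checks.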

Org provisioning and access via allowed domains


To manage organization access, you can set policies that restrict access to a list of allowed domains. You can also enable just-in-time (JIT) provisioning via allowed domains.

  1. Open the relevant organization in Kinde and select Policies in the menu.
  2. Select Allow org members to be auto-added.
  3. Enter all the allowed domains in the Allowed domains list.
  4. Enable JIT provisioning for all new organization members by selecting Auto-add users from allowed domains.
  5. Select Save.

Here’s what happens:

  • When the org_code is passed to Kinde as part of the authentication URL, the correct sign-in option is shown.
  • Kinde checks that users belong to one of the allowed domains before authorizing access.
  • The user joins the organization if their email domain matches any of the allowed domains.
  • Because this check happens only at sign-up, you can still separately add users whose email domains fall outside the allowlist. This is useful for contractors or auditors whose email addresses are not in an allowed domain.
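To make the two paths above concrete, here is an added example (this page's own illustration, not Kinde's implementation or API) of a domain allowlist check with the properties a practitioner would want from it: case-insensitive, exact-match on the domain part, and applied on the sign-up path only, while an admin-add path bypasses it exactly as the last point describes. The Organization class, its method names and the decision that a disabled JIT toggle means sign-up does not add the user are this example's own modelling, and the email addresses and domains are constructed.

```python
from typing import Optional


def normalize_domain(domain: str) -> str:
    """Lower-case, trim, drop a trailing dot; reject anything that is not a bare host name."""
    d = domain.strip().lower().rstrip(".")
    if not d or any(ch in d for ch in "@/: \t"):
        raise ValueError(f"not a bare domain: {domain!r}")
    return d


def email_domain(email: str) -> Optional[str]:
    """Normalized domain part of an address, or None when the string is not shaped like an email."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    try:
        return normalize_domain(domain)
    except ValueError:
        return None


def domain_allowed(email: str, allowed_domains: frozenset[str]) -> bool:
    """Exact, case-insensitive match of the email's domain against the allowlist.

    Exact membership rather than endswith(), so look-alikes such as
    notexample.com or example.com.attacker.net never match example.com.
    Sub-domains are deliberately not matched either (this example's choice):
    list every sub-domain you trust explicitly.
    """
    d = email_domain(email)
    return d is not None and d in allowed_domains


class Organization:
    """Minimal model of one org's Policies settings (hypothetical type for this example)."""

    def __init__(self, allowed_domains, jit_enabled: bool):
        self.allowed_domains = frozenset(normalize_domain(d) for d in allowed_domains)
        self.jit_enabled = jit_enabled
        self.members: dict[str, str] = {}  # normalized email -> how the member joined

    def on_signup(self, email: str) -> bool:
        """Sign-up path: the allowed-domain check runs here, and only here."""
        if not self.jit_enabled or not domain_allowed(email, self.allowed_domains):
            return False
        self.members[email.strip().lower()] = "jit"
        return True

    def admin_add(self, email: str) -> None:
        """Admin path: no domain check, which is how a contractor or auditor is added."""
        if email_domain(email) is None:
            raise ValueError("not an email address")
        self.members[email.strip().lower()] = "admin"


if __name__ == "__main__":
    # Constructed sample org and addresses.
    org = Organization(["Example.com", "corp.example.org."], jit_enabled=True)
    for addr in ["Alice@EXAMPLE.COM", "mallory@notexample.com",
                 "eve@example.com.attacker.net", "eve@sub.example.com", "not-an-email"]:
        print(f"{addr:32} auto-join: {org.on_signup(addr)}")
    org.admin_add("auditor@audit-firm.test")
    print(org.members)
```

A domain match is only as strong as the email claim behind it: on the sign-up path the domain should be taken from an address the identity provider has actually verified, not from a value the user typed into a form.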