Manage Organizations and Domains
An overview of Organizations and Domains and how to work with them
What are Organizations
Organizations (orgs) are groupings of accounts (users) with common access to select products, login options, and anything else you decide. Organizations can represent customers, departments, or any other entity that your business needs to carve out for administrative reasons. Typically, organizations are used to define your customers.
Organizations are the basis of B2B features within UE Auth. Accounts (users) that have been attributed to an organization are considered B2B accounts, regardless of any B2C applications to which they may also have access. Typically, these accounts will be the employees of your customer; however, this is not a requirement and not enforced by default by any system in UE Auth.
For a detailed overview of B2B and B2C User Access click here.
You can access organizations by clicking the start button in the lower left, hovering over UE Auth, and selecting Organizations.
What are Domains
Domains allow you to create a higher fidelity of product access control within an organization. To understand why, it's important to first understand that all product access in UE Auth is inherited through domain assignment.
All Product Access is inherited through Domain Assignment
As a result, when products are assigned to a domain, and that domain is then assigned to a user, the user has access to every product in that domain. For this reason, it's beneficial to have multiple domains, each holding only the products its users need, so that not every user has access to every product licensed to the organization.
Domains are managed within the organization window.
The Platform Organization and Admin Domain
Platform Org
United Effects uses UE Auth to manage access to everything we build as well. For that reason, we use the exact same model for access to the platform as you will use for access to your products.
The first time you use the UE platform, you'll notice that there is already an organization listed. This organization is YOUR organization and represents access to your instance of UE Auth and UE Streams. You should only ever add your company employees or those you trust to this organization. You'll know it because the organization will be named after your platform.
ONLY ADD YOUR EMPLOYEES TO YOUR ORGANIZATION
Any other organization you create is safe to add users to however you need.
Administrative Domain
Whenever a new organization is created (and also as a pre-existing domain within the platform organization above) there is an administrative domain created by default. This domain exists to allow product access to the UE platform portal for organization admins. Every product that is licensed to an organization is also automatically applied to this domain.
It is highly recommended that you do not utilize this domain for general access to products within your organization. Instead, create at least one other domain where only the products you wish to assign to everyday users are mapped. This way, you avoid every user having access to every product. You can create as many domains as you wish.
DO NOT ASSIGN ALL USERS TO THE ADMIN DOMAIN
Instead, create at least one other domain for non-admin users.
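The inheritance rule and the admin-domain warning above can be checked mechanically. The following is an added example, not United Effects code: it models an organization as constructed sample data (all field names, including `org_admin` and `is_admin`, are hypothetical and not the UE Auth schema), computes each user's effective products from their domains, and lists non-admin users who hold the admin domain along with the extra products it grants them.

```python
# Constructed sample data; the field names are hypothetical, not the UE Auth schema.
ORG = {
    "name": "Acme Corp",
    "licensed_products": {"UE Auth Customer Portal", "Billing", "Reports"},
    "domains": {
        # The admin domain automatically receives every licensed product.
        "admin": {"is_admin": True, "products": {"UE Auth Customer Portal", "Billing", "Reports"}},
        "staff": {"is_admin": False, "products": {"Reports"}},
        "finance": {"is_admin": False, "products": {"Billing", "Reports"}},
    },
    "users": {
        "alice": {"org_admin": True, "domains": ["admin"]},
        "bob": {"org_admin": False, "domains": ["staff"]},
        "carol": {"org_admin": False, "domains": ["staff", "admin"]},
        "dave": {"org_admin": False, "domains": []},
    },
}


def effective_products(org, user):
    """Union of products across the user's domains, limited to org licences."""
    granted = set()
    for name in org["users"][user]["domains"]:
        granted |= org["domains"][name]["products"]
    return granted & org["licensed_products"]


def admin_domain_overreach(org):
    """Non-admin users who hold an admin domain, with the extra products it gives them."""
    findings = {}
    for user, info in org["users"].items():
        if info["org_admin"]:
            continue
        held = info["domains"]
        if not any(org["domains"][d]["is_admin"] for d in held):
            continue
        # What the user would have from their non-admin domains alone.
        baseline = set()
        for d in held:
            if not org["domains"][d]["is_admin"]:
                baseline |= org["domains"][d]["products"]
        findings[user] = sorted(effective_products(org, user) - baseline)
    return findings


if __name__ == "__main__":
    print("over-assigned:", admin_domain_overreach(ORG))
```

A user with no domain, like `dave` in the sample, gets no products even though the organization is licensed for three.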
Setting
Create an Org
To create an organization, follow these steps:
- Click the "Start" button in the lower left of the UE platform UI
- Hover over UE Auth and select Organizations
- Click "Add" on the window and you'll see the following screen.
- Provide a name for the organization, a description, and a contact email (required). The contact email can be a person or shared inbox for that organization. For example, the organization admin or a [email protected] email address.
- Once created, you'll see details about the organization in the right window. At the top is the organization unique ID which UE Auth uses to identify this organization; however, just below that is an "external ID" field which you can use to map this organization to your own internal customer ID or tenant ID. Once mapped, you can use the UE Auth API to query by either organization ID or external ID.
- Scroll down the right window to add additional contact information for your organization admin.
Security
UE Auth organizations have a few security features to protect your customers and users. Scroll down to the bottom of the right window and you'll see the following options.
To ensure that only email addresses with a specific domain can be added to this organization, flip the "Restrict Email Domains" toggle and enter the domain you wish to restrict it to. For example, if you only want people with the email domain "unitedeffects.com" to be allowed, you can flip that toggle and add this domain in the now visible field. Don't forget to click once you've entered the domain.
If you wish to ensure that users who are provided access to this organization must agree to a specific set of terms and conditions, toggle the "Require access terms acceptance" option and either paste your text based terms or a URL to the terms you wish to use.
And finally, if you wish to notify people when the information you are storing about them has changed (organization profile), toggle the final option.
License Products
The magic of UE Auth is that it can communicate what a user should be able to access as a function of the products that have been sold to that user's organization. As you define products within UE Auth, you can then license them to organizations.
The first time you click "Licensed Products" for an organization, you'll notice that one product is already licensed. This is the UE Auth Customer Portal product. It allows your organization admin to access UE Auth without your help to manage settings, SSO, and other factors, while ensuring that they cannot access anything else about your platform level UE Auth solution or settings.
If you were to scroll through the list of products to add, you'll see that there are two UE Auth products listed. One is the "super admin portal" which is the one you and those who are employed by you might use, and the other is the "customer portal" which we've just described. You are not able to add the "super admin portal" to any Organization other than the platform organization itself and even then you should try never to add or remove that product unless working with United Effects support directly.
Never attempt to add or remove the Super Admin Portal from an organization
Unless you are working with and under the supervision of United Effects support.
Any other product defined within UE Auth is fair game to add to an organization. Simply select the product and click "Add this product".
REMINDER: Only adding the product to the org is not enough for user access
You'll also have to add the product to one of the domains within the organization. Domains are what are ultimately assigned to users.
Scroll down to the domains section and select one. You'll immediately see another product selection dropdown. This one is limited to only those products which have been licensed to the organization. Select your product and add it to the domain.
Domains allow us to be specific about how users access products
This will be described in detail in the User Access docs (coming soon!)
Enterprise SSO
If your organizations are customers or some other form of external entity, they may want to use their own authentication solution (usernames and passwords) to access your products. This is called Enterprise SSO and it's very easy to set up with UE Auth.
To get started, select SSO for the organization. You'll then see security and configuration options in the right window.
Secure Access
Under Security, there are two options:
- SSO Only - When selected, this option tells UE Auth to remove all other login options that may be globally configured for your platform whenever a user from this organization is identified. For this to work properly, you must also provide an SSO Email Domain so that UE Auth can ask for an email address and map that address to this organization.
For SSO Only to work, you must map an SSO Email Domain
This is an email domain that is unique to the organization. For example, if the organization is Apple, Inc. the domain would likely be apple.com.
- Automatically add users to Organization - When selected, this option tells UE Auth to allow users that have not yet been added to your platform to automatically be copied over and allowed access to the organization whenever they are appropriately authenticated through the Enterprise SSO identity provider. If this toggle is not enabled and a user that has not been added to your platform as an account attempts to log into the product with Enterprise SSO, they will not be authenticated, even if they have a valid login with the federated identity provider. If you decide to enable this feature, it is HIGHLY recommended that you lock the organization to a specific email domain as described earlier in this doc.
DO NOT auto-add users to an org without locking down allowed email domains
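A review of the two security options above against the email-domain restriction, as an added example that is not United Effects code. The settings records are constructed and their key names are hypothetical, not the UE Auth schema; the page does not say how UE Auth matches domains internally, so `email_allowed` only illustrates why a restriction should be an exact domain match.

```python
# Constructed org settings; key names are hypothetical, not the UE Auth schema.
ORGS = [
    {"name": "Acme", "restrict_email_domains": ["acme.example"],
     "sso_only": True, "sso_email_domain": "acme.example", "auto_add_users": True},
    {"name": "Globex", "restrict_email_domains": [],
     "sso_only": False, "sso_email_domain": "", "auto_add_users": True},
    {"name": "Initech", "restrict_email_domains": ["initech.example"],
     "sso_only": True, "sso_email_domain": "", "auto_add_users": False},
]


def email_allowed(email, allowed_domains):
    """Exact, case-insensitive match on the part after the last '@'.

    A suffix or substring test would also accept look-alike domains such as
    'notacme.example' or 'acme.example.other.test'.
    """
    if not allowed_domains:
        return True  # restriction toggle is off
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return False
    return domain.lower().rstrip(".") in {d.lower() for d in allowed_domains}


def audit(org):
    """Return the page's SSO recommendations that this org does not follow."""
    findings = []
    if org["auto_add_users"] and not org["restrict_email_domains"]:
        findings.append("auto-add enabled without restricted email domains")
    if org["sso_only"] and not org["sso_email_domain"]:
        findings.append("SSO Only enabled without an SSO Email Domain")
    return findings


if __name__ == "__main__":
    for org in ORGS:
        print(org["name"], audit(org) or "ok")
```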
Configuration
Enterprise SSO with UE Auth allows for three options: OIDC, OAuth, and SAML.
Simply select the provider specification desired and fill in the appropriate fields to enable Enterprise SSO for the organization.