| 1 | +--- |
| 2 | +page_id: 10b52ab6-95e4-47ab-be62-b1c7f7cfcddd |
| 3 | +title: Guide to enterprise auth and user identities |
| 4 | +sidebar: |
| 5 | + order: 3 |
| 6 | +relatedArticles: |
| 7 | + - fcf28a71-c3a8-4474-9564-ad089d3f2105 |
| 8 | + - e519f56a-603a-44dd-a946-3aaf6fb256ce |
| 9 | +--- |
| 10 | + |
| 11 | +At Kinde, each user can only have one enterprise identity provider (IdP) connection as part of their user profile. This is because we want to keep things simple, secure, and reliable. |
| 12 | + |
| 13 | +We get asked about this regularly, so this document explains our reasoning from a security and architectural perspective. |
| 14 | + |
| 15 | +## What is an enterprise connection? |
| 16 | + |
| 17 | +An enterprise connection allows users to sign in to your product using their organization’s identity provider — such as Okta, Azure AD, or Google Workspace. This enables Single Sign-On (SSO), centralized user management, and improved security for enterprise customers. |
| 18 | + |
| 19 | +## Why only one identity per user? |
| 20 | + |
| 21 | +Many customer identity platforms, including Kinde, enforce a one-to-one relationship between a user and an enterprise connection. Here’s why: |
| 22 | + |
| 23 | +### 1. Prevents identity conflicts |
| 24 | + |
| 25 | +If a user could sign in through multiple enterprise providers, it becomes difficult to determine whether those identities belong to the same person. This can result in: |
| 26 | + |
| 27 | +- Duplicate accounts for the same user |
| 28 | +- Conflicting user attributes (email, name, roles, etc.) |
| 29 | +- Confusion around permissions and organization membership |
| 30 | + |
| 31 | +Restricting to a single enterprise connection ensures a consistent and predictable identity model. |
| 32 | + |
| 33 | +### 2. Security and account Integrity |
| 34 | + |
| 35 | +Allowing multiple enterprise connections introduces significant security risks: |
| 36 | + |
| 37 | +- **Risk of account hijacking:** If a user can link multiple IdPs, and identity claims like email or subject ID (`sub`) overlap or are not verified consistently, it becomes possible for unauthorized users to gain access to another user’s account. |
| 38 | +- **Inconsistent identity claims:** Different IdPs use different formats and identifiers. One provider may use an email address, another a unique internal ID. Reconciling these automatically increases the risk of incorrect mappings and privilege escalation. |
| 39 | +- **Reduced auditability:** Security audits and access logs rely on a single, traceable identity. If a user can authenticate through multiple IdPs, it becomes harder to guarantee that all actions are traceable to a single, verified identity. |
| 40 | +- **Clear accountability:** With one connection per user, the responsibility for identity management, password resets, session revocation, and breach response remains clearly with the source identity provider. |
| 41 | + |
| 42 | +### 3. Simplified tenant and access management |
| 43 | + |
| 44 | +In multi-tenant applications, each enterprise typically has its own workspace or organization. Supporting one IdP per user: |
| 45 | + |
| 46 | +- Keeps tenant boundaries clean |
| 47 | +- Prevents role or permission leakage between organizations |
| 48 | +- Simplifies access control logic |
| 49 | + |
| 50 | +## What if someone needs access to multiple organizations? |
| 51 | + |
| 52 | +We support users belonging to multiple organizations within Kinde. In edge cases (such as contractors working across companies) we recommend adding [enterprise connections at the organization level](/authenticate/enterprise-connections/enterprise-connections-b2b/). This means the user signs in directly to the relevant organization, with no confusion about where to be routed. This feature is only available on the Kinde Scale plan. |
| 53 | + |
| 54 | +If you are not on the relevant plan, other ways to handle this include: |
| 55 | + |
| 56 | +- Use separate emails for each organization |
| 57 | +- Use different auth methods per organization |
| 58 | + |
| 59 | +## Built for security, designed for clarity |
| 60 | + |
| 61 | +This choice to allow only one enterprise identity per user aligns with industry best practices and helps keep your users, data, and systems secure. By enforcing this, Kinde provides a stable and trusted identity layer you can build on with confidence. |
| 62 | + |
| 63 | +If you have any questions about more advanced SSO or identity configurations, [contact our team](https://kinde.com/contact). We’re happy to help. |
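Review bot: the fourth bullet under "Security and account Integrity" (`**Clear accountability:**`) describes a benefit of the one-connection model, but the list is introduced with "Allowing multiple enterprise connections introduces significant security risks", so it reads as if accountability were itself a risk; either reword it as the risk it implies (for example "Diluted accountability: with several IdPs it is unclear which provider owns password resets, session revocation and breach response") or move it out of the risk list into the "Simplified tenant and access management" section. Minor points in the same hunk: the heading "Security and account Integrity" should be "Security and account integrity" to match the sentence-case headings elsewhere in the file, and the "Risk of account hijacking" bullet, which already names email and `sub`, would be clearer if it stated what identity matching should key on (the issuer together with the `sub` claim rather than the email address), since that is the property the single-connection rule is protecting.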