Organizations

Organizations are tenants in SqlOS. Each organization has its own users (via memberships), optional SSO configuration, and a slug for URL-friendly identification.

Create an organization#

Dashboard: Auth Server > Organizations

SDK:

var org = await adminService.CreateOrganizationAsync(new CreateOrganizationRequest
{
    Name = "Acme Corp",
    Slug = "acme",
    PrimaryDomain = "acme.com"
});

Admin API:

curl -X POST http://localhost:5062/sqlos/admin/auth/api/organizations \
  -H "Content-Type: application/json" \
  -d '{"name": "Acme Corp", "slug": "acme", "primaryDomain": "acme.com"}'

Primary domain#

When you set a primary domain, AuthServer uses it for home realm discovery. Users with matching email domains are automatically routed to SSO instead of password login.

Create a membership#

Users join organizations through memberships. Each membership has a role. Public signup does not accept an organizationId as permission to join an existing organization; use an invitation, trusted SSO/SCIM provisioning, or an admin-owned workflow to create memberships for existing tenants.

var membership = await adminService.CreateMembershipAsync(new CreateMembershipRequest
{
    OrganizationId = org.Id,
    UserId = user.Id,
    Role = "admin"
});

Multi-org login#

When a user belongs to multiple organizations and logs in without specifying one, AuthServer returns a RequiresOrganizationSelection response with the list of available organizations. Your app presents the list and calls SelectOrganizationAsync to complete login.

var result = await authService.LoginWithPasswordAsync(
    new SqlOSPasswordLoginRequest(email, password, clientId),
    httpContext, ct);
 
if (result.RequiresOrganizationSelection)
{
    // result.Organizations contains the options
    // result.PendingAuthToken is used to complete selection
}

Organization switching#

Users can switch organizations without re-authenticating by passing a different organizationId during token refresh.