Configure org roles & auth

This page is the detail for Setup overview — Step 6: Configure org roles & auth.

Assign role groups to each organization and configure how the org's members authenticate — inheriting app settings or overriding with their own IdP.

Understand org roles and auth

Continuing with the holiday booking platform example, you now have the organizations from the previous step and the role groups you already defined. The next decision is: which role group should each organization receive, and how should that organization's staff sign in?

In the main path of this guide, the Retail travel agency receives the broader Retail storefront role group, while New York branch receives the narrower Retail sales only role group exposed by the parent. This means head-office staff can receive a wider set of app roles, while branch staff remain limited to the branch-level scope.

This step also lets you decide whether an organization keeps the application's default authentication settings or uses its own authentication override. In the example below, Back-office / finance partner is used only to show an organization that signs in through its own corporate identity system.

| Organization | Assigned role group | How their staff signs in |
| --- | --- | --- |
| Retail travel agency | Retail storefront | Platform default |
| New York branch | Retail sales only | Platform default |
| Back-office / finance partner | Not part of the main role-group path in this example | Their own corporate identity system |

This step connects the previous setup decisions: the organizations you created now receive the role groups you defined earlier, and each organization either keeps the application's default sign-in settings or gets its own authentication override. In the next step, members of that organization will be able to receive only the app roles allowed by the role groups assigned here.

Configure role groups per organization and application

Role groups are assigned per organization-application pair: an organization connected to two applications can have a different set of role groups for each. In the Admin Portal, open B2B Identity > Organizations > [your org] > Applications. For each application associated with the org, select Assign roles and choose the role groups this org should have access to for that application.

Once role groups are assigned, the org's admins can assign member roles to their members — but only from the roles that belong to those groups.

Role groups and members

To assign member roles, role groups must already be assigned to the organization. If you haven’t created the required role groups yet, see Create app role groups.

For parent–child hierarchies

When organizations are structured as parent and managed children, go to B2B Identity > Organizations > [your org] > Applications > Assign roles for each org. What you assign depends on which org you have selected:

  • If it's a parent org: assign the role groups you designated as parent role groups in Step 4 (e.g. Retail storefront).
  • If it's a managed child org: assign the role groups you designated as child role groups in Step 4 (e.g. Retail sales only for New York branch). The picker shows only the role groups the parent has exposed.

Order matters

Always assign role groups to the parent org before the managed child. The child org's picker is populated from what the parent has already been assigned — if the parent has no role groups yet, the picker will be empty.
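The three rules above (role groups are scoped to an org-app pair, a managed child's picker contains only what its parent's assigned groups expose, and member roles must come from the assigned groups) can be checked mechanically. The following is an added example written for this page, not the product's API or data model: the `exposes` list on a role group, the top-level picker showing every group, and the sample role names are assumptions made for the model.

```python
"""Toy model of the role-group assignment rules on this page (an added
example, not the product's API or data model): role groups are assigned per
organization-application pair, a managed child's picker shows only what its
parent's assigned groups expose, and member roles must come from the
assigned groups."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RoleGroup:
    name: str
    roles: frozenset[str]
    # Names of the child role groups this group exposes to managed child
    # orgs. That a group carries this list explicitly is an assumption of
    # the model; the page only says the child picker shows what the parent
    # has exposed.
    exposes: frozenset[str] = frozenset()


@dataclass
class Organization:
    name: str
    parent: "Organization | None" = None
    # app name -> role group names assigned for that app
    assigned: dict[str, set[str]] = field(default_factory=dict)
    # app name -> member -> roles granted to that member
    member_roles: dict[str, dict[str, set[str]]] = field(default_factory=dict)


class RoleGroupCatalog:
    def __init__(self, groups: list[RoleGroup]) -> None:
        self.groups = {g.name: g for g in groups}

    def picker(self, org: Organization, app: str) -> set[str]:
        """Role groups an admin may choose for this org-app pair.

        Top-level orgs may pick any group (assumption of the model). A
        managed child may pick only the groups exposed by what its parent
        already holds for the same app, so the picker stays empty until
        the parent has been assigned.
        """
        if org.parent is None:
            return set(self.groups)
        choices: set[str] = set()
        for group_name in org.parent.assigned.get(app, set()):
            choices |= self.groups[group_name].exposes
        return choices

    def assign_role_groups(self, org: Organization, app: str, names: set[str]) -> None:
        not_allowed = set(names) - self.picker(org, app)
        if not_allowed:
            raise PermissionError(
                f"{org.name}: cannot assign {sorted(not_allowed)} for {app}")
        org.assigned.setdefault(app, set()).update(names)

    def assignable_roles(self, org: Organization, app: str) -> set[str]:
        """Union of the roles in every group assigned to this org-app pair."""
        roles: set[str] = set()
        for group_name in org.assigned.get(app, set()):
            roles |= self.groups[group_name].roles
        return roles

    def assign_member_role(self, org: Organization, app: str, member: str, role: str) -> None:
        if role not in self.assignable_roles(org, app):
            raise PermissionError(
                f"{org.name}: role {role!r} is outside the assigned role groups for {app}")
        org.member_roles.setdefault(app, {}).setdefault(member, set()).add(role)


APP = "Holiday booking platform"


def build_catalog() -> RoleGroupCatalog:
    # Constructed sample groups; the role names are assumptions.
    return RoleGroupCatalog([
        RoleGroup("Retail storefront",
                  frozenset({"view_bookings", "create_booking", "manage_catalog"}),
                  exposes=frozenset({"Retail sales only"})),
        RoleGroup("Retail sales only",
                  frozenset({"view_bookings", "create_booking"})),
    ])


def demo() -> dict:
    """Walk the parent-before-child ordering and the member-role limit."""
    catalog = build_catalog()
    agency = Organization("Retail travel agency")
    branch = Organization("New York branch", parent=agency)
    result: dict = {}
    result["picker_before_parent"] = catalog.picker(branch, APP)   # empty
    try:
        catalog.assign_role_groups(branch, APP, {"Retail sales only"})
        result["child_first"] = "allowed"
    except PermissionError:
        result["child_first"] = "rejected"
    catalog.assign_role_groups(agency, APP, {"Retail storefront"})
    result["picker_after_parent"] = catalog.picker(branch, APP)
    catalog.assign_role_groups(branch, APP, {"Retail sales only"})
    catalog.assign_member_role(branch, APP, "branch-agent", "create_booking")
    try:
        catalog.assign_member_role(branch, APP, "branch-agent", "manage_catalog")
        result["branch_manage_catalog"] = "allowed"
    except PermissionError:
        result["branch_manage_catalog"] = "rejected"
    result["branch_roles"] = catalog.assignable_roles(branch, APP)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the ordering rule in action: the branch picker is empty and an assignment to the branch is rejected until the agency holds Retail storefront, and even afterwards a branch member can only receive roles from Retail sales only, never the head-office `manage_catalog` role.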

Associate an organization to multiple apps

An organization can be associated with more than one application. This lets you give the same organization access to different products or services on your platform. For example, the Back-office / finance partner is associated with the Holiday booking platform and could also be linked to a second application, with different role groups assigned for each.

Top-level organizations only

Managed child organizations are bound to a single application and cannot be associated with additional ones — see What a managed child organization can and cannot do.

In the Admin Portal, go to B2B Identity > Organizations > [your org] > Applications > +Add app, select the application, and assign the relevant role groups.

Configure authentication per organization and application

Authentication settings are scoped to each organization-application pair: an organization connected to two applications can have different authentication for each. By default, every org-app pair inherits the application-level hosted experience — login flow, branding, and authentication methods. For details on these app-level defaults, see B2B hosted login experience. To review the current values before overriding them:

  • For the login flow and branding, go to Admin Portal > B2B Identity > Experience Management.
  • For the enabled auth methods, go to Admin Portal > B2B Identity > Authentication Methods.

To override these behaviors for a specific org-app pair, in the Admin Portal, go to B2B Identity > Organizations > [your org] > Applications > [your app] > Authentication methods tab. From here you can either:

  • Override platform auth methods: Replace the app's default authenticators with a different set for this org. The configuration mirrors the application-level settings — see Customize login methods.
  • Configure federated access: Let the org's members sign in through their own corporate identity provider via OIDC or SAML.

Override scope

Authentication overrides apply only to that organization's members. Changes to app-level authentication settings made later will not affect organizations that already have an override configured.
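The inheritance rule is easy to get wrong in a mental model: an override is a snapshot taken for one org-app pair, not a layer on top of the app defaults, so later app-level changes reach only the pairs that still inherit. The following added example models that behaviour; it is not the product's configuration schema, and the settings fields, the "Wholesale partner" org and the IdP issuer URL are constructed for the illustration.

```python
"""Toy model of per-org-app authentication inheritance described above (an
added example, not the product's configuration schema). Each org-app pair
inherits the app-level hosted settings unless it holds an override, and an
override is a snapshot, so later app-level changes do not reach it."""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class HostedAuth:
    # Shape of the app-level hosted experience; field names are assumptions.
    login_flow: str
    branding: str
    methods: frozenset[str]


@dataclass(frozen=True)
class FederatedAccess:
    protocol: str   # "OIDC" or "SAML", the two options the page lists
    issuer: str     # the org's own IdP; value constructed for the example


@dataclass
class Application:
    name: str
    defaults: HostedAuth
    # org name -> override; an org absent here inherits `defaults`
    overrides: dict[str, "HostedAuth | FederatedAccess"] = field(default_factory=dict)


def override_auth_methods(app: Application, org: str, methods: set[str]) -> None:
    """Replace the default authenticators for one org-app pair.

    Login flow and branding are copied from the app defaults at override
    time, mirroring the application-level configuration shape. The copy is
    what makes the override immune to later app-level changes.
    """
    app.overrides[org] = replace(app.defaults, methods=frozenset(methods))


def configure_federated_access(app: Application, org: str, protocol: str, issuer: str) -> None:
    """Route one org's members to their own corporate IdP instead."""
    if protocol not in ("OIDC", "SAML"):
        raise ValueError(f"unsupported federation protocol: {protocol}")
    app.overrides[org] = FederatedAccess(protocol, issuer)


def effective_auth(app: Application, org: str):
    """Resolve what an org's members actually get for this app."""
    return app.overrides.get(org, app.defaults)


def demo() -> dict:
    app = Application(
        "Holiday booking platform",
        HostedAuth("hosted-login", "default-brand", frozenset({"password", "email_otp"})),
    )
    # Back-office / finance partner signs in through its own identity system.
    configure_federated_access(app, "Back-office / finance partner", "SAML",
                               "https://idp.example.invalid/saml")  # constructed issuer
    # A constructed extra org that only narrows the authenticator set.
    override_auth_methods(app, "Wholesale partner", {"password"})
    # Later app-level change: passkeys are added to the platform defaults.
    app.defaults = replace(app.defaults, methods=app.defaults.methods | {"passkey"})
    return {
        "agency": effective_auth(app, "Retail travel agency"),   # still inherits
        "wholesale": effective_auth(app, "Wholesale partner"),   # snapshot kept
        "finance": effective_auth(app, "Back-office / finance partner"),
    }


if __name__ == "__main__":
    for org, settings in demo().items():
        print(org, settings)
```

After the app-level change, Retail travel agency (no override) picks up the new passkey method, while the two overridden pairs keep exactly what was configured for them; that is the behaviour to expect when you later revisit Authentication Methods at the app level.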