Convert your tenant into a CIAM (Customer Identity Access Management)
Organizations & OIDC Token Mapping
Objective:
Configure your Multi-Pass tenant to support Customer Identity and Access Management (CIAM), enabling secure registration, login, and profile management for external users (customers or partners).
Step 1 - Create a dedicated Tenant
- Log in to your dashboard.
- Click on "New tenant".
- Complete the fields:
  - Company Name
  - Tenant ID
- Click on "Advanced console".
- On the left side, click on "Realm settings".
- Enable "Organizations".
- Click "Save".
- A new section called "Organizations" will appear on the left side.
Enable Self-Registration (Optional)
- In Realm Settings, switch to the "Login" tab.
- Enable the following parameters:
  - User registration
  - Email as username (recommended)
  - Verify email (SMTP setup required)

Step 2 - Manage Organizations
Go to Organizations, click on "Create organization" and set:
- Name
- Alias (unique URL-friendly identifier)
- Domains (used to match users by their email domain)
- Redirect URL and optional attributes
- Description
Per organization, you can customize onboarding, domain restrictions, identity providers (IdPs) and invitations.
Disabling or deleting an organization prevents login within its context.
Step 3 - Assign Roles to Users or Groups
Assign to Users
- Go to "Users" on the left side.
- Select the user.
- Open the "Role mapping" tab.
- Click "Assign role".
- Select realm or client roles, and click "Assign".
Assign to Groups
- Go to the "Groups" section on the left side.
- Select the appropriate group.
- Under "Role mapping", assign roles. Members of the group inherit them.
Restrict Roles in Tokens
- Go to "Clients".
- Select the application you need.
- Open the "Client scopes" tab and select the line of your client.
- Open the "Scope" tab and make sure "Full scope allowed" is disabled (OFF), so that only the roles you assign explicitly there are included in the token.
Step 4 - Include Organization Info in OIDC Token
- Create a Client Scope (e.g. organization:*).
- Add a mapper of type "Organization Membership".
- Configure it to include the organization alias and/or ID.
- Set the scope as Default, or assign it as Optional for your client.
The token then carries claims like:
{
"organization": [
{"alias": "org1", "name": "Org One"}
],
"organizationId": "a56bea03-5904-470a-b21c-92b7f1069d44"
}
Step 5 - Include Roles and Groups in Tokens
Roles come from the role mappings of Step 3; groups require a "Group Membership" mapper. With both in place, the token carries claims like:
"realm_access": {
"roles": ["admin", "user"]
},
"resource_access": {
"my-client-id": {
"roles": ["app-role"]
}
},
"groups": ["/group1/subgroup", "admins"]
Summary Table
| Step | Description |
|---|---|
| Enable Organizations | Realm Settings → General → toggle ON |
| Manage Orgs | Create orgs with alias, domain, redirect URL |
| Assign Roles | Via user or group Role Mappings |
| Org Claim in Token | Create organization:* scope and Organization Membership mapper |
| Limit Roles in Token | Set Full Scope Allowed = OFF; assign roles explicitly |
| Include Groups | Group Membership mapper |
Step 6 - Sample OIDC Authentication Flow
- The user initiates login to your app.
- The OIDC request includes: scope=openid profile organization:*
- The token includes:
  - organization and organizationId claims
  - realm_access and resource_access roles
  - groups (if mapped)
- Your app enforces authorization using these claims.
Important points to take care of:
- Use the organization:* scope to fetch all organizations if the user belongs to more than one.
- Composite roles automatically include their child roles in tokens.
- Disable Full Scope and map scopes explicitly to limit exposure.
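The app-side authorization check from the flow above, as an added example that is not code from the Multi-Pass documentation. It assumes the token has already been signature-verified by your OIDC library, and the client id my-client-id and the role app-role are taken from the sample claims in Steps 4 and 5.

```python
# Added example (not from the Multi-Pass documentation): deciding what a set of
# verified token claims permits. Signature and expiry checks are assumed to have
# been done by the OIDC library before these claims reach this code.

# Constructed sample of a decoded access-token payload, assembled from the
# claim fragments shown in Steps 4 and 5.
SAMPLE_CLAIMS = {
    "organization": [{"alias": "org1", "name": "Org One"}],
    "organizationId": "a56bea03-5904-470a-b21c-92b7f1069d44",
    "realm_access": {"roles": ["admin", "user"]},
    "resource_access": {"my-client-id": {"roles": ["app-role"]}},
    "groups": ["/group1/subgroup", "admins"],
}


def org_aliases(claims):
    """Aliases of every organization the token proves membership in.
    A missing or malformed claim yields an empty set, i.e. no membership."""
    orgs = claims.get("organization")
    if not isinstance(orgs, list):
        return set()
    return {o["alias"] for o in orgs if isinstance(o, dict) and "alias" in o}


def realm_roles(claims):
    """Realm-wide roles (realm_access.roles)."""
    return set(claims.get("realm_access", {}).get("roles", []))


def client_roles(claims, client_id):
    """Roles granted for one specific client. resource_access is keyed by
    client id, so roles issued for other clients are never mixed in."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def authorize(claims, org_alias, client_id, required_role):
    """Allow only if the caller is a member of org_alias AND holds
    required_role as a role of this client (a realm role with the same
    name does not count). Returns (allowed, reason)."""
    if org_alias not in org_aliases(claims):
        return False, "not a member of organization " + org_alias
    if required_role not in client_roles(claims, client_id):
        return False, "missing client role " + required_role
    return True, "ok"


if __name__ == "__main__":
    print(authorize(SAMPLE_CLAIMS, "org1", "my-client-id", "app-role"))
```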