keycloak-scim/docs/documentation/server_admin/topics/organizations/managing-organization.adoc

87 lines
3.6 KiB
Text
Raw Normal View History

[id="managing-organization_{context}"]
[[_enabling_organization_]]
= Enabling Organizations
To use organizations, you enable the feature for the current realm.
.Procedure
. Click *Realm Settings* in the menu.
. Toggle *Organizations* to *On*.
Once the feature is enabled, you are able to manage organizations through the *Organizations* section available from the
menu.
= Managing an organization
[role="_abstract"]
From the *Organizations* section, you can manage all the organizations in your realm.
.Procedure
. Click *Create Organization*.
If organizations already exist, you see a list of organizations and options to search, edit, or delete an organization.
An organization has the following settings:
Name::
A user-friendly name for the organization. The name is unique within a realm.
Alias::
An alias for this organization, used to reference the organization internally. The alias is unique within a realm.
If not set, the value is the same as the organization name. The alias cannot change afterwards.
Domains::
A set of one or more domains that belongs to this organization. A domain cannot be shared by different organizations
within a realm.
Description::
A free-text field to describe the organization.
Once you create an organization, you can manage the additional settings that are described in the following sections:
* <<_managing_attributes_,Manage attributes>>
* <<_managing_members_,Manage members>>
* <<_managing_identity_provider_,Manage identity providers>>
== Understanding organization domains
When managing an organization, the domain associated with an organization plays an important role in how
organization members authenticate to a realm and how their profiles are validated.
One of the key roles of a domain is to help to identify the organizations where a user is a member. By looking at their
email address, {project_name} will match a corresponding organization using the same domain and eventually change the
authentication flow based on the organization requirements.
The domain also allows organizations to enforce that users are not allowed to use a domain in their emails
other than those associated with an organization. This restriction is especially useful when users, and their identities, are federated from
identity providers associated with an organization and you want to force a specific email domain for their email addresses.
== Disabling an organization
To disable an organization, toggle *Enabled* to *Off*.
When an organization is disabled, you can still manage it through the management interfaces, but the organization members
cannot authenticate to the realm, including authenticating through the identity providers associated with the
organization as they are also automatically disabled.
However, the unmanaged members of an organization are still able to authenticate to the realm as they are also realm users, but
tokens will not hold metadata about their relationship with an organization that is disabled.
For more details about managed and unmanaged users, see <<_managed_unmanaged_members_,Managed and unmanaged members>> section.
== Remove an organization
To remove an organization, you can click the *Delete* action for the corresponding organization in the listing page or
when editing an organization.
When removing an organization, all data associated with it will be deleted, including any managed member.
Unmanaged users and identity providers remain in the realm, but they are no longer linked to the
organization.
For more details about managed and unmanaged users, see <<_managed_unmanaged_members_,Managed and unmanaged members>>.