Understanding Access Behavior with Connections and Organizations
- Organizations
- Strict connection-to-application access control
User Membership in the Organization:
- Users must either belong to the specified organization or be eligible for auto-membership.
Connections Enabled for the Organization:
- The connection used for login must be explicitly enabled for the organization.
Client-level enabled connections act only as visual cues during the login process and do not enforce access restrictions.
Expected Behavior
Scenario 1: Connections Not Linked to Applications
Setup:
- Application A linked to Connection 1.
- Application B linked to Connection 2.
Behavior:
- Users from Connection 2 can still access Application A if the organization enables that connection.
- Similarly, users from Connection 1 can access Application B.
Reason: The organization’s configuration determines access, not the client-to-connection link.
Scenario 2: Disabled Connections
Setup: All connections are disabled for both Applications A and B.
Behavior: Users can still authenticate and access applications if the organization allows it and the user is a member.
Reason: Organizational membership and connection enablement override client-specific settings.
To achieve the expected access behavior, validate the organization's settings:
- Confirm that the connection used is explicitly enabled for the organization.
- Ensure that users are members of the correct organization, or that auto-membership is configured appropriately.
- Disable auto-membership if stricter control is required.
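The decision rules above, written out as an added example (not Auth0 code) so the two scenarios and the three checks can be traced: the `Organization` and `Application` classes, the `can_access` function and the fixtures are constructed for illustration, and the auto-membership flag is modelled as a per-connection boolean on the organization.

```python
from dataclasses import dataclass, field

@dataclass
class Organization:
    name: str
    # connection name -> whether that connection grants auto-membership on login
    enabled_connections: dict = field(default_factory=dict)
    members: set = field(default_factory=set)

@dataclass
class Application:
    name: str
    enabled_connections: set = field(default_factory=set)  # display hint only, never enforced

def can_access(user, connection, org, app):
    """Return (allowed, reason) for `user` logging into `app` via `connection`,
    scoped to `org`.  Only the organization's settings decide the outcome."""
    if connection not in org.enabled_connections:
        return False, f"{connection} is not enabled for organization {org.name}"
    if user in org.members:
        reason = "organization member using an org-enabled connection"
    elif org.enabled_connections[connection]:
        reason = "auto-membership grants membership on login"
    else:
        return False, f"{user} is not a member of {org.name} and auto-membership is off"
    if connection not in app.enabled_connections:
        reason += f" ({connection} is not linked to {app.name}; cosmetic only)"
    return True, reason

# Constructed fixtures mirroring the article's two scenarios.
ORG = Organization("acme", {"Connection 1": False, "Connection 2": False}, {"alice", "bob"})

def scenario_1():
    """Each app linked to a different connection: cross-access is still allowed."""
    app_a = Application("Application A", {"Connection 1"})
    app_b = Application("Application B", {"Connection 2"})
    return (can_access("bob", "Connection 2", ORG, app_a)[0],
            can_access("alice", "Connection 1", ORG, app_b)[0])

def scenario_2():
    """No connections enabled on the client: organization settings still win."""
    return can_access("alice", "Connection 1", ORG, Application("Application A"))[0]

def stricter_controls():
    """What actually denies access: connection not org-enabled, or non-member with auto-join off."""
    strict = Organization("acme", {"Connection 1": False}, {"alice"})
    app = Application("Application A", {"Connection 1", "Connection 2"})
    return (can_access("alice", "Connection 2", strict, app)[0],  # not org-enabled
            can_access("carol", "Connection 1", strict, app)[0],  # non-member, no auto-join
            can_access("carol", "Connection 1", Organization("acme", {"Connection 1": True}), app)[0])
```

`stricter_controls` shows the only two settings that produce a denial, which is why the checklist focuses on the organization's enabled connections and auto-membership rather than on the client's connection list.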
Important Notes
The observed behavior is by design when organizations are enabled for a client.
Properly configuring organization and connection settings is critical to achieving the desired security outcomes.