How to build a multi-tenant, organization-based authentication experience
Tenant‑specific sign‑in for B2B SaaS with Logto: customize branding and email templates, route via enterprise SSO, require MFA, and auto‑provision users with JIT.
When building SaaS for businesses, one of the most common requirements is to deliver a sign-in experience that feels tailored for each organization or tenant. Users expect to see their company’s branding, use familiar authentication methods, and have a frictionless onboarding process—whether that’s through enterprise SSO, custom login flows, or instant membership via JIT provisioning. Getting this right not only boosts user trust and engagement, but also helps you meet enterprise security and compliance needs.
Logto makes it easy to build a per-organization authentication flow that’s flexible, secure, and highly customizable. In this tutorial, we’ll walk through practical scenarios and real-world examples to help you leverage Logto for multi-tenant sign-in experiences.
1. Organization-specific branding & custom UI
Scenario: You want each organization to see their own logo, brand color, and custom styles on the sign-in page.
How Logto helps:
In Logto Console, navigate to Organization > Details. Here, you can set a unique Logo, Favicon, Brand color, and even inject Custom CSS for each organization. This ensures that users instantly recognize their company’s branding when signing in.
Logto provides a prebuilt, organization-specific sign-in UI out of the box. You can trigger a per-organization sign-in experience by passing the organization_id as an authentication parameter when redirecting users to the sign-in page or using the Logto SDK.
Once the organization_id is provided, Logto automatically applies the correct UI for that organization, delivering a familiar experience for end users.
This prebuilt UI saves you from manually building and maintaining separate sign-in pages for each tenant, while ensuring consistency and scalability.
Reference: Organization-specific branding
2. Organization-based email templates
Scenario: You want verification and notification emails to reflect each organization’s identity.
How Logto helps:
Logto supports email variables, allowing you to customize email templates per organization. When a user triggers a verification email, you can pass organization-specific parameters such as the organization name, logo, favicon, user info, and a specific locale.
Example email template (registration, en-GB):
Reference: Email templates
3. Enterprise SSO: Organization domain & IdP integration
Scenario: You want to restrict and guide enterprise users to sign in via their company’s SSO provider.
How Logto helps:
Example:
- Email domain prompt SSO: By specifying an enterprise domain, Logto can prompt users to use SSO based on their email domain.
- IdP-identifier SSO: Enable your enterprise customers to add your app to their IdP portal (e.g., Microsoft, Okta portal), making employee onboarding seamless.
Reference: Enterprise SSO
4. Custom authentication methods per organization
Scenario: You want to offer different sign-in options for different organizations (e.g., only email login for some, social login for others).
How Logto helps:
While Logto Console doesn’t allow toggling login methods per org directly, you can use authentication parameters like Direct sign-in, Login hint, and First screen to build self-hosted sign-in pages or embedded components in a dialog.
Example:
For Org A, build your own authentication request URL with authentication parameters to drive an email-first identifier screen and pass the user’s email as a hint:
If you want to drop Org A users straight into an enterprise SSO experience, add an enterprise button (e.g., Continue with Microsoft SSO) and append a Direct Sign-In parameter targeting the SSO connector:
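The requests described in sections 1 and 4, as an added example that is not from the original post or the Logto SDK: it builds the authorization URL server-side, resolves organization_id and the SSO connector from a tenant registry instead of trusting request input, and attaches PKCE and state. The endpoint, client ID, redirect URI, organization IDs and connector ID are constructed placeholders; parameter names follow Logto's Authentication parameters reference.

```javascript
// Added example: per-organization authorization request builder (not Logto SDK code).
const crypto = require('node:crypto');

// Assumptions: endpoint, client ID, redirect URI, org IDs and connector ID are constructed placeholders.
const AUTH_ENDPOINT = 'https://tenant.example/oidc/auth';
const CLIENT_ID = 'app-client-id-placeholder';
const REDIRECT_URI = 'https://app.example/callback';

// Server-side tenant registry: the tenant slug from the request is only a lookup key.
const TENANTS = new Map([
  ['acme', { organizationId: 'org_acme_placeholder', ssoConnectorId: 'sso_connector_placeholder' }],
  ['globex', { organizationId: 'org_globex_placeholder', ssoConnectorId: null }],
]);

const b64url = (buf) => buf.toString('base64url');

function buildSignInRequest(tenantSlug, { emailHint, useSso = false } = {}) {
  const tenant = TENANTS.get(String(tenantSlug).toLowerCase());
  if (!tenant) throw new Error('unknown tenant'); // never forward an unvalidated organization_id

  // PKCE verifier and state are kept in the user's session and checked on the callback.
  const codeVerifier = b64url(crypto.randomBytes(32));
  const state = b64url(crypto.randomBytes(16));
  const codeChallenge = b64url(crypto.createHash('sha256').update(codeVerifier).digest());

  const url = new URL(AUTH_ENDPOINT);
  const p = url.searchParams;
  p.set('client_id', CLIENT_ID);
  p.set('redirect_uri', REDIRECT_URI);
  p.set('response_type', 'code');
  p.set('scope', 'openid profile email');
  p.set('state', state);
  p.set('code_challenge', codeChallenge);
  p.set('code_challenge_method', 'S256');
  p.set('organization_id', tenant.organizationId); // selects the per-organization sign-in experience

  if (useSso) {
    if (!tenant.ssoConnectorId) throw new Error('SSO not configured for tenant');
    p.set('direct_sign_in', `sso:${tenant.ssoConnectorId}`); // go straight to the enterprise IdP
  } else {
    p.set('first_screen', 'identifier:sign_in'); // email-first identifier screen
    p.set('identifier', 'email');
    if (emailHint) p.set('login_hint', emailHint); // URLSearchParams encodes the value
  }
  return { url: url.toString(), state, codeVerifier };
}
```

Store the returned state and codeVerifier in the user's session; the callback handler compares state and sends codeVerifier with the token request.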
Reference: Authentication parameters
5. Enable multi-factor authentication (MFA) for organizations
Scenario: You want to enforce Multi-Factor Authentication (MFA) for specific organizations.
How Logto helps:
You can enable MFA requirements per organization, ensuring that only users from selected tenants must complete an extra verification step. Navigate to Organization > Details in Logto Console and toggle the MFA setting.
Reference: Manage organization
6. Just-in-time (JIT) user provisioning for organizations
Scenario: You want users to be automatically added to their organization when they sign in via SSO or with a company email. For example, a new employee at Acme Corp signs in with SSO or their acme.com email and is instantly added to the Acme organization in your app.
How Logto helps:
- Configure Enterprise connectors for JIT in each Organization’s details page.
- Set Email domain for JIT, so users with matching domains are auto-provisioned into the organization.
Reference: Just-in-Time provisioning
Conclusion
Logto empowers you to deliver a seamless, secure, and branded sign-in experience for every organization or tenant. Whether you’re building a B2B SaaS platform or supporting multiple enterprise clients, Logto’s flexible features—custom branding, email templates, SSO, authentication parameters, MFA, and JIT—make multi-tenant authentication simple and scalable.
Ready to get started?
Explore Logto’s documentation and try customizing your organization’s sign-in experience today!