Skip to content

Configure tenant-based adaptive authentication

This page guides you through configuring tenant-based adaptive authentication for a sample web application.


Consider a scenario with two tenant domains, and For users logging into the application through, the login flow in applications should be stepped up with TOTP as follows:

  1. Basic authentication (username and password)
  2. TOTP


Configure tenant-based authentication

  1. On the management console, go to Main > Identity > Service Providers > List.

  2. Click Edit on the service provider.

  3. Select SaaS application under Basic Information, to enable users from other tenant domains to log in to your application.

    Enable servie provider as a SaaS application

  4. Expand the Local and Outbound Authentication Configuration section and click Advanced Configuration.

  5. You will be redirected to Advanced Configuration, expand Script Based Conditional Authentication.

  6. In the Templates section, click on the + corresponding to the Tenant-Based template.

    Tenant based template

  7. Click Ok to add the authentication script. The authentication script and authentication steps will be configured.


    • The authentication script prompts the second step of authentication for users that belong to the tenant domains named and
    • By default, TOTP will be added as the second authentication step.
  8. Click Update to save the configurations.

Try it out

  1. Log out of the management console and log in with the tenant admin's credentials (i.e., [email protected]).

  2. Create a new user in the tenant named chris with login permission.

  3. Access the following sample Pickup Dispatch application URL:

  4. Click Login and enter Chris's credentials. The username should be appended with the domain to which Chris belongs, i.e., [email protected].

  5. You will be prompted to enter your TOTP code, enter the code and click Sign In.

    TOTP authenticator

  6. Logout from the application and log in with Kim's credentials. Kim is the admin of the tenant domain, which is not in the tenant domains specified in the script.

Note that you are successfully logged in to the application after only going through the basic authentication step.