TenantAuthenticationConfig
Authentication configuration and requirements for a tenant workspace, defining which authentication methods are allowed, whether multi-factor authentication is required, session management policies, and login restrictions. This entity enables tenant-specific authentication policies where different organizations can enforce different security standards based on their risk profile and compliance requirements. It supports multiple authentication methods (password, SSO, SAML, OIDC, magic links), mandatory 2FA enforcement, session timeout policies, and authentication method restrictions. The entity works in conjunction with TenantSSOProvider for SSO configurations and TenantPasswordPolicy for password requirements. It serves as the authentication policy layer for multi-tenant platforms, enabling flexible authentication strategies across healthcare (HIPAA), finance (PCI-DSS), government, and enterprise applications.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| tenant | Tenant | stored | Reference to the Tenant this authentication configuration applies to | Required |
| require2FA | boolean | stored | Whether two-factor authentication is mandatory for all users in this tenant | Required |
| allowPasswordLogin | boolean | stored | Whether password-based login is allowed (some tenants may require SSO-only) | Required |
| allowedAuthMethods | string[] | stored | Allowed authentication methods for this tenant | Optional |
| sessionTimeoutSeconds | number | stored | Session timeout in seconds (user is logged out after this period of inactivity) | Required |
| absoluteSessionTimeoutSeconds | number | stored | Absolute session timeout in seconds (user must re-authenticate after this period regardless of activity) | Optional |
| allowMultipleSessions | boolean | stored | Whether users can have multiple active sessions simultaneously | Optional |
| maxConcurrentSessions | number | stored | Maximum number of concurrent sessions per user (null for unlimited) | Optional |
| requireEmailVerification | boolean | stored | Whether email verification is required for new user accounts | Required |
| requirePhoneVerification | boolean | stored | Whether phone verification is required for new user accounts | Optional |
| metadata | json | stored | Additional authentication configuration metadata | Optional |
Examples
Example 1
{
  "@type": "TenantAuthenticationConfig",
  "tenant": {
    "@type": "Tenant",
    "slug": "acme-corp",
    "name": "ACME Corporation"
  },
  "require2FA": true,
  "allowPasswordLogin": true,
  "allowedAuthMethods": [
    "password",
    "sso",
    "saml"
  ],
  "sessionTimeoutSeconds": 3600,
  "absoluteSessionTimeoutSeconds": 28800,
  "allowMultipleSessions": true,
  "maxConcurrentSessions": 5,
  "requireEmailVerification": true,
  "requirePhoneVerification": false
}
Example 2
{
  "@type": "TenantAuthenticationConfig",
  "tenant": {
    "@type": "Tenant",
    "slug": "techstart",
    "name": "TechStart Inc"
  },
  "require2FA": false,
  "allowPasswordLogin": true,
  "allowedAuthMethods": [
    "password"
  ],
  "sessionTimeoutSeconds": 7200,
  "allowMultipleSessions": true,
  "requireEmailVerification": true,
  "requirePhoneVerification": false
}
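
Several of these properties constrain each other, and the two session timeouts have to be evaluated together. The following is an added example, not part of this schema's documentation or its project's code: it lints a config for contradictory settings and checks a session against both timeouts. The names `lint_config` and `session_expired`, the sample tenant, and the precedence rules (that `allowPasswordLogin: false` overrides a `password` entry in `allowedAuthMethods`, and that `allowMultipleSessions: false` conflicts with a `maxConcurrentSessions` above 1) are assumptions, since the page does not define them.

```python
import json

# Constructed sample (not from the page): an SSO-only tenant whose
# settings contradict each other in three places.
SAMPLE = json.loads("""{
  "@type": "TenantAuthenticationConfig",
  "tenant": {"@type": "Tenant", "slug": "example-tenant"},
  "require2FA": true,
  "allowPasswordLogin": false,
  "allowedAuthMethods": ["password", "sso"],
  "sessionTimeoutSeconds": 3600,
  "absoluteSessionTimeoutSeconds": 1800,
  "allowMultipleSessions": false,
  "maxConcurrentSessions": 5,
  "requireEmailVerification": true
}""")

# Properties the table marks as Required.
REQUIRED = ("tenant", "require2FA", "allowPasswordLogin",
            "sessionTimeoutSeconds", "requireEmailVerification")


def lint_config(cfg):
    """Return findings for missing or contradictory settings (assumed semantics)."""
    out = [f"missing required property: {k}" for k in REQUIRED if k not in cfg]
    methods = cfg.get("allowedAuthMethods")
    if methods is not None:
        if cfg.get("allowPasswordLogin") is False and "password" in methods:
            out.append("allowPasswordLogin is false but 'password' is an allowed method")
        usable = [m for m in methods
                  if m != "password" or cfg.get("allowPasswordLogin") is not False]
        if not usable:
            out.append("no usable authentication method remains")
    idle = cfg.get("sessionTimeoutSeconds")
    absolute = cfg.get("absoluteSessionTimeoutSeconds")
    if idle is not None and absolute is not None and absolute < idle:
        out.append("absolute timeout is shorter than the inactivity timeout")
    cap = cfg.get("maxConcurrentSessions")
    if cfg.get("allowMultipleSessions") is False and cap is not None and cap > 1:
        out.append("allowMultipleSessions is false but maxConcurrentSessions > 1")
    return out


def session_expired(cfg, created_at, last_activity, now):
    """True once the inactivity or absolute timeout has elapsed (epoch seconds)."""
    if now - last_activity >= cfg["sessionTimeoutSeconds"]:
        return True
    absolute = cfg.get("absoluteSessionTimeoutSeconds")
    return absolute is not None and now - created_at >= absolute
```

Running `lint_config` when a config is saved, rather than at login time, keeps a contradictory policy from silently falling back to whichever check the login path happens to evaluate first.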