Configuring Your Organization

This guide walks step by step through the organization portal — from authentication settings to a working end-to-end login.


What you'll set up

By the end of this guide you will have:

  1. Authentication configured (email/password, optionally social login)
  2. An OAuth application registered
  3. Users added to the organization
  4. A working login flow verified with curl

Step 1: Open your organization portal

Navigate to:

https://app.lumoauth.dev/orgs/{your-organization-slug}/portal/

The portal dashboard is the landing page for all organization settings.

Find your organization ID

The organization ID is the URL-safe identifier you chose when signing up (e.g., acme-corp). It is the {your-organization-slug} segment of your portal URL, so every portal path below uses it.


Step 2: Configure authentication settings

Go to Configuration → Auth Settings at /orgs/acme-corp/portal/configuration/auth-settings.

Basic settings

  • Allow registration — enable or disable self-registration
  • Require email verification — users must verify their email before they can sign in
  • Password policy — minimum length and complexity rules

Enable MFA (optional)

Under the MFA section:

  1. Enable TOTP (authenticator app) — works with Google Authenticator, Authy, 1Password, etc.
  2. Enable Email MFA — one-time codes sent by email
  3. Enable SMS MFA — one-time codes by SMS (requires an SMS provider)

Enable Adaptive MFA (optional)

Toggle Adaptive Authentication to have LumoAuth score each sign-in and step up only when needed:

  • Low risk → no MFA prompt
  • Medium risk → prompt for MFA
  • High risk → block and alert

The risk engine looks at device fingerprint, IP reputation, geolocation, impossible travel, and behavioral patterns.
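The tiering above is easier to reason about with a concrete scorer. The following is an added illustration, not LumoAuth's risk engine: the weights, thresholds and reputation labels are assumptions chosen only to show how the signal classes the page names (device fingerprint, IP reputation, geolocation and impossible travel, behavioural pattern) combine into the three decisions. The impossible-travel check is the standard great-circle distance divided by elapsed time.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Constructed illustration of the signal classes named on the page; LumoAuth's
# real model, weights and thresholds are not published here and are assumed.

@dataclass
class SignIn:
    device_known: bool          # device fingerprint already seen for this user
    ip_reputation: str          # "clean", "suspicious" or "malicious" (assumed labels)
    lat: float                  # geolocation of the current sign-in
    lon: float
    ts: float                   # epoch seconds of the current sign-in
    hour_local: int             # local hour of day, 0-23 (behavioural signal)
    usual_hours: frozenset      # hours at which this user normally signs in
    prev_lat: Optional[float] = None   # last successful sign-in, if any
    prev_lon: Optional[float] = None
    prev_ts: Optional[float] = None

REPUTATION_WEIGHT = {"clean": 0, "suspicious": 30, "malicious": 60}  # assumed weights
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(s: SignIn) -> bool:
    """True when the user would have had to move faster than an airliner since the last sign-in."""
    if s.prev_lat is None or s.prev_lon is None or s.prev_ts is None:
        return False                      # no history: nothing to compare against
    distance = haversine_km(s.prev_lat, s.prev_lon, s.lat, s.lon)
    hours = (s.ts - s.prev_ts) / 3600.0
    if hours <= 0:
        return distance > 1.0             # no elapsed time but a real move: impossible
    return distance / hours > MAX_PLAUSIBLE_SPEED_KMH

def risk_score(s: SignIn) -> int:
    """Additive score; unknown reputation labels fail closed to the worst weight."""
    score = 0
    if not s.device_known:
        score += 20
    score += REPUTATION_WEIGHT.get(s.ip_reputation, 60)
    if impossible_travel(s):
        score += 50
    if s.hour_local not in s.usual_hours:
        score += 10
    return score

def decide(score: int) -> str:
    """Map a score to the page's three tiers: allow (low), mfa (medium), block (high)."""
    if score < 30:
        return "allow"
    if score < 70:
        return "mfa"
    return "block"

def evaluate(s: SignIn) -> str:
    return decide(risk_score(s))
```

Two design points worth keeping even if the weights change: an unrecognised reputation label scores as the worst case rather than zero, and a sign-in with no history is not flagged for impossible travel, since the first sign-in from a new account has nothing to be compared with.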


Step 3: Add social login providers (optional)

Go to Configuration → Social Login at /orgs/acme-corp/portal/configuration/social-login.

To add Google login:

  1. Click Add Provider → Google.
  2. Enter your Google OAuth client ID and secret (from Google Cloud Console).
  3. Save and enable the provider.

Repeat for GitHub, Microsoft, Facebook, Apple, or LinkedIn as needed. Users will then see the corresponding buttons on the hosted login page.


Step 4: Create an OAuth application

Go to Applications at /orgs/acme-corp/portal/applications.

  1. Click Create Application.
  2. Fill in:
    • Name: My Web App
    • Type: Web Application
    • Redirect URIs: https://myapp.example.com/callback
    • Allowed Grant Types: Authorization Code, Refresh Token
    • Scopes: openid, profile, email
  3. Click Save.

You will receive:

  • Client ID: client_abc123...
  • Client Secret: secret_xyz789...

Save these — you will need them to integrate your application.


Step 5: Add users

Option A — self-registration

If registration is enabled, users can sign up at the organization's hosted login page:

https://app.lumoauth.dev/orgs/acme-corp/login

Option B — create users manually

Go to Access Management → Users at /orgs/acme-corp/portal/access-management/users.

  1. Click Create User.
  2. Fill in email, name, and optionally a temporary password.
  3. Assign roles and groups.
  4. Click Create.

Option C — invite users

Go to Access Management → Invite Users at /orgs/acme-corp/portal/access-management/invite-users.

  1. Enter email addresses (one per line).
  2. Select roles to assign on signup.
  3. Click Send Invitations.

Invited users receive an email with a registration link.


Step 6: Set up roles and permissions

Go to Access Management → Roles at /orgs/acme-corp/portal/access-management/roles.

Create a role

  1. Click Create Role.
  2. Enter:
    • Name: Editor
    • Description: Can read and edit content
  3. Assign permissions:
    • content:read
    • content:write
    • content:publish
  4. Click Save.

Assign roles to users

  1. Go to Users and select a user.
  2. Under Roles, click Assign Role.
  3. Select one or more roles and save.
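How an application enforces the roles and permissions created above is up to the application. The block below is an added example, not LumoAuth's own code or SDK: it assumes a role catalogue keyed by the role names from this step (Editor is from the page; Viewer is a constructed second role) and shows a deny-by-default check plus a decorator that guards a handler with one permission.

```python
from functools import wraps

# Constructed role catalogue. "Editor" mirrors the role created on the page;
# "Viewer" is an assumed extra role used only to show the union of grants.
ROLE_PERMISSIONS = {
    "Editor": {"content:read", "content:write", "content:publish"},
    "Viewer": {"content:read"},
}

def effective_permissions(roles):
    """Union of permissions across a user's roles. An unknown role is an error,
    not a silent empty grant, so a typo in role data cannot hide a misconfiguration."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms

def is_allowed(user, permission):
    """Deny by default: only an explicit grant through a role returns True."""
    return permission in effective_permissions(user.get("roles", []))

def require(permission):
    """Decorator that refuses to run the handler unless the caller holds `permission`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not is_allowed(user, permission):
                raise PermissionError(f"{user.get('email', '?')} lacks {permission}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator

@require("content:publish")
def publish_article(user, article_id):
    """Example handler: only an Editor (content:publish) may publish."""
    return f"published {article_id} by {user['email']}"

if __name__ == "__main__":
    editor = {"email": "editor@example.com", "roles": ["Editor"]}
    print(publish_article(editor, "article-42"))
```

The check runs per request against the permissions the roles currently map to, so removing `content:publish` from Editor in the portal takes effect without touching the handler.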

Step 7: Test the login flow

OIDC discovery

Verify the organization's OIDC configuration is reachable:

curl https://app.lumoauth.dev/orgs/acme-corp/api/v1/.well-known/openid-configuration

Initiate login

Open this URL in a browser (replace YOUR_CLIENT_ID; note that spaces in the scope list are URL-encoded):

https://app.lumoauth.dev/orgs/acme-corp/api/v1/oauth/authorize?
response_type=code&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://myapp.example.com/callback&
scope=openid%20profile%20email&
state=random_state_value

What happens:

  1. LumoAuth shows the hosted login page.
  2. The user enters credentials (or clicks a social login button).
  3. If MFA is enabled, LumoAuth prompts for the second factor.
  4. LumoAuth redirects back to redirect_uri with an authorization code.
  5. Your app exchanges the code for tokens (next step).

Step 8: Verify with the API

Exchange the authorization code for tokens:

curl -X POST https://app.lumoauth.dev/orgs/acme-corp/api/v1/oauth/token \
-d grant_type=authorization_code \
-d code=YOUR_AUTH_CODE \
-d redirect_uri=https://myapp.example.com/callback \
-d client_id=YOUR_CLIENT_ID \
-d client_secret=YOUR_CLIENT_SECRET

Call the userinfo endpoint with the access token:

curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
https://app.lumoauth.dev/orgs/acme-corp/api/v1/oauth/userinfo
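The curl commands in Steps 7 and 8 show the raw requests; an application also has to generate the state value, check it on the callback, and keep the client secret server-side. The block below is an added example, not LumoAuth's SDK or documentation. It assumes the endpoint names returned by the discovery document (the sample document is constructed, and the `code_challenge_methods_supported` entry that enables PKCE is an assumption to be checked against the real response) and builds the request pieces for the authorize, token and userinfo calls without performing any network I/O.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample of a discovery document; the live one at
# /.well-known/openid-configuration is authoritative and may differ.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://app.lumoauth.dev/orgs/acme-corp/api/v1",
    "authorization_endpoint": "https://app.lumoauth.dev/orgs/acme-corp/api/v1/oauth/authorize",
    "token_endpoint": "https://app.lumoauth.dev/orgs/acme-corp/api/v1/oauth/token",
    "userinfo_endpoint": "https://app.lumoauth.dev/orgs/acme-corp/api/v1/oauth/userinfo",
    "code_challenge_methods_supported": ["S256"],   # assumed; verify against the real document
})
REDIRECT_URI = "https://myapp.example.com/callback"
SCOPES = "openid profile email"

def load_discovery(doc: str) -> dict:
    """Parse the discovery JSON and refuse to continue if a required endpoint is missing."""
    cfg = json.loads(doc)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        if key not in cfg:
            raise ValueError(f"discovery document missing {key}")
    return cfg

def query_params(url: str) -> dict:
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def build_authorize_url(cfg: dict, client_id: str, session: dict) -> str:
    """Step 7: a fresh random state per request, stored server-side so the callback can be checked."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,            # urlencode handles the spaces
        "state": state,
    }
    if "S256" in cfg.get("code_challenge_methods_supported", []):
        verifier = secrets.token_urlsafe(64)   # 86 chars, inside the 43-128 PKCE range
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        session["pkce_verifier"] = verifier
        params["code_challenge"] = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
        params["code_challenge_method"] = "S256"
    return f"{cfg['authorization_endpoint']}?{urlencode(params)}"

def handle_callback(callback_url: str, session: dict) -> str:
    """Accept the redirect only if its state matches the one we issued, then return the code."""
    qs = query_params(callback_url)
    expected = session.pop("oauth_state", None)   # single use: a replayed callback fails
    got = qs.get("state", "")
    if not expected or not secrets.compare_digest(expected.encode(), got.encode()):
        raise ValueError("state mismatch: discarding callback")
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error']}")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"]

def build_token_request(cfg: dict, client_id: str, client_secret: str, code: str, session: dict):
    """Step 8: endpoint and form body for the code exchange, sent from the server side only."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    verifier = session.pop("pkce_verifier", None)
    if verifier:
        body["code_verifier"] = verifier
    return cfg["token_endpoint"], body

def userinfo_request(cfg: dict, access_token: str):
    """Endpoint and headers for the userinfo call shown above."""
    return cfg["userinfo_endpoint"], {"Authorization": f"Bearer {access_token}"}
```

The session dict stands in for whatever server-side session store the application uses; the point is that `state` and the PKCE verifier are generated per request, stored where the browser cannot change them, and consumed exactly once.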

Done

You now have:

  • Authentication configured
  • An OAuth application registered
  • Users in the organization
  • An end-to-end login flow verified

Next steps

  What to do                              Guide
  Enable enterprise SSO                   Enterprise SSO
  Set up adaptive MFA                     Adaptive MFA
  Configure fine-grained authorization    Zanzibar
  Enable SCIM provisioning                SCIM 2.0
  Set up audit logging                    Audit Logs
  Configure webhooks                      Webhooks