Customizable Tenant Settings
Below is the list of settings that you can customize for your tenants. These affect all aspects of your tenant, including certain authentication methods and security configuration. They can be configured by going to Descope Console > Settings > Tenants, then selecting the tenant you would like to configure.
Tenant Details
Tenant name
When creating your tenant, you can configure the tenant name. The name can also be edited later. If a tenant is created automatically within a Descope flow/etc, a name will be generated for it; you can always change this name in the future.
Tenant ID
When creating a tenant, you can configure the Tenant ID; however, if not provided during tenant creation, it will be autogenerated. The Tenant ID is not configurable after tenant creation.
Email Domain
Users with these configured email domains can sign up to the tenant; this is in addition to SSO configuration and user invitation.
Session Management
Descope allows you to configure some of the session management settings at a per-tenant level. You can configure these items within the Descope Console by going to the tenants page, selecting the tenant you want to configure, and then selecting Custom under the Session Management section.
Once you have enabled these configurations at the tenant level, the tenant level configuration will take precedence over the project level configuration.
Note
If a user exists in multiple tenants, a merged policy favoring stricter security will be chosen.
Token Expiration
Refresh Token Timeout
This value sets the validity period for the refresh token. For more details, see the session management article.
Session Token Timeout
Expiry time of the session token, used for accessing the application's resources. Value needs to be at least 3 minutes and can't be longer than the Refresh Token Timeout.
Session Inactivity
You can enable session inactivity detection by checking the box for Enable session inactivity detection within the session management configuration. Once enabled, Descope will detect idle sessions and close them on behalf of the user, to protect sensitive information.
After enabling this configuration, you can set the Inactivity timeout to your desired value. This timeout determines how long a session can be idle before Descope detects and closes it.
Authentication Methods
SSO
Within a Descope tenant, you can configure whether you want the tenant to have SSO via SAML or OIDC. If you do not wish to have SAML or OIDC configured on the tenant, select None for the tenant's SSO authentication protocol.
Details about which option to select, as well as guides to configuring SSO with either SAML or OIDC, can be found within the SSO Auth Method Guide.
Passwords
Descope allows you to configure some of the password policy settings at a per-tenant level. You can configure these items within the Descope Console by going to the tenants page, selecting the tenant you want to configure, and then selecting Custom under the Authentication Methods > Passwords section.
Note
If a user exists in multiple tenants, a merged policy favoring stricter security will be chosen.
Setting | Details | Range [default] |
---|---|---|
Minimum Password Length | Require users to choose a password equal to or longer than the number of characters specified. | 5-64 [8] |
Require at least one lowercase character | Require users to use at least one lowercase character in their password. | [Checked]/Unchecked |
Require at least one uppercase character | Require users to use at least one uppercase character in their password. | [Checked]/Unchecked |
Require at least one number | Require users to use at least one numeric character (0-9) in their password. | [Checked]/Unchecked |
Require at least one special character | Require users to use at least one non-alphanumeric character in their password. | [Checked]/Unchecked |
Enable Password Expiration | When enabled, the user's password will expire after a specified period (in weeks), and the user will have to change their password. | Checked/[Unchecked] 1-999 [26] weeks |
Prevent Password Reuse | Specify how many previously used user passwords Descope will remember. When selecting a new password (e.g., after reset or password expiration), Descope will not allow using any previously used passwords. | Checked/[Unchecked] 10-50 [10] |
Lock account after x attempts | When a user enters an incorrect password more than x times, the user will be locked and unable to log in again. | Checked/[Unchecked] 2-10 [5] |
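
The Notes above say only that a user who exists in multiple tenants gets a merged policy favoring stricter security; the page does not spell out the merge rule. The following Python example is added here for illustration and is not Descope code or its API: it assumes "stricter" is decided per setting, uses hypothetical field names, and enforces the ranges from the table.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical field names; ranges and defaults come from the table above.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8                         # 5-64
    lowercase: bool = True
    uppercase: bool = True
    number: bool = True
    special: bool = True
    expiration_weeks: Optional[int] = None      # None = disabled, else 1-999
    reuse_history: Optional[int] = None         # None = disabled, else 10-50
    lock_after_attempts: Optional[int] = None   # None = disabled, else 2-10

    def __post_init__(self):
        for name, low, high in (("min_length", 5, 64), ("expiration_weeks", 1, 999),
                                ("reuse_history", 10, 50), ("lock_after_attempts", 2, 10)):
            value = getattr(self, name)
            if value is not None and not low <= value <= high:
                raise ValueError(f"{name}={value} is outside {low}-{high}")

def _strictest(values, pick):
    """Apply pick (min or max) to enabled values; None if every tenant disabled it."""
    enabled = [v for v in values if v is not None]
    return pick(enabled) if enabled else None

def merge_strictest(policies):
    """Assumed merge rule: for each setting, keep the most restrictive value."""
    policies = list(policies)
    if not policies:
        raise ValueError("at least one policy is required")
    return PasswordPolicy(
        min_length=max(p.min_length for p in policies),
        lowercase=any(p.lowercase for p in policies),
        uppercase=any(p.uppercase for p in policies),
        number=any(p.number for p in policies),
        special=any(p.special for p in policies),
        expiration_weeks=_strictest((p.expiration_weeks for p in policies), min),
        reuse_history=_strictest((p.reuse_history for p in policies), max),
        lock_after_attempts=_strictest((p.lock_after_attempts for p in policies), min),
    )

# Constructed sample: one user who belongs to two tenants.
TENANT_A = PasswordPolicy(min_length=12, special=False, lock_after_attempts=5)
TENANT_B = PasswordPolicy(expiration_weeks=26, reuse_history=10, lock_after_attempts=3)
EFFECTIVE = merge_strictest([TENANT_A, TENANT_B])
```

Comparing `EFFECTIVE` with each tenant's own policy shows which tenant drives each requirement a shared user would face under this assumed rule.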