Customizable Tenant Settings

Below are the list of settings that you can customize for your tenants. These affect all aspects of your tenant including certain authentication methods and security configuration. These can be configured by going to Descope Console>Settings>Tenants, then selecting the tenant in which you would like to configure.

Tenant Details

Tenant name

When creating your tenant, you can configure the tenant name. This is editable in the future as well. If a tenant is created automatically within a Descope flow/etc, a name will be generated for it, you can always change this name in the future.

Tenant ID

When creating a tenant, you can configure the Tenant ID; however, if not provided during tenant creation, it will be autogenerated. The Tenant ID is not configurable after tenant creation.

Email Domain

Users with these configured email domains can sign up to the tenant; this is in addition to SSO configuration and user invitation

Session Management

Descope allows you to configure some of the session management configurations at a per tenant level. You can configure these items within the Descope Console by going to the tenants page, selecting the tenant you want to configure, and then select Custom under the Session Management section.

Once you have enabled these configurations at the tenant level, the tenant level configuration will take precedence over the project level configuration.

Note

If a user exists in multiple tenants, a merged policy favoring stricter security will be chosen.

Token Expiration

Refresh Token Timeout

This value sets the validity period for refresh token. For more details please read session management article.

Session Token Timeout

Expiry time of the session token, used for accessing the application's resources. Value needs to be at least 3 minutes and can't be longer than the Refresh Token Timeout.

Session Inactivity

You can enable session inactivity detection by checking the box for Enable session inactivity detection within the session management configuration. Once enabled, Descope will detect idle sessions and close them on behalf of the user, to protect sensitive information.

After enabling this configuration, you can configure the Inactivity timeout per your desired configuration. This timeout will determine the amount of time until Descope will detect and close the idle sessions.

Authentication Methods

SSO

Within a Descope tenant, you can configure whether you want the tenant to have SSO via SAML or OIDC. If you do not wish to have SAML or OIDC configured on the tenant, you will select None for the tenant's SSO authentication protocol.

Details about which option to select, as well as guides to configuring either SSO with SAML or OIDC can be found within the SSO Auth Method Guide.

Passwords

Descope allows you to configure some of the password policy configurations at a per tenant level. You can configure these items within the Descope Console by going to the tenants page, selecting the tenant you want to configure, and then select Custom under the Authentication Methods > Passwords section.

Note

If a user exists in multiple tenants, a merged policy favoring stricter security will be chosen.

SettingDetailsRange[default]
Minimum Password LengthRequire users to choose a password equal to or longer than the number of characters specified.5-64 [8]
Require at least one lowercase characterRequire users to use at least one lowercase character in their password.[Checked]/Unchecked
Require at least one uppercase characterRequire users to use at least one uppercase character in their password.[Checked]/Unchecked
Require at least one numberRequire users to use at least one numeric character (0-9) in their password.[Checked]/Unchecked
Require at least one special characterRequire users to use at least one non-alphanumeric character in their password.[Checked]/Unchecked
Enable Password ExpirationWhen enabled, the user's password will expire after a specified period (in weeks), and the user will have to change their password.Checked/[Unchecked] 1-999 [26] weeks
Prevent Password ReuseSpecify how many previously used user passwords Descope will remember. When selecting a new password (e.g., after reset or password expiration), Descope will not allow using any previously used passwords.Checked/[Unchecked] 10-50 [10]
Lock account after x attemptsWhen a user enters an incorrect password more than x times, the user will be locked and unable to log in again.Checked/[Unchecked] 2-10 [5]
Was this helpful?

On this page