
Overview

An organization is the core unit in Hanzo IAM for managing users and applications. Once a user signs in to an organization, they can access every application in that organization without signing in again.

When configuring applications and providers, the chosen organization determines which users can access the application and which providers apply.

The organization’s display name (or its name if no display name is set) is used as the issuer in TOTP authenticator apps, helping users distinguish accounts when they have multiple TOTP entries.

LDAP can be configured per organization. For details, see LDAP.

Hanzo IAM supports several password storage algorithms, selected on the organization edit page. New organizations use bcrypt by default. The non-bcrypt options exist mainly for compatibility with passwords imported from other systems: a single salted SHA-256 or MD5 digest is fast to compute, which means it is equally fast for an attacker running an offline guessing attack, so prefer bcrypt or PBKDF2 for any organization whose users are created in Hanzo IAM itself.

| Name | Algorithm | Description | Typical use |
| --- | --- | --- | --- |
| plain | none | Passwords stored in cleartext. Not recommended for production. | |
| salt | SHA-256 | A single salted SHA-256 digest. SHA-256 is a general-purpose cryptographic hash producing a 256-bit value; it has no tunable work factor. | |
| md5-salt | MD5 | A single salted MD5 digest. MD5 is widely used but cryptographically weak (128-bit); keep it only for compatibility. | Discuz! |
| bcrypt | bcrypt | bcrypt salts and hashes passwords with an adjustable work factor. Default for new organizations. | Spring Boot, WordPress |
| pbkdf2-salt | SHA-256 and PBKDF2 | PBKDF2 with SHA-256 iterates the hash many times, raising the cost of dictionary and rainbow-table attacks. Use when importing users via the Keycloak syncer. | Keycloak |

Password Salt Configuration

For the algorithms that take a salt (salt, md5-salt, pbkdf2-salt), the Password salt field on the organization edit page controls where the salt comes from:

  • Organization-level salt: When Password salt is set, every user in the organization shares that one salt. Use this only when you need to reproduce another system's hashes (for example, a migration where the old system used a fixed salt). With a shared salt, two users who chose the same password get the same stored hash, and a single precomputed table covers every user in the organization.
  • Per-user random salt: When Password salt is left empty, Hanzo IAM generates a unique random salt for each user. Identical passwords then produce different hashes, and a rainbow table built for one user is useless against any other.

Recommendation: Leave Password salt empty for new deployments so each user gets a random salt. Salts are stored alongside the password hash and managed by Hanzo IAM; you do not need to keep them anywhere else.
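The following is an added example, not Hanzo IAM's own code, that models the two salt modes and the salted algorithms from the table above so you can see the difference in behaviour. The hash construction (digest of password followed by salt), the 16-byte salt length, the hex encoding and the PBKDF2 iteration count are all assumptions made for the illustration; Hanzo IAM's on-disk format may differ.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example only: password || salt is hashed, salts are 16
# random bytes stored as hex, and PBKDF2 runs 100k iterations. None of this is
# taken from Hanzo IAM's implementation.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000


def derive(password: str, salt: bytes, algorithm: str) -> str:
    """Compute the stored hash for one of the salted algorithms in the table."""
    pw = password.encode("utf-8")
    if algorithm == "salt":
        # One fast SHA-256 pass: cheap for the server, equally cheap per guess for an attacker.
        return hashlib.sha256(pw + salt).hexdigest()
    if algorithm == "md5-salt":
        # MD5 is weaker still; only kept for compatibility with legacy imports.
        return hashlib.md5(pw + salt).hexdigest()
    if algorithm == "pbkdf2-salt":
        # Iterated PBKDF2-HMAC-SHA-256: each guess costs PBKDF2_ITERATIONS hash calls.
        return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS).hex()
    raise ValueError(f"unsupported algorithm: {algorithm}")


class Organization:
    """Models the organization edit page: an algorithm plus an optional shared Password salt."""

    def __init__(self, algorithm: str, password_salt: str = ""):
        self.algorithm = algorithm
        self.password_salt = password_salt  # empty means per-user random salt

    def salt_for_new_user(self) -> bytes:
        if self.password_salt:
            return self.password_salt.encode("utf-8")  # organization-level salt
        return secrets.token_bytes(SALT_BYTES)  # per-user random salt

    def create_user(self, name: str, password: str) -> dict:
        salt = self.salt_for_new_user()
        return {"name": name, "salt": salt.hex(), "hash": derive(password, salt, self.algorithm)}

    def verify(self, record: dict, password: str) -> bool:
        expected = derive(password, bytes.fromhex(record["salt"]), self.algorithm)
        # Constant-time comparison so timing does not reveal how many bytes matched.
        return hmac.compare_digest(expected, record["hash"])


def same_password_is_visible(org: Organization, password: str) -> bool:
    """True if two users who chose the same password end up with identical stored hashes."""
    a = org.create_user("alice", password)
    b = org.create_user("bob", password)
    return a["hash"] == b["hash"]


if __name__ == "__main__":
    shared = Organization("salt", password_salt="legacy-system-salt")   # constructed value
    per_user = Organization("pbkdf2-salt")
    print("shared salt reveals password reuse:", same_password_is_visible(shared, "Winter2024!"))
    print("per-user salt reveals password reuse:", same_password_is_visible(per_user, "Winter2024!"))
    rec = per_user.create_user("carol", "correct horse")
    print("verify correct:", per_user.verify(rec, "correct horse"))
    print("verify wrong:", per_user.verify(rec, "not it"))
```

Run it and the first line prints True while the second prints False: with an organization-level salt, anyone who obtains the user table can immediately see which accounts share a password, and one rainbow table keyed on that salt covers the whole organization. The per-user mode removes both properties, and pbkdf2-salt additionally makes every guess expensive, which is why it (or bcrypt) is the right choice when you are not constrained by an external system.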

Use email as username

Organizations can enable Use email as username so that a user's email address serves as their username whenever the username field is not shown at sign-up. This simplifies registration by removing the separate username step.

When enabled:

  • At sign-up, if the username field is hidden, the email address is stored as the username.
  • If a user later changes their email address, their username is updated to match, so the two always stay in sync.

To enable it, check Use email as username on the organization edit page.

:::tip

Besides signing in through an application (which redirects to Hanzo IAM for SSO), users can sign in directly on an organization’s login page: /login/<organization_name> (e.g. https://iam.hanzo.ai/login/casbin on the demo site).

If a user signs in via an organization-specific URL, Hanzo IAM remembers that organization. When the session expires, they are redirected back to that organization’s login page for a simpler re-authentication flow.

:::
