Approach to a multi-tenant enterprise app

I’m working on a software application that will be multi-tenant for enterprise-level customers.

I’m trying to find out the best approach for setup on Auth0, which will steer both the technical build on our application and budgeting around authentication/security.

Here’s the best way to describe some of the tenants:

  • Tenant 1: 80K users, needs SAML with their own database, custom domain
  • Tenant 2: 5K users, wants SSO with their own database, custom domain
  • Tenant 3: 10K users, requires 2FA, needs new database, custom domain

Here’s a description of the app:

  • The application code will reside on a single build, but each tenant will have their own database (a multi-tenant SaaS).
  • The application is strictly an API that interacts with browser, mobile, and desktop clients.
  • The application will use a few different means to determine the tenant based on API requests.

Each tenant has specific authentication needs that we must provide, without forcing the same authentication features on each tenant.

So, my question is: with a single API and diverse tenants, what is the recommended Auth0 setup?

  • Do I create a separate Auth0 Application for each tenant and have our application swap credentials in my server code?
  • Do I create a separate Auth0 API for each tenant and handle the credential swaps?
  • Is this product approach feasible with Auth0? Has anyone else tried this?

We have a very similar use case, are currently also evaluating, and as far as I can say the best approach to handle that is to have one application and database connection (if applicable) for every one of your tenants. You can have a maximum of 50 database connections, but this is per application, not per Auth0 tenant (to my knowledge).

So, for your three example tenants you’d have the following setup:

  • Auth0 application for “Tenant 1” that has the following connections: Database connection for “Tenant 1” and SAML enterprise connection
  • Auth0 application for “Tenant 2” that has a separate database connection “Tenant 2”
  • Auth0 application for “Tenant 3” that also has a separate “Tenant 3” database connection (2FA for this specific tenant can be enforced with “Rules” as far as I know)

A separate Auth0 tenant for every one of your tenants is also mentioned sometimes, but I don’t think that’s feasible as Auth0 doesn’t allow you to create a new Auth0 tenant via the Management API. Also, it’s a lot of setup work for every new tenant of yours, which could be automated with the Management API, though.

I’ve also seen people recommending having only one Auth0 application and one database connection for all your tenants and then using “app_metadata” to manage the access, as it’s apparently easier to manage. However, from experience I can only strongly recommend not even considering that approach.

That being said, the only major downside I see to having one Auth0 application and database connection for every one of your tenants is that you need to manage different client IDs and secrets for all your tenants on your end. E.g., if tenant 1 wants to log in on tenant1.yourapplication.com and you are using auth0.js to redirect the user to the hosted login page, you need to know the client ID for tenant 1 at that point and pass it over to the authorize() method of auth0.js (https://auth0.github.io/auth0.js/global.html#authorize). Also, I could see some potential issues with social connections (if you use them) and the mentioned approach, but I haven’t tested that in detail yet and I am not even sure if there’s an ideal solution to that problem (unless you use a separate Auth0 tenant for all of your tenants, of course).

Hope that helps.

Hey there!

Sorry for such a huge delay in response! We’re doing our best in providing you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?