Best Architecture for a multi-application setup

Hi Auth0 Community,
We are seeking guidance on configuring Auth0 to accommodate our specific use case:

  1. Tenancy Setup:
  • We have separate tenancies for development, staging, and production environments.
  2. Applications:
  • Each tenancy hosts multiple applications, including a base application (basically, an extension to all the other applications).
  3. SSO Requirement:
  • All applications need Single Sign-On (SSO) functionality using the new universal login.
  • When a user logs into one app (e.g., App A), they should be automatically logged into other apps (e.g., App B and C) and logged out simultaneously.
  4. Customization Needs:
  • Individual applications require unique authentication branding.
  • Different text within the MFA SMS for each application.
  5. Base Application:
  • The base application is exclusively accessible through other applications for regular users.
  • It will be white-labeled to match the branding of other applications.
  • Sign-ups should be disabled for the base application, with login restricted to admins (to be handled through actions).

Questions:

  1. Disabling Sign-Ups:
  • How can we disable sign-ups for the base application, including social sign-up methods, but keep it enabled for the others?
  2. Customization:
  • Is it possible to customize branding, MFA SMS, etc., for each application, or are we limited to a generic login/signup screen and MFA for all apps?
  3. Organizational Split:
  • Should we consider separating the applications into different organizations in this scenario?

Your guidance on these questions would be greatly appreciated.
Thank you!

Hi @christiaan,

Welcome to the Auth0 Community!

Thanks for the thorough breakdown.

You can disable signups for database connections in their settings. For social, see this thread: How to disable sign up via social login?

There isn’t a turn-key way to customize per application like there is for the global branding settings. Some customers will use separate tenants for their different branding, or there are some workarounds for the branding using page templates and application variables listed there.

It sounds like organizations would probably be a good fit here. It’s certainly worth looking at:


Thank you so much for your reply @dan.woda!

Just one or two follow-ups:

“You can disable signups for database connections in their settings.”

Would this not disable signups for database connections over all the applications within the tenant? We need to disable this for only some of the applications within the tenant.

“Some customers will use separate tenants for their different branding”
As far as I’m aware, when using different tenants we will lose SSO capabilities across the different applications (logged into A, and then automatically logged into B, etc.). Unless I am missing something?

We will definitely look into the other suggestions you made.

Thanks!

I see. So you want to enable signups for certain applications, and disable it for others.

This is currently not available through the connection settings. Further, what would stop a user from simply signing up in one of the other apps, then going back and logging in to the base app?

I think the more typical design would be to have a connection that blocks all signups, and would be for, say, admin only, or something of that nature.


That makes sense, thanks!

For more context on the base application:
The base application (accessed through the other applications) could be used by any user and an admin.

Basically, it is a management app “extension” to all the other applications where there is admin functionality and it is a place where a user can manage their profile etc.

We would want a normal user to sign up only through the other applications.

Only the admin should be able to log in directly to the base application. - but if for any reason a user gets to the base application’s admin login without having a profile - they should not be able to sign up.

@christiaan,

Okay that makes sense.

You should be able to set up a Pre User Registration Flow Action and block registrations based on the event.client param, spitting out an error saying ‘signups are disabled for this client’ or something to that effect.

Does that sound like what you’re looking for?


That definitely sounds like something we are looking for.

Thanks for the advice @dan.woda!

Just to mention some key takeaways:

To disable signups on only the base application:

Create a Pre User Registration action that checks the event.client and throws an exception if it was hit by the base application.

To only allow log-in for the admin on the base application:

Create a login action that checks the role and throws an exception if the user is not an admin

Branding different applications:

Using page templates for branding different applications log in / register. (Tenants not used due to the need for shared authentication between the apps - Tenants only for different environments)

Organizations:

Consider looking into Organizations for big multi-application set-ups

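As an added example (not code from the thread, and not Auth0's own sample code), here are the two Actions the takeaways above describe, written against the Actions API: `event.client.client_id` and `api.access.deny(reason, userMessage)` in the Pre User Registration flow, and `event.authorization.roles` and `api.access.deny(reason)` in the Login flow. The base application's client_id and the admin role name are placeholders you must replace. The example also goes one step beyond the thread: the Pre User Registration flow only runs for database and passwordless connections, so a social "sign-up" on the base app (which is really a first login that creates the user) has to be caught in the Login flow; the role check there does that, because a freshly created user has no admin role. The sample events at the bottom are constructed for the demonstration and are trimmed to the fields the Actions read.

```javascript
// Added example, not code from the thread or from Auth0. Two Auth0 Actions
// (Pre User Registration + Login flows) that disable sign-ups on one
// application and restrict direct login on it to admins.
// Assumptions: the client_id and role name below are placeholders.
const BASE_APP_CLIENT_ID = "REPLACE_WITH_BASE_APP_CLIENT_ID"; // assumption: base app's client_id
const ADMIN_ROLE = "admin"; // assumption: the role name assigned to admins in Auth0

function isBaseApp(event) {
  // Match on client_id, not the display name: names can be renamed or duplicated.
  return Boolean(event.client) && event.client.client_id === BASE_APP_CLIENT_ID;
}

// Pre User Registration decision: returns a denial reason, or null to allow.
// This flow runs only for database and passwordless connections, so it does
// not see social sign-ups; those are caught in decideLogin below.
function decidePreRegistration(event) {
  return isBaseApp(event) ? "signup_disabled" : null;
}

// Login decision: returns a denial reason, or null to allow.
function decideLogin(event) {
  if (!isBaseApp(event)) {
    return null; // any other application: normal login, shared SSO session as usual
  }
  const roles = (event.authorization && event.authorization.roles) || [];
  if (!roles.includes(ADMIN_ROLE)) {
    // Also catches a social user's first login on the base app: a brand-new
    // user (event.stats.logins_count === 1) has no admin role yet.
    return "admin_only";
  }
  return null;
}

// Handlers in the shape the Auth0 Actions runtime calls.
async function onExecutePreUserRegistration(event, api) {
  const reason = decidePreRegistration(event);
  if (reason) {
    api.access.deny(reason, "Sign-ups are disabled for this application.");
  }
}

async function onExecutePostLogin(event, api) {
  const reason = decideLogin(event);
  if (reason) {
    api.access.deny("Only administrators may sign in to this application directly.");
  }
}

// Export for the Actions runtime (guarded so the file also runs as a plain script).
if (typeof exports === "object") {
  exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed sample events (not real Auth0 payloads), trimmed to the fields used.
const BASE_CLIENT = { client_id: BASE_APP_CLIENT_ID, name: "Base App" };
const APP_A_CLIENT = { client_id: "app-a-client-id", name: "App A" };
const SAMPLE_EVENTS = {
  signupOnBaseApp: { client: BASE_CLIENT, connection: { name: "Username-Password-Authentication" } },
  signupOnAppA: { client: APP_A_CLIENT, connection: { name: "Username-Password-Authentication" } },
  adminLoginOnBaseApp: { client: BASE_CLIENT, authorization: { roles: [ADMIN_ROLE] }, stats: { logins_count: 12 } },
  userFirstLoginOnBaseApp: { client: BASE_CLIENT, authorization: { roles: [] }, stats: { logins_count: 1 } },
  userLoginOnAppA: { client: APP_A_CLIENT, authorization: { roles: [] }, stats: { logins_count: 3 } },
};

// Stand-alone demonstration with a fake api object that records deny() calls.
function demo() {
  const results = {};
  for (const [name, event] of Object.entries(SAMPLE_EVENTS)) {
    const calls = [];
    const api = { access: { deny: (...args) => calls.push(args) } };
    const handler = name.startsWith("signup") ? onExecutePreUserRegistration : onExecutePostLogin;
    handler(event, api); // body runs synchronously up to its end (no awaits inside)
    results[name] = calls.length ? "denied: " + calls[0][0] : "allowed";
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Each handler goes into its own Action in the dashboard (one in the Pre User Registration flow, one in the Login flow). Note that a deny in the Login flow blocks the session but does not delete a social profile that the connection has just created; cleaning those up is a separate Management API task outside this example.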
