Best way to handle cross-domain authentication using SSO

Hello Auth0 community,

I would like to know what would be the best scenario for my use case.

I have a production tenant registered with a custom domain (

I have a SaaS at that uses to authenticate users.

For a client, I would like to white-label my SaaS and provide him with a version of my platform available at the domain of their choice (let’s say

What would be the best architectural scenario for this use case? Should I create a tenant available at the same domain as my client's domain ( or could I use my current domain name ( to authenticate their users?
Am I going to encounter issues if I do the latter?

Hi @jonlg

I assume that will have a different set of users than Correct?

In this case, have two tenants: and, each tenant should have the same config (using your CI/CD deploy stack) but will have their own users.

You can share your domain, but this will mean that the client app will authenticate using which is not a great user experience.


Hey @john.gateley,

Thanks for your prompt response.

Indeed, the users originate from their system so they will definitely be different from the ones in

One thing that I want to stress here is that users are not meant to log in (filling in the login form) on but instead they will log in on their own authentication system and then, later, be recognized on only using an SSO flow.

Could this extra piece of information make the "one tenant to rule them all" scenario more relevant?

I’m also afraid of having all my client authentication providers spread over multiple and multiple tenants. I know CI/CD helps here, but the overhead of setting everything up and maintaining it is not worth the (somehow subjective) poor user experience. Moreover, knowing that users are not meant to log in directly on