
Connecting multiple tenants as identity providers for a single mobile app

Hi Gurus,

I am new to Auth0. Just a quick question about the following link:

How can we connect more than two tenants as a single identity provider using this OIDC for a single client? This is kind of an urgent question, so I would appreciate it if you can answer or suggest a better way in terms of a concrete solution and better performance.

Thanks in advance.
Saif

Hi Saif,

I’m not sure I understand the question well.

If you have two auth0 tenants (e.g. tenant1.auth0.com and tenant2.auth0.com) and you want to have a single identity provider that allows you to login to either one, you have two options:

  • Create a third tenant, create an OIDC connection to tenant1 and tenant2. The login page will have a ‘Continue to Tenant1’ button and a ‘Continue to Tenant2’ button.

  • Add an OIDC connection from Tenant1 to Tenant2. The login page will prompt for username / password for Tenant1 and will have a ‘Continue to Tenant2’ button.

Does that make sense?

Regards,

Andres

Hi Andres,

This looks interesting and makes sense. But the customer requirement is quite complex. Please consider the following example for its description:

  1. Our customer is a big enterprise group having multiple business units A, B, C, and D, where each unit has its own end-user base authenticating on their respective mobile or web apps.
  2. Now the main enterprise has come up with a single mobile app and wants the end users of all business units to be authenticated on this mobile app seamlessly using their existing credentials (end-user profiles and passwords can be lazily fetched from the existing external customer DB).
  3. Business units, on the other hand, now want to have their own separate tenants so that they can still have boundaries for governance and analytics and yet still support the enterprise's single app as well.

We do not want to have this ‘Continue to’ unit A, B, C or D. It should be seamless. Is it possible?

Thanks,
Saif

Hi Saif,

You can model the business units in two ways:

  1. One database connection per unit, with lazy fetch from an external customer DB
  2. One tenant per unit, with a database connection with lazy fetch from an external customer DB, and another tenant with 4 OIDC connections, one to each business unit tenant.

In either way, if you want to avoid prompting the end-user for which business unit they want to log in to, you’ll need to know in advance which business unit they belong to. If you do, you can pass a ‘connection=<connection name>’ parameter to the /authorize endpoint.

If you used the approach described in #1, it will prompt for username/password for one of those DB connections. If you used #2, it will skip the page with buttons like “Continue with Business Unit A” and redirect to the corresponding tenant.

Hope it helps,

Andres

Hi Andres,

Pardon me for the late response. But this really, really helped me a lot to convince a client to go multi-tenant. Thumbs up to you, and thanks for this level of detailed support from you. Really appreciate it.

Best Regards,
Saif