Different organizations login with Microsoft

Dear fellow devs,

We’re currently creating a SaaS for bigger companies, mainly focussed on companies that use the MS AAD. We would like our app to be displayed on different subdomains, for example:

We managed to connect our own test tenant to the auth0 tenant, so we’re able to log in to our app by using our MS AAD.

We were wondering what the tenant setup would look like within auth0 (and MS AAD) if we would want to enable logins per company and per domain. Meaning, the users from company1.oursaas.com can only log in over that specific URL and won’t be allowed to log in over another company’s URL.
It seems like the most used solution would be that users should be able to log in over their company’s own MS AAD tenant through the subdomain provided by us, then we would connect their MS AAD tenant to our Auth0 tenant.

For now, it looks like we’re having 2 options:

  1. connecting the individual company MS AAD tenants to multiple Auth0 tenants (or is it possible to do this all within one Auth0 tenant?) and therefore giving each company access over their own subdomain.
  2. creating a multi-tenant in MS AAD and connecting this to Auth0, limiting the login option per subdomain based on the company from within our own MS AAD.

We’re unsure what the standard would be within Auth0 to connect these tenants, and what the tenant setup would look like when there are multiple companies included. Any help is appreciated!
Any additional or clarification questions are also more than welcome!

Same problem here: [Allow multiple custom domains for multitenant applications]

Fixed the problem, unorthodox and I think Auth0 should implement a solution for this problem.

Within Auth0, there is the option to use multiple organization login screens (organizations). This is only possible when you’re not using the Auth0 management API. Which we are using, and we aren’t able to allow multiple domains using Auth0 organizations. Therefore, the solution to create a SaaS product, with multiple subdomains, where companies can log in through their MS AAD tenant on their own subdomain is as follows:

  • I’ve created a multiple AAD tenant application.

  • I’ve created one Auth0 tenant per subdomain.

  • Every single Auth0 tenant will be connected to our own multiple AAD tenant application.

  • Within every single Auth0 tenant, you can add rules (in the future actions), in here we can check if the user trying to log in has a matching tenant ID with the allowed tenant IDs. If the user’s tenant ID is from a different company, it won’t be on our whitelist. The rules within the auth0 pipeline look like this for now.

// Auth0 pipeline rule: only allow logins from whitelisted Azure AD tenants
function (user, context, callback) {
	// Azure AD tenant IDs are GUIDs; the placeholders below stand in for the real values
	var ownAADTenantID = 'lotsofnumbersandletters';
	var companyAADTenantID = 'lotsofnumbersandletters';

	// Authorized Azure AD tenants.
	var whitelist = [ ownAADTenantID, companyAADTenantID ];

	// user.tenantid is the Azure AD tenant the user authenticated against.
	var userHasAccess = whitelist.some(function (tenantId) {
		return tenantId === user.tenantid;
	});

	if (!userHasAccess) {
		// Deny the login; UnauthorizedError is provided by the rules runtime.
		return callback(new UnauthorizedError('Access denied.'));
	}

	return callback(null, user, context);
}

The rules will be deprecated in November 2024, I hope Auth0 will have a solution to use the actions by then…
Honestly, the solution will be expensive in the end, Auth0 should really come up with a solution for supporting multiple subdomains.
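The same tenant-ID allowlist written as an Auth0 post-login Action, the mechanism that replaces Rules. This is an added example and not the poster's code; it assumes the Azure AD tenant id is exposed as `event.user.tenantid` (mirroring `user.tenantid` in the posted rule), that the login hostname is available as `event.request.hostname`, and that the tenant ids in the map are constructed placeholders.

```javascript
// Added example: Azure AD tenant allowlist as an Auth0 post-login Action.
// Assumptions: event.user.tenantid carries the AAD tenant id (as in the posted
// rule), event.request.hostname is the subdomain the user signed in on, and the
// Azure AD connection uses Auth0's 'waad' strategy. Tenant ids are placeholders.

// Keyed by subdomain so the same Action can be deployed unchanged to every
// per-subdomain Auth0 tenant, and still works if subdomains later share one.
const ALLOWED_TENANTS_BY_HOST = {
  'company1.oursaas.com': ['00000000-0000-0000-0000-000000000001'],
  'company2.oursaas.com': ['00000000-0000-0000-0000-000000000002'],
};

// Pure decision function so the policy can be unit-tested outside Auth0.
// Returns null when the login is allowed, otherwise a short denial reason.
function checkTenant(hostname, connectionStrategy, tenantId, allowedByHost) {
  // Only enforce for Azure AD logins; other connection types are left alone.
  if (connectionStrategy !== 'waad') return null;
  const allowed = allowedByHost[String(hostname || '').toLowerCase()];
  if (!allowed) return 'Unknown subdomain.'; // fail closed on unmapped hosts
  if (typeof tenantId !== 'string' || tenantId === '') {
    return 'Missing Azure AD tenant id.';
  }
  return allowed.includes(tenantId.toLowerCase()) ? null : 'Access denied.';
}

// Auth0 Actions entry point: deny the login when the tenant is not allowed
// for the subdomain the request came in on.
const onExecutePostLogin = async (event, api) => {
  const reason = checkTenant(
    event.request.hostname,
    event.connection.strategy,
    event.user.tenantid,
    ALLOWED_TENANTS_BY_HOST,
  );
  if (reason) api.access.deny(reason);
};

// Auth0 loads the Action as a CommonJS module; guard keeps the file runnable elsewhere.
if (typeof exports === 'object') exports.onExecutePostLogin = onExecutePostLogin;
```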
