How to extend/map users to customers?

Hi there

I‘m quite new with IAM and would love to deploy Auth0 within our organization with our ecommerce webshop. Maybe someone can help with some of my blind spots:

  • We have customers that have their unique customer numbers and can have multiple logins, eg for billing, the other for ordering. I sorted out that this can be solved with RBAC roles.
    What‘s best practice for grouping the customers together? A custom field on the user that maps to the number?

We have different applications, some for our internal team, one for external b2b customers and some for third party customers. It should be possible whenever for some to use two or theee apps, that would speak for a common database. But the UI and app names should be different.

What‘s would be a good setup? Is there a need for a different application to administer the users, or will this be done directly on Auth0?

Best regards

Hi @silvan,

Welcome to the Community!

You could certainly add a customer_id (call it whatever you want of course) attribute to a user’s app_metadata. You could then identify all the user accounts that map to the same customer ID.

Are you planning to store you users in an Auth0 hosted database, or a 3rd party database (Auth0 will connect to just about any user data store / Identity Provider). Where the users are stored will impact how you manage them. Auth0 does provide the Delegated Administration Dashboard, but its functionality is limited to actions like password reset, change email, etc. For a more comprehensive user management solution, you will need to build that yourself.

Hi Mark
Many thanks for the warm welcome and your help.
To keep it simple, I’d like to store the users in a hosted database by Auth0. So I understand best practice would be to build a simple backend to manage the users and be able to match them with our customers, right?

What do you suggest about multi-tenancy-applications?
I have one central application that has multiple stores and have two different user groups that have different roles:

The question is arisen: Smart enough for one Auth0 instance, or shall we create two - and depending on the tenant, choose which one?

I don’t think there is any reason for you to use multiple tenants. Doing so is unnecessarily complicated and, if I understand your requirements correctly, you can do what you need to do with some combination of Auth0’s core authorization feature and / or some customization of app_metadata. E.g., you might have app_metadata that looks like:

"app_metadata": {
  "customer_id": "ABC123",
  "groups": [ "group_a" ],
  "roles": [

You can also consider asking Auth0 about getting access to the “groups” beta, which is adding “groups” to core authorization.