Input on design for a multi-tenant application

I would like to gather some feedback/suggestions on a design approach most suitable with Auth0, based on the following requirements/structure.

Requirements:

  • Consider that we will need to provide authentication/authorisation for our many customers.
  • Each customer may require access to one or more of our 5 software products.
  • Each customer will also require authentication, using the same credentials (SSO) as the above 5 products, to an external support software, e.g. Zendesk.
  • We want to provide “admins” from each customer with a portal allowing them to manage their own users - I’m aware there is DAE - Delegated Admin for this purpose, more on this below.
  • Such “admins”, however, should of course only be able to view the roles for their relevant applications, i.e. customer X should not see roles that can be assigned to customer Y users.

My proposals
Proposal 1:

  1. One tenant for each customer.
  2. Each tenant would have specific applications which represent the product(s) a given customer has ordered from us.
  3. Each of the above applications shares connections, whether that is U/PW-DB, AD/LDAP, Social etc.
  4. SSO is achieved by the calling application attempting to authenticate the user, using the connections available to it.

Observations:

  • External support software like Zendesk, to which we can only provide 1 URL to authenticate against, e.g. something similar to https://zendesk-tenant-xxx.us.auth0.com/xxx - which represents a tenant set up for Freshdesk.
    As connections cannot be shared across tenants, there is no way for the Zendesk tenant to know about, and subsequently attempt to authenticate, all of the other users from all other tenants.
  • This means customer X of ours can SSO into their products etc but cannot authenticate when trying to access Freshdesk, as those users are in a separate tenant.

Proposal 2:

  1. A single tenant is set up - tenant would contain all applications and connections for all customers.
  2. Each application within this tenant would be configured for each customer-product, i.e. customerX-productX and customerY-productY etc.
  3. Each of the above applications, again, shares connections, whether that is U/PW-DB, AD/LDAP, Social etc.
  4. As with the previous scenario - SSO is achieved by the calling application attempting to authenticate the user, using the connections available to it.

Observations:

  • With this scenario, it would appear we could authenticate each customer’s users against products, and we can also now authenticate the same users against Zendesk, as the connections are shared across this single tenant, which Zendesk could be set up to authenticate against.
  • However, the delegated admin access feature may now not be possible as all connections are shared meaning a delegated admin would be able to see/manage users/roles from other customers.

Thoughts:

  1. As you can see, with (1) we get all requirements except the ability for a user to auth with the products AND Zendesk.
  2. With (2) we get all requirements but have the unacceptable result of admins from one customer having the ability to view the roles from another customer.

I am open to any corrections if I made any incorrect assumptions as it relates to Auth0, and I welcome any and all advice on how I can design to achieve the requirements listed at the beginning.
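The delegated-admin visibility problem raised under Proposal 2 (a single tenant with shared connections), as an added example that is not part of the original thread and not Auth0's own API: it assumes every user record carries a customer identifier in `app_metadata.customer` and that role names are prefixed with that identifier, and it scopes what an admin can see and assign from the admin's own record rather than from a request parameter. The user and role records are constructed sample data.

```javascript
// Assumption (not from the thread): users are tagged with app_metadata.customer
// and roles are named "<customer>:<product>-<level>". Constructed sample data.
const users = [
  { email: "alice@customer-x.example", app_metadata: { customer: "customerX" } },
  { email: "bob@customer-x.example",   app_metadata: { customer: "customerX" } },
  { email: "carol@customer-y.example", app_metadata: { customer: "customerY" } },
];

const roles = [
  { name: "customerX:productA-user" },
  { name: "customerX:productB-admin" },
  { name: "customerY:productA-user" },
];

// The admin's scope comes from their own stored record, never from the request,
// so an admin cannot widen it by editing a query string or form field.
function adminScope(admin) {
  const customer = admin && admin.app_metadata && admin.app_metadata.customer;
  if (typeof customer !== "string" || customer.length === 0) {
    throw new Error("delegated admin has no customer scope");
  }
  return customer;
}

// Only users belonging to the admin's customer are listed.
function visibleUsers(admin, allUsers) {
  const customer = adminScope(admin);
  return allUsers.filter((u) => u.app_metadata && u.app_metadata.customer === customer);
}

// Only roles carrying the admin's customer prefix are listed.
function visibleRoles(admin, allRoles) {
  const prefix = adminScope(admin) + ":";
  return allRoles.filter((r) => r.name.startsWith(prefix));
}

// Deny-by-default check enforced server-side before a role assignment is written:
// both the target user and the role must belong to the admin's customer.
function canAssignRole(admin, user, roleName) {
  const customer = adminScope(admin);
  const sameCustomer = !!user.app_metadata && user.app_metadata.customer === customer;
  return sameCustomer && roleName.startsWith(customer + ":");
}

const adminX = { email: "admin@customer-x.example", app_metadata: { customer: "customerX" } };
console.log(visibleUsers(adminX, users).map((u) => u.email)); // alice and bob only
console.log(visibleRoles(adminX, roles).map((r) => r.name)); // customerX roles only
```

The filtering only helps if it is enforced where the portal talks to the tenant's management API, not just in the admin UI.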

Hi @kuyashii

This is fairly complex. My best recommendation here is to contract with our Professional Services team for some time.

The situation is complex enough that there are other avenues to consider, and without a discovery session and follow-up architecture sessions I cannot guide on what the best solution is.

Contact your sales team for more info.

John

Thanks, John, will do - I have reached out to Isaac Matson.