
Login requirements: enterprise & passwordless

auth0
api
login

#1

I’m developing an application with two very distinct user groups that have different authentication requirements, but both interact with our products/API. The first group will use username/password and eventually enterprise connections. The second group will use passwordless (sms). This is an enterprise setup where we sell to large organizations (10ish “admin” users per org), who then manage their users (100s-1000s) via our platform.

My question is: what is the best setup in Auth0 to facilitate this? As far as I can tell, there isn’t a way to do this on a single tenant, partially because we cannot have multiple hosted login pages for auth. I also cannot figure out how to identify users during signup (e.g. which group they belong to). Is multiple tenants the way to go?

Thanks so much, really appreciate any advice you can give me!


#2

I’m personally finding it hard to say based just on that information; the connection types described can co-exist within the same tenant, so focusing on connection types may not be worthwhile. What does it mean to be in one user group versus the other? Is it that one group has access to a set of applications/APIs and another group has access to another set of applications/APIs?

You mention needing to have multiple hosted login pages, so this does seem to imply that the products you have possess completely different branding and may constitute totally independent products/services. If this is the case, then one single tenant may indeed not be a good fit; however, as I said earlier, it’s very difficult to provide a definitive answer to these sorts of questions because someone looking from the outside will not have the same context as you.


#3

Thanks for the reply. Sorry for the lack of detail, I was trying to edit my question to provide more but the system would not let me.

Sorry for the confusion around the two groups. Let’s call one group the enterprise admins, and the second group their customers. We sell our platform to the enterprise admins and they in turn grant access to their customers. This means that we provide a unified platform: a web portal for the enterprise admins, and a (React Native) mobile app for their customers. You’re right that there are effectively two separate products: one for the enterprise admins, and one for their customers. But we have a shared backend (Python/Flask) that allows the admins to manage their customer profiles, etc.

The reason I mentioned multiple hosted login pages is because I could not find a way to do both database and passwordless from the same page. The templates available are: lock, lock (passwordless), custom. Each of these worked individually, but we have the need for admins (web portal) to use the database connection and their customers (React Native app) to use the passwordless connection. And I guess even if we could do it from the same page, we only want to offer passwordless to the customers, not the admins. The admins will use the database connection in the short term, and enterprise SSO in the medium term.

I think what I’d ultimately like to do is have two distinct hosted pages (this is what led me to two tenants), and show the passwordless lock to the mobile users, and the normal lock to the web users. If there is a way to do this without two tenants, that would be ideal, because they do share a backend, which means all of the custom rules (alerts, enrichment, etc.) need to be duplicated on both tenants.

Additionally, we just got our Auth0 Enterprise contract signed by both parties, so if there’s an easier/faster support method please let me know how I can reach out!


#4

The templates available for the hosted login page do not represent a definitive statement on what’s supported, so technically it should be possible to have both database and passwordless available in the same login page, but this would require a custom implementation because, as you said, it’s really easy to use one of the default templates to do passwordless or database, but there’s none for both at the same time.

Another point to have in mind is that you also don’t want to have them both at the same time, and this is the part that makes me have the opinion that one tenant may not be right; not saying it cannot be done in a single tenant, just questioning if it should.

With all this in mind and the fact that you have a paid subscription, you may indeed want to consider reaching out through private support, as it may be easier to share much more information about your particular case; you can open a ticket through https://support.auth0.com. This ensures guaranteed replies; however, due to the ongoing Lock/Auth0.js migration scheduled for April 1st, the number of support tickets has been above average and response times are being a bit impacted by it.