Multi Auth0 Tenant vs. Single Tenant for global SaaS

Hi together!

I’m currently evaluating if we can use Auth0 for our next project. Maybe you guys can help me with my thoughts and tell me about your experience on how you would implement the following scenario.

We want to implement a global SaaS. We have roughly identified 3 user groups that communicate with our software via their own API’s and applications. Each of these user groups has different requirements.

  • Group A: Admins, Internal Employees. MFA required. Access via Website. No self-registration. Strong password policy. ~5-20 Users
  • Group B: These users require a paid subscription and generate the content for our software. They can add other users to their account who can help maintain the content. Access via Tablet, Smartphone, Web. Possibly other hardware (POS system). ~5-10k users
  • Group C: The end users. This group can freely use the app and authenticate via social provider in addition to email. mainly smartphone. Potentially millions of users

Unfortunately, I currently lack the experience and understanding of how best to implement this scenario. Currently I tend to create a separate Auth0 tenant (+ SDLC tenants) for each user group, but maybe there is a better way? My gut feeling would be to create a separate tenant for at least group A (admins), since they have a special position. The articles on Multi-Tenant Applications Best Practices & How to Use Auth0 for B2B Multi/Single-Tenant SaaS Solutions didn’t help me either, unfortunately.

I know there is no patent solution, but maybe someone has already solved a similar problem and can help me. Thanks in advance :slight_smile:

Hi @phillipp

Is your business B2B or B2C?

What I usually see in similar circumstances: a single Auth0 tenant with 3 connections.
The connection for Group A is either a username/password or SSO to your company difectory.
The conneciton for Group B is just username/password
The connection for group C is a social connection (or multiple social connections).

Then you use actions or rules to handle the different connections, for example, you would have an action that triggers MFA when a user in Group A logs in.

No need for multiple Auth0 tenants.


Thanks for the quick reply @john.gateley!

I can not really classify this at all. But maybe it will help if I explain the scenario a bit more.

It should be a platform for Group B (usually business owners). They can present their business(es) via this platform and map internal processes. End customers can then find this business (via an app) and use the services of the platform for this business.

I think a single Auth0 tenant (for production, you should also have at least one staging/testing tenant) is the best.