Auth0 Home Blog Docs

Multitenant App with Multiple Sub Domains

multiple-accounts
multi-tenant
multiple-clients

#1

We are working with an app that the current setup has every tenant with their own subdomain for example tenant1.myapp.com, tenant2.myapp.com. If we were to use Auth0 on this, how would we setup the clients and connections?

On top of that, some users could be in multiple tenants. I have looked at the documentation about putting this in the app metadata like.

{
“tenant1”:{
“role”:“admin”
},
“tenant2”:{
“role”:“user”
}
}

What other considerations do we need to take for our account and how to best set this up? Our concern would be just maintaining the number of tenants which is close to a thousand. About 5k activate users

So the key questions:

  1. Is it best to have 1 database and 1 client?
  2. Should we break individual tenants into their own databases? How does this affect cost?
  3. Any other concerns about users that can log into multiple tenants?

#2

We have implemented multi-tenancy like this.

  1. If you use multiple clients, you will need to create these and databases (auth0 or custom) dynamically, retrieve and store all the various keys and Ids, then connect to individual tenants using this information. I don’t think this overhead is necessary and believe 1 database and 1 client will be best.
    In recent times, creating new clients, confirms to different standards, for instance Client created after a certain date behave differently (without notification) So you may find that your integration breaks without warning, for this reason I would also stick to 1 client.
  2. I don’t think there is a limit on the number Auth0 databases/connections? It may be additional cost to run your own/custom database, sure of the overhead and cost for that.
  3. When user info is retrieved, you will need to pull/translate any metadata into claims using a “rule” on your Auth0 account. We store the basic things like TenantId, Role etc, return these as claims then within our app manage additional/internal claims based on roles. If you are using this for single sign on, you may need to store all your claims in the metatdata to share with other apps.

Impersonation is a handy feature, but not sure how that works across Clients?

Hope this helps.


#3

Is it best to have 1 database and 1 client?
I would recommend multiple clients with a single database. Then you can have a client association in app_metadata and approve/deny authorization in Rules based on the client_id(s).

Should we break individual tenants into their own databases? How does this affect cost?
Auth0 doesn’t cost you for a number of connection however, for users that will be part of more than a single tenant you’ll need to create the profile in both the databases. Which will create 2 profiles, passwords and so-on. I’d recommend that if that is exactly what you want, however storing them with the tenant information in app_metadata is a great alternative.

Any other concerns about users that can log into multiple tenants?
None OTOH.


#4