Single Sign On and Auth0 Multi Tenant

Currently we have a single Auth0 tenant with a number of applications and APIs. Some of those applications and APIs are development and staging. Some more are for different user groups.
The reason they were all under a single tenant was we wanted to have a “single sign on Auth0 account” our users could log into. This would save them from having to sign in to their account again when moving between Application A and Application B (if they had authorization to log into both A & B).

Quickly explained: Our user base is a mix of only App A, only App B and both App A & B users.

Reading Auth0 documentation, the multi-tenant approach seems to be “best practice” and more desirable when having dev, staging and production applications.

I am however unable to find any docs on single sign-on between 2 Auth0 tenants / username-password Auth0 databases / etc. Our user base also doesn’t / can’t support social media OAuth.

The desired outcome, as stated above, is to have users log into their Auth0 username-password account. Some users have access to App A, some users have access to App B and some users have access to both A and B.

Any help with this would be appreciated.

Hi @matt.demler

First, you should have separate Auth0 tenants for dev and staging.

Second, SSO is done via a cookie in the Auth0 tenant domain (or CNAME), and so multi-tenant will NOT give you SSO.

How do you know if a user is App A only or both A and B? Are they selectively enabled for apps? Like they purchase access to App A, and maybe later also purchase access to B?

Assuming this is true, you want a single tenant, and each user should have an app_metadata field for which apps are enabled. Then have a rule that checks the application ID (client ID) and that app_metadata field and returns an Unauthorized error if the user should not have access.

This gives you SSO.
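The rule described above, written out as an added example (not code from the thread or from Auth0): it denies the login unless the requesting application's client ID appears in the user's app_metadata, and it denies by default when the field is missing. The field name enabled_apps, the client IDs and the sample users are assumptions constructed for the example; the UnauthorizedError shim stands in for the one Auth0 provides inside the rules sandbox.

```javascript
// Auth0 supplies UnauthorizedError inside the rules sandbox; this shim only
// exists so the rule can be exercised locally with node.
class UnauthorizedError extends Error {
  constructor(message) { super(message); this.name = 'UnauthorizedError'; }
}

// The rule, in the shape Auth0 expects: function (user, context, callback).
// context.clientID is the client ID of the application the user is logging
// into; user.app_metadata.enabled_apps (assumed field name) lists the client
// IDs this user has been enabled for.
function enforceEnabledApps(user, context, callback) {
  const enabledApps = (user.app_metadata && user.app_metadata.enabled_apps) || [];
  // Deny by default: no metadata, wrong type, or an unlisted app all fail.
  if (!Array.isArray(enabledApps) || !enabledApps.includes(context.clientID)) {
    return callback(new UnauthorizedError(
      'User is not enabled for application ' + (context.clientName || context.clientID)));
  }
  // Access granted: pass user and context through unchanged.
  return callback(null, user, context);
}

// Synchronous wrapper for local testing: maps the callback outcome to a string.
function evaluate(user, context) {
  let result;
  enforceEnabledApps(user, context, (err) => { result = err ? 'denied' : 'allowed'; });
  return result;
}

// Constructed sample data (hypothetical client IDs, not real Auth0 values).
const APP_A = 'CLIENT_ID_APP_A';
const APP_B = 'CLIENT_ID_APP_B';
const userAOnly = { email: 'a@example.com', app_metadata: { enabled_apps: [APP_A] } };
const userBoth = { email: 'ab@example.com', app_metadata: { enabled_apps: [APP_A, APP_B] } };
const userNoMeta = { email: 'none@example.com' };

console.log(evaluate(userAOnly, { clientID: APP_A, clientName: 'App A' }));  // allowed
console.log(evaluate(userAOnly, { clientID: APP_B, clientName: 'App B' }));  // denied
console.log(evaluate(userBoth, { clientID: APP_B, clientName: 'App B' }));   // allowed
console.log(evaluate(userNoMeta, { clientID: APP_A, clientName: 'App A' })); // denied
```

In the Auth0 dashboard only the rule function body is pasted; the shim, wrapper and sample data are for running it locally.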



Thanks @john.gateley for the reply.

Just so I’m clear in my understanding.

We should separate out our Dev and Staging apps into their own Auth0 tenants.
However App A and App B should be in the same Auth0 tenant as multi-tenant won’t give us SSO.
Use an Auth0 rule to check for enabled apps against a user during authentication.

That is right.
– John