FusionAuth

    Can I configure a tenant application as an external identity provider for other tenants?

    Q&A
    • S
      sandiprghane
      last edited by

      I want to create a multi-tenant system using FusionAuth, with centralized authentication for user verification before the onboarding process. My plan is to create a default tenant where users authenticate before they create their own organization. Once authenticated, the user would create their own tenant programmatically, along with the respective application. Later, the user would log in through their organization-related application.

      In this setup, I want the user, once authenticated by the centralized tenant, to be able to create their tenant. I also want to create the user in their tenant using the centralized tenant's token.

      My question is: can I use external identity providers to create users and registrations in the newly created tenant using the JWT claims from the default tenant?

        • mark.robustelliM
          mark.robustelli @sandiprghane
          last edited by

          @sandiprghane For the "centralized authentication", are you using FusionAuth or another IdP?

          If so, I think this could be done by validating the user against the external IdP; then, when you get that user's info, you can use the APIs to add them.

          • S
            sandiprghane @mark.robustelli
            last edited by

            @mark-robustelli For the centralized authentication, I want to use FusionAuth. Then, I plan to create a user in another tenant using an external JWT identity provider, allowing the user to log in to the other tenant as well.

            • mark.robustelliM
              mark.robustelli @sandiprghane
              last edited by

              @sandiprghane So you can create users with the same user info in different tenants:
              Screenshot 2024-08-09 at 1.41.16 PM.png

              However, they will ultimately be different users.
              Screenshot 2024-08-09 at 1.42.52 PM.png
              Screenshot 2024-08-09 at 1.42.41 PM.png

              As far as a FusionAuth tenant using another FusionAuth tenant as an IdP, that is an interesting question. I should get some time next week to look into that. I will let you know what I find.

              • mark.robustelliM
                mark.robustelli @mark.robustelli
                last edited by

                @mark-robustelli OK, this question became a brain bug and I could not let it go. I think I got it to work the way you want but it may be a little confusing. Here is what I did.

                I have a couple of tenants: Default, Tenant 1, Tenant 2 (we can ignore Tenant 2; it is not used here).
                Screenshot 2024-08-09 at 2.34.05 PM.png

                I have a couple of users: Again, ignore test@example.com user in Tenant 2. Just note that test@example.com does not exist for the Default tenant.
                Screenshot 2024-08-09 at 2.34.55 PM.png

                I use the .Net Web Quickstart application as my test app.

                I set up a Test Base Application for Login application. I now have 3 applications: FusionAuth (Default), ExampleDotNetApp (from quickstart), and the Test Base Application for Login (this will be the source of auth app).
                Screenshot 2024-08-09 at 2.39.32 PM.png
                (Note that the ExampleDotNetApp belongs to a different tenant than the Test Base Application for Login application.)

                I then set up a new OpenID Connect identity provider: "TestBaseApplication"
                Screenshot 2024-08-09 at 2.40.44 PM.png

                I set it up using info from the Test Base Application. Then I enabled it in the ExampleDotNetApp and selected Create Registration.
                Screenshot 2024-08-09 at 2.41.13 PM.png
                Screenshot 2024-08-09 at 2.41.20 PM.png

                Now, when I go to log in to the Change Bank Quickstart I see the Login with Test Base Application button. (The text is cut off in the image because it is too long, but you get the idea.)

                Screenshot 2024-08-09 at 2.46.40 PM.png

                When I click that button and log in with the test@example.com user, it allows me in. When I go back to users, you can see the test@example.com user was added to the ExampleDotNetApp.
                Screenshot 2024-08-09 at 2.48.36 PM.png

                Now please be aware that the test@example.com user for the Default tenant is technically different from the test@example.com user for Tenant 1. They will have different User Ids. However, now user test@example.com in Tenant 1 can log into the application in the default tenant.

                From here you should be able to use the APIs to update whatever data you need.

                Hope this helps.

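As an added example (not code from this thread or from FusionAuth itself), the same OpenID Connect identity provider the answer above creates by hand in the admin UI, built and submitted through the Identity Provider API so the setup is repeatable per new organization. The host, client id and secret, application id and API key are placeholders: the client id and secret belong to the Test Base Application in Tenant 1, the target application id is ExampleDotNetApp's, and the issuer must equal the source tenant's configured Issuer value.

```python
import json
import urllib.request

def oauth2_endpoints(base_url):
    """One OAuth2 surface serves every tenant; the source app's client_id picks the tenant."""
    return {
        "authorization_endpoint": f"{base_url}/oauth2/authorize",
        "token_endpoint": f"{base_url}/oauth2/token",
        "userinfo_endpoint": f"{base_url}/oauth2/userinfo",
    }

def build_oidc_idp(name, source_client_id, source_client_secret, issuer,
                   base_url, target_app_id, create_registration=True):
    """Body for POST /api/identity-provider (type OpenIDConnect): source_* come from
    the Tenant 1 application, target_app_id is the Default-tenant application."""
    if not (issuer.startswith("https://") and base_url.startswith("https://")):
        raise ValueError("issuer and base_url must use https")
    return {"identityProvider": {
        "type": "OpenIDConnect",
        "name": name,
        "enabled": True,
        # Link on the email claim; the accounts stay separate users with
        # separate ids, as the answer above observes.
        "linkingStrategy": "LinkByEmail",
        "oauth2": {
            "client_id": source_client_id,
            "client_secret": source_client_secret,
            # Must equal the source tenant's configured Issuer or the
            # id_token iss check fails.
            "issuer": issuer,
            "scope": "openid email profile",
            "clientAuthenticationMethod": "client_secret_basic",
            **oauth2_endpoints(base_url),
        },
        "applicationConfiguration": {
            target_app_id: {"enabled": True,
                            "createRegistration": create_registration},
        },
    }}

def create_idp(base_url, api_key, body, timeout=10):
    """POST the body with a FusionAuth API key (placeholder); returns the new IdP id."""
    req = urllib.request.Request(
        f"{base_url}/api/identity-provider", method="POST",
        data=json.dumps(body).encode(),
        headers={"Authorization": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["identityProvider"]["id"]
```

Once the provider exists, the login page of ExampleDotNetApp shows the button the answer describes, and a Tenant 1 user who signs in through it gets a registration created in the Default tenant because createRegistration is true.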
                • mark.robustelliM
                  mark.robustelli @mark.robustelli
                  last edited by

                  @sandiprghane, for some reason, I have still been thinking about this question. We didn't get too much into the "why" you want this setup, and if it works for you, that is great. I just want to throw something else out there for consideration.

                  While this is a premium feature, you may think about custom scopes for third party applications. FusionAuth has a blog post that describes this.

                  • S
                    sandiprghane @mark.robustelli
                    last edited by

                    @mark-robustelli, thank you for your time and response. Currently, I am working on a FusionAuth POC to fulfil my requirements. I am doing this through 'Add External JWT.'

                    My requirement is straightforward: I want to build a multi-tenant SaaS application using FusionAuth, where all organization members are isolated within a particular tenant. I understand that the same user can have different identities in different tenants.

                    However, I want to authenticate the Admin user in a centralised authentication system before they set up their own tenant and invite users into their tenant.

                    • mark.robustelliM
                      mark.robustelli @sandiprghane
                      last edited by

                      @sandiprghane based on that info, I think the above method will work for you and as I mentioned, maybe check out custom scopes for third party applications if you have a license that supports it.

                      • mark.robustelliM mark.robustelli has marked this topic as solved on