FusionAuth

Can I configure a tenant application as an external identity provider for other tenants?

sandiprghane
last edited by 8 Aug 2024, 11:20

    I want to create a multi-tenant system using FusionAuth, with centralized authentication for user verification before the onboarding process. My plan is to create a default tenant where users authenticate before they create their own organization. Once authenticated, the user would create their own tenant programmatically, along with the respective application. Later, the user would log in through their organization-related application.

    In this setup, I want the user, once authenticated by the centralized tenant, to be able to create their tenant. I also want to create the user in their tenant using the centralized tenant's token.

    My question is: can I use external identity providers to create users and registrations in the newly created tenant using the JWT claims from the default tenant?
mark.robustelli @sandiprghane
last edited by 8 Aug 2024, 21:13

    @sandiprghane For the "centralized authentication", are you using FusionAuth or another IdP?

    If so, I think this could be done by validating the user against the external IdP; then, when you get that user's info, you can use the APIs to add them.
sandiprghane @mark.robustelli
last edited by 9 Aug 2024, 05:16

    @mark-robustelli For the centralized authentication, I want to use FusionAuth. Then, I plan to create a user in another tenant using an external JWT identity provider, allowing the user to log in to the other tenant as well.
mark.robustelli @sandiprghane
last edited by 9 Aug 2024, 20:49

    @sandiprghane So you can create users with the same user info in different tenants:
    Screenshot 2024-08-09 at 1.41.16 PM.png

    However, they will ultimately be different users.
    Screenshot 2024-08-09 at 1.42.52 PM.png
    Screenshot 2024-08-09 at 1.42.41 PM.png

    As far as a FusionAuth tenant using another FusionAuth tenant as an IdP, that is an interesting question. I should get some time next week to look into that. I will let you know what I find.
mark.robustelli @mark.robustelli
last edited by 9 Aug 2024, 21:59

    @mark-robustelli OK, this question became a brain bug and I could not let it go. I think I got it to work the way you want, but it may be a little confusing. Here is what I did.

    I have a couple of tenants: Default, Tenant 1, Tenant 2 (we can ignore Tenant 2; it is not used here).
    Screenshot 2024-08-09 at 2.34.05 PM.png

    I have a couple of users. Again, ignore the test@example.com user in Tenant 2. Just note that test@example.com does not exist in the Default tenant.
    Screenshot 2024-08-09 at 2.34.55 PM.png

    I use the .NET Web Quickstart application as my test app.

    I set up a Test Base Application for Login application. I now have 3 applications: FusionAuth (Default), ExampleDotNetApp (from the quickstart), and Test Base Application for Login (this will be the source-of-auth app).
    Screenshot 2024-08-09 at 2.39.32 PM.png
    (Note that the ExampleDotNetApp belongs to a different tenant than the Test Base Application for Login application.)

    I then set up a new OpenID Connect identity provider: "TestBaseApplication".
    Screenshot 2024-08-09 at 2.40.44 PM.png

    I set it up using info from the Test Base Application. Then I enabled it in the ExampleDotNetApp and selected Create Registration.
    Screenshot 2024-08-09 at 2.41.13 PM.png
    Screenshot 2024-08-09 at 2.41.20 PM.png

    Now, when I go to log in to the Change Bank Quickstart, I see the Login with Test Base Application button. (The text is cut off in the image because it is too long, but you get the idea.)

    Screenshot 2024-08-09 at 2.46.40 PM.png

    When I click that button and log in with the test@example.com user, it lets me in. When I go back to Users, you can see the test@example.com user was added to the ExampleDotNetApp.
    Screenshot 2024-08-09 at 2.48.36 PM.png

    Now please be aware that the test@example.com user for the Default tenant is technically different from the test@example.com user for Tenant 1. They will have different user Ids. However, now user test@example.com in Tenant 1 can log into the application in the Default tenant.

    From here you should be able to use the APIs to update whatever data you need.

    Hope this helps.
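The onboarding path the original question asks about (verify a user by the central tenant's JWT, then create that user and a registration in the tenant they just created, "using the APIs" as the post above suggests), as an added example in Python that is not code from this thread or from FusionAuth. It assumes the central application signs access tokens with HS256 and that the onboarding service holds the shared secret (with RSA or EC keys the check would use the tenant's JWKS instead); that the token carries FusionAuth's iss, aud (application Id), sub (user Id), tid (tenant Id), email and exp claims; and that the new tenant is selected with the X-FusionAuth-TenantId header on POST /api/user/registration. Every Id, secret and address is constructed for the example. The tid check is the security-relevant line: because the same email is a different user in every tenant, a token minted by some other tenant's application must not be accepted as proof of central authentication.

```python
"""Verify a JWT from the centralized (Default) tenant, then build the
FusionAuth User Registration API call that provisions the same person in a
newly created tenant. Added example; assumptions are noted inline."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample configuration (not real tenants, apps or keys).
CENTRAL_SECRET = "central-tenant-hmac-secret-change-me"  # assumed HS256 key
CENTRAL_ISSUER = "https://auth.example.com"
CENTRAL_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # Default tenant
CENTRAL_APP_ID = "22222222-2222-2222-2222-222222222222"     # central login app
ONBOARDING_API_KEY = "example-api-key"                       # constructed


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256_jwt(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT the way the central app would; used here only to
    construct a sample token offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_central_token(token: str, secret: str, now=None) -> dict:
    """Return the claims of a token the central tenant issued, else raise ValueError.

    Order matters: the algorithm is pinned before anything is trusted (alg=none
    or a swapped algorithm is rejected), the signature is compared in constant
    time, and only then are iss, aud, tid and exp inspected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != CENTRAL_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CENTRAL_APP_ID:
        raise ValueError("token not issued for the central login application")
    if claims.get("tid") != CENTRAL_TENANT_ID:  # same email in another tenant is a different user
        raise ValueError("token not issued by the central tenant")
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if not claims.get("email"):
        raise ValueError("no email claim to provision from")
    return claims


def is_valid_central_token(token: str, now=None) -> bool:
    try:
        verify_central_token(token, CENTRAL_SECRET, now=now)
        return True
    except ValueError:
        return False


def build_registration_request(claims: dict, target_tenant_id: str, target_app_id: str) -> dict:
    """Describe the call that creates user + registration in the new tenant.
    The new user gets a different Id (as the post above notes), so the source
    tenant and user Ids are kept in user.data for later correlation."""
    return {
        "method": "POST",
        "path": "/api/user/registration",
        "headers": {"Authorization": ONBOARDING_API_KEY,
                    "X-FusionAuth-TenantId": target_tenant_id,
                    "Content-Type": "application/json"},
        "body": {"user": {"email": claims["email"],
                          "data": {"sourceTenantId": claims["tid"], "sourceUserId": claims["sub"]}},
                 "registration": {"applicationId": target_app_id, "roles": ["admin"]}},
    }


def provision_from_central_token(token: str, target_tenant_id: str, target_app_id: str, now=None) -> dict:
    claims = verify_central_token(token, CENTRAL_SECRET, now=now)
    return build_registration_request(claims, target_tenant_id, target_app_id)


def sample_token(now: float) -> str:
    """Constructed token for a user who just authenticated in the Default tenant."""
    return sign_hs256_jwt({"iss": CENTRAL_ISSUER, "aud": CENTRAL_APP_ID, "tid": CENTRAL_TENANT_ID,
                           "sub": "33333333-3333-3333-3333-333333333333", "email": "test@example.com",
                           "iat": int(now), "exp": int(now) + 3600}, CENTRAL_SECRET)


if __name__ == "__main__":
    t = time.time()
    req = provision_from_central_token(sample_token(t), "44444444-4444-4444-4444-444444444444",
                                       "55555555-5555-5555-5555-555555555555", now=t)
    print(json.dumps(req, indent=2))
```

The request dict is what an HTTP client would send; sending it is left out so the block runs offline. Use a tenant-scoped API key for the onboarding service rather than a global one, so a bug in this code cannot create users in tenants it should never touch.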
mark.robustelli @mark.robustelli
last edited by 11 Aug 2024, 22:43

    @sandiprghane, for some reason I have still been thinking about this question. We didn't get too much into the "why" you want this setup, and if it works for you, that is great. I just want to throw something else out there for consideration.

    While this is a premium feature, you may think about custom scopes for third-party applications. FusionAuth has a blog post that describes this.
sandiprghane @mark.robustelli
last edited by 13 Aug 2024, 10:00

    @mark-robustelli, thank you for your time and response. Currently, I am working on a FusionAuth POC to fulfil my requirements. I am doing this through 'Add External JWT'.

    My requirement is straightforward: I want to build a multi-tenant SaaS application using FusionAuth, where all organization members are isolated within a particular tenant. I understand that the same user can have different identities in different tenants.

    However, I want to authenticate the admin user in a centralised authentication system before they set up their own tenant and invite users into their tenant.
mark.robustelli @sandiprghane
last edited by 14 Aug 2024, 15:19

    @sandiprghane Based on that info, I think the above method will work for you and, as I mentioned, maybe check out custom scopes for third-party applications if you have a license that supports it.

mark.robustelli marked this topic as solved on 21 Aug 2024, 20:01
mark.robustelli referenced this topic on 22 Aug 2024, 14:45