Can I configure a tenant application as an external identity provider for other tenants?
-
I want to create a multi-tenant system using FusionAuth, with centralized authentication for user verification before the onboarding process. My plan is to create a default tenant where users authenticate before they create their own organization. Once authenticated, the user would create their own tenant programmatically, along with the respective application. Later, the user would log in through their organization-related application.
In this setup, I want the user, once authenticated by the centralized tenant, to be able to create their tenant. I also want to create the user in their tenant using the centralized tenant's token.
My question is: can I use external identity providers to create users and registrations in the newly created tenant using the JWT claims from the default tenant?
-
@sandiprghane For the "centralized authentication", are you using FusionAuth or another IdP?
If so, I think this could be done by validating the user against the external IdP; then, when you get that user's info, you can use the APIs to add them.
-
@mark-robustelli For the centralized authentication, I want to use FusionAuth. Then, I plan to create a user in another tenant using an external JWT identity provider, allowing the user to log in to the other tenant as well.
-
@sandiprghane So you can create users with the same user info in different tenants:
However, they will ultimately be different users.
As far as a FusionAuth tenant using another FusionAuth tenant for an IdP, that is an interesting question. I should get some time next week to look into that. I will let you know what I find.
-
@mark-robustelli OK, this question became a brain bug and I could not let it go. I think I got it to work the way you want but it may be a little confusing. Here is what I did.
I have a couple of tenants: Default, Tenant 1, Tenant 2 (we can ignore Tenant 2; it is not used here).
I have a couple of users. Again, ignore the test@example.com user in Tenant 2. Just note that test@example.com does not exist for the Default tenant.
I use the .Net Web Quickstart application as my test app.
I set up a Test Base Application for Login application. I now have 3 applications: FusionAuth (Default), ExampleDotNetApp (from the quickstart), and the Test Base Application for Login (this will be the source-of-auth app).
(Note that the ExampleDotNetApp belongs to a different tenant than the Test Base Application for Login application.) I then set up a new OpenID Connect identity provider: "TestBaseApplication".
I set it up using the info from the Test Base Application. Then I enabled it in the ExampleDotNetApp and selected Create Registration.
Now, when I go to log in to the Change Bank Quickstart, I see the Login with Test Base Application button. (The text is cut off in the image because it is too long, but you get the idea.)
When I click that button and log in with the test@example.com user, it allows me in. When I go back to Users, you can see the test@example.com user was added to the ExampleDotNetApp.
Now please be aware that the test@example.com user for the Default tenant is technically different from the test@example.com user for Tenant 1. They will have different User Ids. However, now user test@example.com in Tenant 1 can log into the application in the Default tenant.
From here you should be able to use the APIs to update whatever data you need.
Hope this helps.
-
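The identity provider described in the reply above, expressed as the FusionAuth Identity Provider API request body instead of UI clicks. This is an added example, not code from the thread or from FusionAuth; the URL, tenant issuer, client id/secret and application ids are constructed placeholders, and the `post` callable is injected so the body can be checked without a running server.

```python
from typing import Callable

# Constructed placeholders (assumptions, not values from the thread).
FUSIONAUTH_URL = "http://localhost:9011"
SOURCE_TENANT_ISSUER = "acme.com"  # issuer configured on the source (Default) tenant
SOURCE_APP_CLIENT_ID = "00000000-0000-0000-0000-00000000aaaa"  # Test Base Application for Login
SOURCE_APP_CLIENT_SECRET = "replace-me-source-app-secret"
TARGET_APP_ID = "00000000-0000-0000-0000-00000000bbbb"  # ExampleDotNetApp in Tenant 1


def build_cross_tenant_oidc_idp(name: str = "TestBaseApplication") -> dict:
    """Body for POST /api/identity-provider (type OpenIDConnect).

    The source tenant's application is the OIDC provider. The target application
    enables the provider with createRegistration=True, so the first login creates
    a separate user (different User Id) plus registration in the target tenant.
    """
    return {
        "identityProvider": {
            "type": "OpenIDConnect",
            "name": name,
            "enabled": True,
            # Link by email: the same address becomes a distinct user per tenant,
            # matching the "different User Ids" behaviour seen in the thread.
            "linkingStrategy": "LinkByEmail",
            "oauth2": {
                "authorization_endpoint": f"{FUSIONAUTH_URL}/oauth2/authorize",
                "token_endpoint": f"{FUSIONAUTH_URL}/oauth2/token",
                "userinfo_endpoint": f"{FUSIONAUTH_URL}/oauth2/userinfo",
                # Must equal the source tenant's issuer or id_token validation fails.
                "issuer": SOURCE_TENANT_ISSUER,
                "client_id": SOURCE_APP_CLIENT_ID,
                "client_secret": SOURCE_APP_CLIENT_SECRET,
                "clientAuthenticationMethod": "client_secret_basic",
                "scope": "openid email profile",
            },
            "applicationConfiguration": {
                TARGET_APP_ID: {"enabled": True, "createRegistration": True}
            },
        }
    }


def create_idp(api_key: str, post: Callable[[str, dict, dict], dict]) -> dict:
    """Send the body with a FusionAuth API key. post(url, headers, body) is injected."""
    headers = {"Authorization": api_key, "Content-Type": "application/json"}
    return post(f"{FUSIONAUTH_URL}/api/identity-provider", headers, build_cross_tenant_oidc_idp())
```

The source application also needs `{FUSIONAUTH_URL}/oauth2/callback` in its authorized redirect URLs, since that is where FusionAuth's OIDC identity provider receives the code.
-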
@sandiprghane , For some reason, I have still been thinking about this question. We didn't get too much into the "why" you want this setup and if it works for you...that is great. I just want to throw something else out there for consideration.
While this is a premium feature, you may think about custom scopes for third party applications. FusionAuth has a blog post that describes this.
-
@mark-robustelli, thank you for your time and response. Currently, I am working on a FusionAuth POC to fulfil my requirements. I am doing this through 'Add External JWT.'
My requirement is straightforward: I want to build a multi-tenant SaaS application using FusionAuth, where all organization members are isolated within a particular tenant. I understand that the same user can have different identities in different tenants.
However, I want to authenticate the Admin user in a centralised authentication system before they set up their own tenant and invite users into their tenant.
-
@sandiprghane based on that info, I think the above method will work for you and as I mentioned, maybe check out custom scopes for third party applications if you have a license that supports it.