Multi User Accounts



  • We'd like to use fusionauth for our saas platform with a structure with companies and users where the users are attached to one company. We would like to have one application under app.---.com where every user is able to login and see their company and user details and also manage their user rights (admin access or access to different products/applications displayed on that website).

    Then we would like to have another application under app2.---.com which would be company based (tenants?) but users should not be allowed in multiple companies. Also this should be the same users which are logged in to the app.---.com application.

    As far as I understood, this would not fit the tenant-based solution of fusionauth, right?

    Is there a suggested approach on how to handle multi-user accounts in a single application?



  • Hiya,

    I'm not sure I totally understand what you are trying to accomplish.

    Is this the scenario you are trying to accomplish?

    UserA and UserB can both log into to app.example.com and manage their profiles. UserA manages CompanyA's details (like the logo and the color scheme) and UserB manages CompanyB's details.

    UserA can also log into app2.example.com and access functionality, like a todo app. The todo app will have the color and logo configured by the app.example.com application. UserB can log in to app2.example.com and also see their own colors and logo.

    Is this what you are trying to accomplish?

    Also, are you looking to use the fusionauth login pages, or are you planning to write your own against the login api: https://fusionauth.io/docs/v1/tech/apis/login ?



  • Hey 🙂

    yes that sounds like our use-case, but the users should also be able to use some sub-applications on app.example.com. Therefore there should also be access rights for users on app.example.com.
    The app.example.com site is our main saas platform where users can use paid and free services. The same users should be able to log into app2.example.com which is a tenant based service. app2.example.com is a service which is also managed via app.example.com (also the access rights to specific features inside app2.example.com).
    Also there is a third application called admin.example.com where our internal admins should be able to log into and see stuff happening in our database. Ideally those admin users should also be managed in fusionauth.

    We would like to just use the fusionauth login pages, but it would be alright for us to write our own since I guess we will have to have some kind of two-step login page to have company-based password policies?



  • Hiya,

    Tenants provide separation of:

    • users (so same email address can have a different password in two tenants)
    • themes (look and feel of the login pages, which is moot if you are writing your own)
    • settings (password rules, email templates, etc)
    • API keys

    From what I can see of your requirements, I think you might be able to get by with different applications. I'm not sure tenants are needed based on the requirements I've seen (though I haven't seen all of the requirements, I'm sure). You'd just need to manage the different (fusionauth) applications and roles, checking in your application logic.

    It might be worth separating the idea of separate tenants in your SaaS application from tenants in FusionAuth. (This might be worth reading too: https://fusionauth.io/blog/2020/06/30/private-labeling-with-multi-tenant )

    So you could have the following fusionauth applications (all in the default FusionAuth tenant):

    • Main SaaS application (grant UserA, UserB and AdminUser access)
    • Admin application (grant AdminUser access)
    • Application for UserA's company (grant UserA access, but not UserB)
    • Application for UserB's company (grant UserB access)

    If you take this approach, you'll want to know there's a difference between being authenticated and authorized for a given application. More here: https://fusionauth.io/community/forum/topic/5/can-you-limit-a-user-s-login-authentication-access-to-applications-within-a-single-tenant

    but it would be alright for us to write our own since I guess we will have to have some kind of two-step login page to have company-based password policies?

    I don't know what you mean by this :).
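
    Added example (not code from this thread or from FusionAuth itself) of the "checking in your application logic" the answer above describes: once a user has authenticated, app2.example.com still has to confirm that the token it received was issued for the company application it is serving and carries the role the endpoint needs, which is the authenticated-versus-authorized distinction linked above. The token layout follows the claims FusionAuth places in its access tokens (`applicationId`, `roles`, `iss`, `exp`), but the signing key, issuer URL and application ids are constructed placeholders, and HS256 verification is written by hand so the example runs offline without a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values: hypothetical key, issuer and application ids, not real FusionAuth ones.
SIGNING_KEY = b"example-hs256-key-for-illustration-only"
ISSUER = "https://auth.example.com"
MAIN_APP_ID = "11111111-1111-1111-1111-111111111111"       # "Main SaaS application"
COMPANY_A_APP_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # "Application for UserA's company"
COMPANY_B_APP_ID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"  # "Application for UserB's company"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Mint an HS256 JWT with the given claims (stands in for the token the identity server issues)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if algorithm, signature, issuer and expiry all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64 or bad JSON
        return None
    # Pin the algorithm: the token must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if claims.get("iss") != ISSUER or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def authorize(token: str, app_id: str, required_role: str, now: Optional[float] = None) -> bool:
    """Authenticated is not authorized: the token must be valid, issued for THIS application,
    and carry the role this endpoint requires."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    if claims.get("applicationId") != app_id:
        return False  # valid user, but logged in to a different FusionAuth application
    return required_role in claims.get("roles", [])


def demo_tokens(now: float) -> dict:
    """Constructed tokens for the users described in the thread."""
    base = {"iss": ISSUER, "exp": now + 3600}
    return {
        "user_a_company_a": sign_token({**base, "sub": "user-a", "applicationId": COMPANY_A_APP_ID, "roles": ["member"]}),
        "user_b_company_b": sign_token({**base, "sub": "user-b", "applicationId": COMPANY_B_APP_ID, "roles": ["member", "company-admin"]}),
        "admin_main_app": sign_token({**base, "sub": "admin", "applicationId": MAIN_APP_ID, "roles": ["admin"]}),
    }


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tokens = demo_tokens(t0)
    print(authorize(tokens["user_a_company_a"], COMPANY_A_APP_ID, "member", t0))        # True
    print(authorize(tokens["user_a_company_a"], COMPANY_B_APP_ID, "member", t0))        # False: wrong application
    print(authorize(tokens["user_b_company_b"], COMPANY_B_APP_ID, "company-admin", t0)) # True
    print(authorize(tokens["admin_main_app"], COMPANY_A_APP_ID, "admin", t0))           # False: admin of the main app only
```

    The `applicationId` check is what keeps UserA's perfectly valid session out of UserB's company application; the role check then gates individual features inside it. In a real deployment the key and issuer would come from the FusionAuth configuration (or its JWKS endpoint for RS256 keys) rather than constants.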



  • Hey,

    thanks for your thoughts on this.

    but it would be alright for us to write our own since I guess we will have to have some kind of two-step login page to have company-based password policies?

    I don't know what you mean by this :).

    What I mean by that is that if a user wants to log into app.example.com and the company has a password policy or OAuth provider which basic app.example.com users don't have (for example SAML), they in some way have to see a different login form than the other users. I'd imagine something like a two-step login form where, in the first step, you enter your email address and, based on that, there may be a second step where you get options to log into app.example.com with the providers and policies you are allowed to use based on the app2.example.com preferences.



  • Ah, you may want to review https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#overview and https://fusionauth.io/docs/v1/tech/identity-providers/samlv2/ (and the similar pages for the OIDC and JWT identity providers). We support domain-based identity providers for SAML, JWT and OIDC.
