Can you move users from one tenant to another?

dan

Is there a way to move a user from one tenant to another? Or do we have to delete and re-import?

dan

Another option that works as of today is to set up a tenant to tenant connector.

Add a connector to the new tenant. Point it at the /api/login endpoint of the old tenant, including an API key as a header.

Change your app to send everyone to a new application in the new tenant.

When the user logs in to the new application, if it is the first time they've been seen, the old tenant data, including password, will be queried. The password hash will be transparently migrated to the new tenant.

This slow migration takes time, but is another option.

dan

No, a user cannot be moved between tenants in the admin user interface. You could do this via the API with a retrieve and a create in a small program, though.

rnsupercool

How do you retrieve the whole user with password and other information? Is there any api available for the same?

Thanks,
Lohith

dan

@rnsupercool

Unfortunately, there's no way to extract the password and the other information via the APIs.

Options I could see working:

• if you have developer edition (or other paid edition), you could set up a connector from FusionAuth to itself (via a generic http connector). This would take time to move the users to a different tenant.
• you can get a database dump of your FusionAuth instance and run a bulk import of the user data, password, and other password settings into another tenant.
• you could move over the users, set a random password and force them to change their password by setting passwordChangeRequired. Not sure that would definitely work; you should test this.

Hope this helps.

dwong

@dan Could a rule be set up such that if an already-provisioned user (e.g. johndoe@abc.com) from tenant A which logs into tenant B can perform a custom backend query that finds that user on tenant A, automatically lazy-import them into B, and finally provide successful login?

I wish to use multitenancy for custom login experience across tenants, but I don't necessarily care that the credentials for that email address are different.

joshua

@dwong

FusionAuth is API first, so this type of flow could be created using our API and custom integration code.

Roughly:

1. On tenant B, a user from tenant A logs in.
2. Do a search for a user
3. If found, do a registration and/or user create using API.
4. The newly created user can now be logged in. As referenced above, you may have some interstitial pages that would be needed for password generation as the user passes from one tenant to another.

Another way to do this would be to reconsider how you are using tenants and applications. Depending on your business requirements, registering a user to a new application rather than a completely separate tenant removes a few steps from a workflow as described.

Reference documentation -> https://fusionauth.io/docs/v1/tech/apis/

Thanks,
Josh

dan

Another option that works as of today is to set up a tenant to tenant connector.

Add a connector to the new tenant. Point it at the /api/login endpoint of the old tenant, including an API key as a header.

Change your app to send everyone to a new application in the new tenant.

When the user logs in to the new application, if it is the first time they've been seen, the old tenant data, including password, will be queried. The password hash will be transparently migrated to the new tenant.

This slow migration takes time, but is another option.