We're in the evaluation stage of outsourcing our AuthN needs, and I'm looking for advice on a couple of things that weren't entirely clear from the online FusionAuth documentation.
Our SaaS application is multitenant, where many corporate clients are given custom domains client-name.ourapp.co. Internally we use a templating scheme so that we can substitute the client-specific URLs in emails and notifications. Although there is also a general URL that will work for any client, that is not seen by clients with the custom ones.
As I understand FusionAuth, we would expect to use the Tenant concept to model our production, dev, staging, and QA environments, and the Application concept to model our (one) app. I want to minimize the amount of per-client management that has to happen through the FusionAuth UI - zero would be best unless the client has their own IdP so that we need to configure a Connector. My thought was to leave direct knowledge of our clients entirely out of FusionAuth, keep shell objects for the users in our existing database, and use the API through the Java client to synchronize user state and trigger actions.
Does that sound like a reasonable approach overall?
One roadblock I'm seeing, at least based on an impression from the documentation, is that the emails from FusionAuth for a given application are expected to reference fixed URLs. Using the approach of synchronization through the API, is there enough flexibility in what data we store in the FusionAuth User record so that we can parameterize the templates with the client-specific URLs?
Thanks for any input!