    Tenants

    Overview

    FusionAuth is fundamentally a single tenant solution, so you may be surprised to learn that we support multiple tenants.

    FusionAuth will always be a single tenant solution. This means that your instance of FusionAuth is your own, and even when FusionAuth is hosting it, we do not co-mingle your data with that of other clients. FusionAuth was built as a single tenant solution, and we have no plans to change that anytime soon.

    It is entirely likely that our clients may wish to be multi-tenant themselves, or to offer their services to more than one client. In these scenarios it may be useful to separate Users, Applications and Groups for each of your clients.

    For example, let’s assume you are building a payroll offering using a SaaS model. In this case it is possible that monica@piedpiper.com works for two of your clients, Acme Corp and The Umbrella Company. Because Monica is not aware that Acme Corp and The Umbrella Company both buy their payroll software from the same vendor, it would be surprising for Monica to share the same password and account details between these two companies. In this scenario you would likely want to use a FusionAuth Tenant per client to ensure that monica@piedpiper.com exists once for each instance of your payroll offering.

    See Tenant API Authentication for more details about making API requests in a multi-tenant configuration.

    Admin UI

    This page describes the Admin UI for creating and configuring a Tenant.

    • Create a Tenant

    • General

    • Connectors

    • Email

    • Family

    • Multi-Factor

    • OAuth

    • JWT

    • Password

    • Webhooks

    • SCIM

    • Security

    • Advanced

    Create a Tenant

    To create a new tenant, navigate to Tenants.

    Create a Tenant

    Tenant Configuration

    A majority of your FusionAuth configuration is managed at the Tenant-level. Some of these configuration options act as defaults and can be overridden by the Application.

    General

    Tenant Configuration - General
    Form Fields
    Issuer Required

    The named issuer used to sign tokens. Typically a fully-qualified domain name.

    Login Theme Optional

    The Theme associated with this Tenant; determines which templates to render for interactive work-flows.

    Form Settings
    Admin user form Optional Available since 1.20.0

    The form that will be used in the FusionAuth UI for adding and editing users.

    This feature is only available in paid editions of FusionAuth. Please visit our pricing page to learn more about paid editions.

    Username settings

    Enable Unique usernames to allow multiple users to request the same username. If there are any collisions, FusionAuth will transparently create a unique username by appending a suffix. The user will continue to use the username without the suffix.

    Unique usernames Optional defaults to false Available since 1.27.0

    When true, FusionAuth will handle username collisions.

    This feature is only available in paid editions of FusionAuth. Please visit our pricing page to learn more about paid editions.

    Number of digits Optional defaults to 5 Available since 1.27.0

    The maximum number of digits to use when building a unique suffix for a username. A number will be randomly selected and may be 1 or more digits up to this configured value. The value of this field must be greater than or equal to 3 and less than or equal to 10.

    Separator character Optional defaults to ["#"] Available since 1.27.0

    A single non-alphanumeric ASCII character placed between the requested username and the unique suffix that is added when a duplicate username is detected.

    Connectors

    Connectors can be enabled on a per tenant basis with a Connector policy.

    The Tenant Connector policy configuration tab.

    Full documentation on Connectors and Connector Policies can be found here.

    Add Connector Policy Dialog

    If you click on the Add policy button on this page you will be presented with the following dialog.

    Add Connector Policy

    Form Fields

    Connector Required

    The Connector to be used for this policy.

    Domains Optional defaults to ["*"]

    One or more line separated domains to be used to filter incoming authentication requests. To match all incoming email addresses, a single entry using an asterisk (*) can be used.

    Migrate user Optional

    When selected, migrate the user from the Connector into FusionAuth so that future authentications will use FusionAuth and not the Connector.

    Email

    Once you have configured your email settings, you may test your configuration with the "Send test email" button.

    Tenant Configuration - SMTP settings
    SMTP settings
    Host Optional defaults to localhost

    The hostname of the SMTP server. This will be provided by your SMTP provider.

    Port Optional defaults to 25

    The port of the SMTP server. This will be provided by your SMTP provider. Ports 25, 465 and 587 are the well-known ports used by SMTP, but it is possible your provider will use a different port.

    In most cases you will be using TLS to connect to your SMTP server, and the port will generally be 587 or 465.

    Username Optional

    The username of the outgoing SMTP mail server authentication.

    Change password Optional

    When enabled, you may modify the SMTP password. When the Password field is not displayed, the current password will not be modified.

    Password Required

    The new password to use for the outgoing SMTP mail server authentication. This field is only required when Change password is checked.

    Security Optional defaults to None

    The security type when using an SSL connection to the SMTP server. This value should be provided by your SMTP provider.

    Generally speaking, if using port 25 you will select None, if using port 465 you will select SSL, and if using port 587 you will select TLS. Your provider may differ; follow your provider's instructions.

    • None

    • SSL

    • TLS

    Default from address Optional

    The default email address that emails will be sent from when a from address is not provided on an individual email template. This is the address part of the email address (i.e. jared@piedpiper.com in Jared Dunn <jared@piedpiper.com>).

    Default from name Optional

    The default From Name used in sending emails when a from name is not provided on an individual email template. This is the display name part of the email address (i.e. Jared Dunn in Jared Dunn <jared@piedpiper.com>).

    Additional headers Optional Available since 1.32.0

    One or more line separated SMTP headers to be added to each outgoing email. The header name and value should be separated by an equals sign (i.e. X-SES-CONFIGURATION-SET=Value).

    Tenant Configuration - Email verification settings
    Email verification settings
    Verify email Optional

    When enabled, users will be required to verify their email address.

    Allow implicit verification Optional Defaults to true

    When enabled, a user’s email address may be verified as a side effect of completing another email-based workflow, such as change password.

    Verify email when changed Optional

    When enabled, users will be required to verify their email address upon update.

    Verification template Required

    The email template to use when accounts are created to verify the User’s email address.

    Required when the Verify email toggle is enabled.

    Verification complete template Optional Available since 1.30.0

    The email template to use when notifying a user that their email address has been verified.

    Verification strategy Optional Available since 1.27.0

    The process by which the user will verify their email address. Using the "Form Field" method works only when the Unverified behavior is Gated.

    Unverified behavior Optional Available since 1.27.0

    The way a user is handled during the login process when they do not have a verified email address.

    Allow email change when gated Optional Available since 1.27.0

    When enabled, the user is allowed to change their email address when they are gated because they haven’t verified their email address.

    Delete unverified users Optional

    When enabled, users who have not verified their email address after a configurable duration since being created will be permanently deleted.

    Delete after Required

    The duration since creation that a user must exist before being deleted for having an unverified email address.

    Required when the Delete unverified users toggle is enabled.

    Tenant Configuration - Email template settings
    Template settings
    Email update Optional Available since 1.30.0

    The email template to use when notifying a user that their email address has been updated.

    Note: An Enterprise version of FusionAuth is required to utilize this feature.

    Forgot password Optional

    The email template to use for the forgot password workflow.

    Login Id duplicate on create Optional Available since 1.30.0

    The email template to use when notifying a user that another user has attempted to register an account with the same username or email address as they have. If user Richard has an email richard@piedpiper.com and a new user tries to register with the email address richard@piedpiper.com, then user Richard will be notified.

    Note: An Enterprise version of FusionAuth is required to utilize this feature.

    Login Id duplicate on update Optional Available since 1.30.0

    The email template to use when notifying a user that another user has attempted to change their own email or username to a value in-use by the user.

    Note: An Enterprise version of FusionAuth is required to utilize Login Id duplicate on update.

    Login with new device Optional Available since 1.30.0

    The email template to use when notifying a user that a new device was used to login.

    Note: An Enterprise version of FusionAuth is required to utilize Login with new device.

    Suspicious login Optional Available since 1.30.0

    The email template to use when notifying a user that a login occurred and it was determined to be of interest or suspect due to the location, IP address or other factors.

    Note: An Enterprise version of FusionAuth is required to utilize Suspicious login.

    Password reset success Optional Available since 1.30.0

    The email template to use when notifying a user that their password has been successfully updated using the reset workflow.

    Note: An Enterprise version of FusionAuth is required to utilize Password reset success.

    Password update Optional Available since 1.30.0

    The email template to use when notifying a user that their password has been successfully updated. This is different from Password reset success in that this event occurs outside of the reset workflow.

    Note: An Enterprise version of FusionAuth is required to utilize Password update.

    Passwordless login Optional

    The template to use to send the link for passwordless login requests.

    Setup password Optional

    The email template to use when accounts are created and the user needs to set up their password.

    Two-factor method added Optional Available since 1.30.0

    The email template to use when notifying a user that a new two-factor method has been successfully added.

    Note: An Enterprise version of FusionAuth is required to utilize Two-factor method added.

    Two-factor method removed Optional Available since 1.30.0

    The email template to use when notifying a user that a previously configured two-factor method has been successfully removed.

    Note: An Enterprise version of FusionAuth is required to utilize Two-factor method removed.

    Family

    Tenant Configuration - Family
    Form Fields
    Enabled Optional

    When enabled, you may model parent-child user relationships, and observe parental approval and age validation on user creation.

    Maximum child age Required

    The maximum age a user can be to be considered a child.

    Required when the Enabled toggle is enabled.

    Minimum owner age Required

    The minimum age a user must be to create a family.

    Required when the Enabled toggle is enabled.

    Allow child registrations Required

    When enabled, allow children to register themselves without requiring a parent to create their account for them.

    Family request template Optional

    The email template used when children are not able to register themselves and they are asking their parent to create them an account.

    Confirm child account template Optional

    The email template used when a parent needs to confirm a child account before it is activated as part of their family.

    Parent registration request template Optional

    The email template used when a child is requesting that their parent create an account (because it is not created automatically).

    Parent email required during registration Optional

    When enabled, child users must provide their parent’s email address during the registration process.

    Delete unverified children Optional

    When enabled, child user accounts that have not been verified by a parent after a configured period will be automatically deleted.

    Delete after Required

    The number of days before a child account that has not yet been verified by a parent is automatically deleted.

    Required when the Delete unverified children toggle is enabled.

    Multi-Factor

    This feature is only available in paid editions of FusionAuth. Please visit our pricing page to learn more about paid editions.

    However, the Authenticator/TOTP implementation is not a premium feature.

    Tenant Configuration - MFA authenticator settings
    Authenticator settings
    Enabled Optional

    When enabled, users may use an authenticator application to complete a multi-factor authentication request.

    Tenant Configuration - MFA email settings
    Email settings
    Enabled Optional

    When enabled, users may use an email address to complete a multi-factor authentication request.

    Template Required

    The email template to use when a multi-factor authentication request is sent to the User’s email address.

    Required when the Enabled toggle is enabled.

    Tenant Configuration - MFA SMS settings
    SMS settings
    Enabled Optional

    When enabled, users may use a mobile phone number to complete a multi-factor authentication request.

    Messenger Required

    The Messenger used to deliver the template.

    Required when the Enabled toggle is enabled.

    Template Required

    The SMS template to use when a multi-factor authentication request is sent to the User’s mobile phone number.

    Required when the Enabled toggle is enabled.

    OAuth

    Tenant Configuration - OAuth
    Form Fields
    Session timeout Optional

    The length of time an SSO session can be inactive before it is closed.

    Logout URL Optional

    The URL the user is redirected to upon logout.

    Client credentials populate lambda Optional Available since 1.28.0

    The lambda that will be called to populate the JWT during a client credentials grant.

    JWT

    Tenant Configuration - JWT
    JSON Web Token settings
    JWT duration Required

    The length of time the issued tokens (access token and Id token) are valid. JWTs are typically short lived.

    Access token signing key Optional

    The key used to sign the access token JWT.

    Id token signing key Optional

    The key used to sign the Id token JWT.

    Refresh Token settings
    Refresh token duration Required Defaults to 43,200

    The length of time the refresh token is valid. Refresh tokens are typically long lived.

    Refresh token expiration Optional defaults to Fixed

    The Refresh token expiration may be either a fixed or sliding window. By default the expiration of a refresh token is a fixed length of time from when it was originally issued. With a sliding window expiration, the expiration is calculated from the last time the refresh token was used.

    For instance, if a refresh token is issued at 1:00pm and has a duration of 60 minutes, if the expiration is fixed, the token will expire at 2:00pm. If, instead, the expiration is a sliding window, then if the refresh token is used at 1:55pm, it would then expire at 2:55pm. If it were then used at 2:50pm, it would expire at 3:50 pm.

    Refresh token usage Optional Defaults to Reusable

    The Refresh token usage may be reusable or one time use. By default, a token is reusable and the token does not change after it was issued. With a one time use token, the token value will be changed each time the token is used to refresh a JWT. This means the client must store the new value after each use.

    Refresh token revocation Optional

    The event or events that will cause refresh tokens to be revoked.
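    The fixed versus sliding window arithmetic and the one-time-use rotation described above, as an added example written for this page (not FusionAuth code); `RefreshTokenPolicy`, `RefreshToken` and the mode strings are this example's own names, and `page_example` replays the 1:00pm / 60 minute walk-through from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import secrets

# RefreshTokenPolicy and RefreshToken are illustrative models written for this example;
# they are not FusionAuth classes. The mode strings mirror the Admin UI choices.


@dataclass
class RefreshTokenPolicy:
    duration_minutes: int = 43200   # "Refresh token duration"; the page default of 43,200 is 30 days
    expiration: str = "Fixed"       # "Refresh token expiration": "Fixed" or "SlidingWindow"
    usage: str = "Reusable"         # "Refresh token usage": "Reusable" or "OneTimeUse"


@dataclass
class RefreshToken:
    value: str
    issued_at: datetime
    last_used_at: Optional[datetime] = None


def expires_at(token: RefreshToken, policy: RefreshTokenPolicy) -> datetime:
    """Return the instant the token expires under the tenant's expiration setting."""
    window = timedelta(minutes=policy.duration_minutes)
    if policy.expiration == "SlidingWindow":
        # Sliding window: the clock restarts at the most recent use (or issuance if never used).
        anchor = token.last_used_at or token.issued_at
    else:
        # Fixed: the expiration never moves from the original issuance time.
        anchor = token.issued_at
    return anchor + window


def use_refresh_token(token: RefreshToken, policy: RefreshTokenPolicy,
                      now: datetime) -> RefreshToken:
    """Redeem the token at `now`. Raises ValueError if it has expired; otherwise returns
    the token the client must store from now on (a new value under one-time use)."""
    if now >= expires_at(token, policy):
        raise ValueError("refresh token expired")
    if policy.usage == "OneTimeUse":
        # The token value rotates on every use; the old value is no longer valid.
        value = secrets.token_urlsafe(32)
    else:
        value = token.value
    return RefreshToken(value=value, issued_at=token.issued_at, last_used_at=now)


def page_example(expiration: str) -> List[str]:
    """Replay the page's walk-through: issued at 1:00pm with a 60 minute duration, then used
    at 1:55pm and 2:50pm. Returns the expiration time after each step, or "expired" if a use
    is rejected. The date is a constructed sample; only the clock times matter."""
    policy = RefreshTokenPolicy(duration_minutes=60, expiration=expiration)
    token = RefreshToken(value="constructed-initial-value", issued_at=datetime(2024, 1, 1, 13, 0))
    timeline = [expires_at(token, policy).strftime("%H:%M")]
    for used_at in (datetime(2024, 1, 1, 13, 55), datetime(2024, 1, 1, 14, 50)):
        try:
            token = use_refresh_token(token, policy, used_at)
            timeline.append(expires_at(token, policy).strftime("%H:%M"))
        except ValueError:
            timeline.append("expired")
    return timeline


def value_changes_on_use(usage: str) -> bool:
    """True when the client must store a new token value after a refresh (one-time use)."""
    policy = RefreshTokenPolicy(duration_minutes=60, usage=usage)
    token = RefreshToken(value="constructed-initial-value", issued_at=datetime(2024, 1, 1, 13, 0))
    return use_refresh_token(token, policy, datetime(2024, 1, 1, 13, 30)).value != token.value


if __name__ == "__main__":
    print("Fixed:        ", page_example("Fixed"))          # ['14:00', '14:00', 'expired']
    print("SlidingWindow:", page_example("SlidingWindow"))  # ['14:00', '14:55', '15:50']
```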

    Password

    Tenant Configuration - Password
    Failed authentication settings
    User action Optional

    The user action must be 'time-based' and must have 'prevent login' enabled. This action is applied after multiple failed login attempts.

    Failed attempts Required

    The number of failed attempts allowed during the specified time period before the selected action is applied.

    Time period Required

    The window of time, in seconds, during which failed authentication attempts are counted. If no further failed attempts occur, the failure count will be reset after this time period, measured from the time of the last failed login.

    Action duration Required

    The length of time the selected action is applied to the user before the action expires, at which point the user will be allowed to attempt to log in again.

    Time unit Optional

    The time unit the Action duration is measured in.
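    How the four failed authentication settings above interact, as an added example written for this page rather than FusionAuth's own implementation; `FailedAuthPolicy`, `FailedLoginTracker` and the epoch-second timestamps are constructed for the example, and it reads "Failed attempts" as the count at which the action fires.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example, not FusionAuth's implementation. Times are integer epoch seconds.
# Assumed reading of the settings: the action fires on the failure that brings the count
# inside the window up to "Failed attempts". Change `>=` to `>` if your policy means
# "this many are allowed before the action".

UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}


@dataclass
class FailedAuthPolicy:
    failed_attempts: int          # "Failed attempts"
    time_period: int              # "Time period", in seconds
    action_duration: int          # "Action duration"
    time_unit: str = "minutes"    # "Time unit" of action_duration


@dataclass
class _UserState:
    count: int = 0
    last_failure: Optional[int] = None
    locked_until: Optional[int] = None


class FailedLoginTracker:
    """Counts failed logins per user inside a sliding window and applies a prevent-login action."""

    def __init__(self, policy: FailedAuthPolicy) -> None:
        self.policy = policy
        self._state: Dict[str, _UserState] = {}

    def is_locked(self, user: str, now: int) -> bool:
        """True while the time-based action is still applied to the user."""
        st = self._state.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_failure(self, user: str, now: int) -> bool:
        """Record a failed login at `now`. Returns True if this failure triggered the action."""
        st = self._state.setdefault(user, _UserState())
        # The count resets once the time period elapses with no further failures,
        # measured from the most recent failure (checked lazily on the next failure).
        if st.last_failure is not None and now - st.last_failure > self.policy.time_period:
            st.count = 0
        st.count += 1
        st.last_failure = now
        if st.count >= self.policy.failed_attempts:
            seconds = self.policy.action_duration * UNIT_SECONDS[self.policy.time_unit]
            st.locked_until = now + seconds
            st.count = 0   # start a fresh window once the action has been applied
            return True
        return False


def scenario(failure_times, failed_attempts=3, time_period=60, action_minutes=5):
    """Feed a list of failure timestamps (seconds) for one user and return the timestamp at
    which the action first fired, or None if it never did."""
    policy = FailedAuthPolicy(failed_attempts, time_period, action_minutes, "minutes")
    tracker = FailedLoginTracker(policy)
    fired_at = None
    for t in failure_times:
        if tracker.record_failure("monica@piedpiper.com", t) and fired_at is None:
            fired_at = t
    return fired_at


if __name__ == "__main__":
    # Three failures inside 60 s trigger the action; a 70 s gap resets the count first.
    print(scenario([0, 30, 55]))    # 55
    print(scenario([0, 30, 100]))   # None
```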

    Tenant Configuration - Password
    Breach detection settings
    Enabled Optional

    When enabled, users' login Id and password will be checked against public breached password databases on user creation, password change, and (optionally) on login. Purchase of a FusionAuth Edition is required to enable this feature.

    Match mode Optional

    The login Id and password match constraints to qualify as a breach match.

    On login Optional

    The action to perform during login for breach detection. Performing breach detection during login may increase the time it takes to complete authentication.

    Tenant Configuration - Password
    Password settings
    Minimum length Required

    The minimum length a password may be to qualify as a valid password.

    Maximum length Required

    The maximum length a password may be to qualify as a valid password.

    Uppercase & lowercase Optional

    When enabled, force the user to use at least one uppercase and one lowercase character.

    Special character Optional

    When enabled, force the user to use at least one non-alphanumeric character.

    Number Optional

    When enabled, force the user to use at least one number.

    Minimum age (toggle) Optional

    When enabled, users must wait a configurable duration before changing their password after the previous change.

    Minimum age (value) Required

    The minimum age (in seconds) users must wait before changing their password after the previous change.

    Required when the Minimum age toggle is enabled.

    Expiration (toggle) Optional

    When enabled, user passwords will expire after a configurable duration, at which point the user will be forced to change their password on login.

    Expiration (value) Required

    The duration (in days) after which a password expires, measured from the previous change.

    Required when the Expiration toggle is enabled.

    Reject previous passwords Optional

    When enabled, prevent users from using a configurable number of their previous passwords.

    Number of passwords Required

    The number of previous passwords to retain in order to prevent password reuse.

    Required when the Reject previous passwords toggle is enabled.

    Re-validate on login Optional

    When enabled, the user’s password will be validated during login. If the password does not meet the currently configured validation rules, the user will be required to change their password.

    Tenant Configuration - Password
    Cryptographic hash settings
    Scheme Optional

    The password hashing scheme used when creating new users and when changing a password.

    Factor Required

    A non-zero number that provides an iteration count to the hashing scheme. A higher number makes the password hash more expensive to attack offline but takes more CPU time during login. Be careful: a high factor may cause logins to become very slow.

    Re-hash on login Optional

    When enabled, the user’s password hash will be re-hashed with the configured scheme and factor during the next login if it does not already match them.

    Webhooks

    Tenant Configuration - Webhooks
    Table Columns
    Event

    The event type. This value will be present in the JSON request to identify the message.

    Enabled

    When enabled, this event can be sent by one or more webhooks. You will also need to enable the event for a specific webhook in order for it to receive the event.

    This toggle allows you to optionally disable an event for all webhooks all at once.

    Transaction setting

    The transaction setting for this event. This setting will apply to all webhooks consuming this event type.

    No Webhooks are required to succeed

    The event will succeed regardless of the webhook response status code. Use this setting when it is not important for a webhook to succeed or provide confirmation that the event has been received and processed successfully.

    Any single Webhook must succeed

    The event will succeed as long as one or more of the webhooks respond with a status code between 200 and 299 (inclusive).

    A simple majority of Webhooks must succeed

    The event will succeed if at least half of the webhooks respond with a status code between 200 and 299 (inclusive). This means 50% or more of the webhooks must respond successfully.

    A two-thirds majority of Webhooks must succeed

    The event will succeed if a supermajority of the webhooks respond with a status code between 200 and 299 (inclusive). A supermajority is two-thirds (66.7%) or more of the configured webhooks.

    All of the Webhooks must succeed

    The event will succeed if every configured webhook responds with a status code between 200 and 299 (inclusive). Use this setting when it is critical for every configured webhook to receive and process the event before considering it complete.
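    The five transaction settings above reduced to a decision function, as an added example written for this page (not FusionAuth code); the setting labels are this example's own shorthand for the Admin UI choices, and the majority rules use integer arithmetic so that 2 of 3 counts as two-thirds exactly.

```python
from typing import Dict, Iterable, List

# The setting names are this example's own labels for the five Admin UI choices, in the
# order the page lists them. A webhook "succeeds" when its HTTP status is 200-299 inclusive.
TRANSACTION_SETTINGS = ("None", "Any", "SimpleMajority", "SuperMajority", "All")


def is_success(status_code: int) -> bool:
    return 200 <= status_code <= 299


def event_succeeds(setting: str, status_codes: Iterable[int]) -> bool:
    """Decide whether an event transaction commits given each webhook's response status.

    Integer comparisons avoid floating-point rounding of the 50% and 66.7% thresholds.
    With zero configured webhooks the page defines no behaviour; the arithmetic below then
    treats "Any" as failing and the other settings as passing, which is an assumption.
    """
    codes: List[int] = list(status_codes)
    total = len(codes)
    ok = sum(1 for c in codes if is_success(c))
    if setting == "None":
        return True                    # No webhooks are required to succeed
    if setting == "Any":
        return ok >= 1                 # Any single webhook must succeed
    if setting == "SimpleMajority":
        return ok * 2 >= total         # At least half (50% or more)
    if setting == "SuperMajority":
        return ok * 3 >= total * 2     # Two-thirds (66.7%) or more
    if setting == "All":
        return ok == total             # Every configured webhook must succeed
    raise ValueError(f"unknown transaction setting: {setting}")


def outcomes(status_codes: Iterable[int]) -> Dict[str, bool]:
    """Evaluate one set of webhook responses under every setting, for side-by-side comparison."""
    codes = list(status_codes)
    return {setting: event_succeeds(setting, codes) for setting in TRANSACTION_SETTINGS}


if __name__ == "__main__":
    # Constructed sample: four webhooks, two of which answered 2xx.
    for setting, result in outcomes([200, 204, 500, 404]).items():
        print(f"{setting:15s} {'commit' if result else 'fail'}")
```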

    SCIM

    This feature is only available in the Enterprise edition of FusionAuth. Please visit our pricing page to learn more about paid editions.

    Tenant Configuration - SCIM

    Read more about setting up and using SCIM in the full SCIM documentation.

    The SCIM server configuration to enable incoming SCIM client provisioning requests.

    SCIM server settings
    Enabled Optional Defaults to false

    When enabled, FusionAuth will act as a SCIM server and the SCIM API endpoints will be functional.

    Client entity type Required

    The Entity Type defined for the SCIM client. If there are no Entity Types available in the list then navigate to Entity > Types and create a new one using the template button for SCIM client.

    Server entity type Required

    The Entity Type defined for the SCIM server. If there are no Entity Types available in the list then navigate to Entity > Types and create a new one using the template button for SCIM server.

    User request lambda Required

    The lambda that will be invoked on every incoming request to the SCIM User API endpoints. This maps the incoming SCIM User JSON to the User object.

    User response lambda Required

    The lambda that will be invoked on every outgoing response from the SCIM User API endpoints. This maps the outgoing User object to the JSON for a SCIM User.

    Enterprise User request lambda Required

    The lambda that will be invoked on every incoming request to the SCIM Enterprise User API endpoints. This maps the incoming SCIM Enterprise User JSON to the User object.

    Enterprise User response lambda Required

    The lambda that will be invoked on every outgoing response from the SCIM Enterprise User API endpoints. This maps the outgoing User object to the JSON for a SCIM Enterprise User.

    Group request lambda Required

    The lambda that will be invoked on every incoming request to the SCIM Group API endpoints. This maps the incoming SCIM Group JSON to the Group object.

    Group response lambda Required

    The lambda that will be invoked on every outgoing response from the SCIM Group API endpoints. This maps the outgoing Group object to the JSON for a SCIM Group.
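    The request converter lambdas are the only place incoming SCIM attributes are translated into FusionAuth objects, so they are also the place to decide which attributes an external provisioner is allowed to set. The following is an added example, not code from the FusionAuth documentation or product: a SCIM User request converter written in the shape of a FusionAuth lambda. It assumes the lambda is invoked as convert(user, scimUser), with user being the FusionAuth User to populate and scimUser the parsed SCIM request body (check the lambda reference for your FusionAuth version). The extension URN and the costCenter attribute are hypothetical, and the sample request at the bottom is constructed for the demonstration.

```javascript
// Added example (not FusionAuth's code): a SCIM User request converter lambda.
// Assumed signature convert(user, scimUser): `user` is the FusionAuth User being
// created or updated, `scimUser` is the parsed SCIM request body. Verify the
// signature against the lambda reference for your FusionAuth version.
// Written in ES5 style so it also runs on the older Nashorn-based lambda engine.

// Pick the address to store as the FusionAuth email: the entry flagged
// primary, otherwise the first entry that carries a plausible value.
function primaryEmail(emails) {
  if (!Array.isArray(emails)) {
    return null;
  }
  var first = null;
  for (var i = 0; i < emails.length; i++) {
    var e = emails[i];
    if (!e || typeof e.value !== 'string' || e.value.indexOf('@') < 1) {
      continue; // skip malformed entries rather than storing them
    }
    var value = e.value.trim().toLowerCase();
    if (e.primary === true) {
      return value;
    }
    if (first === null) {
      first = value;
    }
  }
  return first;
}

function convert(user, scimUser) {
  // Copy only an explicit allowlist. The SCIM client is an external
  // provisioner, so attributes it is not meant to control (user.data as a
  // whole, registrations, roles) are deliberately never read from scimUser.
  if (typeof scimUser.userName === 'string' && scimUser.userName.trim() !== '') {
    user.username = scimUser.userName.trim();
  }

  var email = primaryEmail(scimUser.emails);
  if (email !== null) {
    user.email = email;
  }

  if (scimUser.name) {
    if (typeof scimUser.name.givenName === 'string') {
      user.firstName = scimUser.name.givenName;
    }
    if (typeof scimUser.name.familyName === 'string') {
      user.lastName = scimUser.name.familyName;
    }
  }

  // `active: false` is how a SCIM client deprovisions a user. Honour it only
  // when it is an actual boolean so a string "false" cannot leave the account enabled.
  if (typeof scimUser.active === 'boolean') {
    user.active = scimUser.active;
  }

  // One expected custom attribute copied under a fixed key in user.data,
  // instead of merging the whole payload. The URN and key are hypothetical.
  var ext = scimUser['urn:example:params:scim:schemas:extension:hr:2.0:User'];
  if (ext && typeof ext.costCenter === 'string') {
    user.data = user.data || {};
    user.data.costCenter = ext.costCenter;
  }
}

// Constructed sample of an incoming SCIM User request (not a real capture).
var SAMPLE_SCIM_USER = {
  schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'],
  userName: 'richard@piedpiper.com ',
  name: { givenName: 'Richard', familyName: 'Hendricks' },
  emails: [
    { value: 'rh-old@Example.com', type: 'home' },
    { value: 'Richard@piedpiper.com', type: 'work', primary: true }
  ],
  active: false,
  'urn:example:params:scim:schemas:extension:hr:2.0:User': { costCenter: 'ENG-42' },
  roles: ['admin'] // present in the request but intentionally ignored by convert()
};

// Apply the converter to an empty FusionAuth user and return the result.
function convertSample() {
  var user = {};
  convert(user, SAMPLE_SCIM_USER);
  return user;
}
```

    The response converters are the mirror image: they should emit only the attributes the SCIM client needs and nothing from user.data that was never meant to leave FusionAuth.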

    Schemas Optional

    The JSON response sent from the Schemas endpoint. This can be customized however you like, but by default the response body will contain the JSON for the core SCIM schemas for SCIM Group, SCIM User, and SCIM EnterpriseUser.

    Security

    Tenant Configuration - Security: ACL and Captcha
    Login API settings
    Require an API key Optional Defaults to true

    Whether calls to the Login API must present an API key when the request does not include an applicationId.

    When an applicationId is provided, the corresponding application's Login API configuration takes precedence. Leave this enabled in almost all cases: with it disabled, any client that can reach FusionAuth can call the Login API for this tenant without an API key.

    Access control lists settings

    This feature is only available in the Enterprise edition of FusionAuth. Please visit our pricing page to learn more about paid editions.

    Access control list Optional

    The IP access control list that will be used to restrict or allow access to hosted login pages in FusionAuth. For example, it may be configured to only allow specific IP addresses to access authentication pages (login, forgot password, etc) for all applications on that tenant.

    When Access control list is configured on an application within the tenant, the application value will override the tenant value for that application.

    Captcha settings

    This feature is only available in the Enterprise edition of FusionAuth. Please visit our pricing page to learn more about paid editions.

    Captcha is supported on multiple theme templates, when enabled. You can further control display on a template by template basis with the specific theme template variables.

    Enabled Optional Defaults to false

    When enabled, Captcha is used to help increase security of a form submission on the FusionAuth themed pages.

    Method Optional Defaults to GoogleRecaptchaV3

    The type of Captcha to use. FusionAuth supports Google reCAPTCHA v2, Google reCAPTCHA v3, hCaptcha, and hCaptcha Enterprise.

    Required when enabled is set to true.

    Secret key Required

    The secret key for this Captcha service.

    Required when enabled is set to true.

    Site key Required

    The site key for this Captcha service.

    Required when enabled is set to true.

    Threat score threshold Optional

    The score threshold for this Captcha service, if the service produces one. reCAPTCHA v3 and hCaptcha Enterprise return a score with each verification; reCAPTCHA v2 and non-Enterprise hCaptcha do not, and for those methods the value is ignored. Note that the two scoring services read in opposite directions (reCAPTCHA v3 scores how likely the interaction is human, hCaptcha Enterprise scores risk), so check the provider's documentation before choosing a threshold.

    Tenant Configuration - Security: Blocked domains and rate limiting
    Blocked domain settings

    This feature is only available in the Enterprise edition of FusionAuth. Please visit our pricing page to learn more about paid editions.

    Blocked domains Optional

    One or more newline separated email domains for which self service registration will be prohibited. For example, enter your company email domain (piedpiper.com) to prevent employees from using the self-service registration form, or to prevent end users from creating an account with a company email address.

    This configuration is applied to all registration API requests and self-service registration pages for all applications in this tenant.

    Rate limit settings

    This feature is only available in the Enterprise edition of FusionAuth. Please visit our pricing page to learn more about paid editions.

    The Rate limit settings allow you to set a number of times an action can be attempted within a specific time frame. When the limit is exceeded, that action is unavailable until the configured time frame elapses without a failed attempt. The settings are evaluated and enforced per user.

    Action

    The action to be rate limited.

    Note: For the Failed login action, rate limiting can be used in combination with Failed authentication settings. When enabled, and rate limiting conditions have been exceeded, login requests will be denied and bypass the login flow until conditions are no longer exceeded. Failed attempts will only be incremented when requests are not being rate limited.

    Enabled

    When enabled, the corresponding action will be rate limited when the limit value has been exceeded within the specified time period.

    Limit

    The number of allowed attempts within the time period before an action will be rate limited. When an action is rate limited, it will not succeed.

    Time period

    The window of time that the limit is evaluated against when determining if an action should be rate limited.
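    To make the interaction between Limit, Time period and the Failed login note concrete, here is a small model of the per-user behaviour described above. It is an added example and not FusionAuth's implementation; it assumes that every attempt, allowed or denied, is recorded in the window (so the action stays limited until a full time period passes with no attempts) and that the failed authentication counter advances only for attempts that were actually processed. The scenario at the bottom, with a limit of 3 per 60 seconds, is constructed.

```javascript
// Added example (not FusionAuth's code): a model of per-user rate limiting
// for the Failed login action and how it interacts with the failed
// authentication counter. Semantics are assumptions stated in the lead-in.

function RateLimiter(limit, periodSeconds) {
  this.limit = limit;                  // allowed attempts per period
  this.periodMs = periodSeconds * 1000;
  this.attempts = {};                  // userId -> [attempt timestamps in ms]
  this.failedAuth = {};                // userId -> processed failed logins
}

// Drop attempts that fall outside the sliding window ending at `now`.
RateLimiter.prototype.prune = function (userId, now) {
  var list = this.attempts[userId] || [];
  var cutoff = now - this.periodMs;
  var kept = [];
  for (var i = 0; i < list.length; i++) {
    if (list[i] > cutoff) {
      kept.push(list[i]);
    }
  }
  this.attempts[userId] = kept;
  return kept;
};

// Record a failed-login attempt for userId at time `now` (ms).
// Returns 'rate_limited' when the request is denied before reaching the
// login flow, otherwise 'failed' (the attempt was processed and counted).
RateLimiter.prototype.failedLogin = function (userId, now) {
  var recent = this.prune(userId, now);
  recent.push(now); // denied attempts still extend the window
  if (recent.length > this.limit) {
    return 'rate_limited';
  }
  this.failedAuth[userId] = (this.failedAuth[userId] || 0) + 1;
  return 'failed';
};

RateLimiter.prototype.failedCount = function (userId) {
  return this.failedAuth[userId] || 0;
};

// Constructed scenario: limit 3 per 60 s. An attacker hammers one account
// every 2 s, retries 50 s later while still inside the window, then comes
// back after a full period with no attempts.
function simulate() {
  var rl = new RateLimiter(3, 60);
  var results = [];
  var t0 = 1000000;
  for (var i = 0; i < 5; i++) {
    results.push(rl.failedLogin('alice', t0 + i * 2000)); // t0, +2s, +4s, +6s, +8s
  }
  results.push(rl.failedLogin('alice', t0 + 8000 + 50000));         // window still full
  results.push(rl.failedLogin('alice', t0 + 8000 + 50000 + 61000)); // window has emptied
  return { results: results, failedCount: rl.failedCount('alice') };
}
```

    In the scenario the fourth, fifth and sixth attempts are denied without touching the login flow, so only four failed logins are ever counted against the account's Failed authentication settings, even though seven were sent.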

    Advanced

    Tenant Configuration - External Identifier Durations
    External identifier durations Form Fields
    Authorization Code Required

    The number of seconds before the OAuth2 Authorization Code is no longer valid to be used to complete a Token request.

    Change Password Required

    The number of seconds before the Change Password identifier is no longer valid to complete the Change Password request.

    Device Grant Codes Required

    The number of seconds before the device_code and user_code are no longer valid to be used to complete the Device Code grant.

    Email Verification Required

    The number of seconds before the Email Verification identifier is no longer valid to complete the Email Verification request.

    External Authentication Required

    The number of seconds before the External Authentication identifier is no longer valid to complete the Authentication request.

    One Time Password Required

    The number of seconds before the One Time Password identifier is no longer valid to complete a Login request.

    Passwordless Login Required

    The number of seconds before the Passwordless Login identifier is no longer valid to complete a Login request.

    Pending account link Required

    The number of seconds before the Pending account link is no longer valid to complete an account link request.

    Registration Verification Required

    The number of seconds before the Registration Verification identifier is no longer valid to complete the Registration Verification request.

    SAMLv2 AuthN request Required

    The number of seconds before the SAMLv2 AuthN request is no longer valid to complete the SAMLv2 login request.

    Setup Password Required

    The number of seconds before the Setup Password identifier is no longer valid to complete the Change Password request.

    Two Factor Login Required

    The number of seconds before the Two Factor identifier is no longer valid to complete a Two Factor login request.

    Two Factor one-time code Required

    The number of seconds before the Two Factor one-time code used to enable or disable a two-factor method is no longer valid.

    Two Factor Trust Required

    The number of seconds before the Two Factor Trust is no longer valid and the user will be prompted for Two Factor during login.

    Tenant Configuration - External Identifier Generation
    External identifier generation Form Fields
    Change Password Required

    The length and type of characters of the generated code used in the Change Password flow.

    Email Verification Required

    The length and type of characters of the generated code used in the Email Verification flow.

    Email Verification one-time code Required

    The length and type of characters of the generated code used for Email Verification one-time codes.

    The one-time code for email verification is only used with email verification gating and when using a form field configuration instead of the clickable link.

    Passwordless Login Required

    The length and type of characters of the generated code used in the Passwordless Login flow.

    Registration Verification Required

    The length and type of characters of the generated code used in the Registration Verification flow.

    Registration Verification one-time code Required

    The length and type of characters of the generated code used for Registration Verification one-time codes.

    The one-time code for registration verification is only used with registration verification gating and when using a form field configuration instead of the clickable link.

    Setup Password Required

    The length and type of characters of the generated code used in the Setup Password flow.

    Device grant user code Required

    The length and type of characters of the generated user code used in the Device Authorization Grant flow.

    Two-Factor one-time code Required

    The length and type of characters of the generated code used for Two-Factor one-time codes.

    SMTP Settings Form Fields
    Additional properties Optional

    The custom SMTP configuration properties that may be necessary in some cases.

    © 2022 FusionAuth