Configure a Tenant

Every user belongs to a single organization, but a human being can be associated with multiple tenants by having a user account in each tenant. Those user accounts may have exactly the same credentials (for example the same username and password). To be able to add users, there must exist an organization to add them to. There is one built-in organization for private individuals, but for every customer, supplier and partner that you want to give access you must create a tenant.

Considerations for Creating Tenants and Organizations

These are the possibilities and limitations that you should have in mind when deciding how you should add an organization to Authway:

  • A user can belong to more than one tenant, i.e. the same username (and other credentials) can be used in multiple tenants. If the user signs in with exactly the same credentials, Authway will ask the user which tenant he/she wants to sign in to. The user can only be signed in to one tenant at a time.
  • A user can only belong to one organization in the organization tree.
  • Modules can only be activated/deactivated for a tenant and not for any subsidiaries (and the same rule applies to functionalities that require tenant permission). If you want different parts of the organization to have access to different modules, this indicates that you should configure them as different owners. To some extent this can also be handled by creating different groups for different parts of the organization that are only assigned rights to the modules they are supposed to use, but if a strict separation is required, where groups cannot be configured incorrectly, different tenants must be set up.
  • Trusted domains are required to be unique per tenant, which affects the possibility to configure auto-provisioning.
  • It is possible to configure exactly the same external identity provider on multiple tenants, but in many cases the need to do this is an indication that the organization should perhaps be a single tenant.
  • An application (client) will always get the tid (tenant id) claim for a user, but it is also possible to get more organization information, such as the id of the organization the user belongs to.

Create a Tenant

You create new tenants under the Configure -> Tenant menu; the only required information is the name of the organization. The name must be unique across all tenants. You can optionally add an organization identity, and after creating the tenant you can add subsidiaries to it.

Manage a Tenant

When the organizational structure of a tenant is defined there are mainly two things you want to manage:

  • Modules: activate modules that users of the tenant should be allowed to access (authorization).
  • Settings: make custom settings for authentication of users belonging to the tenant. This is done by editing, disabling or adding identity providers for the tenant.

To be able to make any changes to the identity providers for a tenant, you must first assign a unique URL name for the organization. This can often be a shorter version of the name; for example we use “priv” for the tenant “Private individuals”. The reason this setting is required is that it becomes part of the URLs when customizing identity providers.

Configuring Identity Providers

All identity providers configured for the service are visible in a list under settings. For each of the listed identity providers you can enable/disable its usage for this specific tenant. Depending on the specific identity provider, more customization can be done.

A common configuration is to restrict the Microsoft identity provider to only allow users from the organization’s Azure AD tenant. To do this, select the Microsoft identity provider and click Edit. Paste the tenant id from Azure AD and optionally change the name, probably to something like the organization name (it is important that users understand that they can use their existing Azure AD identity).
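The restriction above is what makes the difference between "any Azure AD account" and "accounts from our Azure AD tenant". The following added example, which is not Authway's own code and does not show how Authway enforces the setting internally, illustrates the check such a restriction implies: the `tid` claim in the token returned by Azure AD must equal the configured tenant id, and the issuer must be that tenant's issuer. The tenant id, issuer URL pattern and claim sets are constructed placeholders.

```python
# Added illustration (not Authway code): what "only allow users from the
# organization's Azure AD tenant" means when the token comes back.
# Azure AD tokens carry the issuing directory in the `tid` claim; the v2.0
# issuer has the form https://login.microsoftonline.com/<tid>/v2.0.

# Constructed placeholder, not a real directory id.
CONFIGURED_AZURE_TENANT_ID = "00000000-0000-0000-0000-00000000acme"


def expected_issuer(tenant_id: str) -> str:
    """Issuer an Azure AD v2.0 token from this directory is expected to carry."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def token_from_allowed_tenant(claims: dict, allowed_tenant_id: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a set of already signature-verified claims.

    Both `tid` and `iss` are required to match: a missing `tid` must be
    rejected rather than treated as "unknown but fine".
    """
    tid = claims.get("tid")
    if not tid:
        return False, "token has no tid claim"
    if tid != allowed_tenant_id:
        return False, f"token issued by foreign directory {tid}"
    if claims.get("iss") != expected_issuer(allowed_tenant_id):
        return False, "issuer does not belong to the configured directory"
    return True, "ok"


# Constructed sample claim sets, as they would look after signature validation.
SAMPLE_CLAIMS = {
    "own_tenant": {
        "iss": expected_issuer(CONFIGURED_AZURE_TENANT_ID),
        "tid": CONFIGURED_AZURE_TENANT_ID,
        "preferred_username": "anna@acme.example",
    },
    "other_tenant": {
        "iss": expected_issuer("11111111-1111-1111-1111-11111111ffff"),
        "tid": "11111111-1111-1111-1111-11111111ffff",
        "preferred_username": "anna@acme.example",  # same username, different directory
    },
    "missing_tid": {
        "iss": expected_issuer(CONFIGURED_AZURE_TENANT_ID),
        "preferred_username": "anna@acme.example",
    },
}


def evaluate_samples() -> dict:
    """Run the check over every sample; returns name -> accepted flag."""
    return {
        name: token_from_allowed_tenant(claims, CONFIGURED_AZURE_TENANT_ID)[0]
        for name, claims in SAMPLE_CLAIMS.items()
    }


if __name__ == "__main__":
    for name, accepted in evaluate_samples().items():
        print(f"{name:13s} -> {'accepted' if accepted else 'rejected'}")
```

The "other_tenant" sample is the case the configuration is meant to stop: the same e-mail-style username presented by a different Azure AD directory. Without the tenant id restriction, nothing in the username alone distinguishes the two.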

It is also possible to configure two levels of auto-provisioning of users for some of the identity providers. Check the setting that allows the identity provider to automatically create users. By doing so you enable the first level, which we call auto-link. This level still requires an administrator to manually add the user to the service, but no invitation needs to be sent. Instead the user is redirected to the external identity provider when trying to sign in, and on return the user is auto-linked based on the username being the same in Authway and in the external identity provider.

Authway can also create the user completely at sign-in, thereby removing all manual administration of users in Authway. To enable this, one or more trusted domains must also be added to allow the users to be created automatically. The sign-in process matches everything after “@” in the e-mail address (username) to see if there is an organization with auto-provisioning configured. If a match is found, the user is redirected to the external identity provider and, on return, the user is created automatically. If any piece of information is missing when creating the user, the user will be prompted for it the first time, but not after the user creation is finished.
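The two auto-provisioning levels, the tenant-selection prompt for shared credentials and the rule that a trusted domain belongs to exactly one tenant are easiest to see as one routing decision. The example below is an added, constructed model of that decision; it is not Authway's implementation, and the tenant names, the `Directory` class, the `resolve_sign_in` outcomes and the idea that a tenant "has auto-provisioning configured" when a trusted domain is registered and an enabled identity provider may create users are all assumptions made for the illustration.

```python
# Added illustration (not Authway code): how a sign-in request is routed
# given the rules described on this page. Tenant data is constructed.
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    name: str
    enabled: bool = True             # enabled/disabled for this specific tenant
    auto_create_users: bool = False  # "allowed to automatically create users"


@dataclass
class Tenant:
    name: str
    url_name: str                    # unique URL name, e.g. "priv"
    identity_providers: dict = field(default_factory=dict)  # idp name -> IdentityProvider
    trusted_domains: set = field(default_factory=set)
    users: dict = field(default_factory=dict)  # username -> set of linked idp names


class Directory:
    """Hypothetical in-memory stand-in for the tenant registry."""

    def __init__(self):
        self.tenants = {}
        self._domain_owner = {}  # trusted domain -> tenant name; unique per tenant

    def add_tenant(self, tenant: Tenant) -> None:
        if tenant.name in self.tenants:
            raise ValueError(f"tenant name must be unique: {tenant.name}")
        self.tenants[tenant.name] = tenant

    def add_trusted_domain(self, tenant_name: str, domain: str) -> None:
        domain = domain.lower()
        owner = self._domain_owner.get(domain)
        if owner is not None and owner != tenant_name:
            raise ValueError(f"{domain} is already a trusted domain of tenant {owner}")
        self._domain_owner[domain] = tenant_name
        self.tenants[tenant_name].trusted_domains.add(domain)

    def resolve_sign_in(self, username: str, idp_name: str) -> tuple:
        """Decide what happens when `username` arrives via identity provider `idp_name`."""
        username = username.strip().lower()
        # Same credentials may exist in several tenants: the user must pick one.
        holders = sorted(name for name, t in self.tenants.items() if username in t.users)
        if len(holders) > 1:
            return ("choose_tenant", holders)
        if len(holders) == 1:
            tenant = self.tenants[holders[0]]
            if idp_name in tenant.users[username]:
                return ("sign_in", tenant.name)
            # Account exists but is not linked yet: auto-link level, if allowed.
            idp = tenant.identity_providers.get(idp_name)
            if idp and idp.enabled and idp.auto_create_users:
                return ("auto_link", tenant.name)
            return ("invitation_required", tenant.name)
        # No account anywhere: only full auto-provisioning can create one,
        # keyed on everything after "@" in the username.
        if "@" not in username:
            return ("unknown_user", None)
        domain = username.rsplit("@", 1)[1]
        owner = self._domain_owner.get(domain)
        if owner is None:
            return ("unknown_user", None)
        idp = self.tenants[owner].identity_providers.get(idp_name)
        if idp is None or not idp.enabled or not idp.auto_create_users:
            return ("unknown_user", None)
        return ("auto_provision", owner)


def build_demo_directory() -> Directory:
    """Constructed sample data: two tenants, one with auto-provisioning."""
    d = Directory()
    acme = Tenant("Acme AB", "acme")
    acme.identity_providers["microsoft"] = IdentityProvider("microsoft", True, True)
    acme.users["anna@acme.example"] = set()         # added by an admin, not yet linked
    acme.users["bo@acme.example"] = {"microsoft"}
    priv = Tenant("Private individuals", "priv")
    priv.identity_providers["microsoft"] = IdentityProvider("microsoft", True, False)
    priv.users["bo@acme.example"] = {"microsoft"}   # same credentials in a second tenant
    priv.users["dana@example.org"] = set()          # no auto-link here: invitation needed
    d.add_tenant(acme)
    d.add_tenant(priv)
    d.add_trusted_domain("Acme AB", "acme.example")
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    for user in ("bo@acme.example", "anna@acme.example", "carl@acme.example",
                 "dana@example.org", "carl@other.example"):
        print(f"{user:20s} -> {d.resolve_sign_in(user, 'microsoft')}")
```

Note the order of the checks: existing accounts are resolved before the domain lookup, so a trusted domain never overrides an account an administrator created, and a username without a matching trusted domain is simply unknown rather than silently created somewhere.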

Delete a Tenant

It is always sad to see a customer, supplier or partner leave, but when it happens it is important to remove their information from the system to comply with regulations such as GDPR. To delete a tenant, search for it and click on the name to get to the details page. Under the Actions menu you’ll find the delete command if you have the necessary permission. Remember that deleting a tenant is an action that cannot be undone.