Account Multi-tenancy
The Curity Identity Server supports multi-tenancy. A tenant can be assigned to each authentication profile, which makes it possible to create a logical data silo per organization, subsidiary, customer etc. All data is stored in a single multi-tenant-enabled data source, which greatly reduces the complexity of database maintenance.
When a tenant ID is configured on an authentication profile, all linked profiles (token and user management profiles) inherit this tenant. As a consequence, all accounts, credentials, devices, linked accounts, buckets and delegations are assigned the tenant ID when persisted. Moreover, a profile can only see and use the data belonging to the tenant ID it is assigned to.
When multi-tenancy is configured, a given user can have an account with the same subject (user name, email etc.) in different tenants. Within a single tenant, however, a subject remains unique.
Requirements for Multi-Tenancy
Before enabling multi-tenancy on a profile, the following requirements must be met:
- All data sources used by the authentication profile must support multi-tenancy
- All JDBC data sources used by the authentication profile must have a database schema compatible with multi-tenancy
- The authentication profile must be empty before multi-tenancy is enabled
To check whether the database schema is compatible with multi-tenancy, look for the tenant_id column in the accounts table. An existing database can be upgraded using the migration scripts provided in the misc/upgrade/9.1-to-9.2 directory. Database schema initialization scripts without multi-tenancy support are provided in Curity Identity Server releases under the misc/database-schemas directory.
If multi-tenancy is enabled on a non-empty authentication profile, the existing data does not inherit the tenant ID and is therefore no longer visible to the profile.
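The three behaviours described above (a subject is unique per tenant but may repeat across tenants, each profile only sees rows carrying its own tenant ID, and rows persisted before the tenant ID was configured stay invisible) can be reproduced against a tiny constructed model. The block below is an added example and not Curity's schema or code: it uses an in-memory SQLite table with a tenant_id column and a (tenant_id, username) unique constraint, and models pre-tenancy rows as rows whose tenant_id is NULL, which is a modelling assumption made here for illustration.

```python
import sqlite3

# Constructed minimal model of a tenant-aware accounts table (illustration only,
# not the Curity Identity Server schema). The UNIQUE constraint spans the tenant
# so the same username can exist once per tenant.
SCHEMA = """
CREATE TABLE accounts (
    account_id INTEGER PRIMARY KEY,
    tenant_id  TEXT,                -- NULL models a row persisted before tenancy was enabled
    username   TEXT NOT NULL,
    email      TEXT,
    UNIQUE (tenant_id, username)
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def has_tenant_column(conn, table="accounts"):
    """The schema check the page describes: is there a tenant_id column on the accounts table?"""
    columns = [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]
    return "tenant_id" in columns


def create_account(conn, tenant_id, username, email=None):
    """Insert an account; return False when the per-tenant uniqueness constraint rejects it."""
    try:
        conn.execute(
            "INSERT INTO accounts (tenant_id, username, email) VALUES (?, ?, ?)",
            (tenant_id, username, email),
        )
        return True
    except sqlite3.IntegrityError:
        return False


def accounts_visible_to(conn, tenant_id):
    """What a profile bound to tenant_id can see: only rows tagged with that tenant."""
    rows = conn.execute(
        "SELECT username FROM accounts WHERE tenant_id = ? ORDER BY username",
        (tenant_id,),
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    conn = open_db()
    # Row created before multi-tenancy was enabled: no tenant ID (modelled as NULL).
    conn.execute("INSERT INTO accounts (tenant_id, username) VALUES (NULL, 'legacy-user')")
    # 'alice' may exist in two different tenants...
    first = create_account(conn, "acme", "alice", "alice@acme.example")
    second = create_account(conn, "globex", "alice", "alice@globex.example")
    # ...but not twice within the same tenant.
    duplicate_rejected = not create_account(conn, "acme", "alice")
    return {
        "schema_ok": has_tenant_column(conn),
        "cross_tenant_ok": first and second,
        "duplicate_rejected": duplicate_rejected,
        "acme_sees": accounts_visible_to(conn, "acme"),
        "globex_sees": accounts_visible_to(conn, "globex"),
        # The legacy row is in the table but no tenant-bound profile can see it.
        "legacy_visible_to_acme": "legacy-user" in accounts_visible_to(conn, "acme"),
    }


if __name__ == "__main__":
    print(demo())
```

The last field in the result is the practical consequence of the "profile must be empty" requirement: the legacy row is still in the table, it is simply filtered out by every tenant-scoped query.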
Configuring Multi-Tenancy
To enable multi-tenancy:
- Go to Facilities / Data Sources.
  - For every JDBC data source used by the profile, enable the Multi-tenant Mode option.
  - For every JSON/REST data source used by the profile:
    - For Buckets (if used): add the :tenantId placeholder to the URLs of the clear, fetch and store operations.
    - For Credentials Access: set the Tenant ID Parameter or add the :tenantId placeholder to the URL.
    - For Attributes (if used): set the Tenant ID Parameter or add the :tenantId placeholder to the URL.
  - There is nothing to configure for DynamoDB and MongoDB data sources.
- For each empty authentication profile, go to General settings and configure the Tenant ID.
A profile without a configured tenant ID is assigned the default tenant.
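For the JSON/REST data sources, the :tenantId placeholder is what carries the profile's tenant into the URL of the backing service, so the service can scope its lookup to that tenant. The following added example (not Curity's code and not a description of how the server renders its URLs internally) shows both halves: a renderer that fills ':name' placeholders into a configured URL template, and a minimal backing-service handler that parses the tenant from the path and only answers from that tenant's data. The template, the :username placeholder, the host name and the credential store are all assumptions constructed for the example; only :tenantId comes from the page.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Constructed in-memory credential store keyed by tenant; stands in for whatever
# system sits behind a JSON/REST Credentials Access data source.
CREDENTIALS = {
    "acme":   {"alice": "hash-A1"},
    "globex": {"alice": "hash-G1", "bob": "hash-G2"},
}

# Hypothetical URL template as it might be configured on the data source.
# ':tenantId' is the placeholder named on the page; ':username' is assumed here.
TEMPLATE = "https://idstore.example.internal/tenants/:tenantId/credentials/:username"

PLACEHOLDER = re.compile(r":([A-Za-z]\w*)")   # letters first, so a ':8443' port is not a placeholder


def render_url(template, **values):
    """Fill every ':name' placeholder from values; refuse to emit a URL with one left unfilled.

    Values are percent-encoded with no safe characters so a username such as
    '../globex/credentials/bob' cannot escape its path segment.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"no value supplied for placeholder :{name}")
        return quote(values[name], safe="")
    return PLACEHOLDER.sub(substitute, template)


def handle_request(url):
    """Backing-service side: tenant comes from the path, and the lookup never leaves it.

    Returns an (http_status, credential) tuple; a user that exists only in another
    tenant yields 404 rather than that tenant's record.
    """
    parts = urlsplit(url).path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "tenants" or parts[2] != "credentials":
        return 404, None
    tenant, username = unquote(parts[1]), unquote(parts[3])
    credential = CREDENTIALS.get(tenant, {}).get(username)
    return (200, credential) if credential is not None else (404, None)


if __name__ == "__main__":
    for tenant, user in [("acme", "alice"), ("acme", "bob"), ("globex", "bob")]:
        url = render_url(TEMPLATE, tenantId=tenant, username=user)
        print(url, "->", handle_request(url))
```

The check worth keeping from this example is the one in render_url: a URL template that was configured without the :tenantId placeholder is indistinguishable, to the backing service, from a single-tenant request, so failing loudly on an unfilled or missing placeholder is preferable to silently serving cross-tenant data.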