user1167253

Reputation: 833

Multi-tenant authorization with FusionAuth

I have the following use case. I have several organizations that want to use my application (SPA). The owners of these organizations must be able to register a new organization by email. Once the email has been verified and the organization has been unlocked, the owner must be able to create new users for their own organization. The username and password can be chosen freely by the owner (no email, e.g. Callagent1, Bob, etc.). The newly created users can now log in with the help of organization id, username and password.

How can I realize this with the help of your product? Which steps do I have to take?

Upvotes: 2

Views: 507

Answers (1)

voidmain

Reputation: 1690

FusionAuth supports the concept of Tenants and then each Tenant can have multiple Applications and Users. Here's how you would accomplish this with the FusionAuth APIs:

  1. When a new organization is unlocked, you call the Tenant API to create a new Tenant (https://fusionauth.io/docs/v1/tech/apis/tenants)
  2. You create a new Application in this newly created Tenant using the Application API (https://fusionauth.io/docs/v1/tech/apis/applications). Don't forget to send in the Tenant Id using the header. You can read up more on Tenants in this Tutorial (https://fusionauth.io/docs/v1/tech/tutorials/tenants)
  3. The user that just verified their email is created as a User in the Tenant by calling the User API (https://fusionauth.io/docs/v1/tech/apis/users) and/or the Registration API (https://fusionauth.io/docs/v1/tech/apis/registrations). They will also need a Registration to the Application created in step #2. This user can be granted a role in the Application that allows them to create new users. Maybe it is called Admin or something.
  4. The admin user can now create new users. When a new user is created, you perform the same API calls from step #3, but the new users are given different roles.

This setup will allow the organizations to have users that can log in with their organization id (which is the tenant id), username and password.

Upvotes: 3
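
The four steps of the answer above, written as request descriptions a backend could send (an added example, not part of the original answer and not FusionAuth's own code). The role names, the `session` dict, the minimal request bodies and the placeholder API key are assumptions; the requests are built but not sent.

```python
import uuid

API_KEY = "PLACEHOLDER_API_KEY"  # constructed placeholder; kept on the backend, never in the SPA


def _req(method, path, tenant_id, body):
    """Describe one FusionAuth API call; tenant_id scopes it via the header."""
    headers = {"Authorization": API_KEY, "Content-Type": "application/json"}
    if tenant_id:
        headers["X-FusionAuth-TenantId"] = tenant_id
    return {"method": method, "path": path, "headers": headers, "json": body}


def onboard_organization(org_name, owner_email, owner_password):
    """Steps 1-3: new Tenant, an Application inside it, and the owner as admin."""
    tenant_id, app_id = str(uuid.uuid4()), str(uuid.uuid4())
    roles = [{"name": "admin"}, {"name": "member"}]  # role names are assumptions
    return tenant_id, app_id, [
        # Minimal tenant body (assumption); some versions require more fields.
        _req("POST", f"/api/tenant/{tenant_id}", None, {"tenant": {"name": org_name}}),
        _req("POST", f"/api/application/{app_id}", tenant_id,
             {"application": {"name": f"{org_name} app", "roles": roles}}),
        _req("POST", "/api/user/registration", tenant_id,
             {"user": {"email": owner_email, "password": owner_password},
              "registration": {"applicationId": app_id, "roles": ["admin"]}}),
    ]


def create_member(session, username, password):
    """Step 4: tenant and application come from the admin's server-side session
    (hypothetical dict), never from the request body, so an admin cannot
    create users in another organization."""
    if "admin" not in session["roles"]:
        raise PermissionError("only an organization admin may create users")
    return _req("POST", "/api/user/registration", session["tenant_id"],
                {"user": {"username": username, "password": password},
                 "registration": {"applicationId": session["application_id"],
                                  "roles": ["member"]}})


def login(tenant_id, app_id, username, password):
    """Login with organization id (the tenant id), username and password."""
    return _req("POST", "/api/login", tenant_id,
                {"loginId": username, "password": password, "applicationId": app_id})
```

Because usernames are only unique within a Tenant, the tenant header on the login and registration calls is what keeps `Bob` in one organization separate from `Bob` in another.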
