Tenant Management

If you want to view the SDK documentation for Tenant Management, click here.

The Descope service supports multi-tenancy architecture natively. Each project can have multiple tenants, and the end-users can be assigned to either the project or can belong to one or many tenants. The most common use case of tenants is when you are building a B2B application, and each of your customers can have multiple users. You must manage these users and their roles at a tenant level. Descope admins can create and update tenants either manually in the Descope console or using the tenant management API and sdk from within their application as show within the Tenants in Backend guide.

Tenant Domain

Under the configuration of tenants in Descope, you can configure tenant domains. These domains are utilized during user registration and will automatically maps users to the tenant based on the domain in
their email address. It only takes effect if the user signs in using methods other than SAML. In case of SAML authentication, the tenant-id is a required parameter.

Tenant Session Management

Descope allows you to configure some of the session management configurations at a per tenant level. You can configure these items within the Descope Console by going to the tenants page, selecting the tenant you want to configure, and then select Custom under the Session Management section. Descriptions of the configurations can be found within this section of the project configuration guide for the supported tenant level configurations.

Once you have enabled these configurations at the tenant level, the tenant level configuration will take precedence over the project level configuration.

Note

If a user exists in multiple tenants, a merged policy favoring stricter security will be chosen.

Custom Tenant Attributes

Descope allows you to create custom attributes that can store further details about your tenants. You can create custom attributes within the tenant's page under the custom attributes tab.

Custom attributes can be of various types and store any data you want to store for the tenant. For example, this data could be a tenant's paid tier, geographical location, etc. You can later utilize these attributes within custom claims or loaded for a tenant and displayed them within your application.

SSO Post Authentication Redirect URL

Descope allows to set the SSO post authentication URL that will affect all of the project's tenants. If redirect URL is specified in tenant level settings or SDK/API call, they will override this value.

SSO redirect URL

Widgets

In a tenant-based implementation, we allow Descopers to use Widgets to delegate tenant management actions to their customers. Widgets are client-side components that you embed in your website using our SDKs. With Widgets, your customers can perform tenant management functions within your application, using the tenant-id of your customers. To implement Widgets, please further read here

Was this helpful?

On this page