Welcome back to B2B Auth School. Our mission is to help B2B companies’ uplevel their understanding and implementation of authentication technologies. Our first series of posts is dedicated to Single Sign On (SSO). This article is lesson two in that series.
Lesson one | Introducing B2B Auth School
Lesson two | Organization tenancy: the foundation of SSO and B2B data models
Lesson three | What is single sign on?
Lesson four | SSO protocols: SAML vs. OIDC
Lesson five | What is OpenID Connect (OIDC)?
Lesson six | What is SAML and how does it work?
Lesson seven | Choosing a B2B auth provider
In our previous lesson, we introduced you to the wide world of B2B auth. We established the big picture: B2B auth’s challenges, its value adds, and its key differences from B2C auth. Most importantly, we explained why SSO is B2B auth’s most requested feature and thus the topic of this series.
If you recall, we defined the term B2B auth as the authentication of members and their organizations. Members, instead of individual users, change the whole paradigm of authentication because they come in groups. This change requires a new way of designing and building auth flows in applications.
But to talk about SSO, we have to start with the foundation and building blocks upon which B2B SaaS technologies are built. Specifically, we need to talk about organization tenancy – or org tenancy for short. In this post we’ll go over:
Multi-tenancy is the architecture characterized by multiple parties sharing the same resources. The tenants in multi-tenancy can be a wide variety of entities: customers, groups, applications, databases, containers, microservices, or workers. Nearly all SaaS applications implement multi-tenancy in some shape or form.
Org tenancy is a type of multi-tenancy. The tenants are organizations stored in a shared data model as top level entities. Org tenancy focuses and zooms in on the B2B aspect of representing complex organizations like companies as individual customers.
Org tenancy is the software architecture that governs multiple organizations within a single application. In other words, org tenancy is the design system that lets organizations coexist together within an application. It helps separate and coordinate resources. Like tenants or residents of a building, each organization uses the application without having to worry about its neighbors because org tenancy provides the walls, hallways, doors, and locks to achieve orderly separation. You may have noticed: the word “organization” is always brought up and emphasized.
By name and design, org tenancy considers organizations as the primary unit of business data; the organization is a first-class entity. In an org tenancy model, the application will always scope an end user’s data and functions to their organization. In more practical B2B terms, we can say: the organization is the customer. Let’s break down the org tenancy model into its elements:
B2B customers think, speak, and operate in terms of organizations. Org tenancy architecture equips B2B SaaS applications to codify that ideology into the data structure itself.
If you’re a B2B company, you’re dealing with organizations all the time. Your customers are other companies – which are complex organizations by definition. So if you want more than one customer, you need an org tenancy model that will enable your customers to…
These requirements are considered table stakes by most B2B customers. If a B2B company doesn’t offer org tenancy, the customer has to deal with the fallout; the customer will need to use their own internal systems and tools to create ad-hoc solutions that can group together all of their employees’ user accounts – essentially replicating org tenancy logic on their end. A B2B company not supporting org tenancy puts a huge onus on customers they won’t be interested in taking on. It's a must-have when companies are purchasing B2B SaaS applications.
Now that we understand org tenancy’s importance, let’s talk about the build process. By itself, org tenancy architecture is a lot to construct. When adding authentication on top of that, the challenges start to stack. Here are the key considerations when building org tenancy:
One of the worst possible things that could happen to a B2B company is data leaking between customers. To prevent this, you need really strong controls to guarantee that the data is scoped to the individual tenant. In SaaS applications, shared resources like databases, microservices, and memory need to be thoroughly tested and vetted for isolation. This is arguably org tenancy’s greatest responsibility and requirement. It’s a matter of security.
Unfortunately, there is no exact recipe to define the data model for org tenancy. Every B2B SaaS application must define their own schema to support its features and auth flows. The data model can change drastically depending on what use cases the application supports. When defining the data entities and their relationships, consider these questions: Can end users be members of multiple organizations? Are membership records tied to user records? What structure does the metadata need to be stored in? Can organizations have sub-organizations? And so on.
Org discovery
When an end user logs in to your B2B SaaS application, how do you know which organization they’re authenticating to? It’s a problem of discovery: how to find and identify the right organization based on a login. There are multiple strategies that sit on a spectrum of user friendliness. For a more seamless experience, a B2B SaaS application could attempt to automatically discover the organization from an end user’s membership attributes like email or username. On the other hand, they could require the end user to specify the organization before they can even attempt to log in (this is more thorough, but puts a bigger burden on the end user).
Authentication has many different features and behaviors. Each company may require their own unique combination of these properties for their auth flows. To support that variety, you’ll need to build controls that enable organizations to customize or configure their auth settings. You’ll then need to scope those auth settings to either the organization or member level. The common and fundamental authentication features you should consider supporting are:
The biggest benefit to building org tenancy is that it lays the foundation for SSO. But how? Well, they are inherently linked; SSO is also directly tied to the concept of an organization as a first-class entity. In fact, its authentication scheme relies on the org tenancy data model (organizations, members, and their relationships) to function.
Org tenancy is a prerequisite because it unlocks the ability for:
To build SSO, the standard B2B auth experience for your customers, you first need org tenancy to coordinate organizations, members, and their relationships to all work together in concert within your application. For our next lesson, we’ll cover SSO! See you then.