Tenant Onboarding and Identity

Where do you start? Onboarding and identity

For both greenfield and migrating teams, the answer to “where do you start?” is onboarding, identity, and the control plane. This puts tenancy “front and center” from day one and avoids the trap of building the application first and bolting tenancy on later. Onboarding is part of your service, not a bolt-on — it shapes first impressions and time to value, and it is where deployment, identity, routing, and tiering strategies are put into action. The bar is identical for self-service (B2C) and internal (B2B): fully automated, repeatable, low-friction, with no one-off configuration.

The baseline environment

Before onboarding any tenant, teams provision a baseline environment via DevOps automation: foundational networking (VPC, AZs, subnets), the control plane itself, pooled resources shared by all tenants, the system admin identity, and the system admin console — a purpose-built single pane of glass (monitor onboarding status, activate/deactivate tenants, manage policies, view metrics). System admin identities are kept entirely separate from tenant identities.

The onboarding flow

graph TD
RQ["Receive onboarding request"] --> CT["Create tenant<br/>(GUID, active=false)"]
CT --> PR["Provision tenant resources<br/>(full silo vs. minimal pool)"]
PR --> BI["Add to billing"]
BI --> CU["Create tenant admin user"]
CU --> AC["Set active=true on full success"]
CT -. tracks .-> ST["States: TENANT_CREATED,<br/>BILLING_INITIALIZED,<br/>TENANT_ACTIVATED"]

A single Onboarding service orchestrates the flow, tracking granular states. The provisioning step is potentially the heaviest — SaaS “blurs the DevOps boundaries” by running provisioning at runtime. Tier-based onboarding applies per-resource tier policies (premium → full silo, basic → pool, mixed mode per-resource), with a bias toward pre-provisioning pooled resources at baseline. Track onboarded resources so later deployments find every per-tenant deployment, and handle failures with fault tolerance (e.g., async billing via a queue with retries).

SaaS identity

graph LR
U["User identity"] --> AUTH["OAuth / OIDC authentication"]
T["Tenant identity"] --> AUTH
AUTH --> JWT["JWT with custom claims<br/>(tenant ID, role, tier)"]
JWT --> RT["Routing"]
JWT --> LG["Logging and metrics"]
JWT --> DA["Data access"]

Guidance for getting identity right:

• Configure the IdP with custom attributes before onboarding and populate them per user.
• Use custom claims judiciously — don’t put volatile app access-control attributes there.
• Support federated identity (customer-hosted IdPs), often via an authentication manager that stitches tenant context into third-party tokens (e.g., Amazon Cognito User Pools — pool-per-tenant or a shared pool with groups).

Front-door access and routing

Tenants “enter the front door” via a tenant domain (subdomain-per-tenant, or vanity domains supporting white-labeling, resolved through a Tenant Mapping layer) or a single shared domain (common in B2C, where tenant resolution uses the user’s email domain or a lookup table). Beware the Man in the Middle Challenge: injecting tenant-mapping indirection before the IdP conflicts with the elegant classic auth flow and adds a point of scale and failure. Routing then maps authenticated tenants to resources per request — and the more siloed constructs you introduce, the more you must weigh scalability against cost.

See also

• Control plane vs. application plane — onboarding and identity are control-plane services.
• SaaS foundations — why these surrounding services come first.
• Tenant isolation models — what consumes the tenant context.

When to use it — and when not

Related topics