B2B Authentication MultiTenant

Adding Multi-Account Support to Your Product

Andrew Israel

4 min read
Adding Multi-Account Support to Your Product

When starting a startup, the initial focus is usually on getting your product into peoples hands as quickly as possible. You want to cut any features that aren’t important so you can find out if you are heading in the right direction - this is usually known as making an MVP or minimum viable product.

One area where we see this happen, is authentication for B2B products. In addition to signup, login, and account management, B2B products have to worry about features like invitation flows, setting up an initial role structure, deciding who can see what within their product, and for larger customers, enterprise SSO.

At PropelAuth, we’ve designed our product with this in mind. You can start with a simple B2C product where each user is an individual, and when you are ready to allow those users to invite their coworkers, you can enable all those B2B features with the flip of this switch:

We’ve worked hard to make the transition as smooth as possible, and in this post, we’ll describe the types of changes you might want to make to your application as you start selling your product to companies.

Organization-Scoped Requests

When you are using PropelAuth in a B2C context, your requests are all on behalf of a user. For example, let’s say we are building a product to store your own personal code snippets. You might have some APIs like:

GET  /code-snippet          Gets all MY code snippets
POST /code-snippet          Create a new code snippet
PUT  /code-snippet/{id}     Update one of my code snippets

If you want to update the product to allow users to submit code snippets that their entire organization can see, you’ll want to add APIs that look like this:

GET  /org/{orgId}/code-snippet          Gets all code snippets for my org
POST /org/{orgId}/code-snippet          Create a new code snippet for my org
PUT  /org/{orgId}/code-snippet/{id}     Update one of my org's code snippets

PropelAuth provides you with all the tools you need to do this. For example, on the frontend, our libraries all have an orgHelper which you can use to fetch the organizations the current user is a member of. You can also use our active org concept to automatically select an organization that the user is currently operating within.

On the backend, PropelAuth provides middleware that allows you to check for things like:

  • This user is in the organization with ID 8d75a126-d201-405e-a965-53217986a4aa
  • This user has the role of Admin within the organization with ID 8d75a126-d201-405e-a965-53217986a4aa (we’ll see more about roles in the next section)
  • This user has the permission CanCreateCodeSnippets within the organization with ID 8d75a126-d201-405e-a965-53217986a4aa
  • … and more

Roles / Permissions / RBAC

Once you have organizations enabled, one of the first things you’ll want to think about is - does everyone in an organization have the same access? Or do some users have more access than others?

We’ve written about the role structure that popular products use, and if you aren’t sure where to start, we’d recommend having at least two roles:

  • Member - Full access to the product, but cannot view billing or anything else that is sensitive
  • Admin - Full access

Whatever you pick initially, remember that you can always change it. PropelAuth will automatically handle non-backwards compatible role changes, by re-mapping all your users and outstanding invitations:

Self-service UIs

When a user wants to invite their coworker, what steps do they need to take? Ideally, they can do this without emailing you. That’s why PropelAuth provides full UIs for organization management, enabling your users to invite their coworkers, rescind invitations, manage roles, and more. You don’t have to write any code, once you enable Organizations, the UIs will be turned on automatically.

Enterprise Customers?

While you might not be worried about this just yet, once you close your first enterprise customer, they are going to have even more requirements. They will ask for enterprise SSO / SAML, which means they won’t want to use the same invite flows as everyone else.

Luckily, this is again a case where PropelAuth provides those features out of the box. Your enterprise customers can use the same organization management UIs to set up an enterprise SSO connection.

You have full control over which companies using your product have access to this feature, in case you want to save it for an Enterprise tier of your pricing plan.

And, remember that code you write to support the smaller organizations using your product? It all just works with enterprise customers too.

Summary

PropelAuth offers a simple solution for B2B authentication. It is designed to support the initial focus of starting a startup - to get a product into people's hands quickly.

The product can be used for B2C authentication and later be converted to B2B with a switch.

PropelAuth provides the tools to make the transition smooth with our frontend and backend libraries. It also includes self-service UIs for organization management and enterprise SSO/SAML for larger customers.

Ready to get started?

Sign Up