You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Set up a [Loopback4 Datasource](https://loopback.io/doc/en/lb4/DataSource.html) with `dataSourceName` property set to
66
70
`SubscriptionDB`. You can see an example datasource [here](#setting-up-a-datasource).
67
71
- This component internally uses [FeatureToggleServiceComponent](https://www.npmjs.com/package/@sourceloop/feature-toggle-service) that requires a datasource binding with the name 'FeatureToggleDB'. Make sure to create a datasource for it.
This microservice uses [loopback4-authentication](https://www.npmjs.com/package/loopback4-authentication) and [@sourceloop/core](https://www.npmjs.com/package/@sourceloop/core) and that uses asymmetric token encryption and decryption by default for that setup please refer [their](https://www.npmjs.com/package/@sourceloop/authentication-service) documentation but if you wish to override and use symmetric encryption add the following to your `application.ts` file along with other config values.
- The front end application first calls the `/leads/{id}/verify` which updates the validated status of the lead in the DB and returns a new JWT Token that can be used for subsequent calls
67
70
- If the token is validated in the previous step, the UI should call the `/leads/{id}/tenants` endpoint with the necessary payload(as per swagger documentation).
68
71
- This endpoint would onboard the tenant in the DB, and its success you should trigger the relevant events using the `/tenants/{id}/provision` endpoint.
69
-
- The provisioning endpoint will invoke the publish method on the `EventConnector`. This connector's purpose is to provide a place for consumer to write the event publishing logic. And your custom service can be bound to the key `EventConnectorBinding` exported by the service.
70
72
73
+
## Direct Tenant Onboarding
74
+
75
+
In addition to the lead-based onboarding flow, a new tenant can also be onboarded directly without creating a lead first.
76
+
This capability is designed specifically for control plane administrators, who can create and provision tenants directly through the management APIs.
77
+
78
+
To ensure security and operational control, only users with control plane admin privileges are allowed to perform direct tenant onboarding.
79
+
Regular users or leads cannot bypass the standard lead creation and verification process.
71
80
## Event Publishing
72
81
73
82
The service supports pluggable event strategies — EventBridge, SQS, and BullMQ — through the loopback4-message-bus-connector.
@@ -151,6 +160,47 @@ app
151
160
.bind(TenantManagementServiceBindings.IDP_AUTH0)
152
161
.toProvider(Auth0IdpProvider);
153
162
```
163
+
### Keycloak IdP Provider
164
+
165
+
The Keycloak IdP Provider automatically sets up and configures all the required Keycloak resources for a new tenant during onboarding.
166
+
167
+
It eliminates manual setup and ensures each tenant has a secure, isolated identity environment.
168
+
169
+
When a new tenant is provisioned, the provider automatically:
170
+
- Creates a Realm in Keycloak for that tenant.
171
+
(Each tenant gets its own isolated authentication space.)
172
+
173
+
- Configures SMTP (Email) settings in the realm using AWS SES for password reset and notification emails.
174
+
175
+
- Creates a Client inside the realm for the tenant’s application with the correct redirect URIs and credentials.
176
+
177
+
- Creates an Admin User for the tenant with a temporary password and triggers a password reset email.
178
+
179
+
- Returns the admin user’s ID (authId) after successful setup.
180
+
181
+
This setup ensures that every tenant has a ready-to-use Keycloak environment, complete with its own realm, client, and admin user, enabling secure login and user management from day one.
182
+
183
+
### Auth0 IdP Provider
184
+
185
+
The Auth0 IdP Provider automates the Auth0 setup required for a tenant during onboarding. It creates the Auth0 organization, provisions an initial admin user, and adds that user to the organization — all based on tenant details and stored tenant configuration.
186
+
187
+
When a tenant is provisioned, the provider will:
188
+
189
+
- Create (or reuse) an Auth0 Organization for the tenant.
190
+
191
+
For PREMIUM tenants a dedicated organization is created per tenant. For pooled plans, tenants are grouped under a shared organization named after the plan tier. This ensures correct isolation or pooling based on your plan model.
192
+
193
+
- Apply branding and connection settings to the organization using the tenant configuration (logo, colors, enabled connections, etc.).
194
+
195
+
This makes tenant login pages and connections (social/database) behave and look as configured for that tenant.
196
+
197
+
- Create an Admin User for the tenant using the tenant contact details and a generated temporary password.
198
+
199
+
The password is generated securely and the admin is expected to verify or change it through Auth0 flows (no password is persisted in plain text).
200
+
201
+
- Add the admin user as a member of the Auth0 Organization so they can manage users, connections, and settings for that tenant.
202
+
203
+
- Return the Auth0 user ID (authId) on success so the control plane can reference the identity for audits or future operations.
154
204
155
205
## Webhook Integration
156
206
@@ -585,3 +635,5 @@ The major tables in the schema are briefly described below -
585
635
**Leads** - this model represents a lead that could eventually be a tenant in the system
586
636
587
637
**Tenants** - main model of the service that represents a tenant in the system, either pooled or siloed
638
+
639
+
**TenantMgmtConfig** - to save any tenant specific data related to idP
0 commit comments