You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Set up a [Loopback4 Datasource](https://loopback.io/doc/en/lb4/DataSource.html) with `dataSourceName` property set to
66
70
`SubscriptionDB`. You can see an example datasource [here](#setting-up-a-datasource).
67
71
- This component internally uses [FeatureToggleServiceComponent](https://www.npmjs.com/package/@sourceloop/feature-toggle-service) that requires a datasource binding with the name 'FeatureToggleDB'. Make sure to create a datasource for it.
This microservice uses [loopback4-authentication](https://www.npmjs.com/package/loopback4-authentication) and [@sourceloop/core](https://www.npmjs.com/package/@sourceloop/core) and that uses asymmetric token encryption and decryption by default for that setup please refer [their](https://www.npmjs.com/package/@sourceloop/authentication-service) documentation but if you wish to override and use symmetric encryption add the following to your `application.ts` file along with other config values.
- This endpoint would onboard the tenant in the DB, and its success you should trigger the relevant events using the `/tenants/{id}/provision` endpoint.
69
72
- The provisioning endpoint will invoke the publish method on the `EventConnector`. This connector's purpose is to provide a place for consumer to write the event publishing logic. And your custom service can be bound to the key `EventConnectorBinding` exported by the service.
70
73
74
+
## Direct Tenant Onboarding
75
+
76
+
In addition to the lead-based onboarding flow, a new tenant can also be onboarded directly without creating a lead first.
77
+
This capability is designed specifically for control plane administrators, who can create and provision tenants directly through the management APIs.
78
+
79
+
To ensure security and operational control, only users with control plane admin privileges are allowed to perform direct tenant onboarding.
80
+
Regular users or leads cannot bypass the standard lead creation and verification process.
71
81
## Event Publishing
72
82
73
83
The service supports pluggable event strategies — EventBridge, SQS, and BullMQ — through the loopback4-message-bus-connector.
@@ -151,6 +161,25 @@ app
151
161
.bind(TenantManagementServiceBindings.IDP_AUTH0)
152
162
.toProvider(Auth0IdpProvider);
153
163
```
164
+
### Keycloak IdP Provider
165
+
166
+
The Keycloak IdP Provider automatically sets up and configures all the required Keycloak resources for a new tenant during onboarding.
167
+
168
+
It eliminates manual setup and ensures each tenant has a secure, isolated identity environment.
169
+
170
+
When a new tenant is provisioned, the provider automatically:
171
+
- Creates a Realm in Keycloak for that tenant.
172
+
(Each tenant gets its own isolated authentication space.)
173
+
174
+
- Configures SMTP (Email) settings in the realm using AWS SES for password reset and notification emails.
175
+
176
+
- Creates a Client inside the realm for the tenant’s application with the correct redirect URIs and credentials.
177
+
178
+
- Creates an Admin User for the tenant with a temporary password and triggers a password reset email.
179
+
180
+
- Returns the admin user’s ID (authId) after successful setup.
181
+
182
+
This setup ensures that every tenant has a ready-to-use Keycloak environment, complete with its own realm, client, and admin user, enabling secure login and user management from day one.
154
183
155
184
## Webhook Integration
156
185
@@ -585,3 +614,5 @@ The major tables in the schema are briefly described below -
585
614
**Leads** - this model represents a lead that could eventually be a tenant in the system
586
615
587
616
**Tenants** - main model of the service that represents a tenant in the system, either pooled or siloed
617
+
618
+
**TenantsConfig** - to save any tenant specific data related to idP
0 commit comments