docs(tenant-management): update the readme

vaibhavbhalla2505 · vaibhavbhalla2505 · commit a466394ea326 · 2025-11-11T13:19:24.000+05:30
GH-109
diff --git a/services/subscription-service/README.md b/services/subscription-service/README.md
@@ -62,6 +62,10 @@ $ [npm install | yarn add] @sourceloop/ctrl-plane-subscription-service
   // add Component for subscription-service
   this.component(SubscriptionServiceComponent);
   ```
+- If you uses Sequelize as the ORM, make sure to use the Sequelize-compatible components,else use the respective default components.  
+  ```ts
+  this.component(SubscriptionSequelizeServiceComponent);
+  ```
 - Set up a [Loopback4 Datasource](https://loopback.io/doc/en/lb4/DataSource.html) with `dataSourceName` property set to
   `SubscriptionDB`. You can see an example datasource [here](#setting-up-a-datasource).
 - This component internally uses [FeatureToggleServiceComponent](https://www.npmjs.com/package/@sourceloop/feature-toggle-service) that requires a datasource binding with the name 'FeatureToggleDB'. Make sure to create a datasource for it.
diff --git a/services/tenant-management-service/README.md b/services/tenant-management-service/README.md
@@ -42,7 +42,10 @@ $ [npm install | yarn add] @sourceloop/ctrl-plane-tenant-management-service
   // add Component for TenantManagementService
   this.component(TenantManagementServiceComponent);
   ```
-
+- If you uses Sequelize as the ORM, make sure to use the Sequelize-compatible components,else use the respective default components.  
+  ```ts
+  this.component(TenantManagementSequelizeServiceComponent);
+  ```
   This microservice uses [loopback4-authentication](https://www.npmjs.com/package/loopback4-authentication) and [@sourceloop/core](https://www.npmjs.com/package/@sourceloop/core) and that uses asymmetric token encryption and decryption by default for that setup please refer [their](https://www.npmjs.com/package/@sourceloop/authentication-service) documentation but if you wish to override and use symmetric encryption add the following to your `application.ts` file along with other config values.
 
 ```typecript
@@ -66,8 +69,14 @@ this.bind(TenantManagementServiceBindings.Config).to({
 - The front end application first calls the `/leads/{id}/verify` which updates the validated status of the lead in the DB and returns a new JWT Token that can be used for subsequent calls
 - If the token is validated in the previous step, the UI should call the `/leads/{id}/tenants` endpoint with the necessary payload(as per swagger documentation).
 - This endpoint would onboard the tenant in the DB, and its success you should trigger the relevant events using the `/tenants/{id}/provision` endpoint.
-- The provisioning endpoint will invoke the publish method on the `EventConnector`. This connector's purpose is to provide a place for consumer to write the event publishing logic. And your custom service can be bound to the key `EventConnectorBinding` exported by the service.
 
+## Direct Tenant Onboarding
+
+In addition to the lead-based onboarding flow, a new tenant can also be onboarded directly without creating a lead first.
+This capability is designed specifically for control plane administrators, who can create and provision tenants directly through the management APIs.
+
+To ensure security and operational control, only users with control plane admin privileges are allowed to perform direct tenant onboarding.
+Regular users or leads cannot bypass the standard lead creation and verification process.
 ## Event Publishing
 
 The service supports pluggable event strategies — EventBridge, SQS, and BullMQ — through the loopback4-message-bus-connector.
@@ -151,6 +160,25 @@ app
   .bind(TenantManagementServiceBindings.IDP_AUTH0)
   .toProvider(Auth0IdpProvider);
 ```
+### Keycloak IdP Provider
+
+The Keycloak IdP Provider automatically sets up and configures all the required Keycloak resources for a new tenant during onboarding.
+
+It eliminates manual setup and ensures each tenant has a secure, isolated identity environment.
+
+When a new tenant is provisioned, the provider automatically:
+- Creates a Realm in Keycloak for that tenant.
+(Each tenant gets its own isolated authentication space.)
+
+- Configures SMTP (Email) settings in the realm using AWS SES for password reset and notification emails.
+
+- Creates a Client inside the realm for the tenant’s application with the correct redirect URIs and credentials.
+
+- Creates an Admin User for the tenant with a temporary password and triggers a password reset email.
+
+- Returns the admin user’s ID (authId) after successful setup.
+
+This setup ensures that every tenant has a ready-to-use Keycloak environment, complete with its own realm, client, and admin user, enabling secure login and user management from day one.
 
 ## Webhook Integration
 
@@ -585,3 +613,5 @@ The major tables in the schema are briefly described below -
 **Leads** - this model represents a lead that could eventually be a tenant in the system
 
 **Tenants** - main model of the service that represents a tenant in the system, either pooled or siloed
+
+**TenantsConfig** - to save any tenant specific data related to idP
diff --git a/services/tenant-management-service/src/models/tenant-config.model.ts b/services/tenant-management-service/src/models/tenant-config.model.ts
