Getting started with multitenancy
Find out the organizations (tenants) relevant for your application
The set of organizations (tenants) owning resources of an application may be of interest for use cases like loading master data. This list of tenants equals the set of tenants that own any of the application’s resources. It can easily be determined by collecting the values of the resource property owningTenantId from the application’s ACL. More tenants may have access to the application’s resources because access has been shared with them. But as the owner of these resources is still the same, the set of relevant tenants does not change. Check out our sections on Sharing and Access management for further information.
Exchange data in a tenant-specific context
In multitenant-capable systems, the organizational context of a request has to be respected for each resource access. See Sharing on how this context could be interpreted. There are multiple ways this can be implemented:
- When accessing resources
  - API with path parameter (e.g. /{tenantID}/)
  - Resource server requests the tenant ID of the requestor from the userinfo endpoint of Multitenant Access Control
  - Form parameter (e.g. 'tenantID')

  But keep in mind that due to Sharing the user’s or client’s tenant may differ from the tenant that owns the resource.
- When accessing web applications
  - Path parameter (e.g. /{tenantID}/)
  - Query parameter (e.g. '?tenant={tenantID}')

  When the organization (tenant) is switched, existing tokens have to be ignored (issuer mismatch) and a new login flow has to be triggered.
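
The tenant switch described above for web applications, as an added example that is not part of the original documentation or of Multitenant Access Control itself. It assumes that the tenant ID is the first path segment, that each tenant has its own issuer URL, and that the token's signature was verified before the claims reach this check; the function names, tenant IDs and issuer URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample data: tenant IDs and issuer URLs are placeholders,
# not values taken from Multitenant Access Control.
ISSUER_BY_TENANT = {
    "tenant-a": "https://auth.example.com/tenant-a",
    "tenant-b": "https://auth.example.com/tenant-b",
}


def tenant_from_path(url):
    """Return the first path segment, treated here as /{tenantID}/."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return segments[0] if segments else None


def check_tenant_context(url, claims):
    """Decide how to handle a request to a tenant-specific URL.

    `claims` are the claims of an already signature-verified token,
    or None when the request carries no token.
    Returns ("reject", reason), ("login", tenant) or ("accept", tenant).
    """
    tenant = tenant_from_path(url)
    expected_issuer = ISSUER_BY_TENANT.get(tenant)
    if expected_issuer is None:
        # Missing or unknown tenant: never fall back to a default tenant.
        return ("reject", "unknown tenant")
    if claims is None:
        return ("login", tenant)
    if claims.get("iss") != expected_issuer:
        # Issuer mismatch: the token belongs to another tenant, so it is
        # ignored and a new login flow is started for the tenant in the path.
        return ("login", tenant)
    return ("accept", tenant)
```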