Inspiration

Enterprise applications require flexible authentication - some organizations use Google OAuth, others mandate SAML-based SSO with Okta or Azure AD, while smaller teams prefer simple password or OTP login. We were inspired by how products like Auth0 and WorkOS handle this complexity, and wanted to build an open-source solution that lets SaaS applications support multiple auth methods per tenant without vendor lock-in.

What it does

Multi-Tenant Auth Login is a complete authentication system that allows each organization (tenant) to configure their own login methods:

  1. Password & OTP - Traditional email/password with magic link support
  2. Google OAuth - Social login for quick onboarding
  3. SAML SSO - Enterprise IdP integration (Okta, Azure AD, OneLogin)
  4. OIDC SSO - Modern OpenID Connect protocol support
  5. JIT Provisioning - Automatically create users on first SSO login

When a user enters their email, the system detects their organization and shows only the auth methods their admin has enabled - exactly how enterprise SaaS products work.

How we built it

  1. Backend: Node.js + Express + TypeScript with TypeORM for database management
  2. Frontend: React + Vite + TailwindCSS
  3. Database: PostgreSQL with multi-tenant schema (organizations, users, auth methods, SSO configs)
  4. SSO: @node-saml/node-saml for SAML assertions, openid-client for OIDC flows
  5. Security: JWT access/refresh tokens, PKCE for OAuth, bcrypt for password hashing

Challenges we ran into

a. SAML complexity - Parsing XML assertions, certificate validation, and handling different IdP response formats was tricky

b. Email-first flow - Designing a UX where users enter email first, then see available auth methods required careful state management

c. Identity linking - Ensuring a user can't accidentally link to a different SSO account than expected required email verification at every callback
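The email-first discovery step and the callback-time identity check described above, as an added example (not the project's own code): tenant records, domains and the fallback to password login for unknown domains are constructed assumptions.

```typescript
// Added example, not the project's code. Tenant data is constructed inline.
type AuthMethod = "password" | "otp" | "google" | "saml" | "oidc";

interface Tenant {
  id: string;
  emailDomain: string;          // users are routed to a tenant by their email domain
  enabledMethods: AuthMethod[]; // what the org admin turned on
}

// Constructed sample tenants (hypothetical organizations).
const TENANTS: Tenant[] = [
  { id: "org-acme", emailDomain: "acme.example", enabledMethods: ["saml"] },
  { id: "org-beta", emailDomain: "beta.example", enabledMethods: ["password", "otp", "google"] },
];

function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

function emailDomain(email: string): string | null {
  const parts = normalizeEmail(email).split("@");
  return parts.length === 2 && parts[1] ? parts[1] : null;
}

// Step 1 of the email-first flow: find the tenant by domain and expose only the
// methods its admin enabled. Unknown domains falling back to plain password login
// is an assumption for this example.
function discoverAuthMethods(email: string): { tenantId: string | null; methods: AuthMethod[] } {
  const domain = emailDomain(email);
  const tenant = TENANTS.find((t) => t.emailDomain === domain);
  return tenant
    ? { tenantId: tenant.id, methods: [...tenant.enabledMethods] }
    : { tenantId: null, methods: ["password"] };
}

// Step 2, at the SSO callback: the identity the IdP asserts must be the same
// email the user typed at step 1 and must belong to the tenant whose SSO config
// was used; otherwise an account from another org could be linked by mistake.
function verifyCallbackIdentity(
  pending: { tenantId: string; email: string },
  assertedEmail: string,
): boolean {
  const tenant = TENANTS.find((t) => t.id === pending.tenantId);
  if (!tenant) return false;
  const asserted = normalizeEmail(assertedEmail);
  return asserted === normalizeEmail(pending.email) && emailDomain(asserted) === tenant.emailDomain;
}
```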

Accomplishments that we're proud of

i. Protocol-agnostic design - Adding a new auth method only requires implementing one service class

ii. True multi-tenancy - Each organization has completely isolated auth configuration

iii. Production-ready security - PKCE, signed assertions, email verification, and proper token rotation

iv. Clean architecture - Separation between controllers, services, and models makes the codebase maintainable

What we learned

  1. Deep understanding of SAML assertions, OIDC flows, and how enterprise IdPs work
  2. Designing database schemas for multi-tenant SaaS applications
  3. The importance of relay state and PKCE in preventing auth-related attacks
  4. How to build email-first authentication flows like Slack and Notion

What's next for Multi Tenant Auth Login

  1. SCIM provisioning - Sync users automatically from enterprise directories
  2. MFA support - Add TOTP/WebAuthn as a second factor
  3. Admin dashboard - UI for org admins to configure SSO without API calls
  4. Audit logs - Track all authentication events for compliance
  5. Session management - Allow users to view and revoke active sessions
  6. SDK/npm package - Make it easy to integrate into any Node.js application
