Modeling B2B SaaS Identity in SecureAuth
SecureAuth provides a flexible identity architecture that supports both single-tenant and multi-tenant B2B SaaS applications. Using features like Organizations, Workspaces, and Delegated Administration, your platform can deliver secure, branded, and scalable experiences for each business customer—no matter your underlying SaaS model.
Architecture Overview
The diagram below illustrates how SecureAuth supports both single-tenant and multi-tenant SaaS identity models:
What’s the Difference?
Model | Description | Common Use Case |
---|---|---|
Single-Tenant | One dedicated application instance per customer | High-assurance customers (e.g., financial, gov) |
Multi-Tenant | One shared app serving many customers, logically isolated by org context | Standard SaaS platforms with shared backend |
How SecureAuth Supports Each SaaS Model
Single-Tenant B2B SaaS
Each customer has their own environment and may require full isolation.
SecureAuth Modeling Options:
- Use a dedicated SecureAuth tenant per customer, if desired
- Or use a shared tenant with a Workspace or Organization per customer
- Federation setup, branding, and policy configuration per customer
- Configure vanity domains like `login.customer-name.com`
Best suited for regulated industries or customers requiring strict data isolation.
Multi-Tenant B2B SaaS
All customers share one application instance, and identity is isolated logically.
SecureAuth Modeling Options:
- Use a single SecureAuth tenant
- Define each customer as an Organization
- Support per-org:
  - Branding and theming
  - Authentication policies
  - Federation with customer IdPs (SAML, OIDC)
  - Delegated admin for user lifecycle management
- Use org-level claims in tokens for authorization and personalization
Best suited for SaaS platforms with self-service onboarding, tiered customers, and partner networks.
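An added example (not SecureAuth code and not part of the original page) of the multi-tenant pattern above: the shared backend binds every data access to the `organization_id` claim of an already-validated token and fails closed when the claim is missing or malformed. The `Invoice` type, the store, and the sample org IDs are hypothetical, and token signature, issuer, audience and expiry checks are assumed to happen upstream.

```python
# Added example: per-organization isolation enforced from token claims.
# Assumption: `claims` is the payload of a token that was already validated.
from dataclasses import dataclass

ORG_CLAIM = "organization_id"  # claim name taken from the page

class TenantIsolationError(PermissionError):
    """Raised when a request cannot be bound to exactly one organization."""

@dataclass(frozen=True)
class Invoice:  # hypothetical resource type
    invoice_id: str
    organization_id: str
    amount_cents: int

def org_from_claims(claims: dict) -> str:
    """Return the caller's organization, failing closed on bad claims."""
    org = claims.get(ORG_CLAIM)
    if not isinstance(org, str) or not org.strip():
        raise TenantIsolationError("token carries no usable organization_id")
    return org

class InvoiceStore:
    """Shared store; reads are scoped by the token's org, never by request input."""

    def __init__(self, rows):
        self._rows = {r.invoice_id: r for r in rows}

    def list_for(self, claims: dict) -> list:
        org = org_from_claims(claims)
        return [r for r in self._rows.values() if r.organization_id == org]

    def get(self, claims: dict, invoice_id: str) -> Invoice:
        org = org_from_claims(claims)
        row = self._rows.get(invoice_id)
        # Same error for "missing" and "other org's row": no cross-tenant ID probing.
        if row is None or row.organization_id != org:
            raise LookupError("invoice not found")
        return row

# Constructed sample data and claims (not real tenants or tokens).
STORE = InvoiceStore([
    Invoice("inv-1", "org_acme", 1200),
    Invoice("inv-2", "org_globex", 990),
])
ACME_USER = {"sub": "u1", ORG_CLAIM: "org_acme"}
NO_ORG_USER = {"sub": "u2"}
```

The organization is never read from a URL parameter, header, or request body, so a caller cannot switch tenants by editing the request.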
Example Architecture Mapping
SaaS Model | SecureAuth Design | Identity Isolation Scope |
---|---|---|
Single-Tenant | One tenant per customer | Full platform isolation |
Single-Tenant | Shared tenant, per-customer workspaces or orgs | Logical branding + policy |
Multi-Tenant | One tenant, many orgs | Per-org auth + admin + flows |
Hybrid | Mix of both | Choose based on customer fit |
Decision Guide
Your SaaS Strategy | SecureAuth Approach |
---|---|
Large customers with isolated security/compliance needs | Separate tenant or workspace |
SMB and mid-market customers in one environment | Use Organizations + policy/branding per org |
Need delegated management by customer admins | Enable Delegated Admin per Organization |
Each customer wants their own IdP or branding | Use Federation + per-org theming |
Key Capabilities Supporting This
- Organizations: Logical customer isolation with custom IdP, branding, and admin
- Workspaces: Configuration segmentation per customer or business unit
- Delegated Admin: Scoped administrative roles for customer self-management
- Vanity Domains: Branded URLs like `login.partnerxyz.com`
- Federation: SAML or OIDC login per org with JIT provisioning
- Token Claims: Include `organization_id` and other metadata for fine-grained control
Whether you run dedicated environments or operate at scale with a shared multi-tenant architecture, SecureAuth lets you model your B2B SaaS identity approach securely—with the flexibility to evolve as your business grows.