Multi-tenancy, facilitated by the multi-tenant “auth mode”, allows you to run multiple Dittofeed workspaces on a single instance of Dittofeed. These workspaces allow you to isolate data for different customers, and can be managed programmatically. The multi-tenant auth mode also provides separate workspace member accounts, which can log into Dittofeed using their own credentials and permissions. The multi-tenant auth mode is only available in dittofeed-ee, and Dittofeed cloud. See dittofeed-ee for more information on installing dittofeed-ee.

Setup

Multi-tenancy utilizes OIDC (OpenID Connect) for authentication. To enable multi-tenancy, you will need to configure an OIDC provider.

Auth0

In order to configure Auth0 as an OIDC provider for multi-tenancy, use the following environment variables.
.env
OPEN_ID_CLIENT_ID='<your-auth0-client-id>'
OPEN_ID_CLIENT_SECRET='<your-auth0-client-secret>'
SECRET_KEY='<your-secret-key>'
AUTH_MODE='multi-tenant'
AUTH_PROVIDER='auth0'
SIGNOUT_URL='/dashboard/signout'
# Example: https://dittofeed.us.auth0.com/
OPEN_ID_ISSUER='https://<your-auth0-domain>.auth0.com/'
OPEN_ID_AUTHORIZATION_URL='https://<your-auth0-domain>.auth0.com/authorize'
OPEN_ID_TOKEN_URL='https://<your-auth0-domain>.auth0.com/oauth/token'
OPEN_ID_USER_INFO_URL='https://<your-auth0-domain>.auth0.com/userinfo'

Configuring Auth0

In auth0 create a Regular Web Application. Then in the settings of the application, (https://manage.auth0.com/dashboard/us/dittofeed/applications/<application-id>/settings) take the following actions.
  • Copy the Client ID which will be used as the OPEN_ID_CLIENT_ID.
  • Copy the Client Secret which will be used as the OPEN_ID_CLIENT_SECRET.
  • Add a callback URL of the form https://<your-dittofeed-instance>/dashboard/oauth2/callback.
  • Add a Logout URL of the form https://<your-dittofeed-instance>/dashboard/signout/complete.
  • Add an Allowed Web Origins of the form https://<your-dittofeed-instance>.
  • Allow Cross-Origin Authentication.
  • Click Save Changes.

Generating a Secret Key

See our documentation on Authentication Modes for instructions on how to generate a new SECRET_KEY.

AWS Cognito

In order to configure AWS Cognito as an OIDC provider for multi-tenancy, use the following environment variables. Note that many of these values can be found on your Cognito user pool’s OpenID Connect settings page. https://cognito-idp.<your-region>.amazonaws.com/<your-user-pool-id>/.well-known/openid-configuration
.env
OPEN_ID_CLIENT_ID='<your-cognito-client-id>'
OPEN_ID_CLIENT_SECRET='<your-cognito-client-secret>'
SECRET_KEY='<your-secret-key>'
AUTH_MODE='multi-tenant'
AUTH_PROVIDER='cognito'
SIGNOUT_URL='/dashboard/signout'
OPEN_ID_ISSUER=https://cognito-idp.us-east-1.amazonaws.com/<your-user-pool-id>
OPEN_ID_AUTHORIZATION_URL='https://<your-user-pool-id>.auth.<your-region>.amazoncognito.com/oauth2/authorize'
OPEN_ID_TOKEN_URL='https://<your-user-pool-id>.auth.<your-region>.amazoncognito.com/oauth2/token'
OPEN_ID_USER_INFO_URL='https://<your-user-pool-id>.auth.<your-region>.amazoncognito.com/oauth2/userInfo'
OPEN_ID_END_SESSION_ENDPOINT='https://<your-user-pool-id>.auth.<your-region>.amazoncognito.com/logout'
OPEN_ID_RETURN_TO_QUERY_PARAM=logout_uri

Configuring Cognito

  • Create a new user pool using a traditional web application.
  • Create a new App client.
  • Configure your app client as follows:
    • Set the “Allowed callback Urls”: https://<your-dittofeed-instance>/dashboard/oauth2/callback
    • Set Allowed sign-out URLs: https://<your-dittofeed-instance>/dashboard/signout/complete
    • Select the “OAuth 2.0 grant types”: Authorization code grant
    • Select the “OpenID Connect scopes”: Email, OpenID, and Profile