Multi-tenant applications with Firebase and Google Cloud
Google Cloud Identity Platform (GCIP) allows you to add Google-grade identity and access management support to your own applications. Enterprises can use GCIP to manage the identities of their employees, customers, partners and IoT devices at scale. In November 2019 Google further extended GCIP with support for tenant management. This new feature enables enterprises to define multiple tenants within a single instance of GCIP. Each user account can be assigned to a tenant, and authenticated using a collection of tenant-specific identity providers.
As an example consider an automobile manufacturer who’s partnered with at least two distributors. The manufacturer offers an array of online inventory management, order processing and payment applications to the distributors. However, as often is the case, the distributors use different SAML identity providers to manage the identities of their own employees and systems. So how do we go about securely exposing the manufacturer’s applications to the distributors?
GCIP multi-tenancy support is ideal for implementing this type of business-to-business (B2B) integrations. The auto manufacturer can use GCIP, and define separate tenants for each distributor. Within each tenant the manufacturer can specify different SAML configurations that would enable employees of the distributor companies to authenticate with manufacturer’s applications. Furthermore, if the manufacturer wishes to enable additional authentication methods (e.g. Google or Facebook sign-in) for selected tenants, GCIP supports that too.
Developers that use GCIP to implement multi-tenant applications can use the Firebase Admin SDKs to create and manage their tenants programatically. This is useful for developing backend services, automation scripts and customer on-boarding flows that need to define and access tenants in an automated fashion. So far the required APIs have been added to the Node.js and Golang variants of the Admin SDK, with more language support expected in the future. Listing 1 shows how to create a new tenant with a tenant-specific email sign-in configuration in Go.
Once a tenant has been created, you can create, update, retrieve and delete users within that tenant. Listing 2 shows some of the corresponding Go APIs.
You can also define SAML and OIDC identity providers for each tenant using the Admin SDK.
Listing 4 shows how to list or iterate over all the tenants defined in a single GCIP instance. This is useful when developing high-level administrative tools for managing all the B2B integrations from a single central point.
But what about the client-side development interface? How would our auto manufacturer add authentication support to their apps, so the distributors can sign-in as separate tenants? You can use the Firebase Web SDK to implement tenant-aware user authentication flows in your client-facing web apps. As shown in listing 5, you just need to specify the target tenant ID before invoking the usual Firebase authentication logic.
Multi-tenancy is a critical feature for many large enterprises who wish to expose their apps to different customer and/or partner organizations. GCIP and Firebase make developing multi-tenant applications easier by providing a wide range of server-side and client-side APIs. Refer to the documentation and the code samples for more details, and see if GCIP can help simplify your B2B integration story.
