Multi-Tenant SaaS with AWS Cognito

Atul Shukla
Dec 30, 2020

With the growing popularity of Software as a Service (SaaS) applications, multi-tenant architecture is becoming popular as well. A multi-tenant architecture has several benefits over making copies of a single-tenant application for each customer. This post does not detail those benefits, as there are several resources available on Medium and elsewhere. Instead, I will focus on implementing the authentication end of a multi-tenant architecture, specifically using AWS Cognito. The framework presented in this post can easily be migrated to other Auth as a Service tools like Okta, Auth0 and Google Auth.

Let us start by listing a few assumptions/requirements:

  • Each end-user-facing site (the end user being the customer of your customer/tenant) will have a different URL for each tenant. For example, www.abc.com and www.cde.com will both be on the same multi-tenant platform behind the scenes, but will appear as completely different sites to their customers.
  • The end user should not know that the platform they are using is a multi-tenant platform, which means each end-user site appears as if it's a single instance.
  • Since the end user is unaware of the multi-tenancy, they are allowed to use the same email address as their username across different tenants' sites.
