
Multi-Tenancy / Tenant

An architecture where a single instance of a software application serves multiple distinct customer organizations (tenants), each with isolated data and configuration.

What is Multi-Tenancy / Tenant?

Multi-Tenancy is a software architecture where a single instance of an application serves multiple customer organizations, called tenants. Each tenant's data is isolated and invisible to other tenants.

Key characteristics:

  • Tenant Isolation: Data, configuration, and users are logically isolated per tenant
  • Shared Infrastructure: All tenants share the same application instance, database, and infrastructure
  • Tenant-Specific Configuration: Each tenant can customize branding, policies, and features
  • Usage Metering: Resource usage (users, storage, API calls) can be tracked per tenant

In CIAM, multi-tenancy enables one identity platform to serve multiple customer organizations, each with their own user directory, login pages, and authentication policies.

Analogy

Think of multi-tenancy like an apartment building. The building (software instance) has many separate apartments (tenants), each with its own lock (authentication), furniture (configuration), and belongings (data). The building manager (provider) maintains the common infrastructure (heating, plumbing) while each tenant has privacy and independence.

Types and Use Cases

  • SaaS Applications: Each customer is a tenant with their own data and settings (Salesforce, Slack)
  • CIAM Platforms: Each business customer has a tenant for their customer identity management
  • B2B Portals: Each partner company is a tenant with their own users and permissions
  • E-Commerce: Each merchant is a tenant with their own product catalog and customer base
  • Education: Each school/district is a tenant with their own students, teachers, and courses

How it Works

1. Provider creates tenant for each customer organization with a unique tenant ID or domain
2. Tenant configures their instance: branding, authentication policies, MFA requirements, SSO connections
3. Users register or are provisioned within their tenant - data is tagged with tenant ID for isolation
4. During authentication, the system identifies which tenant the user belongs to (by subdomain, email domain, or tenant ID)
5. All user operations (login, profile update, API calls) are scoped to the tenant - tenant A users cannot access tenant B data
6. Provider manages the shared infrastructure while tenants self-manage their configuration and users

Multi-Tenancy / Tenant vs Single-Tenant Architecture

| Multi-Tenancy / Tenant | Single-Tenant Architecture |
| --- | --- |
| Shares one instance across all customers | Gives dedicated instance per customer |
| Lower cost (shared resources) | Higher cost (dedicated resources) |
| Easier to maintain (one codebase to update) | Adds maintenance overhead (update each instance) |
| Requires strong isolation measures | Has natural isolation |
| Scales horizontally | Scales vertically |

Best Practices for Multi-Tenancy / Tenant

  • Design for isolation: Ensure tenant data is strictly isolated at the database level (tenant ID on every record)
  • Monitor noisy neighbors: One tenant consuming excessive resources shouldn't impact others - implement rate limiting and resource quotas
  • Allow tenant customization: Let tenants customize branding, policies, and features within safe boundaries
  • Plan for data export: Provide tenants easy ways to export their data for backup or migration
  • Test isolation thoroughly: Security test that tenants cannot access each other's data
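
The example below is added here and is not LoginRadius code. It sketches steps 3 to 5 of "How it Works" together with the "Design for isolation" and "Test isolation thoroughly" practices: the tenant is resolved from the request host, every query is bound to that tenant ID inside the data-access object, and a check confirms that one tenant cannot read another's record by guessing its ID. The tenant names, the idp.example domain, and all function and class names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; tenant names and domain are hypothetical.
TENANTS = {"acme": 1, "globex": 2}   # subdomain -> tenant ID (step 1)
BASE_DOMAIN = "idp.example"          # placeholder provider domain

def resolve_tenant(host):
    """Step 4: map the request Host header to a tenant ID, or None if unknown."""
    host = host.split(":")[0].lower().rstrip(".")
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None                  # e.g. acme.idp.example.attacker.test
    # Exact single-label match only: "x.acme" is not a tenant.
    return TENANTS.get(host[: -len(suffix)])

class TenantScopedUsers:
    """Data access bound to one tenant; callers never pass a tenant ID."""
    def __init__(self, db, tenant_id):
        if tenant_id is None:
            raise ValueError("unknown tenant")  # fail closed, never run unscoped
        self._db, self._tenant_id = db, tenant_id

    def add(self, email):
        # Step 3: the record is tagged with the tenant ID on write.
        cur = self._db.execute(
            "INSERT INTO users (tenant_id, email) VALUES (?, ?)",
            (self._tenant_id, email))
        return cur.lastrowid

    def get(self, user_id):
        # Step 5: the tenant filter is applied here, not by the caller.
        row = self._db.execute(
            "SELECT email FROM users WHERE id = ? AND tenant_id = ?",
            (user_id, self._tenant_id)).fetchone()
        return row[0] if row else None

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
               "tenant_id INTEGER NOT NULL, email TEXT NOT NULL)")
    return db

def isolation_check():
    """What 'acme' and 'globex' each see when asking for a globex user ID."""
    db = make_db()
    acme = TenantScopedUsers(db, resolve_tenant("acme.idp.example"))
    globex = TenantScopedUsers(db, resolve_tenant("globex.idp.example:443"))
    acme.add("alice@acme.test")
    foreign_id = globex.add("bob@globex.test")
    return acme.get(foreign_id), globex.get(foreign_id)
```

Because the shared table uses one ID sequence, a user in one tenant can guess valid IDs from another; the lookup returns nothing unless the row's tenant ID matches the session's tenant.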

How LoginRadius Powers Multi-Tenancy / Tenant

The LoginRadius CIAM platform is built on a multi-tenant architecture. Each customer gets a dedicated tenant with an isolated user directory, custom branding, configurable authentication policies, MFA settings, and SSO connections. LoginRadius manages infrastructure while customers self-manage their tenant configuration. Tenant isolation is enforced at the database and application layers.

FAQs

Tenant isolation is achieved through: (1) Database-level isolation - every record has a tenant ID; queries always filter by tenant. (2) Application-level isolation - middleware ensures user's session is scoped to their tenant. (3) Encryption - per-tenant encryption keys. (4) Network isolation - separate network segments for sensitive tenants. Most SaaS platforms use database-level isolation as the primary mechanism.

Multi-tenant = one application instance shared by many customers, with logical data isolation. Multi-instance = each customer gets their own application instance (possibly on shared hardware). Multi-tenant is more cost-efficient and easier to maintain but requires stronger isolation. Multi-instance provides stronger security isolation but is more expensive to operate.

LoginRadius operates a multi-tenant architecture where each customer organization is a separate tenant with isolated user data, configuration, and policies. Each tenant has their own subdomain, branding, authentication policies, MFA settings, and SSO connections. LoginRadius handles tenant isolation at the database and application layers, ensuring complete data separation.
